What the PSD2 and GDPR mean for security

EU requirements around the use of data will receive a shake-up in 2018, bringing added implications for threat detection

By Tim Ferguson

Wed 22 Nov 2017 @ 14:19

Next year will see big changes in the way data is accessed and protected in Europe, with the arrival of a major EU regulation and an important directive in the financial services space.

The first to arrive is the second Payment Services Directive (PSD2), which becomes effective in January and focusses on increasing competition among payment providers. It forms part of the EU's Open Banking initiative to help new players enter the market.

Under the directive, banks will be required to open up access to customer accounts via APIs so that third-party service providers can directly access account data.

To protect consumers, the PSD2 will enforce stricter identity controls, with additional checks when higher-value online payments are made. Consumers will also benefit from service providers being able to display information from a range of accounts in a single location.

A few months later, May 2018 will mark the point at which the General Data Protection Regulation (GDPR) will become enforceable.

The GDPR is a much broader regulation that brings widespread changes to the ways organisations can collect, store and process data from customers and partners.

One of its major stipulations concerns the way data breaches affecting EU citizens are handled and reported. If personal data has been changed, lost, or inappropriately accessed or shared, the breach will have to be reported to the local data watchdog within 72 hours of being discovered. The data owner, too, may have to be notified.

How these two regulations work together will be key for affected organisations.

In summary, the PSD2 enforces the idea that third-party providers can access client-owned data directly to give consumers a greater choice and to encourage competition within the FinTech space. However, this will be governed in part by the GDPR, which ensures data remains the sole property of individuals and is theirs to do with as they wish.

Although the specific objectives of the PSD2 and GDPR are different, they are both built on the principle that individuals own their personal data and should be able to choose how it is used and shared. The regulations aim to put customers in control of their data and to keep that data safe.

As a result, the two regulations will often be applied alongside each other — and this will have a significant impact on the approach financial institutions take to threat detection.

The PSD2 will see new organisations accessing customer data held on bank systems. Although steps will be taken to ensure that APIs are secure, today's threat landscape suggests they will still offer a new route into bank networks for cyber criminals to exploit.

The high value of the data held within these networks is also likely to motivate cyber criminals to put significant efforts into accessing it. For example, cyber criminals could impersonate third-party organisations to gain access to customer data for nefarious purposes.

It will therefore be crucial for banks and payment service providers to expand the network activity they monitor so any new and unusual interactions that could signify a compromise can be picked up before they lead to a damaging breach. Technologies like user and entity behaviour analytics (UEBA) will be vital in building this capability.

As well as flagging potential issues, security technology will also need to be sophisticated enough to avoid false positives so that all legitimate requests to access data are allowed, ensuring the overall objectives of the PSD2 are supported.
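The monitoring described in the two paragraphs above, as an added illustration that is not part of the original article and not any vendor's UEBA product: each third-party provider (TPP) gets a behavioural profile learned from a baseline of known-good API traffic (which client certificates it presents, how many requests it makes per day), and new traffic is checked against that profile and against a consent registry. A request is flagged when the provider presents a certificate never seen from it before (the impersonation case), claims a consent it does not hold, touches an account outside that consent, or when its daily volume jumps well above its baseline; ordinary requests matching the profile raise nothing, which is the false-positive concern of the second paragraph. All provider identifiers, certificate fingerprints, account numbers, consent ids and events are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class AccessEvent:
    ts: str          # ISO 8601 timestamp; the date is the first 10 characters
    tpp_id: str      # third-party provider identifier (hypothetical)
    cert_fp: str     # fingerprint of the TLS client certificate the provider presented
    account_id: str  # customer account the request touches
    consent_id: str  # consent the provider claims to be acting under

# Constructed consent registry: consent id -> (provider it was granted to, accounts it covers)
CONSENTS: Dict[str, Tuple[str, Set[str]]] = {
    "c-100": ("tpp-alpha", {"acc-1001", "acc-1002"}),
    "c-200": ("tpp-beta", {"acc-2001"}),
}

# Constructed baseline: two days of known-good traffic used to learn normal behaviour
BASELINE: List[AccessEvent] = [
    AccessEvent("2018-01-15T09:00:00Z", "tpp-alpha", "fp-a1", "acc-1001", "c-100"),
    AccessEvent("2018-01-15T09:05:00Z", "tpp-alpha", "fp-a1", "acc-1002", "c-100"),
    AccessEvent("2018-01-16T09:00:00Z", "tpp-alpha", "fp-a1", "acc-1001", "c-100"),
    AccessEvent("2018-01-16T09:05:00Z", "tpp-alpha", "fp-a1", "acc-1002", "c-100"),
    AccessEvent("2018-01-15T10:00:00Z", "tpp-beta", "fp-b1", "acc-2001", "c-200"),
    AccessEvent("2018-01-16T10:00:00Z", "tpp-beta", "fp-b1", "acc-2001", "c-200"),
]

# Constructed new day of traffic to evaluate against the baseline
NEW_EVENTS: List[AccessEvent] = [
    AccessEvent("2018-01-17T09:00:00Z", "tpp-alpha", "fp-a1", "acc-1001", "c-100"),   # normal request
    AccessEvent("2018-01-17T09:01:00Z", "tpp-alpha", "fp-zz9", "acc-1001", "c-100"),  # certificate never seen from tpp-alpha
    AccessEvent("2018-01-17T10:00:00Z", "tpp-beta", "fp-b1", "acc-1001", "c-100"),    # consent granted to a different provider
    AccessEvent("2018-01-17T10:01:00Z", "tpp-beta", "fp-b1", "acc-2002", "c-200"),    # account not covered by the consent
] + [
    # burst of six further requests pushes tpp-alpha far above its usual two per day
    AccessEvent(f"2018-01-17T11:{i:02d}:00Z", "tpp-alpha", "fp-a1", "acc-1002", "c-100")
    for i in range(6)
]

RATE_FACTOR = 3.0  # flag a day whose request count exceeds this multiple of the baseline average

def build_profile(events: List[AccessEvent]) -> Dict[str, dict]:
    """Learn, per provider, the set of certificates seen and the average requests per day."""
    certs: Dict[str, Set[str]] = defaultdict(set)
    per_day: Counter = Counter()
    for e in events:
        certs[e.tpp_id].add(e.cert_fp)
        per_day[(e.tpp_id, e.ts[:10])] += 1
    counts_by_tpp: Dict[str, List[int]] = defaultdict(list)
    for (tpp, _day), n in per_day.items():
        counts_by_tpp[tpp].append(n)
    avg = {tpp: sum(ns) / len(ns) for tpp, ns in counts_by_tpp.items()}
    return {"certs": dict(certs), "avg_per_day": avg}

def detect(profile: Dict[str, dict], consents: Dict[str, Tuple[str, Set[str]]],
           events: List[AccessEvent]) -> List[Tuple[str, str, str]]:
    """Return (timestamp-or-day, provider, reason) alerts for events that deviate from the profile."""
    alerts: List[Tuple[str, str, str]] = []
    daily: Counter = Counter()
    for e in events:
        # A valid-looking certificate that this provider has never presented is the impersonation signal
        if e.cert_fp not in profile["certs"].get(e.tpp_id, set()):
            alerts.append((e.ts, e.tpp_id, "unknown-client-cert"))
        consent = consents.get(e.consent_id)
        if consent is None or consent[0] != e.tpp_id:
            alerts.append((e.ts, e.tpp_id, "consent-not-held-by-provider"))
        elif e.account_id not in consent[1]:
            alerts.append((e.ts, e.tpp_id, "account-outside-consent"))
        daily[(e.tpp_id, e.ts[:10])] += 1
    # Volume check runs once per provider-day so a burst produces one alert, not one per request
    for (tpp, day), n in daily.items():
        baseline = profile["avg_per_day"].get(tpp)
        if baseline is not None and n > RATE_FACTOR * baseline:
            alerts.append((day, tpp, "request-volume-above-baseline"))
    return alerts

def summarize(alerts: List[Tuple[str, str, str]]) -> Counter:
    """Count alerts by reason; this is what an analyst would triage first."""
    return Counter(reason for _ts, _tpp, reason in alerts)

if __name__ == "__main__":
    found = detect(build_profile(BASELINE), CONSENTS, NEW_EVENTS)
    for ts, tpp, reason in found:
        print(ts, tpp, reason)
    print(dict(summarize(found)))
```

The consent check is deterministic and should fire rarely on legitimate traffic; the certificate and volume checks are behavioural and are where tuning matters, since a provider rotating its certificate or onboarding many customers in one day will trip them unless the baseline is refreshed. Keeping each check as a separately named reason lets the alerts be routed and weighted differently in a SIEM rather than treated as one undifferentiated "anomaly".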

While security tools will need to monitor a greater range of activity around customer data, they will also need to support the GDPR's 72-hour reporting requirement. Organisations will be in line for severe penalties if they are unable to detect and report a breach quickly enough. Effective security information and event management (SIEM) technology will therefore also be critical.

The latest network monitoring and forensics technology, rapid threat detection and advanced SIEM are increasing in importance all the time. The arrival of the PSD2 and GDPR will only accelerate this trend, especially for financial services organisations.