PSD2 and what it means to your company
2019 is set to be a game-changing year for retail banking and FinTechs! As the PSD2 (Revised Payment Service Directive) becomes implemented and finally enforced on 14 September 2019, banks’ monopoly on their customer’s account information and payment services is becoming history.
In short, PSD2 enables both consumers and businesses, to use third-party providers to manage their finances. Soon you may be using your favorite social network to pay your bills, making peer-to-peer transfers and analyze your spending, while still having your money safely placed in your current bank account. PSD2 will fundamentally change the payments value chain and customer expectations.
Through PSD2, the European Commission aims to improve innovation, reinforce consumer protection and improve the security of internet payments and account access across the EU.

PSD2 and its implications on mobile security

The PSD2 guidelines set security requirements for payment services providers across the EU and will provide enhanced protection of EU consumers against payment fraud on the Internet. Specifically, the PSD2 security requirements for mobile apps are referred to in the Regulatory Technical Standards (RTS), for example, paragraph 26 and articles 9, 27 and 28.
RTS requires that the mobile app is running in a secure environment. This means that the integrity of the mobile device should be guaranteed and in case of compromise mitigation measures are taken. The same integrity and mitigation principles apply for the mobile app, too. Risk mitigation measures include the destruction, deactivation and revocation of the service. PSD2 also has a strong focus on data protection: data (e.g. certificates) shall be protected at rest, and when data flows between the mobile app and the service provider, the mobile apps should ensure the security of communication sessions and should avoid misdirection of communication.

Build38 makes your digital mobile channel PSD2 compliant
Your developers should focus on what they are best at: delivering business value, while Build38 provides mobile app security. Build38’s Trusted Application Kit (T.A.K) is a highly secure, holistic and easy to integrate mobile app security framework. It enables you to deliver PSD2 compliant mobile apps.
Build38’s approach to mobile app security is based on a unique triple-protection approach for compromise detection and continuous hardening: ensuring the integrity of device, app and security.
T.A.K can detect changes to the device’ secure execution environment, and in case of compromise or an ongoing attack, it can render its own function useless immediately. At the same time the app is secured by various In-App protection mechanisms, and while in use it is protected by RASP-technology (Runtime Application Self Protection). T.A.K protected data is never visible in clear nor can it be extracted from the device at runtime. When the same data is in motion the Secure Channel and Certificate Pinning prevent Man-in-the-middle (MITM) attacks.
It is Build38’s strong belief that in a changing digital landscape, app security isn’t a luxury. It is a necessity.
For more detailed information on Build38’s mobile app security please have a look at our whitepaper.