After 6 years of faffing around, my Core Concept Security website is finally up and running! Click (https://coreconceptsecurity.com) or on the image for more:
PSD2
Froud on Fraud
Security is Not Easy, But it Can Be Simple.
FinTech vs The Status Quo
There is an old wisdom story about a truck that gets stuck under a bridge. The details vary, but the gist is that all conventional [old school] thinking fails to solve the problem, but out-of-the-box thinking [a young girl/boy] gets the job done.
If you’ve not heard this overused (and yes, [pun intended] ‘tired’) analogy, the premise is that:
Continue reading
The Key to PSD2 Adoption? Mobile Phones!
On January 13th, 2018 the Payment Services Directive 2 (PSD2) becomes national law across the EU.
Depending on whom you ask – and to a large degree what their vested interests are – PSD2 will either have little effect, or be a FinTech game changer that will kill banking as we know it.
From the bank’s perspective, they clearly don’t want change. They have been front and centre for generations when it comes to consumer interaction, and the data they have collected is a major source of their power. Start-ups on the other hand, need a way in, and access to that data is a very good place to start. Whoever controls the consumer directly, will have the best chance of controlling the consumer’s financial choices.
PSD2 itself is supposed to promote 2 things:
- Make it easier and safer to use internet payment services by better protecting consumers against fraud, abuse, and payment problems as well as strengthen consumer rights; and
- Promote innovative mobile and internet payment services. [competition in other words].
The first applies no matter who you are, bank, service provider, or merchant. Combine this with General Data Protection Regulation (GDPR) and everyone needs to protect personal data.
The second however, is supposed to create a so-called ‘level playing field’, but can start-ups truly compete against the big banks who already have the direct consumer relationship?
Innovation is not the problem, FinTech is busting at the seams with new ideas, but none of them mean much unless they are adopted by the masses. What do they have to do to displace a bank, when the chances are they will not actually be providing banking services as we understand them? And what exactly are “innovative mobile and internet payment services” in this context – and to the point of this blog [finally] – how are mobile devices going to make all the difference?
Counterintuitively, mobile phones will actually improve security. You only have to look at the sheer number of each authentication factor of which the modern smartphone is capable to realise that traditional banking apps just don’t cut it. From passwords / passphrases, to fingerprints, to geo-fencing, to whatever comes next, your phone gets as close to true identity management as any device can.
That’s not to say mobile phones are secure, they are not, and this is one of the biggest hurdles to overcome. A bad guy ‘hacking’ into one of your banks accounts is bad enough, now imagine them hacking into an app that controls access to all of your finances. Money management apps is one of the greatest potential benefits of PSD2, and one of its scariest.
As for how mobile devices will aid PSD2 adoption, you only have to look at the trends. According to Statista for the UK:
- By the end of 2017 66% of the UK’s population will be using a smartphone – That’s 43 million people, and given the demographic, they control the lion’s share of the UK’s wealth.
- In 2015, 58% of all smartphone owners used banking apps
It follows therefore that a good chunk of that 43 million will be using their devices for a lot more than Facebook.
The only statistic that does not back this up, is adoption of mobile payments. Despite the Apple Pays/ Samsung Pays, and the plethora of digital wallets, mobile payments have in no way realised their potential. This is not the fault of the smartphone, this has to do with the inability of the payment apps to provide any sort of value-add. From loyalty point, to instant coupons, to ratings and reviews, payment apps are not improving the BUYING experience, just adding a payment option.
PSD2 will change all of that. When you have an app that can not only help you find the best price for something, but give you the best purchase choices based on your combined financial history, now you’re providing true benefit. It’s not about how you pay, it’s about how you buy.
Yes, you can do all of this through a PC / laptop, but on what device do you spend the majority of your time online?
[If you liked this article, please share! Want more like it, subscribe!]
PSD2: Where is the FCA?
On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.
Anyone know what ‘apply’ means in this context?
On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2“. There have been many articles since then trying to explain what it means, at best these are educated guesses.
All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018. Classification of Major Incidents for example.
So as the UK’s ‘competent authority’ for PSD2, it’s surprising – and more than a little disappointing – that they have so far provided zero guidance, and won’t until sometime in 2017.
For example, the most pressing questions are:
- If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
o
- What happens to ASPSPs if they aren’t ready? Are there penalties?
o - When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Provider (PISPs)?
o - Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
o - Does the FCA have final say in liability?
I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.
Of the 50 people I trained in those 3 days:
- PSD2 knowledge was very low;
- So far they have received little guidance from senior leadership;
- 85% were more scared than optimistic;
- Only 10% saw any opportunity for their organisation, the rest saw their jobs threatened;
- Almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers;
Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?
No organisation wants to invest in business transformation without 2 things; 1) clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.
All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready, it’s up to us to do what we can in the meantime.
Here’s what senior leadership at ASPSPs could be doing:
- Ensure the conversations between the legal teams and the FCA are filtered down to all staff – If you’re not having these conversations with the FCA, you must start;
- Set-up a task force to examine opportunities related to Access to Information (XS2A) – You’ll have to give your customer’s information away for free, don’t you want the same from your customer’s other ASPSPs?;
- Set-up a task force to examine opportunities related to innovation in payments – Like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
- Set-up training opportunities for as many staff as possible, in-house or 3rd party. – Uncertainty kills motivation, you cannot let this turn into fear; and
- Take a long hard look at your mobile apps and APIs, these things will have very significant impact down the road. – You cannot be left behind where customer convenience is concerned.
The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:
- Innovation in payments will only be relevant when consumers ask for it – Just look how little impact Apple Pay and the like have had. Why would it, when it’s no more convenient or value-add than the plastic they are trying to replace.
- Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – Make smart choices, don’t make choices based on perceived deadlines.
- Your customers are yours to lose – YOU have the existing relationship with your customer, new entrants in the game will be at significant disadvantage. Unless you do nothing.
The PSD2 is a good thing for consumers, it’s really up to ASPSPs if this is mutual.
[If you liked this article, please share! Want more like it, subscribe!]
What Will Brexit Mean for Cybersecurity?
No idea.
But let’s be honest, everyone will be making wild speculations at this point, just as ‘experts’ in every other field will be. The only thing for certain, is that the UNcertainty will be used by security vendors to try to scare UK companies into buying something.
This one is unrelated, but is actually very good and you should read it first; Brexit: The Implications for the Insurance Industry.
Two of the pending EU laws in the pipeline that will be most cited are the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR). While both of these do not relate to information security per se, security is an enormously important component of each, and penalties will be commensurate with the egregiousness of the data misuse/loss.
The UK would have had to make these law within the next 2 -3 years, but now what? If we’re not IN the EU, do we have to follow the EU rules? Can’t we just do our own thing, like the US?
Well yes, we could, all we’d have to do is adopt something like Safe Harbor and all EU countries would be more than happy to do business with us. Right?
I don’t think so somehow.
Clearly the UK would never put itself in that position [praying silently], and seeing as both PSD2 and GDPR are fully supported by the UK, I would very much doubt any UK-only law would be markedly different. But ANY difference will still complicate things for UK businesses. It will likely require UK organisations to be far more pro-active in the demonstration of their compliance than would otherwise be necessary.
And if there’s one thing that no organisation I have ever come across is good at, it’s the demonstration of good security practices.
Not one.
Luckily for us, there is absolutely nothing in ANY regulation of which I am aware that requires anything more than ‘appropriate’ controls. From the GDPR for example; “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”
This is the greatest thing about my chosen career; Information security cares nothing for law, regulation, compliance, geography, or politics, it’s about a piece of data, on a computer, that someone wants to steal. Everything else is just reporting.
However, getting to the point where the demonstration of compliance is business as usual, is extremely difficult. Not complicated, just difficult. It’s actually very simple, all you have to do is get the CEO/BoD to care about it and it will happen. Easy, right?
UK organisations had 2 years from May 25th to demonstrate compliance with the GDPR, now [potentially] they have to demonstrate their equivalent compliance to every EU business with whom they want to transact. And you thought answering RFPs was bad now!
Nothing will change anytime soon, but in the meantime, just do what you know you should have doing all along, but start now.
Don’t know how, ask.