| Executives May 14, 2019


May 14, 2019

PSD2 compliance is coming: do you have mobile app security for your payment apps?

By Praveen Mamnani, Satendar Bhatia

The security requirements mandated by the Revised Payment Services Directive (PSD2) directive create the need for stronger authentication and secure payment transactions. Mobile banking apps can leverage Lookout App Defense to provide proactive protection for customers.

Mobile banking apps are increasingly becoming the primary channel for consumers to manage their finances, transfer funds, deposit checks and pay bills. Unfortunately, this trend has not gone unnoticed by cyber criminals, who have upped the ante on targeting mobile app users. In fact, over 68% of all fraudulent transactions take place on mobile devices. As a result, there has been an increase in security measures for payment transactions conducted on mobile devices and an increase in regulation, such as the PSD2 from European Commission.

PSD2 mandates compliance by September 2019 and aims to regulate banks, payment service providers and electronic payments to include security features to protect consumers across digital channels. The PSD2 legislation will require financial services in the European Union (EU) to contribute to a more integrated, secure, and efficient payments ecosystem.

Understanding PSD2 compliance and mandates

The PSD2 directive requires financial institutions to:

  • Implement monitoring mechanisms in their apps to detect signs of malware
  • Provide security measures in their app to mitigate risk for the user device
  • Ensure consumers have a secure environment to execute their financial transactions

In Article 2 and Article 9 of the directive, PSD2 highlights Strong Customer Authentication (SCA) and Safe Execution Environment (SEE), which requires de-risking across various threat vectors impacting mobile apps. These include detecting compromised devices (eg: jailbroken or rooted), unsafe environments (such as a fake or malicious wi-fi), as well as malware and vulnerabilities within the application execution environment. PSD2 also includes RTS (Regulatory Technical Standards), which are regulatory requirements set by the European Banking Authority (EBA) to ensure that payments across the EU are secure, fair & efficient.

To meet these requirements, financial institutions need to add strong security capabilities to their mobile apps that protect against known and unknown threats on users’ devices. At the same time, mobile banking apps should be able to detect when they are installed on risky devices, and restrict access to banking services until those risks have been remediated.

How Lookout App Defense supports PSD2

The security requirements mandated by the PSD2 directive create the need for stronger authentication and secure payment transactions. Mobile banking apps can leverage Lookout App Defense SDK on android and iOS to provide proactive protection for customers. During the app activation and authentication process, the App Defense SDK scans the device for the presence of malware or unsafe environments. It also provides visibility and self-protecting remediations, based on the severity level of the malware, for various types of malware (surveillanceware, trojan, bots, spyware, riskware, etc.) that may reside on the device. Flagging devices that are compromised provides a safe and secure environment for banking or payment transactions. In addition, Lookout integration with Trustonic Trusted Execution Environment (TEE) provides an added layer of protection, enabling sensitive payment transactions to be stored within the device secure enclave.

The App Defense SDK leverages the full power and scale of the Lookout Security Cloud with 170 million devices and 70 million apps to detect behavior anomalies and malware threats, which is unrivaled in the security industry

Click here to learn more about mobile banking trends and how Lookout helps organizations align with PSD2 Compliance.


Author

Praveen Mamnani,
Principal Product Manager


Author

Satendar Bhatia,
SVP, Embedded Security Sales