PSD2 Communities – Survey on Communication Security Practices

This survey looks at how the security of communications has been defined by different API communities and what requirements have driven them to design their security solutions.

Purpose of the Survey

All Payment Service Providers (PSPs) are required to communicate securely when providing access to account services. There is also an expectation that those who provide access services do so in an interoperable way, to reduce the difficulty of using the Application Programming Interface (API) or other secure channels.

This survey looks at how the security of communications has been defined by different API communities and what requirements have driven them to design their security solutions.


Key Findings

Whilst there are differences in the approach taken by the different API communities, there is much in common. They all use Transport Layer Security (TLS) with mutual TPP/ASPSP authentication to provide basic security. However, there are many identified limitations in the use of TLS as the only method of securing the communications between ASPSPs and TPPs. These limitations are overcome through also supporting Digital Signatures carried in the HTTP header.

Different communities have made different choices when it is necessary to apply digital signature to PSD2 requests and responses, and what data needs to be protected. However, given that all API communities take the same general approach in securing PSD2 communication this should not prohibit interoperable security.

A key difference is the technical protocol used for carrying digital signatures, with some communities adopting HTTP Signatures (Cavage v10) whilst others using JSON Web Signatures (JWS RFC 7515).

This could potentially divide the overall PSD2 communities into two non-interoperable groups. However, Open Banking Europe (OBE), working with the API communities and the ETSI European Standards Organisation, are working on standard solution which is based on JWS but has the capability to protect HTTP header information as in HTTP Signatures (Cavage v10).

Downloading the full report is restricted to OBE Europe members only. Please login to download.

Share:

Have a question?
Get in touch

* Indicates a mandatory field

On submission of this form you will be sharing your personal data with OBE S.A.S. and its partners. We will process such information for the purposes of reviewing and responding to your request. For more information on how we will process your data and your rights in relation to your data, please review our privacy policy.

You may also be interested in:

Day 2 of Open Banking Expo London kicked off with a Fireside Chat between Luis Miguel Zapata, Vice President, Digital

The 5th version of Latam Fintech Market, one of the most important industry events in the country, took place in

Lauren will be discussing how to balance innovation and business standards with esteemed speakers from Swift and the Bank of

Become a Member

Please fill in the form below to register your interest in joining our OBE Membership programme with us and a member of our team will contact you shortly.

Please note: fields marked with * are mandatory

On submission of this form you will be sharing your personal data with OBE S.A.S. and its partners. We will process such information for the purposes of reviewing and responding to your request. For more information on how we will process your data and your rights in relation to your data, please review our privacy policy.