
PSD2

What it is — The Payment Services Directive 2 (PSD2) is an EU directive (Directive (EU) 2015/2366) regulating payment services and payment service providers in the European Economic Area. It promotes innovation in payment services while ensuring consumer protection and security. The associated Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) specify the detailed security requirements.

Appsec relevance — PSD2 mandates security testing of payment systems (Article 10 of the EBA Guidelines on ICT and Security Risk Management), API security for third-party provider (TPP) access (Article 30 of the RTS on SCA), and protection of personalised security credentials (Article 97(3)). Open Banking APIs that enable Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) are directly in scope.

How Detectify Supports PSD2

  • EBA GL Article 5
    What it requires: Establish processes to identify, classify, and mitigate ICT and security vulnerabilities and threats
    Detectify capability: Scheduled scanning with rapid test module generation via Alfred AI and Crowdsource Network provides continuous vulnerability management
    Coverage: Full
  • EBA GL Article 10
    What it requires: Establish and implement a security testing framework including vulnerability scans and penetration tests
    Detectify capability: Application Scanning, API Scanning, and Internal Scanning with payload-based validation provide security testing evidence
    Coverage: Full
  • RTS Article 30
    What it requires: Provide TPPs with dedicated interfaces (APIs) to access account and payment services securely
    Detectify capability: API Scanning with OpenAPI spec support tests Open Banking APIs for vulnerabilities including injection, authentication bypass, and data exposure
    Coverage: Full
  • Article 97(3)
    What it requires: Ensure adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials
    Detectify capability: Information exposure testing (CWE-200), cleartext storage detection (CWE-312), and transmission security testing (CWE-319)
    Coverage: Full

What Detectify Covers

Detectify addresses PSD2’s security testing, vulnerability management, and API security requirements. API Scanning is particularly relevant for testing Open Banking interfaces that TPPs use to access account information and initiate payments. Application Scanning covers the web interfaces of payment services, and Alfred AI’s rapid test module generation for new CVEs supports the vulnerability management requirements.

PSD2’s Strong Customer Authentication requirements, incident reporting obligations, and audit logging requirements are outside DAST scope.

Complementary Tools You May Need

  • Multi-factor authentication infrastructure — For Article 97 Strong Customer Authentication and Article 98 RTS requirements
  • Incident management and reporting — For Article 96 major incident notification
  • Audit logging — For Article 95 operational and security risk management
  • API gateway / management — For managing TPP access and enforcing API security policies
  • Fraud detection — For transaction monitoring requirements
