Thursday 14 July 2016

Will Brexit affect PSD2's Strong Customer Authentication Requirements?

There is no doubting that Brexit is having a profound effect on the UK, and ripples of disruption have been felt around the world as a result of the UK's decision to leave the EU.

I have written extensively on EU and EC legislation and its impact on a number of cyber security matters including mobile security, identity, authentication and biometrics. 

Recent research has investigated the impact of PSD2 on security; in particular the impact on how payment service providers (PSPs) manage customer authentication.

To summarise the main objectives of PSD2:

  • Contribute to a more integrated and efficient European payments market
  • Improve the level playing field for payment service providers (PSPs), including new players
  • Make payments safer and more secure
  • Protect consumers
  • Encourage lower prices for payments

The European Parliament adopted PSD2 in October 2015 and EU member states have two years in which to implement the new procedures. The EC states that there is a different date of application for the new security measures, including Strong Customer Authentication (SCA) and the standards for secure communication: these are subject to the adoption of the regulatory technical standards being developed by the European Banking Authority (EBA) and adopted by the EC. It is anticipated that the new security measures will apply 18 months after the EC adopts those standards.

PSD2 provides rules for payment security and customer authentication, concentrating on protecting consumers when paying on the internet. 

PSD2 applies to all payment service providers (PSPs) operating in the EU, including banks, payment institutions and third party providers (TPPs), and relates to all electronic means of payment.

The EC defines SCA as a process that “validates the identity of the user of a payment service or of the payment transaction”.

SCA is based on the use of two or more elements:
  1. Knowledge - something only the user knows, e.g. a password or a PIN
  2. Possession - something only the user possesses, e.g. a card or an authentication code (OTP) generating device
  3. Inherence - something the user is, e.g. a biometric authenticator such as fingerprint, voice or eye-print
PSD2 states that these elements have to be independent of each other, meaning that if one element is breached or compromised this does not compromise the “reliability” of the others. In practice that means the secrets behind each element must be generated and stored separately, so that disclosure of one (a password database, say) reveals nothing about another (an OTP seed). The design of the authentication solution must also protect the confidentiality of the authentication data and identity credentials.
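As an added illustration of what a two-element SCA check looks like in code (this is example code written for this page, not text from PSD2, the EBA standards or any vendor), the block below verifies a knowledge element (a password held only as a salted PBKDF2 hash) and a possession element (an RFC 6238 time-based one-time code from a seed held by the user's device). The user record, salt, password and seed are constructed for the demonstration; the seed is the published RFC 6238 test seed. The two secrets are generated independently and verified independently, which is the independence property the directive asks for.

```python
"""Added example: a two-element SCA check (knowledge + possession).

Illustrative code written for this page, not taken from PSD2, the EBA
regulatory technical standards or any product. The user record, password,
salt and TOTP seed below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
import time


# --- Knowledge element: a password, stored only as a salted PBKDF2 hash ---
def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# --- Possession element: RFC 6238 TOTP computed from a seed only the device holds ---
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian time step
    digest = hmac.new(seed, counter, hashlib.sha1).digest()  # HOTP/TOTP use HMAC-SHA1 by default
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept the current step plus one step either side to tolerate clock drift,
    # comparing in constant time so timing does not leak how many digits matched.
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed user record. The salt/password hash and the TOTP seed are produced
# by separate processes and neither is derived from the other, so a leaked
# password database reveals nothing about the OTP seed (element independence).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
TOTP_SEED = b"12345678901234567890"  # RFC 6238 Appendix B test seed (assumption: demo value)
USER = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "salt": SALT,
    "totp_seed": TOTP_SEED,
}


def verify_sca(user: dict, password: str, otp_code: str, unix_time: int) -> bool:
    """Return True only if BOTH elements verify.

    Both checks always run so that an attacker cannot learn from the response
    time which element failed.
    """
    knowledge_ok = hmac.compare_digest(
        hash_password(password, user["salt"]), user["password_hash"]
    )
    possession_ok = verify_totp(user["totp_seed"], otp_code, unix_time)
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    now = int(time.time())
    device_code = totp(USER["totp_seed"], now)  # what the user's OTP device would display
    print("both elements correct:", verify_sca(USER, "correct horse battery staple", device_code, now))
    print("wrong password:       ", verify_sca(USER, "wrong", device_code, now))
    print("wrong OTP:            ", verify_sca(USER, "correct horse battery staple", "000000", now))
```

The point a practitioner should take from this is structural rather than cryptographic: the password hash and the OTP seed live in different records, are checked by different routines, and the overall decision is the conjunction of both. Replacing the second element with, for example, an OTP sent to the same device that stores the password would satisfy "two elements" on paper but not the independence requirement.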

As the UK has voted to exit the EU, will this mean that UK banks and PSPs will not be bound to comply with these regulations (and in fact other EU legislation)? This is a difficult question to answer, as the exact nature of the UK's exit and what exactly will be negotiated once the UK triggers Article 50 is still very much up in the air. What I think will happen is this:
  • UK banks and PSPs that have functions in the EU will have to comply with PSD2 - it also makes competitive sense to support PSD2
  • PSD2's authentication requirements are pretty much the basic requirements for supporting strong customer authentication, and it makes common sense to support them, especially the risk-based authentication services that allow lower-risk payment transactions to be exempted from strong customer authentication
  • Some UK retail banks are owned by European organisations who will want to have a common strategy for customer authentication that supports PSD2

As the UK's ex-Prime Minister Harold Wilson said in the 1960s, "A week is a long time in politics", and I am sure that there will be much debate over the coming months and years about the relevance of EU legislation to the UK. If you are a UK bank and have started projects to ensure compliance with PSD2, then I am pretty sure that these will not be halted as a result of Brexit.

Please let me know your thoughts by commenting on this blog. Thank you, and remember that in the global economy no nation is an island!

You can download the Goode Intelligence White Paper "The impact of PSD2 on authentication and security" from here.

Thursday 7 July 2016

The Future of Mobile Security

Mobility is the new normal for enterprise users. With forecasts from the GSMA predicting that 80 percent of adults on earth will have a smartphone by 2020, these always-connected, always-on devices are the most popular personal computer in history.

The use of smart mobile devices (smart phones and tablets running mobile platforms such as Apple iOS and Google Android) in the enterprise is rising rapidly each year. Figures from Citrix indicate that the number of smart mobile devices (SMD) managed in the enterprise increased by 72 percent from 2014 to 2015.

What is surprising, however, is that the enterprise is not fully embracing mobile. Whether it is an employee-owned Android smartphone or a company-issued and controlled iPhone, productivity-enhancing enterprise services are still relatively scarce. Outside of email and calendar applications there are relatively few examples of enterprise mobile apps. This differs from consumer adoption of mobile, where it dominates social, financial services, commerce and entertainment.

So why is this? The latest white paper from Goode Intelligence explores the issues facing the enterprise in delivering services to mobile. The report finds that a mixture of technology constraints, security concerns, and compliance with regulation and privacy law is restricting mobile enterprise services.

Enterprises do face a challenge in making productivity-enhancing applications available through smart mobile devices, but there are ways in which they can combine the convenience of mobility with strong security mechanisms that meet company security policy and comply with regulation. In covering mobile security since 2007 I have learnt that next generation mobile security solutions should have these characteristics:
  • They should focus on users
  • Support agile multi-factor authentication (MFA) with a choice of authenticator to match the context 
  • Be able to provide mobile-based single-sign-on (SSO)
  • Must protect the data, both at rest and during transmission
  • Be available in a simple to use and unified security offering

I believe that there are very few solutions that offer a unified solution supporting these characteristics, and this is why we have seen limited adoption of full-throttle enterprise services for mobile. Often an organisation will have to mix and match technology solutions to support this vision, and this can be expensive and time-consuming. A solution that combines the functionality and features of a next generation mobile security solution is the Sign&go Mobility Center from Ilex International.

This product provides an integrated security solution to solve the enterprise mobility conundrum; mixing convenience and mobile security in a unified product and provides:
  • Strong Multi-Factor Authentication supporting one, two or three factors
  • Mobile SSO
  • Data Protection in a secure container

Without the combination of these features, organisations will remain limited in what productivity-enhancing mobility solutions they can deliver.