What is PSD2?
PSD2 is data-driven legislation that aims to increase competition, innovation and transparency across the European payments industry.
While the legislation brings direct challenges to banks by opening up data, it’s actually a directive that can work in banks’ favour to update their systems, increase collaboration and improve their fraud prevention and security platforms.
PSD2 will contribute to a variety of changes in the payments industry; the main points include open banking and creating an integrated payments ecosystem, increasing competition with fintechs and new entrants, and enhanced security and fraud prevention.
Opening up access to data is great news for consumers: it enables merchants and other permitted parties to accept payments without redirecting back to a third party (banks, in this case).
Banks, however, need to work hard to make their legacy systems comply with the new regulatory standards, and must have open APIs in place that ensure the reliability of third parties requesting access.
Every business planning to become a third-party payment service provider (TPP) according to the new PSD2 Payment Services Directive is required to use digital certificates created specifically for PSD2 to safeguard information security.
The “PSD2 Regulatory Technical Standards (RTS) for strong customer authentication and common and secure open standards of communication” require the use of a Qualified Certificate for Electronic Seal (QC eSeal) and a Qualified Website Authentication Certificate (QWAC), issued according to the ETSI TS 119 495 standard.
How does PSD2 work?
A simplified version of how PSD2 will work for most users is shown in the illustration below:
- First, the financial institutions, a.k.a. payment service providers (right), expose data through an application layer. This is also known as an API.
- In between the user and the API, there is an intermediary. This can be a bank or financial institution itself or a third-party provider. The latter is referred to as a TPP. When the user grants access, this intermediary can ask the bank to release the data you want them to process.
- And finally, the user. The data can be used in a range of solutions to give the user more benefits and efficiency to do a transaction with you as a business or any other party.
The solution – Powered by F5 Networks
With F5 APM, your organization can authenticate a TPP before it accesses your OpenBank API and can forward the QWAC to your app for further processing, with no changes to your app.
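
Once the gateway has authenticated the TPP and passed the QWAC on, the application still has to decide what that TPP may do. The following is an added example (not from the original page and not F5 code) that parses the PSD2 organizationIdentifier defined in ETSI TS 119 495 and checks the certificate's PSD2 role against the requested endpoint, which goes beyond what the page describes. It assumes the identifier and role names were already extracted from a validated certificate; the path-to-role mapping and the function names are hypothetical.

```python
import re
from typing import NamedTuple

# organizationIdentifier layout in ETSI TS 119 495: "PSD" + NCA country code,
# "-", NCA identifier (2-8 chars, A-Z), "-", PSP authorization number.
# Refusing control characters in the PSP part is a local hardening choice.
ORG_ID = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-([^\x00-\x1f\x7f]+)")

# PSD2 role names a certificate can carry under ETSI TS 119 495.
PSD2_ROLES = {"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"}

# Hypothetical API layout: path prefix -> role the TPP certificate must carry.
REQUIRED_ROLE = {
    "/accounts": "PSP_AI",
    "/payments": "PSP_PI",
    "/funds-confirmations": "PSP_IC",
}


class TppIdentity(NamedTuple):
    nca_country: str
    nca_id: str
    psp_id: str


def parse_org_identifier(value: str) -> TppIdentity:
    """Split a PSD2 organizationIdentifier; raise ValueError if malformed."""
    match = ORG_ID.fullmatch(value)
    if match is None:
        raise ValueError("not a PSD2 organizationIdentifier")
    return TppIdentity(*match.groups())


def authorize(org_identifier: str, cert_roles: set, path: str) -> tuple:
    """Decide whether a TPP may call `path`; returns (allowed, reason)."""
    try:
        tpp = parse_org_identifier(org_identifier)
    except ValueError as exc:
        return False, str(exc)
    if not cert_roles or not cert_roles <= PSD2_ROLES:
        return False, "missing or unknown PSD2 role"
    needed = next((role for prefix, role in REQUIRED_ROLE.items()
                   if path == prefix or path.startswith(prefix + "/")), None)
    if needed is None:
        return False, "no policy for this path"  # default deny
    if needed not in cert_roles:
        return False, f"{tpp.psp_id} lacks role {needed}"
    return True, f"{tpp.psp_id} (NCA {tpp.nca_country}-{tpp.nca_id}) as {needed}"


if __name__ == "__main__":
    # Sample input for illustration, not taken from a live certificate.
    print(authorize("PSDES-BDE-3DFD21", {"PSP_AI"}, "/accounts/42/balances"))
```

Paths without a policy entry are denied by default, so a new endpoint stays closed to TPPs until a role is assigned to it.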