PSD2 compliance

EU's Payment Services Directive

According to the European Commission¹:

The [current] Payment Services Directive (PSD) was adopted in 2007. This legislation provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU. The objective is to make cross-border payments as easy, efficient and secure as 'national' payments within a Member State.

PSD2

Also, according to the European Commission²:

The Commission proposed to review the PSD to modernise it to take account of new types of payment services, such as payment initiation services ....

....

[PSD2's] main objectives are to:

• Contribute to a more integrated and efficient European payments market
• Improve the level playing field for payment service providers (including new players)
• Make payments safer and more secure
• Protect consumers
• Encourage lower prices for payments

....

To make electronic payments safer and more secure, PSD2 introduces enhanced security measures to be implemented by all payment service providers, including banks. The EBA will develop specific and objective security standards to that end.

PSD2 Security directives and regulations are written at a high level and the detailed implementation is being left to the industry. However, data security regulations related to PSD2 will almost certainly be subject to the same stringency as the General Data Protection Regulation (GDPR).

The inherent data-security challenge industry observers see in PSD2 is strengthening security to reduce fraud while not causing too much disruption to the end user experience.

Thales has a comprehensive set of solutions that can help organisations comply with PSD2 across all areas where data needs to be protected -- at rest, in motion and in use.

¹ https://ec.europa.eu/commission/presscorner/detail/en/MEMO_15_5793
² Ibid

An integrated compliance solution

Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales offers integrated products and services that enable your organisation to protect stored cardholder data, encrypt it for transfer and restrict access on a need-to-know basis. In addition, Thales works closely with partners to offer comprehensive solutions that can reduce the scope of your compliance burden.

Addressing the data-security every step of the way

Thales offers comprehensive data protection solutions that help organisations protect financial and personal information every step of the way:

• Protect transaction and personal data at rest: Thales’ CipherTrust Manager and Luna Hardware Security Modules (HSMs) enable organisations to centrally manage encryption keys and deliver a variety of encryption, tokenisation and data masking solutions to protect transaction and personal data in files, folders, applications and databases in both traditional and cloud or virtualised environments.
• Encrypt financial transactions and personal data in motion: Thales High Speed Encryptors (HSE) encrypt all data that traverses open networks (e.g. between point-of-sale devices and systems that process cardholder data).
• Develop and maintain secure systems and applications: Thales Luna HSMs enable organisations to securely store signing material in a trusted hardware device, thus ensuring the authenticity and integrity of any application code files.
• Implement strong access control measures: Thales CipherTrust products can be set up for unique, multifactor administrative access to enterprise systems on-premises and in the cloud. In addition, SafeNet Trusted Access enables you to centrally manage unique user identities, risk-based authentication policies, and add/revoke access to systems across hybrid IT.
• Track and monitor all access to sensitive data: All products in the Thales CipherTrust data protection portfolio produce audit records that log any encryption key lifecycle operations (creation/deletion/rotation/revocation) and other administrative functions that can be used to reconstruct events.