As PSD2 Deadline Looms, Is It Time to Jump in a Sandbox?

Denver-headquartered Ping Identity has launched a private sandbox for UK financial services sector actors to safely test and deploy the tools they need to be compliant with Open Banking security requirements.

The launch is the latest addition to a range of industry toolkits (Konsentus launched a similar sandbox last month) intended to help financial services actors make sure they are PSD2-compliant ahead of a March 2019 deadline.

What Happens in March?

In November 2017 the European Commission published its final technical standards on “Strong Customer Authentication” and “Common Secure Communication” under the revised Payment Services Directive (PSD2), which we’ll refer to hereafter simply as Open Banking.

These rules come into force on 14 March 2019.

They mean, in short, that if you want to do API-powered Open Banking or generally be part of a rapidly evolving new payments landscape, then you need to prove you can do it securely.

RTS for PSD2 + AISPs + ASPSPs + PISPs = APIs?

Computer Business Review will refrain from drowning readers in an alphabet soup of payment service acronyms (if you are already ready for the RTS for PSD2 and how it applies to ASPSPs, AISPs and PISPs, we salute you).

Essentially, however, as Open Banking creates an API-powered financial services ecosystem, security has grown increasingly important.

Yet API security itself remains – as Ping Identity CEO Andre Durand put it to Computer Business Review – “really greenfield for the whole industry”.

He added: “Open Banking in general is purely an API framework. Understanding what ‘normal’ looks like [in terms of API calls] and being able to notice ‘abnormal’ and send it off to a honeypot is really important. At the moment nobody knows if their APIs are being attacked until they go down.”

(Ping Identity earlier this year bought startup Elastic Beam, which developed an AI-powered API intelligence tool, now rolled into Ping’s portfolio as “PingIntelligence”).

Ping Identity Sandbox

Ping Identity – which names high-profile customers like HP, Netflix, Shell and the US’s top 12 banks – sees significant market opportunity in the sector and has the tools to help. It claims its “Quickstart Private Sandbox” can cut the time to Open Banking and PSD2 compliance by 90 percent.

The sandbox deploys the latest versions of the Ping Identity Platform with a set of example applications and APIs to allow service testing, the company said in a release.

The two reference applications are a sporting goods e-commerce store and a financial transaction aggregator. They integrate with a pair of test APIs for payments and accounts, which Ping has built to Open Banking’s Read/Write Data API Specifications.

This allows financial services providers to quickly carry out transaction testing and account aggregation within a security conformant framework.

“Automate the Entire Configuration”

“The process of deploying multiple security elements to meet the Open Banking Security Profile is a complex and largely manual process that can take days and it’s potentially open to misconfigurations that may be difficult to spot within this relatively new technology area,” Phil Allen, VP EMEA for Ping Identity, said in a release.

The Ping Identity sandbox is “essentially an orchestration script that automates an entire configuration”, he added.

“This also includes reporting and exception warnings in just a few minutes as part of a process that is entirely controlled by the bank within any environment they wish.”

The Ping Identity sandbox has been designed to meet the 70 technical security tests set by Open Banking Ltd and, Ping Identity said, allows automated deployment across dedicated servers, hosted and cloud configurations including AWS and Google.

 
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.