Protect Critical Payment Apps and Achieve PSD2 Compliance

The Revised Payments Service Directive (PSD2) requires banks to grant third-party providers access to a customer’s online account and payment services — with their permission — in a regulated and secure way via application programming interfaces (APIs).

As a result, strict new security guidelines have been issued to help mitigate operational and security risks, including requirements to:

  • Implement preventative security measures
  • Ensure data protection and confidentiality
  • Verify device and software integrity
  • Continuously monitor, detect and report security incidents
  • Analyze the threat landscape and update security measures accordingly

How Arxan Can Help with PSD2 Compliance

Arxan can help keep businesses compliant with PSD2 regulations and requirements by protecting personally identifiable information (PII) that is transmitted to and resident in mobile apps. Additionally, Arxan protects applications from reverse engineering and tampering and can report back to the business if an app is running in an unsafe environment or is actively being attacked.

PSD2 will require open banking apps to secure PII data via application hardening and data encryption, and it will require the ability to monitor, detect and report on application attacks.

Arxan helps protect open banking APIs from exploitation by hardening mobile apps through active protections, static analysis defense and advanced obfuscation techniques to deter app reverse engineering and tampering. Additionally, Arxan helps secure critical data and API data encryption keys using White-Box Cryptography, a technology designed to allow encrypted, in-app data to be accessed and to provide secure API communications — without revealing confidential information or secure keys.

Arxan Application Protection ensures app and device integrity through the continuous monitoring and reporting of app attacks and device compromise status. This near real-time threat data allows businesses to understand the origin and threat level of any attack and provides advance warning so businesses can take appropriate actions to stop attacks from going viral.

The following is a summary of PSD2 requirements and how Arxan can help businesses achieve compliance:

PSD2 Requirement Arxan PSD2 App Protection Support

Data Protection

Arxan can protect PII data resident in mobile apps via White-Box Cryptography

Secure Communication

Arxan can protect encrypted communication keys used to securely transmit PII data by:

  1. Protecting against key exposure by deterring reverse engineering attacks
  2. Encrypting communication keys via White-Box Cryptography to maintain key security

Separate Environment

Arxan supports requirements for separate software and data environments by:

  1. Detecting and alerting on compromised environments (Jailbroken/Rooted)
  2. Protecting application code via a combination of active protections (RASP) to prevent reverse engineering, static analysis defense and comprehensive code obfuscation
  3. Separating code, intellectual property and PII protection by encryption using White-Box Cryptography

Device and Software Integrity

Arxan protects device and software integrity with comprehensive code obfuscation, debug detection and alerting, to not only deter app tampering, but also to provide real-time notification of app attacks.

Threat Landscape Situational Awareness, Monitoring, Detection and Reporting

Arxan Application Protection includes an integrated, active monitoring service that provides visibility into the security posture of protected applications. Arxan-protected apps can deliver timely, actionable intelligence to help customers understand the level of risk apps are exposed to.

Arxan-protected apps can help businesses understand the difference between an app operating in a safe environment and one that is operating in a risky environment or is actively being attacked. If a protected app determines it is running in a compromised environment, or more importantly is being attacked, it can provide advance warning, allowing corrective action to be taken before an attack is completed or becomes widespread.