
Frictionless Adaption of PSD2 with WSO2


A close look at the security implications of PSD2, the existing technology standards that can be used to meet its requirements, and how WSO2 products can be leveraged for faster adaption of PSD2.


  1. FRICTIONLESS ADAPTION OF PAYMENT SERVICES DIRECTIVE (PSD2) WITH WSO2
     Pushpalanka Jayawardhana, Senior Software Engineer, April 06, 2017
  2. WSO2
     ● Founded 2005
     ● 450+ employees (300 engineers)
     ● 375+ customers (120 new in 2016)
     ● Global offices
       ○ Mountain View, New York, London, Colombo, São Paulo
     ● 100% open source
     ● Deploy anywhere: on-premise or cloud
  3. WSO2
  4. OVERVIEW
     ● Payment Services Directive 2 (PSD2)
       ○ Background
       ○ Objectives and Effects
       ○ Security Implications
     ● WSO2 Identity Server (IS)
       ○ Objectives
       ○ Application Authentication Framework
         ■ Brief Architecture
       ○ Capabilities in the direction of PSD2
         ■ Multi-factor authentication, fine-grained authorization, federation...
     ● Use case demonstration with WSO2 IS and WSO2 API-M
  5. PAYMENT SERVICES DIRECTIVE 2 (PSD2): Background
     ● A new European regulation
     ● PSD2 published in January 2016 as the successor of PSD
     ● Expected to become law by January 2018
     ● Directly affects payment service providers and banks
     ● Enforces a secure mechanism for customers to authorize a third party provider (TPP) to have direct access to:
       ❏ Account and transactional data
       ❏ Making and authorizing payments
     ● Technical guidance: EBA Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of PSD2
  6. PAYMENT SERVICES DIRECTIVE 2 (PSD2): Objectives and Effects
     ● Making electronic payments more secure
     ● Establishing a platform for effective and integrated payment services
     ● Providing the openness required for innovation in the domain, with enhanced competition
  7. PAYMENT SERVICES DIRECTIVE 2 (PSD2): Security Implications
     ● Two-factor authentication
       ○ Strong authentication is required with at least two factors from the following:
         ■ Knowledge factors (username and password, PIN)
         ■ Possession factors (mobile, security device, token generator)
         ■ Inherence factors (fingerprint, voice, iris pattern)
     ● Adaptive authentication
     ● Access delegation with explicit user consent
     ● Fine-grained authorization
     ● Open, secured APIs for payment initiation and account information
     ● Secured communication
     ● Fraud detection and audit logs
  8. PAYMENT SERVICES DIRECTIVE 2 (PSD2): Technology Requirements
     “Draft Regulatory Technical Standards explicitly mention that they are to be based on known standards”
     ● User authentication (with SSO)
       ○ SAML 2.0
       ○ OpenID Connect
     ● Access delegation: OAuth 2.0
     ● Fine-grained authorization: XACML
     ● Multi-factor authentication: SMS OTP, FIDO, DUO, MePin
  9. WSO2 IDENTITY SERVER (IS): Capabilities in the direction of PSD2
     ● Supports multi-factor, multi-option authentication
       ○ Connector store: https://store.wso2.com/store/assets/isconnector/list
         ■ MePin, SMS OTP, FIDO, DUO and much more
     ● Standards: SAML 2.0, OAuth 2.0, OpenID Connect, XACML 3.0, SCIM
     ● User management: LDAP, Active Directory, JDBC ...
     ● Federation framework for
       ○ Authentication
       ○ User provisioning
       ○ Identity protocol mediation
     ● Workflows
     ● Analytics with Identity Analytics Server
  10. WSO2 APPLICATION AUTHENTICATION FRAMEWORK
  11. CONSUME AUTHENTICATION AT API SECURITY
  12. FINE-GRAINED AUTHORIZATION
     ● In the authentication flow
       ○ WSO2 IS can support fine-grained authorization with XACML 2.0/3.0
       ○ The user authentication decision can be affected by other factors
         ■ e.g. in a specific time interval, users cannot log in
     ● In the API calls
       ○ WSO2 API-M can intercept the flows to apply fine-grained authorization
       ○ Consumes authorization decisions from IS, acting as a PEP
         ■ e.g. the API response can be further customized according to user attributes:
           if the user belongs to the ‘Platinum’ tier, let them take online loans below an amount x
  13. WSO2 IDENTITY SERVER ANALYTICS: Login Analytics / Session Analytics
     ● Track successful/failed login attempts by user, service provider and identity provider
     ● Detect anomalous login behavior
     ● Track all the sessions in the system by user, and the duration of each session
  14. REFERENCE ARCHITECTURE WITH WSO2
     WSO2 Identity Server, WSO2 API Manager, WSO2 ESB
  15. THANK YOU
     wso2.com
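The two fine-grained authorization examples from slide 12 (a login time window, and Platinum-tier online loans below an amount x), worked as an added Python policy-decision point with deny-overrides combining and a fail-closed enforcement point. This is an illustrative simplification written for this page, not WSO2 Identity Server's XACML engine; the window, the loan limit and the attribute names are assumed values.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed policy values: the slide leaves the interval and "amount x" unspecified.
LOGIN_BLOCK_WINDOW = ("01:00", "03:00")  # zero-padded HH:MM, so string comparison is safe
PLATINUM_LOAN_LIMIT = 50_000             # the "amount x" from the slide


@dataclass
class Request:
    """XACML-style decision request: subject, resource and action attributes, plus environment."""
    subject: dict
    resource: dict
    action: str
    environment: dict = field(default_factory=dict)


def rule_login_window(req: Request) -> str:
    """Slide example 1: during a specific time interval, users cannot log in."""
    if req.action != "login":
        return NOT_APPLICABLE
    now = req.environment.get("current_time")
    if now is None:
        return DENY  # missing environment attribute: fail closed rather than guess
    start, end = LOGIN_BLOCK_WINDOW
    return DENY if start <= now < end else PERMIT


def rule_platinum_loan(req: Request) -> str:
    """Slide example 2: Platinum-tier users may take online loans below the limit."""
    if req.resource.get("type") != "online-loan" or req.action != "apply":
        return NOT_APPLICABLE
    if req.subject.get("tier") == "Platinum" and req.resource.get("amount", 0) < PLATINUM_LOAN_LIMIT:
        return PERMIT
    return DENY


RULES = (rule_login_window, rule_platinum_loan)


def evaluate(req: Request) -> str:
    """PDP: combine rule results with deny-overrides (any Deny wins, then any Permit)."""
    results = [rule(req) for rule in RULES]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE


def pep_allows(req: Request) -> bool:
    """PEP (e.g. the API gateway): only an explicit Permit lets the call through;
    NotApplicable is refused rather than treated as an implicit allow."""
    return evaluate(req) == PERMIT
```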
