FRICTIONLESS ADOPTION OF PAYMENT SERVICES DIRECTIVE (PSD2) WITH WSO2

Pushpalanka Jayawardhana, Senior Software Engineer, April 06, 2017

Uploaded by wso2-inc, posted 11-Apr-2017



WSO2

● Founded 2005
● 450+ employees (300 engineers)
● 375+ customers (120 new in 2016)
● Global offices
  ○ Mountain View, New York, London, Colombo, São Paulo
● 100% open source
● Deploy anywhere: on-premise or cloud

OVERVIEW

● Payment Services Directive 2 (PSD2)
  ○ Background
  ○ Objectives and Effects
  ○ Security Implications
● WSO2 Identity Server (IS)
  ○ Objectives
  ○ Application Authentication Framework
  ○ Brief Architecture
  ○ Capabilities in the direction of PSD2
    ■ Multi-factor authentication, fine grained authorization, federation...
● Use case demonstration with WSO2 IS and WSO2 API-M

PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Background

● A new European regulation
● PSD2 was published in January 2016 as the successor of PSD
● Expected to become law by January 2018
● Directly affects payment service providers and banks
● Enforces a secure mechanism for customers to authorize a third party provider (TPP) to have direct access to:
  ❏ Account and transactional data
  ❏ Make and authorize payments
● Technical guidance: EBA Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of PSD2

PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Objectives and Effects

● Making electronic payments more secure
● Establishing a platform for effective and integrated payment services
● Providing the openness required for innovation in the domain, with enhanced competition

PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Security Implications

● Two-factor authentication
● Strong authentication is required with at least two factors from the following:
  • Knowledge factors (username and password, PIN)
  • Possession factors (mobile, security device, token generator)
  • Inherence factors (fingerprint, voice, iris pattern)
● Adaptive authentication
● Access delegation with explicit user consent
● Fine grained authorization
● Open secured APIs for payment initiation and account information
● Secured communication
● Fraud detection and audit logs

PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Technology Requirements

“The draft Regulatory Technical Standards explicitly mention being based on known standards”

● User authentication (with SSO)
  ○ SAML 2.0
  ○ OpenID Connect
● Access delegation - OAuth 2.0
● Fine grained authorization - XACML
● Multi-factor authentication - SMSOTP, FIDO, DUO, MePin

WSO2 IDENTITY SERVER (IS)
Capabilities in the direction of PSD2

● Supports multi-factor, multi-option authentication
  ○ Connector store - https://store.wso2.com/store/assets/isconnector/list
  ○ MePin, SMSOTP, FIDO, DUO and much more
● Standards: SAML 2.0, OAuth 2.0, OpenID Connect, XACML 3.0, SCIM
● User management - LDAP, Active Directory, JDBC ...
● Federation framework for
  ○ Authentication
  ○ User provisioning
  ○ Identity protocol mediation
● Workflows
● Analytics with Identity Analytics Server

WSO2 APPLICATION AUTHENTICATION FRAMEWORK

CONSUME AUTHENTICATION AT API SECURITY

FINE GRAINED AUTHORIZATION

● In the authentication flow
  ○ WSO2 IS can support fine grained authorization with XACML 2.0/3.0
  ○ The user authentication decision can be affected by other factors
    ■ Eg. in a specific time interval, users cannot log in
● In the API calls
  ○ WSO2 AM can intercept the flows to apply fine grained authorization
  ○ Consumes authorization decisions from IS, acting as a PEP
    ■ Eg. the API response can be further customized according to user attributes
    ■ If the user belongs to the ‘Platinum’ tier, let them take online loans below an amount x
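
The ‘Platinum’ loan rule above written as an XACML 3.0 policy, added here as an illustration; it is not from the slides or from WSO2. The subject tier and loan-amount attribute ids (urn:example:...) and the limit of 50000 standing in for x are assumed, since the slides leave them unspecified.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed attribute ids and limit; the slides leave "x" unspecified -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:psd2:online-loan"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit online loans for Platinum-tier users below the limit; anything else is denied</Description>
  <!-- Target: this policy applies only to requests on the online-loan resource -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">online-loan</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-platinum-below-limit" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <!-- The subject's tier bag (assumed attribute id) must contain "Platinum" -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Platinum</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:example:subject:tier"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
        <!-- The requested amount (assumed attribute id) must be strictly below x, assumed 50000 -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-less-than">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:example:action:loan-amount"
                                 DataType="http://www.w3.org/2001/XMLSchema#double"
                                 MustBePresent="true"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">50000</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

With deny-unless-permit, a request that lacks the tier or amount attribute (MustBePresent="true" makes the rule Indeterminate) or that is at or above the limit evaluates to Deny, so the PEP fails closed.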


WSO2 IDENTITY SERVER ANALYTICS
Login Analytics / Session Analytics

● Track successful/failed login attempts by user, service provider and identity provider
● Detect anomalous login behavior
● Track all sessions in the system by user, and the duration of each session

REFERENCE ARCHITECTURE WITH WSO2

WSO2 Identity Server, WSO2 API Manager, WSO2 ESB