PSD2 and GDPR are regulations that, although now in force, still bring technical and business challenges to companies. For companies that expose APIs to partners and app developers, the governance around those APIs has become even more important. While the regulations apply to the European Union, anyone building APIs should take notice.
What is PSD2?
Payment Services Directive Two (PSD2) is a piece of legislation designed to force providers of payment services to improve customer authentication processes and to bring in new regulation around third-party involvement. One of its main purposes is to make electronic payments more secure, but it also aims to increase consumer protection and foster innovation and competition among payment service providers. On customer authentication, PSD2 introduced Strong Customer Authentication (SCA), which requires additional, independent factors to validate a user or a transaction instead of a password or card details alone, such as temporarily generated codes or fingerprint, face or voice recognition. These additional elements are independent of each other and designed to protect the confidentiality of the data being authenticated.
Another aspect of PSD2 is the creation of Open Banking, a set of new rules for payment service providers that allows regulated Third-Party Providers to offer:
- Payment Initiation Services: the payment is started from a payment provider instead of through traditional methods such as a credit card, which gives merchants information on the initiation of the payment so that the services or products purchased can be released quickly.
- Account Information Services: enable customers to access all their existing accounts in a consolidated and classified manner. For example, if one has 3 accounts in different banks, it is possible to get information on all of them from only one of them, with the types of expense classified (e.g. food, utilities, grocery) to facilitate budgeting and financial planning.
Adopted in 2007, the first Payment Services Directive (PSD1) was intended to provide the legal foundation for an EU single market for payments, improving security and innovation in payment services across the EU. The revised directive was passed by the Council of the European Union on November 15th, 2015, and member states had two years to implement the changes; in November 2017 PSD2 was supplemented with regulatory technical standards to support strong customer authentication and secure and common open standards for communication.
What is GDPR?
General Data Protection Regulation (GDPR) is a regulation that is reshaping how data is handled in all sectors. It aims to protect EU citizens from privacy and data breaches by requiring that consent be collected before anyone's data is stored or processed.
Some important concepts:
- Data Subject: a natural person
- Personal Data: any information related to the data subject that can be used to identify, directly or indirectly, the person, e.g.: name, phone, email address, medical information, etc.
- Data Controller: the entity that determines the purposes, conditions, and means of the processing of personal data
- Data Processor: the entity which processes personal data (on behalf of the data controller)
Under these definitions, the data subject needs to give consent for the data that companies request, and companies must state the correct purpose of the request. As consent can be given, it can also be withdrawn or revoked. Data subjects have a number of rights, briefly described below:
- Breach notification: it has become mandatory to notify any data breach that could “result in a risk for the rights and freedoms of individuals.”
- Right to access: data subjects have the right to ask data controllers whether, where and for what purpose their personal data is being used. They are also entitled to receive, free of charge, a copy of their personal data in electronic format.
- Right to be forgotten: data subjects have the right to request that the data controller erase their data. This implies no further processing of any of the data subject's details and potentially having third parties halt processing of the same data.
- Data portability: data subjects can receive their data in a ‘machine-readable format’ so they are able to share it with another data controller.
- Privacy by design: this states that data controllers shall implement appropriate technical and organizational measures to effectively protect the rights of the data subject.
Why are APIs impacted?
Under PSD2, Third-Party Providers have to communicate with both merchants (almost in real time) and financial institutions (to conclude the payment later on and collect the amount from the customer's account), and APIs were the most effective way to integrate, especially with merchants. Another aspect is the SCA implementation, which demands a high level of interaction to validate the customer and the transaction; when apps request confirmation to complete a transaction, APIs are a very good fit. All that said, new APIs had to be implemented to meet PSD2 requirements.
With GDPR, as explained, it becomes really important to know where customers' data has been used. APIs that connect to different backend applications, or different APIs used to update customer details in the same backend, need to be mapped in order to define the correct data flow, based on a single source of truth and a single API managing customer details.
All that said, it becomes very important to understand who is accessing your APIs and whether they are actually authorized to do so. Tracking every update made to APIs that are exposed either to partners or to internal developers also becomes critical, as an incorrect change can impact the business or even compliance.
What are the implications on API Governance?
PSD2 and GDPR have very strong security requirements, so API Governance is directly impacted: data security, access control, auditing and a strong security-based design can be achieved by defining and applying good governance practices. Below are some of the practices to consider while working on your APIs to deliver PSD2 and GDPR:
Security by Design
Both PSD2 and GDPR have requirements to enforce the security of customers' information and their transactions. While it is important to guarantee this information will be properly stored and accessible, it is also very important to design your APIs considering:
- a strong authentication mechanism, e.g. OAuth and 2FA, that ensures only authorized applications are allowed to access your APIs;
- a deep analysis of the type of data your API will manage, in order to identify Personal Identifying Information (PII) and then design and configure obfuscation or masking policies that protect PII by masking or removing it from logs, avoiding compliance issues;
- implementation of authorization policies to avoid unauthorized access and data leaks.
As businesses evolve, the data that needs to be processed changes with them, so APIs must evolve along with these needs, and different versions should be made available to partners and external/internal developers in order to provide current data and functionality and to identify who is accessing which version of your APIs. Versioning also helps in understanding what data or functionality was exposed at a particular point in time, which supports troubleshooting.
Another important aspect is the ability to audit your APIs. Every change made to them needs to be recorded so that API teams can easily identify changes made not only to the API as a whole but, most importantly, to sensitive information that needs to be securely handled. Audit functionality makes your APIs compliant not only with PSD2 and GDPR but also with other important regulations.
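The masking step above is where most implementations go wrong, because PII leaks through free-text log messages as well as through named fields. The following is an added example, not code from the original post or from any particular API platform: it classifies a hypothetical set of fields as "remove" or "mask", masks them in a structured log event, scrubs e-mail addresses and Luhn-valid card numbers out of unstructured messages, and attaches the same scrubbing to a standard Python logger. The field lists, the sample event and the regular expressions are assumptions made for the illustration.

```python
"""Masking of PII before it reaches API logs (added illustration; not the
page's code). The field classification and the sample event are constructed."""
import logging
import re

# Hypothetical outcome of the data-analysis step: which fields are PII.
REMOVE_FIELDS = {"password", "otp", "pin"}              # never logged at all
MASK_FIELDS = {"email", "phone", "card_number", "iban", "name"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# 13-19 digits, optionally separated by spaces or dashes, ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that order ids and timestamps are not masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keep_last4(value: str) -> str:
    """Mask everything except the last four characters (whitespace dropped)."""
    compact = re.sub(r"\s", "", value)
    if len(compact) <= 4:
        return "****"
    return "*" * (len(compact) - 4) + compact[-4:]


def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain if domain else "***"


def mask_value(field: str, value) -> str:
    """Field-aware masking: keep just enough to correlate a support ticket."""
    s = str(value)
    if field == "email":
        return mask_email(s)
    if field == "name":
        return s[:1] + "***"
    return keep_last4(s)          # phone, card_number, iban


def scrub_text(text: str) -> str:
    """Free text: mask card-like numbers that pass Luhn, then e-mail addresses."""
    def pan_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return keep_last4(digits) if luhn_ok(digits) else m.group(0)
    text = PAN_RE.sub(pan_sub, text)
    return EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)


def redact_event(event):
    """Walk a structured log event: drop secrets, mask PII fields, scrub strings."""
    if isinstance(event, dict):
        out = {}
        for key, val in event.items():
            k = key.lower()
            if k in REMOVE_FIELDS:
                continue
            out[key] = mask_value(k, val) if k in MASK_FIELDS else redact_event(val)
        return out
    if isinstance(event, list):
        return [redact_event(v) for v in event]
    if isinstance(event, str):
        return scrub_text(event)
    return event


class PIIFilter(logging.Filter):
    """Attach to the API's logger so unstructured messages are scrubbed too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())
        record.args = ()
        return True


# Constructed sample event, as a gateway might log a payment initiation.
SAMPLE_EVENT = {
    "api": "payments", "version": "v1",
    "customer": {"name": "Alice Example", "email": "alice@example.com",
                 "card_number": "4111 1111 1111 1111", "password": "hunter2"},
    "note": "retry for bob@example.org, ref 1234567890123",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("api")
    log.addFilter(PIIFilter())
    print(redact_event(SAMPLE_EVENT))
    log.info("SCA challenge sent to %s", "alice@example.com")
```

The Luhn check matters in practice: without it, any 13 to 19 digit reference number (order ids, timestamps in milliseconds) would be masked and the logs would lose their value for troubleshooting, which is exactly what the versioning and audit practices below rely on.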
Who accesses your APIs?
One important governance practice is to know who is accessing your APIs. API Management Platforms can provide impact analysis mechanisms that, besides showing how your APIs are connected to backend systems, show which applications are connected to them. This provides valuable information, as it allows quick identification of high-volume apps (for creating tailored plans or partnerships), supports a version migration strategy (by identifying which apps are still using old versions of the APIs) and gives an overall understanding of your API utilization. Another way to obtain such information is to implement reports on overall access to the APIs.
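The report described above can be produced from the gateway's access log when the platform does not offer it. The following is an added example, not code from the original post or from any real API Management Platform: it reads a constructed JSON-lines access log, ranks applications by volume, breaks down calls per API version, lists the applications still calling a version other than the current one, and counts requests that were denied or carried no application identity. The log format, the field names and the `CURRENT_VERSIONS` table are assumptions for the illustration.

```python
"""Access report over API gateway logs (added illustration; not the page's
code). The log format and the lines below are constructed."""
import json
from collections import Counter, defaultdict

# Constructed JSON-lines access log: one record per request.
ACCESS_LOG = """
{"ts": "2018-09-01T10:00:00Z", "app_id": "merchant-a", "api": "payments", "version": "v2", "status": 201}
{"ts": "2018-09-01T10:00:05Z", "app_id": "merchant-a", "api": "payments", "version": "v2", "status": 201}
{"ts": "2018-09-01T10:00:09Z", "app_id": "merchant-a", "api": "payments", "version": "v2", "status": 400}
{"ts": "2018-09-01T10:01:00Z", "app_id": "merchant-b", "api": "payments", "version": "v1", "status": 201}
{"ts": "2018-09-01T10:01:30Z", "app_id": "merchant-b", "api": "payments", "version": "v1", "status": 201}
{"ts": "2018-09-01T10:02:00Z", "app_id": "budget-app", "api": "accounts", "version": "v1", "status": 200}
{"ts": "2018-09-01T10:02:10Z", "app_id": null, "api": "accounts", "version": "v1", "status": 401}
"""

# Hypothetical: which version of each API is the one currently supported.
CURRENT_VERSIONS = {"payments": "v2", "accounts": "v1"}


def parse_log(text):
    """Yield one dict per non-empty line; malformed lines raise, by design."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def access_report(text, current_versions):
    per_app = Counter()                       # request volume per application
    per_api_version = defaultdict(Counter)    # api -> version -> requests
    outdated = defaultdict(set)               # app -> {(api, old version)}
    denied = Counter()                        # app -> 401/403 responses
    unidentified = 0                          # requests with no app identity
    for rec in parse_log(text):
        app = rec.get("app_id")
        if app is None:
            unidentified += 1
            app = "<unidentified>"
        per_app[app] += 1
        per_api_version[rec["api"]][rec["version"]] += 1
        if rec["status"] in (401, 403):
            denied[app] += 1
        if rec["version"] != current_versions.get(rec["api"]):
            outdated[app].add((rec["api"], rec["version"]))
    return {
        "top_apps": per_app.most_common(),
        "by_api_version": {api: dict(c) for api, c in per_api_version.items()},
        "outdated_apps": {app: sorted(v) for app, v in outdated.items()},
        "denied": dict(denied),
        "unidentified_requests": unidentified,
    }


if __name__ == "__main__":
    report = access_report(ACCESS_LOG, CURRENT_VERSIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `outdated_apps` entry is the input to the version migration strategy mentioned above, and `denied` plus `unidentified_requests` are the quickest signal that callers are reaching the API without being authorized to do so.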
Enforcing all the above with an API Management Platform
To make sure all the above practices are implemented and, most importantly, effectively applied, one could define validations in the API development process to guarantee that APIs are only made available if certain rules are satisfied. Although manual validations work, they are not very efficient and are subject to errors.
Some API Management Platforms offer governance mechanisms that enable the creation of configurable workflows to automate policies, aiming to improve the quality of APIs before they are deployed. This means validations can be applied to an API according to its stage in the API lifecycle: for example, it is possible to check for the existence of specific policies (e.g. obfuscation, data masking, logging), authentication mechanisms or even versioning before an API is deployed to an environment (Sandbox and/or Production).
By using the automated mechanisms offered by the API Platform, it is possible to achieve a higher level of compliance, accelerate time-to-market since the API validation process is fully automated, monitor governance issues in real time and reduce the risk of a non-compliant API being deployed to the production environment.
PSD2 and GDPR both require a lot of extra attention from companies that have an API strategy, as compliance around data and security are very demanding topics. API Governance practices can help achieve good results in compliance, but when implemented and enforced through the mechanisms offered by API Platforms, higher levels of quality and compliance can be achieved through automation, which also helps reduce risks and increase productivity.
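The stage-dependent validations described above can be expressed as a small policy-as-code check that runs before deployment. The following is an added example, not code from the original post or from any real API Management Platform: it defines per-stage rules (required policies, allowed authentication types), checks an API definition for versioning and for masking coverage of the PII fields it declares, and compares a weak definition with a hardened one. The definition format, the rule table and both sample definitions are hypothetical; real platforms use their own schemas and rule engines.

```python
"""Pre-deployment governance check for an API definition (added illustration;
not the page's code). The definition format, the stage rules and both sample
definitions are hypothetical."""
import re

VERSION_RE = re.compile(r"^v\d+$")

# Rules per lifecycle stage: required policies and allowed authentication.
STAGE_RULES = {
    "sandbox": {"policies": {"logging"}, "auth": {"api-key", "oauth2"}},
    "production": {"policies": {"logging", "data-masking"}, "auth": {"oauth2"}},
}


def check_api(api: dict, stage: str) -> list:
    """Return the list of rule violations; an empty list means deployable."""
    rules = STAGE_RULES[stage]
    violations = []

    policies = api.get("policies", [])
    present = {p["type"] for p in policies}
    for missing in sorted(rules["policies"] - present):
        violations.append(f"{stage}: required policy '{missing}' is not attached")

    auth = api.get("security", {}).get("type")
    if auth not in rules["auth"]:
        violations.append(f"{stage}: authentication '{auth}' not allowed, "
                          f"need one of {sorted(rules['auth'])}")

    # Versioning: an explicit version that callers can be identified by.
    version = api.get("version", "")
    if not VERSION_RE.match(version):
        violations.append("version missing or not of the form v1, v2, ...")
    elif not api.get("base_path", "").startswith(f"/{version}/"):
        violations.append(f"base_path must start with /{version}/ so the "
                          "version each caller uses is visible in access logs")

    # Every field the team classified as PII must be covered by masking.
    declared_pii = set(api.get("pii_fields", []))
    masked = set()
    for p in policies:
        if p["type"] == "data-masking":
            masked.update(p.get("fields", []))
    for field in sorted(declared_pii - masked):
        violations.append(f"PII field '{field}' declared but not covered "
                          "by a data-masking policy")
    return violations


def deployable(api: dict, stage: str) -> bool:
    return not check_api(api, stage)


# Constructed: a definition that would pass a manual glance but not the rules.
WEAK_API = {
    "name": "accounts",
    "version": "",
    "base_path": "/accounts",
    "security": {"type": "api-key"},
    "policies": [{"type": "logging"}],
    "pii_fields": ["iban", "email"],
}

# Constructed: the same API with the governance rules satisfied.
HARDENED_API = {
    "name": "accounts",
    "version": "v2",
    "base_path": "/v2/accounts",
    "security": {"type": "oauth2", "scopes": ["accounts:read"]},
    "policies": [
        {"type": "logging"},
        {"type": "data-masking", "fields": ["iban", "email"]},
    ],
    "pii_fields": ["iban", "email"],
}

if __name__ == "__main__":
    for stage in ("sandbox", "production"):
        for label, api in (("weak", WEAK_API), ("hardened", HARDENED_API)):
            print(f"{label} -> {stage}: {check_api(api, stage) or 'OK'}")
```

Keeping the rules in data rather than in scattered `if` statements is what makes the check auditable: a change to what production requires is itself a recorded change to `STAGE_RULES`, in line with the audit practice above.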