{"id":18544,"date":"2024-04-10T17:33:33","date_gmt":"2024-04-10T16:33:33","guid":{"rendered":"https:\/\/staging2022.42crunch.com\/?p=18544"},"modified":"2024-04-10T21:49:18","modified_gmt":"2024-04-10T20:49:18","slug":"addressing-api-security-regulations-in-financial-services","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/addressing-api-security-regulations-in-financial-services\/","title":{"rendered":"Addressing API Security Regulations in Financial Services"},"content":{"rendered":"<h2><span style=\"font-weight: 400;\">Introduction<\/span><\/h2>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">APIs are disrupting almost every industry vertical, and nowhere is their impact more profound than in the financial services industry. Whether helping modernize legacy systems or creating entirely new business opportunities through innovations such as OpenBanking, APIs are the lifeblood of the financial services industry. At the same time, there is increasing scrutiny on the security of these very APIs to ensure that they both meet the requirements of strict regulatory standards (such as PSD2 and PCI-DSS) and instil confidence within their customers.\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">OpenBanking depends on APIs to connect banking systems, customer devices, and third-party providers (TPPs). OpenBanking allows TTPs to provide innovative services, access account information, and initiate payments on the account holder\u2019s behalf. It is becoming widely adopted, with one in nine people in the U.K. using associated services in 2023 and a doubling in the volume of payments in that period. Due to the sensitive nature of the data and operations processed by OpenBanking APIs, providers must ensure they are implemented securely to meet regulatory requirements and customer demands.\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The overarching regulatory standard to ensure secure APIs is the European Union (EU) Payment Services Directive (PSD2), which has specific requirements for the following:<\/span><\/p>\n<ul style=\"font-weight: 400;\">\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Strong Customer Authentication (SCA): PSD2 requires the implementation of SCA to access payment accounts and initiate payment transactions through APIs.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Secure Communication: PSD2 mandates using secure communication protocols, such as TLS (Transport Layer Security), for all API communications.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">API Access and Consent Management: PSD2 requires financial institutions to provide access to customer account information and payment initiation services to authorized third-party providers (TPPs) through APIs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">API Documentation and Testing: Financial institutions must provide comprehensive and up-to-date documentation for their APIs, including technical specifications, security requirements, and integration guidelines.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Fraud Detection and Risk Management: PSD2 requires financial institutions to implement robust fraud detection and risk management mechanisms for APIs. APIs should incorporate real-time monitoring and analysis of transactions to identify and prevent fraudulent activities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Incident Reporting and Management: Financial institutions must have processes in place for reporting and managing security incidents related to APIs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Regulatory Reporting: PSD2 requires financial institutions to regularly report to regulatory authorities regarding their API implementations and compliance status. This includes reporting on API performance, security measures, incident management, and any deviations from the regulatory requirements.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Mandate For Automated API Security Testing<\/span><\/h2>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/blog.pcisecuritystandards.org\/pci-dss-v4-0-resource-hub\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Payment Card Industry Data Security Standard <\/span><\/a><span style=\"font-weight: 400;\">(PCI-DSS) version 4.0 also has specific mandates relating to software security, which providers should be aware of. Section 6.2.4 requires providers to implement automated application vulnerability security testing of public-facing web applications, APIs, and internal components. Typically, these requirements can be met by incorporating various software engineering techniques, such as secure design or static code analysis \u2014 in general, a shift-left approach is recommended. Section 6.2.3 recommends implementing a secure code review process that is well suited to an API design-first approach since reviews can be conducted on API definitions to ensure they comply with the OpenAPI Specification (OAS) and implement security best practices. Of specific interest to API providers is the new section 6.4.2, which requires affected businesses to <\/span><\/p>\n<blockquote style=\"margin: 5px; padding: 5px;\"><p>&#8220;Deploy an automated technical solution for public-facing web applications that continually detects and prevents web-based attacks.&#8221;<\/p><\/blockquote>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The technical requirements mandate that such a device be placed in front of public-facing interfaces or applications, be active and capable of either directly blocking web-based attacks or generating alerts that are immediately investigated.\u00a0\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">42Crunch works with many leading financial institutions providing and consuming APIs and we acknowledge that these requirements may initially seem daunting. Let us break them down to see how to address them.\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">To address the requirements of OpenAPI \/ PSD2, begin with the following:<\/span><\/p>\n<ul style=\"font-weight: 400;\">\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Strong Customer Authentication (SCA): APIs must support SCA and ensure that the authentication process is secure and complies with the regulatory technical standards (RTS) specified by PSD2. SCA involves a multi-factor authentication process, such as <\/span><i><span style=\"font-weight: 400;\">3DSecure<\/span><\/i><span style=\"font-weight: 400;\">.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Secure Communication: APIs must ensure the confidentiality and integrity of sensitive payment data transmitted between parties. Proper encryption mechanisms should protect data in transit and at rest.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">API Access and Consent Management: Open Banking APIs require explicit customer consent for TPPs to access their data or initiate payments on their behalf. Consent management mechanisms allow customers to view, manage, and revoke consents easily.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data Minimization and Purpose Limitation: Open Banking APIs adhere to the principles of data minimization and purpose limitation, meaning that TPPs should only request and access the minimum amount of data necessary for the specific service they provide. APIs should have granular data access permissions to ensure that TPPs can only retrieve the specific data points they need and cannot access unnecessary customer information.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use OAuth2 and OpenID Connect: OAuth2 is a robust mechanism for managing API authorization, allowing granular user control of delegated access, while OIDC allows strong proof of identity using a standard mechanism.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use Financial Grade API (FAPI): The standard provides additional security features at the authorization server, tightening behaviors by segmenting TPP permissions.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">API Documentation and Testing: APIs should be thoroughly tested to ensure they meet PSD2 requirements, including functional testing, security testing, and performance testing.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Incident Reporting and Management: Ensure that all API access is sufficiently logged to a central location and that a continuous monitoring process is implemented to ensure that incidents and events are investigated timeously.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">How to Automate API Security\u00a0<\/span><\/h2>\n<p style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">42Crunch provides a range of solutions across the SDLC that address many of these requirements. PCI-DSS sections 6.2.3 and 6.2.4 mandate the use of tooling to address design issues early in the development lifecycle, and here, the <\/span><a href=\"https:\/\/staging2022.42crunch.com\/api-security-audit\/\"><span style=\"font-weight: 400;\">42Crunch API Audit<\/span><\/a><span style=\"font-weight: 400;\"> product can address design issues in the earliest development stage, namely the API definition. The 42Crunch API Scan product is able to assess the API implementation as the developer builds the API in their IDE or anywhere further down the pipeline. The API Scan validates the API implementation against the definition and is able to detect deviations in a continuous manner with low false positives. This Audit and Scan combination can also address the needs of OpenAPI\/PSD2 by enforcing well-documented APIs (via the OpenAPI definition) and a regimen of continuous testing across the lifecycle.<\/span><\/p>\n<p style=\"font-weight: 400;\"><a href=\"https:\/\/staging2022.42crunch.com\/micro-api-firewall-protection\/\"><span style=\"font-weight: 400;\">42Crunch API Protect <\/span><\/a><span style=\"font-weight: 400;\">is an API micro-firewall ideally suited to providing coverage for PCI-DSS section 6.4.2, which requires an inline solution with protection capability. The firewall is able to inject itself into the backend API data path (as a reverse proxy) and enforce the API definition at runtime by blocking invalid requests or data payloads. This would also address the OpenAPI\/PSD2 requirements for ensuring data minimization (by blocking excessive data exposure), and by providing continuous API monitoring and reporting via various SIEM integrations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The regulatory landscape for financial services API providers is only likely to become more stringent as more standards are enforced or existing standards (such as PCI-DSS) are bolstered. A broad focus on <\/span><i><span style=\"font-weight: 400;\">shift-left <\/span><\/i><span style=\"font-weight: 400;\">and simultaneous <\/span><i><span style=\"font-weight: 400;\">shield-right <\/span><\/i><span style=\"font-weight: 400;\">approaches is likely to ease the burden on implementors and providers alike.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/staging2022.42crunch.com\/mastering-secure-api-development-with-github-and-42crunch\/\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-18554 alignleft\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/04\/Mastering-Secure-API-Development-with-42C-GitHUb-CTA.png\" alt=\"\" width=\"962\" height=\"301\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/04\/Mastering-Secure-API-Development-with-42C-GitHUb-CTA.png 846w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/04\/Mastering-Secure-API-Development-with-42C-GitHUb-CTA-300x94.png 300w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/04\/Mastering-Secure-API-Development-with-42C-GitHUb-CTA-768x241.png 768w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction APIs are disrupting almost every industry vertical, and nowhere is their impact more profound than in the financial services industry. Whether helping modernize legacy systems or creating entirely new business opportunities through innovations such as OpenBanking, APIs are the lifeblood of the financial services industry. At the same time, there is increasing scrutiny on [&hellip;]<\/p>\n","protected":false},"author":10,"featured_media":18546,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"Addressing API Security Regulations in Financial Services","_seopress_titles_desc":"The regulatory landscape for financial services API providers is likely to become more stringent. A focus on shift-left and simultaneous shield-right approaches will ease the burden on providers.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"disabled","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"class_list":["post-18544","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18544"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=18544"}],"version-history":[{"count":2,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18544\/revisions"}],"predecessor-version":[{"id":18557,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18544\/revisions\/18557"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/18546"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=18544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=18544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=18544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}