NextGenPSD2 certification | SRC launches audits for XS2A
Are you ready to certify your NextGenPSD2 implementation?
The revised Payment Services Directive (PSD2) requires banks to allow authorized third parties access to customer data. These third party payment service providers (TPP) are to be granted access via a programming interface (XS2A) with the customer’s consent. With this data, TPPs will be able to offer innovative payment initiation and account information services. The NextGenPSD2 certification promotes the implementation of a uniform standard.
Most banks and API providers in Europe implement the XS2A interface using the NextGenPSD2 framework of the Berlin Group. This is an open and Europe-wide harmonized solution for implementing the PSD2 requirements for the XS2A interface.
The correct implementation of the XS2A interface relieves the institute from implementing a fallback interface solution. The NextGenPSD2 Implementation Support Program (NISP) offers the participants a testing framework with test concept, test case catalog, compliance best practices and test tool requirements. The implementing institute evaluates its own work. As a result, the implementation is completed. It remains to be seen if this self-assessment will be considered sufficient by the supervisory authority (NCA).
Why should you undergo the NextGenPSD2 certification?
The self-assessment of the NextGenPSD2 implementation already offers a high level of quality. However, different interpretations of the specification can lead to interoperability problems. There is currently no documented agreement between banks and third-party providers on the exact implementation of the XS2A interface. This increases the probability that the responsible supervisory authority of the banks will refuse the exemption from the implementation of a fallback interface solution.
SRC has extensive and detailed expertise from its involvement in the specification and implementation of the XS2A interface as part of NISP. On this basis, we have developed the NextGenPSD2 certification for you.
How does the NextGenPSD2 certification process work?
Requirements for the NextGenPSD2 certification are the test case catalogue, the implementation profile and the test specification of the implementing institute. SRC uses these requirements to carry out a complete functional, security and performance audit of the NextGenPSD2 implementation.
Audit Validation
During validation, the implementation is reviewed with respect to the requirements of the documentation.
Functional part
In the functional part, the test specifications are executed and the results are verified.
Non-functional part
In the non-functional part, the availability of the implementation (stress test) is determined and evaluated at relevant points.
Security test
In the security test, methods of penetration testing are used. It is evaluated if the implementation of the XS2A interface offers sufficient protection against fraud attempts on customer data and transactions.
The certification is documented in a final report. If all requirements are at least sufficiently fulfilled, the institute receives an SRC certificate. With this certificate, the conformity of the implemented XS2A interface can be demonstrated to third parties and the supervisory authority. Based on the first certification, regression audits can be carried out in the future.
SRC consulting services for development optimization or for creating the test specification can be used to prepare for the NextGenPSD certification.
Why SRC?
As a co-editor of the NextGenPSD2 Framework and the NISP Testing Framework, SRC has a deep understanding of the NextGenPSD2 standards and all tasks associated with testing. In addition, SRC has many years of experience in developing test environments with many licensed auditors for multiple functional and security evaluations according to formal certification schemes. As a result, SRC is able to carry out a high-quality audit with manageable effort.
Are you interested in NextGenPSD2 certification? Then please contact us at info@src-gmbh.de.