The second EU Payment Services Directive (PSD2) requires banks to provide an interface for authenticated account access. With the account holder's consent, so-called third party providers (TPPs) may use it to access account information and initiate payments. The implementations are supervised and reviewed by the national competent authorities on the basis of the guidelines and technical standards issued by the European Banking Authority (EBA).
The draft "EBA Guidelines on the security measures for operational and security risks under PSD2" go into more detail. They require financial institutions to review their information security comprehensively, with the aim of identifying potential vulnerabilities in their ICT systems before they can be exploited.
Security played a central role in both the specification and the implementation of the XS2A (access to account) interface. For the acceptance and secure operation of your system, you need an independent assessment: it must be demonstrated, to a standard the supervisory authority will accept, that your precautions have produced a reliably secure result. Attackers and fraudsters should not be given an opening. Are there still security gaps despite all precautions? Can the system be brought down by deliberately overloading it? Do you have to substantiate the effectiveness of your security measures to the banking supervisory authority? A penetration test provides the evidence to answer these questions.