The purpose of PSD2 APIs is to securely access bank account data of end users through regulated APIs. Ideally, using these regulated APIs should also imply that end user sensitive data is only ever input in the bank's interface, and never with the Account Information Service Provider (GoCardless). However, this is not always possible and depends on which authentication flow the bank uses and on its specific API implementation.
Banks generally provide 3 different authentication flows for PSD2 APIs:
- Redirect - End User is redirected to the Bank's page to authorize their consent. This might also include initial authentication.
- Decoupled - End User uses a device to authorize their consent without being redirected to the Bank's page. In this case GoCardless checks if the End User has finished authorizing their consent.
- Embedded - GoCardless asks the End User to receive a One-Time-Password (most commonly via SMS) and then enter it in the GoCardless view.
For certain banks, though, GoCardless must ask for, and in rare cases also temporarily store, sensitive credentials (such as User ID or IBAN, or in some cases password) on our side, because this is how the specific bank API has been designed by the bank itself. In almost all cases, however, GoCardless works solely as an intermediary: we pass the respective data over to the bank and delete it right after.
Affected Banks
For the following banks, GoCardless has to ask the End User for the sensitive data points listed below, in order to pass this information on to banks that provide a decoupled flow. This information is deleted from GoCardless immediately after.
- Banks that require GoCardless to request the End User ID
- Banks that require GoCardless to request the Password
- Banks that require GoCardless to request the IBAN
Special Case
DKB (Deutsche Kreditbank) in Germany is the only bank where, in addition to asking for the sensitive data, GoCardless also has to store it temporarily until the access expires (for a maximum of 90 days). To ensure the information security of said data, the information is encrypted, transferred over HTTPS, and certificates are in place. The sensitive data is thereafter deleted permanently after the access has expired (between 0-90 days).
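The two handling rules above (pass the credential to the bank and delete it immediately, or, in the DKB case, keep it until access expires but never beyond 90 days) can be expressed as a small retention policy. This is an added illustration, not GoCardless code; the class, the bank stub and the constructed dates are assumptions, and the at-rest encryption the article mentions is outside this snippet.

```python
# Added example, not GoCardless code: models the two credential-handling rules
# described above: pass the value to the bank and delete it at once, or (DKB case)
# keep it until access expires, capped at 90 days. The bank stub and all names
# are assumptions; encryption of the stored value is outside this snippet.
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MAX_RETENTION = timedelta(days=90)  # longest a credential may be held (special case)

def _wipe(buf: bytearray) -> None:
    """Best-effort overwrite so the value does not linger in memory."""
    for i in range(len(buf)):
        buf[i] = 0

class CredentialHandler:
    def __init__(self) -> None:
        self.secret: Optional[bytearray] = None
        self.purge_at: Optional[datetime] = None

    def pass_through(self, value: str, forward: Callable[[bytearray], str]) -> str:
        """Default: hand the value to the bank, then wipe it before returning."""
        buf = bytearray(value.encode())
        try:
            return forward(buf)
        finally:
            _wipe(buf)  # nothing is retained after the call

    def store_until_access_expires(self, value: str, granted_at: datetime,
                                   access_expires_at: datetime) -> datetime:
        """Special case: retain until consent expiry, never beyond MAX_RETENTION."""
        self.secret = bytearray(value.encode())
        self.purge_at = min(access_expires_at, granted_at + MAX_RETENTION)
        return self.purge_at

    def purge_if_expired(self, now: datetime) -> bool:
        """Delete the stored credential once its deadline has passed."""
        if self.secret is None or self.purge_at is None or now < self.purge_at:
            return False
        _wipe(self.secret)
        self.secret, self.purge_at = None, None
        return True

def demo() -> dict:
    """Constructed scenario: a 180-day consent is capped to 90 days of storage."""
    h = CredentialHandler()
    reply = h.pass_through("user-id-123", lambda secret: "consent-ok")  # bank stub
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    deadline = h.store_until_access_expires("DE00 IBAN", t0, t0 + timedelta(days=180))
    early = h.purge_if_expired(t0 + timedelta(days=89))
    late = h.purge_if_expired(t0 + timedelta(days=90))
    return {"reply": reply, "held_days": (deadline - t0).days,
            "purged_early": early, "purged_late": late, "cleared": h.secret is None}
```

Running `demo()` shows the pass-through value never being retained and the stored value being purged at day 90 even though the consent itself runs for 180 days.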