Can a malware attack be replicated to other installations of the payment software?

The PSD2 RTS requires that payment vendors should protect against “new threats to the security of electronic payments”. An example of a threat which has not been discussed that much so far is that malware is not limited to a single device, but can infest a large number of devices. This means that if a security vulnerability is found it can be automated, then quickly replicated to a large number of devices. Having a large number of accounts be compromised and part of a coordinated attack is in itself a major threat to a payment vendor.<br/><br/>

One way of protecting against this type of “mass attack” is to make sure that the secure execution environment required in the RTS Article 9 is sufficiently unique from payment transaction to payment transaction, or at least unique from installation to installation.