What are the Secure app requirements for SCA (secure execution ++)?
As defined by PSD2, two out of three elements have to be checked: possession (something you have), inherence (something you are) and knowledge (something you know). Article 9 of the RTS requires that if one of these elements is breached, the reliability of the other elements is not impacted. In addition, Article 9 further requires:
"Payment service providers shall adopt security measures, where any of the elements of strong customer authentication or the authentication code itself is used through a multi-purpose device, to mitigate the risk which would result from that multi-purpose device being compromised.

For the purposes of the above paragraph, the mitigating measures shall include each of the following:

- the use of separated secure execution environments through the software installed inside the multi-purpose device;
- mechanisms to ensure that the software or device has not been altered by the payer or by a third party;
- where alterations have taken place, mechanisms to mitigate the consequences thereof."
Exactly what the requirements of a "separated secure execution environment" are is not defined by the EBA, but there are two alternatives:

- If the security of the operating system is trusted, e.g. it is up to date with regard to security updates, then having a separate application for the SCA process is an acceptable alternative; or,
- If the operating system is not up to date, then other mechanisms, such as a separate containerized 'sandbox' for the SCA process, have to be used.

https://www.gsma.com/identity/wp-content/uploads/2018/02/Mobile-strong-customer-authentication-under-PSD2_March2018-FINAL.pdf
The requirements demand that the integrity of the software performing the SCA process is validated. This has to be done by the software provided by the payment service provider itself; it cannot be left to the mobile operating system. In practice this means that the integrity, confidentiality and authenticity of the secure execution environment should be verified on each use.
There must be mechanisms to report any detected breaches, and in addition it is advisable to have honeypots - tempting targets for an attacker who has managed to go undetected.
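As an added example (not from the GSMA paper or any provider's code), the per-use check described above in Go: the provider signs a manifest of component hashes at build time, and on every use the app verifies the manifest signature against a pinned provider key (authenticity), recomputes each component's SHA-256 (integrity) and returns the list of breaches to report. Component names and contents are constructed, and the manifest format is a hypothetical one chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Manifest maps each component of the SCA software (hypothetical names) to its hex SHA-256.
// The provider signs it at build time; the app ships with the provider's public key pinned.
type Manifest map[string]string

// NewManifest hashes every component; this runs on the provider's build system, not on the device.
func NewManifest(components map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range components {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical serialises the manifest deterministically so signing and verifying cover identical bytes.
func (m Manifest) Canonical() []byte {
	lines := make([]string, 0, len(m))
	for name, hash := range m {
		lines = append(lines, name+"="+hash+"\n")
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, ""))
}

// VerifyEnvironment is the check run on each use: authenticity (manifest signed by the pinned key)
// and integrity (every component matches its hash). It returns the sorted list of detected breaches;
// an empty list means the check passed, anything else is what the app reports to the provider.
func VerifyEnvironment(pub ed25519.PublicKey, m Manifest, sig []byte, components map[string][]byte) []string {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return []string{"manifest signature invalid"} // nothing below can be trusted
	}
	var breaches []string
	for name, want := range m {
		if data, ok := components[name]; !ok {
			breaches = append(breaches, "missing component: "+name)
		} else if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != want {
			breaches = append(breaches, "altered component: "+name)
		}
	}
	sort.Strings(breaches)
	return breaches
}
```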