How SOAR helps PSPs effectively comply with PSD2 regulations

Cybersecurity incidents are growing, both in density and complexity. Naturally, as the issue concerning cybersecurity incidents doesn’t seem to be going away anytime soon, the necessity for concise regulatory demands, such as the PSD2 regulations, on how cyber incidents are handled was nearly inevitable and rather understandable.

And even though one of the strictest regulatory demands concerning cyber incidents comes from GDPR (General Data Protection Regulation), PSD2 (Payment Services Directive) also has a set of guidelines and requirements which is a directive established by the European Union and further developed and refined by the European Bank Authority (EBA). The regulations are specifically targeted at financial institutions, namely payment service providers (PSPs).

However, given that these regulations revolve around time-based restrictions that are often challenging, PSPs need help in properly mitigating security risks that affect the payment services they provide, and this is exactly where the implementation of SOAR is of the utmost importance.

Understanding the essence of the PSD2 regulations

PSD2 is a directive on payment services that stepped into force on the 12th of January 2016 and was first applied on January 13th, 2018. Initiated by the European Union and in close cooperation with the European Central Bank, these guidelines and regulations have the goal of establishing a singular framework for PSPs that require them to impose and comply with a set of mitigation measures and control mechanisms in correlation with cybersecurity risks regarding the payment services they offer.

The reason why PSD2 imposes strict regulations for PSPs is two-fold:

• Value of personal data: Banks and other financial institutions offering payment services have access to sensitive personal data of their customers. This personal data mustn’t fall into wrong hands, ever.

• Risk of cyber fraud: Given that PSPs have access to personal data of their customers, they are often targeted by cyber fraudsters.

PSPs can’t afford to become victims of data breaches. That is why the regulations imposed with PSD2 are so rigorous and aggressive - because their goal is to leave no room for any potential mishaps.

The PSD2 guidelines cover the monitoring, detection, and reporting of security incidents and ultimately require every PSP to establish, maintain, and continuously upgrade effective incident-management procedures.

Incident classification criteria imposed by PSD2 regulations

After taking into account the existing guidelines present in PSD1, the EBA, and the ECB built upon these existing standards to use previous regulations as a basis of the framework that PSD2 will revolve around. After meticulous risk analysis, the EBA, and the ECB, adapted the regulations of PSD2 and determined the core threats and most common vulnerabilities to which PSPs are exposed the most.

In that regard, PSD2 imposes the following criteria for incident classification:

• Number of users affected

• Number of systems affected

• Number of transactions affected

• Amount of service downtime

• Level of internal escalation

• Degree of economic impact

• Effects on other providers or systems

• Reputational impact

The incident classification is based on higher and lower impact criteria. Based on these criteria, SOCs can define the severity of an incident, defining whether a certain incident is major or minor.

The challenges PSPs have with PSD2 regulations

The real challenges for PSPs come with the time frame implied for responding to incidents. According to PSD2 regulations, these are the criteria set for incident reporting:

• Initial incident report - After four hours: Initially, SOCs need to provide a detailed report stating the nature of the incident, signifying who reported it, and a short description of the incident.

• Intermediate report - At least every three days: As the investigation of the incident thickens, an in-depth analysis has to be submitted every three business days with updated details about the incident, classification, the impact of the incident, and taken mitigation measures.

• Final report - After a maximum of two weeks: The final report is supposed to include concise information regarding the root of the incident, the mitigation measures used, and recommendations for future measures.

Given that the most common challenges that PSPs have are connected to the timeframe, it’s very hard to determine whether an incident is major or not in such a short period of time.

That’s why PSPs are advised to rely on automation in order to detect and remedy cyber incidents.

Utilizing Cloud SOAR to comply with PSD2 regulations

PSD2’s guidelines state that the initial security incident reporting shouldn’t take more than four hours. That goes for the initial phase where a high-level set of details is required, including:

• Who reported the incident

• How it was detected

• A short description of the nature of the incident

• An estimation by when an update will be issued

However, given that modern cyber attacks are sophisticated and hard to detect, PSPs often have to deal with a big number of alerts on a daily basis, without being able to properly assess whether those alerts are false positives or pose actual threats.

In this regard, PSPs must provide their SOCs (Security Operations Centers) with more resources, in order for them to be more effective and handle every threat in accordance with the regulations posed by PSD2. And, the one technology that is capable of vastly improving the efficacy of SOCs is SOAR (Security Orchestration, Automation and Response).

Cloud SOAR can help PSPs meet the regulations of PSD2 in the following ways:

• Faster and more efficient incident reporting: SOAR allows analysts to be more effective as it creates extremely fast incident reports that only take a couple of minutes. SOAR provides an immediate and detailed incident report with corrective actions executed.

• Recognizing and reducing false positives: Banks are often required to deal with thousands of alerts, and naturally, not all of them are actual threats. But, they have to be dealt with, either way. And dealing with all those alerts is virtually impossible, leaving analysts with decimated resources and time spent in vain. With SOAR’s machine learning engine, analysts will only have to deal with actual incidents and high-level threats, as SOAR has the capability of recognizing and filtering false positives.

• Automating repetitive processes: One of SOAR’s major benefits is automation. SOAR allows SOCs to automate repetitive, mundane, and time-consuming tasks by effectively tackling alerts from detection to resolution in a fast and concise manner.

Cloud SOAR uses full automation, orchestration, and machine learning by leveraging its R3 Rapid Response Runbooks to enrich information and determine whether an alert deserves to be qualified as an incident.

Rely on Cloud SOAR’s unique triage and case management features

Furthermore, Cloud SOAR allows you to create immediate, advanced incident reports and quickly and effectively rule out any potential false positives that might waste your time with its unique features:

• Advanced case management: Sumo Logic’s latest patent regarding case management offers an advanced functionality designed for managing, storing, and reporting data gathered during incident categorization and resolution. It includes advanced reporting and is particularly important for incident tracking in data breaches, since it provides the exact kind of in-depth reporting needed to comply with PSD2 regulations.

• Triage: Triage is a capability that is unique to Sumo Logic’s Cloud SOAR. With Triage, Cloud SOAR can assess the characteristics and effectiveness of a possible threat or fraudulent transaction without having to generate an incident and only generates incidents after determining that the conditions for qualifying an alert as an incident are met.

In fact, one major European bank relies on Triage to eliminate the manual necessity of first-line assessment of potentially fraudulent transactions and thus, reduce the number of false positives.

So, by relying on SOAR’s unique features to automate and orchestrate cyber incidents through machine learning, PSPs can effectively meet PSD2 regulations while also largely improving their cybersecurity posture.