
How can Zero Knowledge Help Regulated Industries Comply with Requirements?

Compliance for Regulated Industries

Europe’s financial institutions are sleepwalking into a regulatory nightmare with security systems that are not fit to meet the requirements of the European Union’s revised Directive on Payment Services (PSD2), which was adopted in 2015. Member states had two years to transpose the new rules into national legislation, and firms are expected to be compliant from January 2018.

While the aim of the original directive was to make cross-border payments as easy, efficient and secure as “national” payments within a member state, PSD2 also seeks to improve competition by opening payment markets to new entrants in order to increase efficiency and reduce costs. Equally important as this growth opportunity are the technical implications for firms processing electronic payments: PSD2 introduces strict security requirements for the initiation and processing of electronic payments and for the protection of consumers’ financial data.

It is these twin concerns of innovation and security that should be uppermost in the minds of companies operating in this environment: the EU is deliberately opening the payments market to new entrants while demanding greater protection for transactions and consumer data. There is potential for large-scale disruption as innovative entrants seize the initiative with authentication protocols that are both more secure and cheaper to operate than the incumbents’ password-based systems. For some organizations, the new paradigm may even generate an additional revenue stream.

Strong Authentication

So what exactly does PSD2 mean for security in the financial services sector? The European Banking Authority’s regulatory technical standards under PSD2 require “strong customer authentication” to be in place by late 2018 for all organizations offering online account access or payment services. In this context, strong authentication means that a user must present two or more of the following three categories of element when requesting access, and the elements must be independent, so that compromising one does not compromise the others:

  • Something only the user has (possession, e.g. a registered device or hardware token)
  • Something only the user knows (knowledge, e.g. a password or PIN)
  • Something the user is (inherence, e.g. a fingerprint or other biometric)

A password on its own supplies only one of these elements. Adding a one-time code sent to a phone does supply a second, but both conventions still depend on a shared secret (the password or its hash, the one-time-password seed) being sent to and stored by a central authentication service, so a breach of that service, or of the channel to it, exposes every account at once.

Password databases, one-time-password seed stores and other server-side credential stores are built around a central repository that holds every user’s secret, in whole form, in one place. That makes them inherently easier to compromise than a zero-knowledge system, in which the verifier holds nothing that can be replayed as a credential. Salted, slow password hashing raises the cost of exploiting a stolen database but does not remove the exposure, and it is important to understand that two-factor authentication built on server-held seeds does not remove it either.

Eliminate Centralized Systems

Closing that gap means removing the centralized credential store altogether, in favour of a distributed cryptosystem that delivers multi-factor authentication and is inherently far more robust. In practice, this means a distributed solution where authentication keys are split into key shares using elliptic curve cryptography, and where an end user proves their identity without sending authentication credentials in whole form over the network or to a centralized system (both of which can be compromised).
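The exchange described above, as an added worked example that is not MIRACL’s code or protocol: a textbook Schnorr identification protocol over the prime-order subgroup of a safe prime, with the client’s secret assembled from two independently issued shares plus a PIN-derived scalar. The server keeps only the public verifier y = g^x and never sees x, each issuer sees only its own share, and only the commitment R, the challenge c and the response s cross the network. The function names, the toy group search and the PIN-to-scalar mapping are assumptions made for this illustration; a real deployment would use a standards-defined group and an authenticated transport, and MIRACL’s own construction differs in detail.

```python
"""Schnorr-style zero-knowledge identification with a split client secret.

Added illustration, not MIRACL's code or protocol.  The server stores only
y = g^x, never x; the client proves knowledge of x without transmitting it.
Toy group parameters are searched for at import time (an assumption for the
example); real systems use a standards-defined group such as RFC 3526.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Tuple


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Group:
    p: int  # safe prime, p = 2q + 1
    q: int  # prime order of the subgroup generated by g
    g: int  # generator of the order-q subgroup (4 = 2^2 is a quadratic residue)


def find_safe_prime_group(start: int) -> Group:
    """Deterministic search upward from `start` for prime q with 2q+1 also prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return Group(p=2 * q + 1, q=q, g=4)


GROUP = find_safe_prime_group(1 << 61)  # toy ~62-bit modulus, assumption for the example


def pin_scalar(pin: str) -> int:
    """Map the PIN to a scalar mod q (constructed stand-in for a real PIN KDF)."""
    return int.from_bytes(hashlib.sha256(b"pin:" + pin.encode()).digest(), "big") % GROUP.q


def issue_share() -> Tuple[int, int]:
    """One independent issuer: returns (secret share, public part g^share)."""
    share = 1 + secrets.randbelow(GROUP.q - 1)
    return share, pow(GROUP.g, share, GROUP.p)


def enroll(pin: str) -> Tuple[int, int]:
    """Client folds two issuer shares and the PIN into a token; server keeps only y."""
    while True:
        s1, y1 = issue_share()
        s2, y2 = issue_share()
        x = (s1 + s2) % GROUP.q          # full secret exists only transiently, on the client
        if x:                            # reject the negligible x == 0 case
            break
    token = (x - pin_scalar(pin)) % GROUP.q   # what the device stores; useless without the PIN
    y = y1 * y2 % GROUP.p                     # server-side verifier g^(s1+s2): no secret material
    return token, y


def prover_commit() -> Tuple[int, int]:
    """Fresh per-session nonce k and commitment R = g^k (k must never be reused)."""
    k = 1 + secrets.randbelow(GROUP.q - 1)
    return k, pow(GROUP.g, k, GROUP.p)


def verifier_challenge() -> int:
    """Random non-zero challenge; c = 0 would make the check vacuous."""
    return 1 + secrets.randbelow(GROUP.q - 1)


def prover_respond(k: int, c: int, x: int) -> int:
    """Response s = k + c*x mod q; reveals nothing about x for a single fresh k."""
    return (k + c * x) % GROUP.q


def verifier_check(y: int, R: int, c: int, s: int) -> bool:
    """Accept iff g^s == R * y^c, after checking R is a non-identity subgroup element."""
    if not 1 < R < GROUP.p or pow(R, GROUP.q, GROUP.p) != 1:
        return False
    return pow(GROUP.g, s, GROUP.p) == R * pow(y, c, GROUP.p) % GROUP.p


def authenticate(token: int, pin: str, y: int) -> bool:
    """One full session: device -> R, server -> c, device -> s. Only R, c, s cross the wire."""
    x = (token + pin_scalar(pin)) % GROUP.q   # reconstructed on the device for this session only
    k, R = prover_commit()
    c = verifier_challenge()
    s = prover_respond(k, c, x)
    return verifier_check(y, R, c, s)


def recover_secret_from_nonce_reuse(c1: int, s1: int, c2: int, s2: int) -> int:
    """Failure mode: two responses under the same k leak x = (s1 - s2) / (c1 - c2) mod q."""
    return (s1 - s2) * pow((c1 - c2) % GROUP.q, -1, GROUP.q) % GROUP.q
```

`authenticate` runs both sides of one session in-process; the transcript an eavesdropper sees is (R, c, s), from which x cannot be recovered, and the server’s database holds only y. `recover_secret_from_nonce_reuse` shows the check a reviewer should insist on: the nonce k must be fresh per session, because two responses under the same k reveal x outright. One caveat for the PIN split in this plain Schnorr form: y is a public value, so anyone holding a stolen device token together with y can test PIN guesses offline by computing g^(token+guess) and comparing with y. The server-side verifier must therefore be protected like a password hash, or the scheme must be designed so that what the server stores cannot be used to test guesses offline. The protocol above is honest-verifier zero-knowledge: the verifier learns nothing about x beyond the fact that the prover holds it.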

This approach delivers the practical advantage of elliptic-curve keys, which are smaller and faster to use than RSA keys of equivalent strength, and it removes the centralized authentication database that would otherwise be the attacker’s prize. It can also reduce authentication costs by an order of magnitude, which favours new market entrants seeking to provide lower-cost payment services to consumers (and established players seeking compliance without significant financial or management overhead).

PSD2 is coming, quickly. Isn’t it time that you woke up to the potential of a new way of securing your business?

MIRACL’s zero knowledge proof allows any user or device to confirm its identity without revealing the secret that identifies it, so there is no credential to intercept in transit and no credential database to steal. Learn about MIRACL Trust® multi-factor authentication, which features our zero knowledge proof.
