PSD2 Modelling and Simulation of APIs Presents the best path to success

The new Payment Services Directive II (“PSD 2”) deadlines are getting closer, so banks are focused on ensuring they can be compliant when the axe falls in January 2018, by which time all financial services institutions should be compliant. Although that is almost a year away, complying with the legislation is not technically simple, so much work needs to be done.

The first key components that must be made available are APIs to enable Account Integration Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to interface with existing systems within the various financial services institutions. This is not a simple task due to the complexity of the existing systems already in place:

There are inherent dangers in exposing APIs from the back office to external service providers, as PSD2 requires:

  • Security:
    • How does the financial institution know the identity of the caller?
    • How do they map that identity to their own internal identity which most are loath to expose to the outside world?
    • How do they ensure that only data related to that identity is released?
  • Functionality:
    • What APIs are required to support both the AISPs and the PISPs?
    • How will they map to existing back office and internal APIs?
  • Performance:
    • What level of load can the APIs take?
    • How can the APIs ensure that a spike in load can be handled?

Many organizations have jumped straight in and started building out the APIs using one of the many API Gateway products in the market today.

However, this is an expensive way to ‘try things out’ given the cost and complexity of rolling out this infrastructure. There are significant benefits to simulating and modelling how the end result will look first using a sandbox approach like the following:

An Agile Testing Sandbox simulates the interfaces that are required to support AISPs and PISPs. It simulates the environment upon which an application is dependent but runs independently of the real environment, on Cloud, Docker or commodity hardware and software. Consider a sandbox to be like a flight simulator for your back office environments. This offers the capability to model and simulate the APIs you expect to have to expose in advance of building out the infrastructure to expose the real APIs.

This approach can help to work cost-effectively through the issues and dangers identified earlier:

  • Security
    • Test out various identity capabilities to prove which is the best one for your organization.
    • Prove out your authorization capability to ensure that you have the level of control needed to enable or prevent access to sets of data at the appropriate level.
  • Functionality
    • Ensure that the required functionality is fully covered, enabling you to build up a validated set of requirements for your back office before building out that infrastructure.
    • Identify any gaps in your back office infrastructure in advance.
  • Performance
    • Test the level of load that may occur using the sandbox approach.
    • In fact, the sandbox approach could potentially be used as a delivery mechanism for some APIs, as the sandbox can run in the Cloud and can therefore expand or contract based on the requests being placed on it.
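
The security items above (who is calling, how that caller maps to an internal identity, and releasing only that identity's data) can be modelled as a sandbox stub before any gateway is deployed. The following is an added example, not code from this article or from Portus EVS; the tokens, identifiers, account data and the rule that only AISP callers may list accounts are constructed assumptions.

```python
# Added example: in-memory sandbox stub of an AISP-facing "list accounts" API.
# Every token, id and record below is constructed for illustration.
import hmac

# External caller credential -> (provider id, role).
PROVIDER_TOKENS = {
    "tok-aisp-demo": ("tpp-001", "AISP"),
    "tok-pisp-demo": ("tpp-002", "PISP"),
}

# (provider id, external customer reference) -> internal customer id.
# The internal id is never returned to the caller.
IDENTITY_MAP = {("tpp-001", "ext-alice"): "CUST-9001"}

# Simulated back-office records keyed by internal customer id.
BACK_OFFICE = {
    "CUST-9001": [{"account": "ACC-1", "balance": "120.50"}],
    "CUST-9002": [{"account": "ACC-7", "balance": "9800.00"}],
}

def authenticate(token):
    """Return (provider_id, role) for a known token, else None."""
    supplied = str(token).encode()
    for known, identity in PROVIDER_TOKENS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if hmac.compare_digest(known.encode(), supplied):
            return identity
    return None

def get_accounts(token, external_ref):
    """Simulated account-listing call. Returns (http_status, body)."""
    identity = authenticate(token)
    if identity is None:
        return 401, {"error": "unknown caller"}
    provider_id, role = identity
    if role != "AISP":  # assumed sandbox policy, not taken from the article
        return 403, {"error": "access denied"}
    internal_id = IDENTITY_MAP.get((provider_id, external_ref))
    if internal_id is None:
        # Same answer whether or not the customer exists: no enumeration.
        return 403, {"error": "access denied"}
    # Release only this identity's records; the internal id stays inside.
    accounts = [dict(record) for record in BACK_OFFICE.get(internal_id, [])]
    return 200, {"customer": external_ref, "accounts": accounts}
```

Swapping `authenticate` for a different identity scheme while keeping `get_accounts` unchanged is how the sandbox lets you compare identity options against the same authorization tests.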

These sandboxes are not simply built and thrown away after the project, as they can continue to be used by the AISPs and PISPs that a financial institution supports for testing new releases of their software. The sandbox environment can also be used to deliver new versions of APIs to the AISPs and PISPs for advance testing before new functionality is rolled out. In this way, the sandbox environment becomes a valuable asset that can be reused again and again long after PSD2 has been implemented and rolled out.

Portus EVS enables the creation of sandbox environments in days, supporting financial services institutions in complying with the pending PSD2 implementation deadline.