Mapping layered security with AA ecosystem APIs
Category | AA | FIP | FIU | Layered Security consideration for Request and Response |
Account Discovery and Linking | Χ |
| Χ |
|
|
| |||
|
| |||
Consent |
|
| Χ |
|
Consent Handle Management |
| Χ | Χ |
|
|
| |||
FI Data Flow |
|
| Χ |
|
|
|
| ||
Notification |
|
|
|
|
Monitoring |
|
| Χ |
|
Security Requirement 1 [SR1]: The Account discovery request and response implements the application layer security and protocol layer security. The security goals of implementing the application layer security are authenticating the sender, overcome the man-in-the-middle attack, preserve the integrity of the request and response data. Along with application layer security, the protocol layer security encrypts the request and response body while in transit by using TLSv1.2. In this way, the encryption of payload ensures that the data including PII is a secure during data-in-transit without any additional encryption mechanism for PII.
Security Requirement 2 [SR2]: The Account linking/delinking follows the same security requirements as defined in Security Requirement 1[SR1].
Security Requirement 3 [SR3]: The Authenticating link/delink uses GET API call to submit the token for verifying the customer based on industry standard RESTful API design principle. The Application layer security by generating the x-jws-signature on GET URL request ensures that the OTP is submitted by authentic customer and overcome the replay attack. The time-bounded space of OTP is restricted to access only for short time for OTP submission and validation. The payload encryption with api key also ensure that the only authentic requester can call this API to submit the OTP which is non-PII data.
Last updated