APIs have become integral to modern software architecture, and the digital economy has exponentially increased API adoption. However, with the rise of APIs, there has been a corresponding rise in API security risks. Capturing today’s headlines are API-origin data breaches that have compromised tens of millions of sensitive customer records. This dramatic increase in API-based attacks has caught the attention of regulators and standards bodies alike, giving way to various regulations and standards to ensure that APIs are secure and that sensitive data is protected. This blog is a quick reference to catch up on the current API security regulations and standards. To allow each to maintain their respective level of importance, I cover them alphabetically.
European Payment Services Directive (PSD2)
PSD2 mandates banks to share customer financial data with authorized third-party providers (TPPs) through secure APIs. Entered into force on January 12, 2016, this directive is one of the earliest to call attention to the need for API security. PSD2 is supplemented by regulatory technical standards on strong customer authentication and common and secure open standards of communication, as well as guidelines on incident reporting and security measures for operational and security risks. Beginning September 14, 2019, payment service providers must legally comply. I expect API security to have increased emphasis within PSD2 based on its 2023 evaluation report, where adoption has only partly been realized owing to fragmentation in the quality of application programming interfaces (APIs) and deficits in data sharing. European regulators will want to turn this around.
Federal Financial Institutions Examination Council (FFIEC)
In June of 2021, the FFIEC issued the Architecture, Infrastructure, and Operations booklet, part of the series of booklets comprising their Information Technology Examination Handbook (IT Handbook). Within this booklet, the FFIEC addresses how covered entities should protect APIs, including authorization, authentication, and encryption of private, public, and third-party APIs. The booklet calls out that security needs for APIs should be assessed and implemented to mitigate risks of exposing sensitive customer or entity information, referencing the guidance provided by the OWASP API Security Project.
In August 2021, the FFIEC issued additional API protection directions within the Authentication and Access to Financial Institutions Services and Systems guidance. This guidance identifies the inventorying of APIs, effective mitigating controls for credential and API-based authentication, and secure management of API passwords.
National Institute of Standards and Technology (NIST) Special Publication 800-204
NIST SP 800-24 – Security Strategies for Microservices-based Application Systems is an analysis of multiple implementation options available for core features and configuration options in architectural frameworks, develop security strategies that counter threats specific to microservices and enhance the overall security profile of the microservices-based application. This publication goes into depth on core API protection practices. Its importance is underpinned by many regulations referencing NIST as an accepted security baseline to comply with rules and regulations.
ISO/TS 23029:2020 Web-service-based Application Programming Interface (WAPI) in the Financial Services Standard
This ISO standard, published in February 2020, defines the framework, function, and protocols for an API ecosystem that will enable online synchronized interaction. Specifically, the document defines a logical and technical layered approach for developing APIs, including transformational rules. Sets out considerations relevant to an API ecosystem’s security, identity, and registration. Specific technical solutions will not be defined, but they will be referenced in the context of specific scenarios for guidance purposes. Like NIST, ISO standards are commonly called out in rules and regulations to achieve compliance.
OWASP API Security Project
Inaugurated in 2019, the OWASP API Security Project is an initiative by the OWASP Foundation to provide software developers and security assessors with strategies and solutions to understand and mitigate APIs’ unique vulnerabilities and security risks. The latest version of the OWASP API Security Top 10 in 2023 highlights APIs’ top ten security risks that organizations should follow to protect APIs from cyberattacks. This new release added five new risks covering broken object properties, unrestricted resource consumption, server-side request forgery, lack of protection from automated threats, and unsafe consumption of APIs. OWASP has become a de facto standard for protecting APIs and is referenced by rules and regulations.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS version 4.0 explicitly includes considerations for API security within its standard. An API would come into the PCI DSS scope for any organization hosting an API interface to receive or transmit cardholder account data. Requirement 6.4.2 of PCI DSS standard version 4 calls for the continuous detection and prevention of web-based attacks. The solution would include an automated technical solution to protect public-facing web applications, including APIs. Requirement 6.3.2 calls for the security of bespoke software, including libraries and APIs.
Personal Financial Data Rights Rule (Proposed)
The Consumer Financial Protection Bureau (CFPB) proposed a rule in October 2023 that would accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data. The proposed rule requires establishing and maintaining interfaces to receive and respond to requests for covered data. Screen-scraping is no longer an accepted method; APIs have replaced it. The shift to APIs requires conformity with security specifications, including access credentials, following information security specifications in section 501 of the Gramm-Leach-Bliley Act. Organizations covered by CFPB must ensure that data security practices are adequate to safeguard covered data. API security practices and solutions are key to complying with CFPB.
U.S. Treasury Department API Guidance
In July 2018, The U.S. Treasury Department issued a report addressing the core principles outlined in Executive Order 13772 in February 2017. Of particular importance is for financial entities to move away from screen-scraping to more secure access methods to reduce cybersecurity and fraud risks that can occur when consumers provide login credentials to access fintech applications. The report calls out the need to transition to an API method of instantaneously and safely transferring data.
Final Thoughts
Plenty of motivation exists to protect APIs; however, regulators and standards bodies have upped the motivation. Regulations and standards go hand-in-hand. Referencing an authoritative standard is a sound practice to ensure compliance with a regulation. I don’t expect the light to stop shining on APIs, as 2024 will likely bring more regulatory scrutiny around API use and security. One way you can check your regulatory and standards preparadness is to look into Cequence’s free API security assessment. Contact me here to share your thoughts on API security rules and regulations. If you want to keep up with my blogs on related IT security issues, go here.
