Within this architecture, the design of APIs must take into account the need to protect against distributed denial of service (DDoS) attacks. Fortunately, this threat is also an opportunity. Since creating systems with open APIs represents a "greenfield" development for many organizations, it provides a one-off window of opportunity to do things right from the start, by blocking attacks high up the stack and protecting the intelligence located on the lower layers.
Authenticate licensed TPPs using the TPP certificate issued by a QTSP under PSD2 and check it against the revocation list. In addition, maintain a list of licensed TPPs gathered from the EBA Register and verify each TPP against it.
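The following is an added example (not code from the original text) of how a gateway can combine the three checks just described: trusted QTSP issuer and expiry, a revocation lookup, and a lookup against a locally maintained snapshot of the EBA Register. It assumes the TLS layer has already parsed the certificate into the few fields modelled by TppCertificate (the organizationIdentifier holding the NCA-issued authorisation number and the PSD2 roles are the parts of an eIDAS PSD2 certificate this check relies on); the issuer names, serials, authorisation numbers and register contents are constructed sample data.

```python
"""Gateway-side authentication of a TPP's PSD2 certificate (added example).

Assumptions: the certificate has already been parsed by the TLS layer into
the fields below; the revocation list and the EBA Register snapshot are
loaded into memory by the operator. All sample values are constructed.
"""
from dataclasses import dataclass
from datetime import date

# PSD2 roles as carried in an eIDAS PSD2 certificate.
PSD2_ROLES = {"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"}


@dataclass(frozen=True)
class TppCertificate:
    """Subset of an eIDAS certificate relevant to TPP authentication."""
    issuer: str           # distinguished name of the issuing QTSP CA
    serial: str           # hex serial number, used for the revocation lookup
    org_identifier: str   # NCA-issued authorisation number, e.g. "PSDDE-BAFIN-123456"
    roles: frozenset      # PSD2 roles granted in the certificate
    not_after: str        # expiry as an ISO date string


# Constructed trust data: the QTSP CAs this gateway accepts.
TRUSTED_QTSP_ISSUERS = {"CN=Example QTSP PSD2 CA,O=Example QTSP,C=DE"}
# Constructed revocation list: serials the QTSP has revoked.
REVOKED_SERIALS = {"0A1B2C"}
# Constructed EBA Register snapshot: authorisation number -> licensed roles.
EBA_REGISTER = {
    "PSDDE-BAFIN-123456": {"PSP_AI", "PSP_PI"},
    "PSDDE-BAFIN-654321": {"PSP_AI"},
}


def authenticate_tpp(cert: TppCertificate, required_role: str, today: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass before the API is served."""
    if required_role not in PSD2_ROLES:
        return False, "unknown role requested"
    if cert.issuer not in TRUSTED_QTSP_ISSUERS:
        return False, "issuer is not a trusted QTSP"
    if date.fromisoformat(cert.not_after) < date.fromisoformat(today):
        return False, "certificate expired"
    if cert.serial in REVOKED_SERIALS:
        return False, "certificate revoked"
    if required_role not in cert.roles:
        return False, "certificate does not carry the required PSD2 role"
    licensed_roles = EBA_REGISTER.get(cert.org_identifier)
    if licensed_roles is None:
        return False, "TPP not found in EBA Register snapshot"
    if required_role not in licensed_roles:
        return False, "TPP licence does not cover the required role"
    return True, "ok"
```

The order matters: the cheap local checks (issuer, expiry, revocation) run before the register lookup, and a certificate that carries a role the register no longer lists for that TPP is refused even though the certificate itself is valid, which is the situation the separately maintained register list exists to catch.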
Protect against the different types of content-based attacks, such as malformed XML, malformed JSON and malicious script injection in request content.
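As an added example (not from the original text), the following validator shows what "protecting against malformed JSON and script injection" looks like at the gateway for a payment-initiation body: a size cap before parsing, rejection of duplicate keys (which the default parser silently resolves by keeping the last value), a nesting-depth cap, an allowlist of fields, and strict per-field patterns so that markup or script fragments never reach the downstream service. The field names and patterns are illustrative assumptions, and the sample bodies are constructed.

```python
"""Validation-before-consumption for a JSON request body (added example).

Assumptions: the field set and the patterns below are illustrative; a real
schema comes from the API specification. Sample bodies are constructed.
"""
import json
import re

MAX_BODY_BYTES = 16 * 1024   # hard cap applied before any parsing
MAX_DEPTH = 8                # nesting cap against deeply nested structures

# Allowlist patterns: every accepted field must match exactly.
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")
AMOUNT_RE = re.compile(r"^[0-9]{1,12}\.[0-9]{2}$")
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")
# Free text: letters, digits and a few punctuation marks only, so markup and
# script fragments (<, >, quotes, braces, semicolons) are rejected outright.
TEXT_RE = re.compile(r"^[A-Za-z0-9 .,/()+-]{0,140}$")

SCHEMA = {
    "debtor_iban": IBAN_RE,
    "creditor_iban": IBAN_RE,
    "amount": AMOUNT_RE,
    "currency": CURRENCY_RE,
    "remittance": TEXT_RE,
}
REQUIRED = {"debtor_iban", "creditor_iban", "amount", "currency"}


class ContentViolation(ValueError):
    """Raised for any body the gateway must refuse to pass downstream."""


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: json.loads would otherwise keep the last duplicate."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ContentViolation(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _depth(value, level=1):
    """Depth of the parsed structure; a scalar at the top level is depth 1."""
    if isinstance(value, dict):
        return max((_depth(v, level + 1) for v in value.values()), default=level)
    if isinstance(value, list):
        return max((_depth(v, level + 1) for v in value), default=level)
    return level


def validate_payment_body(raw: bytes) -> dict:
    """Parse and validate; returns the accepted object or raises ContentViolation."""
    if len(raw) > MAX_BODY_BYTES:
        raise ContentViolation("body too large")
    try:
        data = json.loads(raw.decode("utf-8"), object_pairs_hook=_reject_duplicate_keys)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ContentViolation(f"malformed JSON: {exc.__class__.__name__}") from None
    if not isinstance(data, dict):
        raise ContentViolation("top level must be a JSON object")
    if _depth(data) > MAX_DEPTH:
        raise ContentViolation("nesting too deep")
    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ContentViolation(f"unexpected fields: {sorted(unknown)}")
    missing = REQUIRED - set(data)
    if missing:
        raise ContentViolation(f"missing fields: {sorted(missing)}")
    for name, pattern in SCHEMA.items():
        if name in data:
            value = data[name]
            if not isinstance(value, str) or not pattern.fullmatch(value):
                raise ContentViolation(f"field {name!r} fails validation")
    return data


def check_payment_body(raw: bytes) -> tuple[bool, str]:
    """Policy-friendly wrapper returning (accepted, reason)."""
    try:
        validate_payment_body(raw)
    except ContentViolation as exc:
        return False, str(exc)
    return True, "ok"
```

The same structure applies to XML bodies, where the corresponding checks are a size cap, disabling external entity and DTD processing in the parser, and validating against a schema before any field is used.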
Use transport layer encryption such as TLS to secure the communication. In addition, any sensitive message or field in the API needs to be protected using message-level or field-level encryption.
User information and/or the TPP ID should be logged for identity tracking, using policies within the flow.
Use data masking policies to hide sensitive data when it is logged. A "validation before consumption" principle should be applied to safeguard APIs.
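The two logging points above (log the TPP ID and user information for identity tracking; mask sensitive data before it is logged) are shown together in the following added example, which is not code from the original text. It builds a structured audit entry that always carries the TPP ID and a pseudonymous user reference, applies a masking policy to IBANs and card numbers, and installs the same policy as a logging filter so that nothing reaching a log handler bypasses it. The masking patterns, the salted-hash user reference and the sample values are assumptions made for illustration.

```python
"""Identity-tracked, masked audit logging for an API flow (added example).

Assumptions: the masking patterns and record layout are illustrative; the
PSU (end user) reference is a salted hash so the raw user identifier is
never written to a log. Sample values are constructed.
"""
import hashlib
import json
import logging
import re

# Keep the country code and check digits plus the last four characters of an IBAN.
IBAN_RE = re.compile(r"\b([A-Z]{2}[0-9]{2})([A-Z0-9]{4,26})([A-Z0-9]{4})\b")
# Keep the first six and last four digits of a 16-19 digit card number.
PAN_RE = re.compile(r"\b([0-9]{6})([0-9]{6,9})([0-9]{4})\b")

# Constructed salt; in production this comes from the secret store.
PSU_HASH_SALT = b"example-salt-rotate-me"


def mask_sensitive(text: str) -> str:
    """Data masking policy applied to anything that reaches a log sink."""
    def _mask(match: re.Match) -> str:
        return match.group(1) + "*" * len(match.group(2)) + match.group(3)
    text = IBAN_RE.sub(_mask, text)
    text = PAN_RE.sub(_mask, text)
    return text


def psu_reference(psu_id: str) -> str:
    """Stable pseudonymous reference for the end user, for identity tracking."""
    return hashlib.sha256(PSU_HASH_SALT + psu_id.encode("utf-8")).hexdigest()[:16]


class MaskingFilter(logging.Filter):
    """Logging filter that masks the rendered message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_sensitive(record.getMessage())
        record.args = None
        return True


def audit_record(tpp_id: str, psu_id: str, path: str, detail: str) -> dict:
    """One structured audit entry: identity fields plus masked free-text detail."""
    return {
        "tpp_id": tpp_id,
        "psu_ref": psu_reference(psu_id),
        "path": path,
        "detail": mask_sensitive(detail),
    }


def audit_line(tpp_id: str, psu_id: str, path: str, detail: str) -> str:
    """Serialise the audit entry as one JSON line for the log pipeline."""
    return json.dumps(audit_record(tpp_id, psu_id, path, detail), sort_keys=True)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger = logging.getLogger("psd2.audit")
    logger.addFilter(MaskingFilter())
    logger.info(audit_line("PSDDE-BAFIN-123456", "psu-42", "/v1/payments",
                           "payment from DE89370400440532013000 with card 4111111111111111"))
```

Masking is applied twice on purpose: once when the record is built, so the structured field is clean, and once in the filter, so that ad-hoc log calls elsewhere in the flow are covered by the same policy.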
Use traffic management policies to prevent the infrastructure from being overwhelmed. Implement throttling and rate limiting on the number of requests allowed for a TPP in a given time period.
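As an added example (not code from the original text), the following rate limiter implements the policy just described as two token buckets: a per-TPP quota for "requests allowed for a TPP in a given time period", and a global ceiling that protects the backend as a whole even when many distinct TPPs are each within their own quota. The capacities and the injectable clock are assumptions made so the behaviour can be shown deterministically.

```python
"""Two-tier token-bucket rate limiting for TPP API traffic (added example).

Assumptions: the limits are illustrative; the TPP identity has already been
established from the client certificate; the clock is injectable so the
behaviour can be exercised deterministically.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float

    def refill(self, now: float) -> None:
        """Add tokens for the elapsed time, never exceeding the capacity."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now


class TppRateLimiter:
    """Per-TPP quota plus a global ceiling protecting the backend as a whole."""

    def __init__(self, tpp_capacity: int, global_capacity: int, per_seconds: float,
                 clock=time.monotonic):
        self.tpp_capacity = tpp_capacity
        self.tpp_rate = tpp_capacity / per_seconds
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}
        now = clock()
        self.global_bucket = Bucket(global_capacity, global_capacity / per_seconds,
                                    float(global_capacity), now)

    def allow(self, tpp_id: str, cost: int = 1) -> tuple[bool, str, float]:
        """Return (allowed, reason, retry_after_seconds); tokens are only consumed on allow."""
        now = self.clock()
        tpp = self.buckets.get(tpp_id)
        if tpp is None:
            tpp = Bucket(self.tpp_capacity, self.tpp_rate, float(self.tpp_capacity), now)
            self.buckets[tpp_id] = tpp
        tpp.refill(now)
        gb = self.global_bucket
        gb.refill(now)
        if tpp.tokens < cost:
            return False, "tpp limit", (cost - tpp.tokens) / tpp.refill_per_sec
        if gb.tokens < cost:
            return False, "global limit", (cost - gb.tokens) / gb.refill_per_sec
        tpp.tokens -= cost
        gb.tokens -= cost
        return True, "ok", 0.0
```

A denied call maps naturally to an HTTP 429 response with a Retry-After header derived from the third tuple element, and the "global limit" reason is worth counting separately in monitoring, since it fires when aggregate load, not any single TPP, is the problem.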