EADTrust offers several services related to the issuance of PSD2 qualified certificates, including the issuance of test certificates.
But what are PSD2 certificates?
PSD2 certificates are specialized digital certificates mandated under the European Union’s Revised Payment Services Directive (PSD2, EU Directive 2015/2366), designed to enhance the security, transparency, and interoperability of electronic payment systems across the EU. Introduced to foster open banking, PSD2 requires financial institutions, such as banks, and third-party providers (TPPs) to allow secure access to customer account data and payment services, provided customer consent is given. To facilitate this securely, PSD2 mandates the use of qualified electronic certificates compliant with the eIDAS Regulation (EU No 910/2014), which ensures trust and authenticity in electronic transactions.
These certificates serve as a digital “company ID” for payment service providers (PSPs), identifying them and their roles within the payment ecosystem while securing communications between parties, such as banks (Account Servicing Payment Service Providers, or ASPSPs) and TPPs. The certificates are critical for meeting the Regulatory Technical Standards (RTS) outlined in EU 2018/389, particularly Article 34, which specifies requirements for strong customer authentication (SCA) and secure communication channels. Issued by Qualified Trust Service Providers (QTSPs) listed in the EU Trusted List, PSD2 certificates ensure that only authorized entities can access sensitive financial data or initiate payments, thereby reducing fraud and enhancing consumer protection.

Types of PSD2 Certificates
There are two primary types of PSD2 certificates, each serving distinct purposes within the PSD2 framework:
- Qualified Website Authentication Certificate (QWAC):
  - Purpose: QWACs are used to establish a secure, encrypted Transport Layer Security (TLS) connection between parties, such as a TPP and a bank’s API. They authenticate the identity of the PSP or TPP and secure the communication channel, ensuring data confidentiality and integrity during transmission.
  - Use Case: QWACs are mandatory for identifying PSPs when they access a bank’s dedicated interface (API) or fallback mechanism (emergency interface). They are akin to Extended Validation (EV) TLS/SSL certificates but include additional PSD2-specific fields.
  - Technical Details: QWACs rely on a minimum key length of 2048 bits and are generated using a Certificate Signing Request (CSR) that includes the public key and specific attributes (e.g., Organization, Country).
- Qualified Certificate for Electronic Seal (QSealC or QSEAL):
  - Purpose: QSealCs provide a digital signature or “seal” on data or messages exchanged between parties, ensuring the data’s origin and integrity. They prevent tampering and offer non-repudiation, meaning the sender cannot deny having sent the message.
  - Use Case: QSealCs are used to sign requests or transactions (e.g., payment initiation or account information retrieval), providing evidence of the request’s authenticity. While not always mandatory, some banks or standards (e.g., Berlin Group’s NextGenPSD2) may require their use alongside QWACs.
  - Technical Details: QSealCs require a minimum key length of 3072 bits for higher security. They can be implemented as “soft seals” (stored digitally without hardware) or with hardware security modules (HSMs) or smart cards, depending on the provider.
Both certificate types are defined under the ETSI TS 119 495 standard, which outlines their technical specifications and ensures interoperability across the EU.
Information Contained in PSD2 Certificates
PSD2 certificates include standard fields found in digital certificates, as well as additional PSD2-specific information to meet regulatory requirements. The key details are:
- Standard Certificate Fields:
  - Organization (O): The legal name of the PSP or entity.
  - Organizational Unit (OU): Optional, specifying a department or division (if applicable).
  - Common Name (CN): Typically the domain or identifier of the entity.
  - Country Code (C): The two-letter code of the entity’s home country (e.g., “DE” for Germany).
  - State or Province (S): The entity’s state or region (optional).
  - City (L): The entity’s city of operation.
- PSD2-Specific Fields (in the Qualified Certificate Statement, QC Statement):
  - Authorization Number: A unique identifier issued by the National Competent Authority (NCA) upon registration or licensing of the PSP. This links the certificate to the official public register.
  - PSD2 Roles: The specific roles or entitlements of the PSP, indicating the services they are authorized to provide (detailed below).
  - Name of the National Competent Authority (NCA): The regulatory body overseeing the PSP (e.g., BaFin in Germany, Bank of Spain in Spain).
These fields ensure that the certificate unambiguously identifies the PSP, its authorized activities, and the supervising authority, enabling banks and other parties to verify legitimacy during transactions.
Requirements for Issuance of PSD2 Certificates
The issuance of PSD2 certificates involves strict requirements to ensure security and compliance with EU regulations. These include:
- Authorization by a National Competent Authority (NCA):
  - Before applying for a certificate, a PSP must obtain a license or registration from its NCA (e.g., the Financial Conduct Authority in the UK, KNF in Poland). This process confirms the entity’s eligibility to operate as a PSP under PSD2.
  - CRR credit institutions (banks with a full banking license) do not require additional authorization and can directly apply for certificates covering all roles.
- Application to a Qualified Trust Service Provider (QTSP):
  - Certificates must be issued by a QTSP accredited under eIDAS and listed in the EU Trusted List. Examples include DigiCert, GlobalSign, and Buypass.
  - The PSP submits a Certificate Signing Request (CSR) containing the public key and required attributes, generated with specified key lengths (2048 bits for QWACs, 3072 bits for QSealCs).
- Identity Verification:
  - A natural person (e.g., an authorized signatory) must be identified to represent the PSP. This can be:
    - The signatory themselves for a Qualified Seal Card PSD2.
    - A delegated representative (subscriber’s representative) for QWACs or QSealCs, authorized via a signed request form.
  - Identification methods vary by country:
    - In Germany, PostIdent is standard.
    - Elsewhere, it may involve embassies, consulates, or notaries listed in the European Directory of Notaries.
- Validation Against Public Registers:
  - The QTSP verifies the PSP’s authorization number and roles against the NCA’s public register or the European Banking Authority (EBA) register to ensure accuracy and legitimacy.
- Technical Requirements:
  - The PSP generates and manages its own private keys, ensuring they remain secure (e.g., using an HSM for QSealCs).
  - Test certificates, which do not require an NCA license, are available for pre-authorization testing but follow the same technical standards.
- Certificate Validity and Renewal:
  - QWACs are typically valid for one year, while the validity of QSealCs may vary depending on the QTSP. Changes (e.g., to the PSP name or roles) require revocation of the old certificate and issuance of a new one, as fields cannot be edited.
Roles Encoded in PSD2 Certificates
PSD2 recognizes four distinct roles for PSPs, which define their authorized activities within the payment ecosystem. These roles are encoded in the certificates and align with the ETSI TS 119 495 standard abbreviations:
- Account Information Service Provider (AISP, PSP_AI):
  - Description: AISPs aggregate and provide consolidated views of a customer’s payment accounts (e.g., from multiple banks). They help with budgeting, expense tracking, and financial planning.
  - Function: Read-only access to account data, with customer consent.
- Payment Initiation Service Provider (PISP, PSP_PI):
  - Description: PISPs initiate payments on behalf of customers directly from their bank accounts, acting as intermediaries between merchants and banks.
  - Function: Facilitates online credit transfers or direct debits, bypassing traditional card payments.
- Account Servicing Payment Service Provider (ASPSP, PSP_AS):
  - Description: Typically traditional banks or institutions that maintain payment accounts for customers.
  - Function: Provides account management services and must open APIs for TPPs to access customer data or initiate payments.
- Payment Service Provider Issuing Card-Based Payment Instruments (PSP_IC):
  - Description: Entities authorized to issue card-based payment instruments (e.g., debit or credit cards).
  - Function: Enables card payments as part of the payment ecosystem.
A single PSP can hold multiple roles (e.g., both AISP and PISP), and these are all encoded in the certificate’s QC Statement. Banks with a full CRR license can apply for all roles without additional authorization, while TPPs must specify their roles during NCA registration.
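The fields and roles described in the two sections above are carried in the certificate as a DER-encoded QCStatement defined by ETSI TS 119 495. As an added example (it is not EADTrust's code and does not come from this page), the following pure-Python module builds such a statement, parses it back, rejects a statement with a foreign identifier or an unregistered role OID, and checks whether the decoded roles permit a given API service. The OIDs are the ones ETSI registered (0.4.0.19495.2 for the statement and 0.4.0.19495.1.1 to 0.4.0.19495.1.4 for the four roles); the example also goes slightly beyond the text by parsing the subject organizationIdentifier attribute (OID 2.5.4.97), which under ETSI TS 119 495 carries the NCA authorization number in the pattern PSD<country>-<NCA id>-<PSP number>. The NCA name "Banco de España", the NCA id "ES-BDE", the identifier "PSDES-BDE-A1234567" and the service-to-role mapping are constructed assumptions of the example, not values taken from any real certificate.

```python
import re

# ETSI TS 119 495 object identifiers (real values); every sample string further down is constructed.
PSD2_QCSTATEMENT_OID = "0.4.0.19495.2"
ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing (ASPSP)
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation (PISP)
    "0.4.0.19495.1.3": "PSP_AI",  # account information (AISP)
    "0.4.0.19495.1.4": "PSP_IC",  # issuing of card-based payment instruments
}
# Assumed mapping from an API service to the role a caller must hold (the example's own, not from ETSI).
SERVICE_ROLE = {"account-information": "PSP_AI", "payment-initiation": "PSP_PI"}

def _der_len(n):
    """DER length octets: short form below 128, long form (0x80 | count, then big-endian) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        group = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            group.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += group
    return _tlv(0x06, bytes(out))

def encode_utf8(s):
    return _tlv(0x0C, s.encode("utf-8"))

def encode_seq(*items):
    return _tlv(0x30, b"".join(items))

def encode_psd2_qcstatement(role_oids, nca_name, nca_id):
    """QCStatement { statementId = etsi-psd2-qcStatement, statementInfo = PSD2QcType { roles, nCAName, nCAId } }."""
    roles = encode_seq(*(encode_seq(encode_oid(o), encode_utf8(ROLE_OIDS[o])) for o in role_oids))
    return encode_seq(encode_oid(PSD2_QCSTATEMENT_OID),
                      encode_seq(roles, encode_utf8(nca_name), encode_utf8(nca_id)))

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_psd2_qcstatement(der):
    """Parse a DER QCStatement; reject a foreign statementId or an unregistered role OID."""
    _, body, _ = _read_tlv(der, 0)
    (_, statement_id), (_, info) = list(_children(body))
    if decode_oid(statement_id) != PSD2_QCSTATEMENT_OID:
        raise ValueError("not the PSD2 QcStatement")
    (_, roles_body), (_, nca_name), (_, nca_id) = list(_children(info))
    roles = []
    for _, role in _children(roles_body):
        (_, oid_body), _ = list(_children(role))
        oid = decode_oid(oid_body)
        if oid not in ROLE_OIDS:
            raise ValueError(f"unknown PSD2 role OID {oid}")
        roles.append(ROLE_OIDS[oid])
    return {"roles": roles, "nca_name": nca_name.decode("utf-8"), "nca_id": nca_id.decode("utf-8")}

# Subject organizationIdentifier (OID 2.5.4.97) as laid out in ETSI TS 119 495: PSD<CC>-<NCA id>-<PSP number>
ORG_ID_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z0-9]{2,8})-(.+)$")

def parse_organization_identifier(value):
    m = ORG_ID_RE.match(value)
    if not m:
        raise ValueError("organizationIdentifier does not follow the PSD2 pattern")
    return {"country": m.group(1), "nca_id": m.group(2), "authorization_number": m.group(3)}

def is_authorized(qcstatement, service):
    """True only when the decoded QcStatement carries the role the requested service needs."""
    return SERVICE_ROLE[service] in qcstatement["roles"]
```

Encoding a statement for a constructed PSP holding PSP_AI and PSP_PI and decoding it again (`decode_psd2_qcstatement(encode_psd2_qcstatement(["0.4.0.19495.1.3", "0.4.0.19495.1.2"], "Banco de España", "ES-BDE"))`) returns the two role names plus the NCA name and id; an ASPSP would run the decoded roles through `is_authorized` before serving an account-information or payment-initiation call, and would compare the `nca_id` from the statement with the one parsed out of the organizationIdentifier, since the two must name the same authority. This is deliberately only the statement-level check: trust in the certificate chain, the QTSP's presence on the EU Trusted List and revocation status are verified separately by the TLS or signature stack.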
Conclusion
PSD2 certificates (QWACs and QSealCs) are vital tools for ensuring secure, authenticated, and interoperable electronic payments under the PSD2 framework. They identify PSPs, secure communications, and protect data integrity, relying on strict issuance processes overseen by QTSPs and NCAs. Containing detailed organizational and regulatory information, they encode one or more of the four PSP roles (AISP, PISP, ASPSP, PSP_IC), reflecting the diverse functions within the open banking landscape. This robust system supports PSD2’s goals of enhancing security, promoting competition, and protecting consumers across the EU.



In Spain,