The PSD2 Directive opens a considerable market for new solutions in e-banking, account information services and payment initiation services. PSD2 payment services relate directly to the bank's protected data and resources, so the most important aspect related to their operation is adequate protection for the banks’ client data during the time of running a PSD2 functionality.
Every transaction according to payment initiation or account information shall be secured, the customer is authenticated for every transaction, and authentication data cannot be taken over by any proxy. When accessing an account, the PSD2 Directive requires strong customer authentication, based not only on the password, but also on the device or biometrics.
An additional requirement is to directly bind each transaction with strong authentication, in a way that confirms that the transaction specific credential was used and can not be executed for another transaction.
The technical requirements for the security of transactions between banks and payment service providers are described in the RTS (Regulatory Technical Standard) document drafted by the European Banking Authority. This document states, among other things, that digital signatures, one-time passwords and other symmetric cryptographic techniques should be used for strong customer authentication. The RTS requires to secure communication between banks and payment service providers on the basis of qualified website authentication certificates and qualified electronic certificates for electronic seals in accordance with the eIDAS regulation.
In July 2016, the eIDAS regulation introduced a single market for electronic trust services and set grounds for the legal recognition of these services, in particular the recognition by all courts and public administrations of qualified electronic signature certificates, qualified electronic seal certificates and qualified website certificates.
Qualified certificates are issued by qualified service providers in accordance with legal requirements and standards. Qualified service providers who issue certificates must meet several technical, organizational and compliance auditing requirements. One of the operational requirements for trust service providers is the validation of identity of the entity requesting a qualified certificate.
Under PSD2, qualified certificates can be issued to banks and other payment institutions. The payment service provider shall first obtain a national banking supervision authorization by the competent authorities of the home Member State (PSD2, article 5). After authorization, the authorization number is entered in the public register together with the role of the payment service provider. The law and standards define 4 roles:
Payment service providers will be able to request qualified certification service providers to issue a qualified certificate for electronic seals and a qualified website authentication certificate. These certificates will be used to protect communication between payment service providers.
A qualified website authentication certificate ensures that the communication is secured to the website or the API.
The certificate protects confidentiality and allows the payment service provider the necessary confirmation of identity. The payment service provider will call the bank’s API, ensuring direct communication with the bank, secured against eavesdropping and man in the middle attacks.
Electronic seals are used for securing data and documents originating from payment service providers. A seal guarantees the authenticity of the document - confirming that its source message or request is indicated in the seal certificate. In addition, the seal ensures the integrity of the document - being able to recognize if a document has been tampered with. Documents protected with an electronic seal can be preserved as evidence that will be independent of the system with which it was created.
The electronic seal in communication between payment services is crucial for securing all claims and transactions. The account information access service seals all requests for account information, including the expected information range in the request. Due to the seal, the account holder is able to retain the evidence of the request, ensuring unambiguous traceability of the service that provided the request.
Qualified PSD2 certificates will uniquely identify the service provider, its role, and the competent authorities of the home Member State to which they are subject. It will not be possible to issue such a certificate to an entity that is not under surveillance as a payment service provider. Certificates of entities that have ceased to provide payment services or where the scope has been changed will have their certificates revoked. To ensure the interoperability of all certifications, the Technical Committee ESI ETSI develops standards for certificates supporting PSD2. The standards will determine the way in which the information in the qualified certificate is issued to the payment service provider and the scope of the qualified service provider's commitment.
An unified payment service recognition mechanism based on qualified certificates provides a common approach to the identification of payment service providers throughout the European Union. Payment service providers, including banks, are electronically recognizable and the record of communication between these entities is secured in such a way that it can be presented as recognized evidence in each of the EU countries.
Michał Tabor is an editor of the ETSI standard describing technical and procedural requirements for PSD2 certificates.
Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (2017), by the European Banking Authority EBA