The Payment Services Directive 2 (PSD2) allows non-banks to provide payment services that were previously reserved for banks. The market for services that initiate a payment transaction or retrieve account balance information will grow and will be open to new business models and technologies. The Directive and its implementing standards require that all transactions be handled through secure channels and that the authenticity and integrity of all data be protected.

Qualified Certificates supporting PSD2

To achieve the security requirements, banks and PSD2 service providers will use Qualified Certificates for Websites and Qualified Certificates for Electronic Seals. Those certificates will be issued by Qualified Trust Service Providers (QTSPs) based on the new technical standard, ETSI TS 119 495, which was published in May 2018. Qualified Certificates enable identification and verification of the payment institution by a third party. Identification will be based on the legal name of an organisation, registration number and its main role(s) in the payments space.  

Payment Service Provider authorization

Every PSD2 service provider and bank is authorized in its home country by the financial supervisory competent authority to provide services listed in the PSD2 directive. This authorization is published in the public registry, which is the main source of information. To allow automation of communication and data exchange, Qualified Certificates supporting PSD2 will include the authorization number of the Payment Service Provider, its home country’s supervisory competent authority and its roles. A QTSP verifies this information when the certificate is requested, and it is then included in the certificate so that others can identify the provider.

Authorization number

The payment institution authorization number within the certificate will contain additional information: the origin country of the payment institution, its supervisory body and the specific number assigned to the payment institution in the public registry. If additional information about the payment institution is needed, it can be looked up in the public registry using the presented authorization number.

Figure: Syntax of the authorization numbers
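A relying party can split the authorization number into the three parts described above and compare the certificate's claims with the registry entry. The sketch below is an added example, not code from the article or from the standard: it assumes the ETSI TS 119 495 layout ("PSD", country code, supervisory authority identifier, institution number, separated by hyphens) and the standard's role labels, and the registry content and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed layout (ETSI TS 119 495): "PSD" + 2-letter country code + "-" +
# 2-8 uppercase letters naming the competent authority + "-" + the number
# the authority assigned to the institution (may itself contain hyphens).
_AUTH_RE = re.compile(r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<psp>.+)")

@dataclass(frozen=True)
class PspAuthorization:
    country: str  # country of the supervisory competent authority
    nca_id: str   # identifier of that authority
    psp_id: str   # number assigned to the institution in the public registry

def parse_authorization_number(value: str) -> PspAuthorization:
    """Split an authorization number into its fields; ValueError if malformed."""
    if not value.isprintable() or value != value.strip():
        raise ValueError("control characters or surrounding whitespace")
    m = _AUTH_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not a PSD2 authorization number: {value!r}")
    return PspAuthorization(m["country"], m["nca"], m["psp"])

# Constructed stand-in for a public registry lookup (hypothetical data).
SAMPLE_REGISTRY = {
    ("ES", "BDE", "3DFD21"): {"PSP_PI", "PSP_AI"},
}

def check_claims(auth_number, cert_roles, registry=SAMPLE_REGISTRY):
    """Return a list of findings; an empty list means the claims match."""
    try:
        auth = parse_authorization_number(auth_number)
    except ValueError as exc:
        return [str(exc)]
    registered = registry.get((auth.country, auth.nca_id, auth.psp_id))
    if registered is None:
        return ["authorization number not found in registry"]
    # Roles asserted in the certificate must all be present in the registry.
    return [f"role not registered: {r}" for r in sorted(set(cert_roles) - registered)]

if __name__ == "__main__":
    print(parse_authorization_number("PSDES-BDE-3DFD21"))  # constructed sample
    print(check_claims("PSDES-BDE-3DFD21", {"PSP_PI", "PSP_AS"}))
```
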

Certificates 

There are two types of certificates directly supporting PSD2.

  1. The Qualified Website Certificate, which allows both parties (banks and service providers) to identify each other and build a secure channel for performing transactions. At initiation, both sides of the transaction use their certificates and corresponding private keys to confirm their identity and establish secure SSL communication. During this initiation process the validity of the Qualified Certificate is confirmed, including the status of the Qualified Trust Service Provider that issued the certificate. The secure channel protects confidentiality and authenticity.

  2. The Qualified Certificate for Electronic Seal, which allows stamping of all evidence, including all data and transaction requests and confirmations. This enables all relevant information in communication to be sealed, which in turn protects data authenticity and integrity. With this method, if exchanged information is needed as evidence in a dispute, the relying party can confirm who created it and that it has not been changed since it was created.

Standard

Now that the ETSI TS 119 495 standard “Certificates supporting PSD2” is published, QTSPs can update their certification policies and upgrade systems to issue Qualified Certificates supporting PSD2. Banks and payment institutions will need to prepare their infrastructure and systems to recognize and accept these certificates. Transactions based on PSD2 certificates will start in March 2019.

Michał Tabor is Editor of the ETSI standard TS 119 495.

 
