3 min read

eIDAS: Qualified Certificates supporting PSD2

eIDAS: Qualified Certificates supporting PSD2

The Payment Service Directive 2 (PSD2) allows non-banks to provide payment services previously reserved for banks only. As a result, the market of services initiating a payment transaction or getting information about account balance will grow and open for new business models and technologies. The Directive and its implementation standards require all transactions to be handled through secure channels, and all data shall be protected regarding authenticity and integrity.

Qualified Certificates supporting PSD2

To achieve the security requirements, banks and PSD2 service providers will use Qualified Certificates for Websites and Qualified Certificates for Electronic Seals. Those certificates will be issued by Qualified Trust Service Providers (QTSPs) based on the technical standard, ETSI TS 119 495, which was published in May 2018. Qualified Certificates enable identification and verification of the payment institution by a third party. Identification will be based on the legal name of an organization, its registration number, and main role(s) in the payments space. 


Payment Service Provider authorization

Every PSD2 service provider and bank is authorized in their home country by the financial supervisory competent authority to provide services listed in the PSD2 directive. Information about this is published in the public registry, and this registry is the main source of information. To allow communication and data exchange automation, Qualified Certificates supporting PSD2 will include information about the authorization number of the Payment Service Provider, its home country’s supervisory competent authority, and its roles. A QTSP will verify this information while requesting the certificate, and it will then be included in the certificate for identification by others.


Authorization number

The payment institution authorization number within the certificate will contain additional information: origin country of the payment institution, payment institution supervisory body, and specific number assigned to the payment institution in the public registry. If there is a requirement for further information regarding the payment institution, this can be verified through the public registry based on an authorization code.

Qualified Certificate for eIDAS

Figure: Syntax of the authorization numbers


There are two types of certificates directly supporting PSD2.

  1. The Qualified Website Certificate allows both parties (Banks and service providers) to identify each other and build a secure channel for performing transactions. At the time of initiation, both sides of the transaction use their certificates and corresponding private keys to confirm their identity and establish secure SSL communication. In this initiation process, the validity of the Qualified Certificate is confirmed, including the status of Qualified Trust Service Provider who issued the certificate. A secure connection ensures confidentiality and authenticity.
  2. The Qualified Certificate for Electronic Seal, which allows stamping of all evidence, including all data and transaction requests and confirmations. This enables all relevant information in communication to be sealed, protecting data authenticity and integrity. With this method, if exchanged information will be needed as evidence for any dispute, the relying party can confirm who was its creator and that the information was not changed since it was created.


Now that the ETSI TS 119 495 standard “Certificates supporting PSD2” is published, QTSPs can update their certification policies and upgrade systems to issue Qualified Certificates supporting PSD2. In addition, banks and payment institutions will need to prepare their infrastructure and systems to recognize and accept these certificates in their systems. Transactions based on PSD2 certificates will start in March 2019.

Michał Tabor is Editor of the ETSI standard TS 119495



Download white paper



References and Further Reading

 Image: DSC09406, courtesy of Laura Wolf, Flickr (CC BY 2.0)