The Payment Services Directive 2 (PSD2) allows non-banks to provide payment services that were previously reserved for banks. The market for services that initiate a payment transaction or retrieve account balance information will grow, and will also be open to new business models and technologies. The Directive and its implementation standards require all transactions to be handled through secure channels and all data to be protected with regard to authenticity and integrity.
Qualified Certificates supporting PSD2
To achieve the security requirements, banks and PSD2 service providers will use Qualified Certificates for Websites and Qualified Certificates for Electronic Seals. Those certificates will be issued by Qualified Trust Service Providers (QTSPs) based on the new technical standard, ETSI TS 119 495, which was published in May 2018. Qualified Certificates enable identification and verification of the payment institution by a third party. Identification will be based on the legal name of an organisation, registration number and its main role(s) in the payments space.
Payment Service Provider authorization
Every PSD2 service provider and bank is authorized in their home country by the financial supervisory competent authority to provide services listed in the PSD2 directive. Information about this is published in the public registry and this registry is the main source of information. To allow automation of communication and data exchange, Qualified Certificates supporting PSD2 will include information about the authorization number of the Payment Service Provider, its home country’s supervisory competent authority and its roles. This information will be verified by a QTSP in the process of requesting the certificate, and after that this information will be included in the certificate for the purpose of identification by others.
The payment institution authorization number within the certificate will contain additional information: origin country of payment institution, payment institution supervisory body and specific number assigned to the payment institution in the public registry. If there is a need for additional information about the payment institution, this can be checked in the public registry, based on the presented authorization number.
Figure: Syntax of the authorization numbers
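A party receiving such a certificate can check the authorization number and roles described above mechanically. The following is an added example, not code from the article or from ETSI: the field layout and role OIDs are given as defined in ETSI TS 119 495 (the article itself does not spell them out), and the operation names and sample values are hypothetical.

```python
import re
from typing import NamedTuple

# Layout as defined in ETSI TS 119 495 (not spelled out in the article):
# "PSD" + ISO 3166 country code + "-" + 2-8 uppercase letters for the
# competent authority + "-" + the identifier assigned by that authority.
AUTH_NUMBER = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)")

# Role OIDs and names from ETSI TS 119 495 (also not listed in the article).
ROLES = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # issuing of card-based payment instruments
}

# Hypothetical API operations of a bank, mapped to the role each one needs.
REQUIRED_ROLE = {"initiate_payment": "PSP_PI", "read_accounts": "PSP_AI",
                 "confirm_funds": "PSP_IC"}


class AuthorizationNumber(NamedTuple):
    country: str    # home country of the payment institution
    authority: str  # supervisory competent authority
    psp_id: str     # number assigned in that authority's public registry


def parse_authorization_number(value: str) -> AuthorizationNumber:
    """Split the authorization number; reject anything that is not well formed."""
    match = AUTH_NUMBER.fullmatch(value)
    if match is None:
        raise ValueError(f"not a PSD2 authorization number: {value!r}")
    return AuthorizationNumber(*match.groups())


def is_permitted(operation: str, role_oids: list[str]) -> bool:
    """Allow an operation only if the certificate carries the role it needs.

    Unknown OIDs are ignored and unknown operations are denied (fail closed).
    """
    held = {ROLES[oid] for oid in role_oids if oid in ROLES}
    return REQUIRED_ROLE.get(operation) in held


if __name__ == "__main__":
    # Constructed sample values, as they might be read from a certificate.
    number = parse_authorization_number("PSDPL-PFSA-IP-2019/01")
    print(number, is_permitted("read_accounts", ["0.4.0.19495.1.3"]))
```

The parsed country, authority and identifier are the key for the public registry lookup mentioned above; the certificate alone does not show whether an authorization has since been withdrawn.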
There are two types of certificates directly supporting PSD2.
- The Qualified Website Certificate, which allows both parties (banks and service providers) to identify each other and build a secure channel for performing transactions. When a session is initiated, both sides of the transaction use their certificates and corresponding private keys to confirm their identity and establish secure TLS (SSL) communication. During this initiation, the validity of the Qualified Certificate is confirmed, including the status of the Qualified Trust Service Provider that issued it. The secure channel protects confidentiality and authenticity.
- The Qualified Certificate for Electronic Seal, which allows stamping of all evidence, including all data and transaction requests and confirmations. This enables all relevant information in the communication to be sealed, which in turn protects data authenticity and integrity. With this method, if the exchanged information is later needed as evidence in a dispute, the relying party can confirm who created it and that it has not been changed since it was created.
Now that the ETSI TS 119 495 standard “Certificates supporting PSD2” is published, QTSPs can update their certification policies and upgrade their systems to issue Qualified Certificates supporting PSD2. Banks and payment institutions will need to prepare their infrastructure and systems to recognize and accept these certificates. Transactions based on PSD2 certificates will start in March 2019.
Michał Tabor is the Editor of the ETSI standard TS 119 495.