eIDAS: Qualified Certificates supporting PSD2

The Payment Service Directive 2 (PSD2) allows non-banks to provide payment services previously reserved for banks only. As a result, the market of services initiating a payment transaction or getting information about account balance will grow and open for new business models and technologies. The Directive and its implementation standards require all transactions to be handled through secure channels, and all data shall be protected regarding authenticity and integrity.

Qualified Certificates supporting PSD2

To achieve the security requirements, banks and PSD2 service providers will use Qualified Certificates for Websites and Qualified Certificates for Electronic Seals. Those certificates will be issued by Qualified Trust Service Providers (QTSPs) based on the technical standard, ETSI TS 119 495, which was published in May 2018. Qualified Certificates enable identification and verification of the payment institution by a third party. Identification will be based on the legal name of an organization, its registration number, and main role(s) in the payments space. 

Payment Service Provider authorization

Every PSD2 service provider and bank is authorized in their home country by the financial supervisory competent authority to provide services listed in the PSD2 directive. Information about this is published in the public registry, and this registry is the main source of information. To allow communication and data exchange automation, Qualified Certificates supporting PSD2 will include information about the authorization number of the Payment Service Provider, its home country’s supervisory competent authority, and its roles. A QTSP will verify this information while requesting the certificate, and it will then be included in the certificate for identification by others.

Authorization number

The payment institution authorization number within the certificate will contain additional information: origin country of the payment institution, payment institution supervisory body, and specific number assigned to the payment institution in the public registry. If there is a requirement for further information regarding the payment institution, this can be verified through the public registry based on an authorization code.

Figure: Syntax of the authorization numbers

Certificates 

There are two types of certificates directly supporting PSD2.

1. The Qualified Website Certificate allows both parties (Banks and service providers) to identify each other and build a secure channel for performing transactions. At the time of initiation, both sides of the transaction use their certificates and corresponding private keys to confirm their identity and establish secure SSL communication. In this initiation process, the validity of the Qualified Certificate is confirmed, including the status of Qualified Trust Service Provider who issued the certificate. A secure connection ensures confidentiality and authenticity.
2. The Qualified Certificate for Electronic Seal, which allows stamping of all evidence, including all data and transaction requests and confirmations. This enables all relevant information in communication to be sealed, protecting data authenticity and integrity. With this method, if exchanged information will be needed as evidence for any dispute, the relying party can confirm who was its creator and that the information was not changed since it was created.
   

Standard

Now that the ETSI TS 119 495 standard “Certificates supporting PSD2” is published, QTSPs can update their certification policies and upgrade systems to issue Qualified Certificates supporting PSD2. In addition, banks and payment institutions will need to prepare their infrastructure and systems to recognize and accept these certificates in their systems. Transactions based on PSD2 certificates will start in March 2019.

Michał Tabor is Editor of the ETSI standard TS 119495

References and Further Reading

• More articles by Michal Tabor on eIDAS and PSD2 (2017 - today)
• Details of 'DTS/ESI-0019495' Work Item (2017 - today), by ETSI
• ESI(17)60_035r1 - ETSI / ERPB PIS Experts PSD2 Workshop: Discussion Document on PSD2 Requirements for Qualified Certificate (10/2017), by the ESI at ETSI
• PSD2 Directive - DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (2015), by the European Parliament and the Council of the European Union.
• European Commission - Fact Sheet: Payment Services Directive (PSD2): Regulatory Technical Standards (RTS) enabling consumers to benefit from safer and more innovative electronic payments(11/2017), by the European Commission

• Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (2017), by the European Banking Authority EBA

• Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
• Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more

• Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
• REGULATION (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
• Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank

 Image: DSC09406, courtesy of Laura Wolf, Flickr (CC BY 2.0)