In November 2018, ETSI published a new version of the standard ETSI TS 119 495 - Sector Specific Requirements Qualified Certificate Profiles and TSP Policy Requirements under the Payment Services Directive (EU) 2015/2366. Financial institutions and trust service providers had been waiting for this standard, as it defines the certificates used to secure communication under the second Payment Services Directive (PSD2).
Certificates for payment services are required
The second Payment Services Directive (PSD2) allows fintech companies to act as intermediaries between banks and bank customers. PSD2 defines two main services, Payment Initiation and Account Information, both of which can be offered by companies known as Payment Service Providers (PSPs). The crucial issue for providing these services is authentication: of the customer, and of the PSP that accesses the customer's account, since this process must guarantee the required level of assurance and confidentiality and provide evidence of the transaction. PSD2 is supported by a delegated act, the Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication, whose Article 34 mandates qualified certificates for the identification of PSPs when they communicate with each other. The certificates mandated by the RTS are qualified certificates for electronic seals or qualified certificates for website authentication.
Standard for PSD2 certificates
Using a qualified certificate in this context is new on the market, so the certificates had to be made recognisable by banks and other PSD2 participants. A PSD2 qualified certificate is recognised by specific attributes stating that it is issued for the purpose of payment services and which type of service the certificate holder provides.
The European Telecommunications Standards Institute (ETSI) published the standard that defines these certificate attributes (the certificate profile) and the requirements on the certificate issuers. The newest version, published at the end of November 2018, changed some requirements for Qualified Trust Service Providers (QTSPs) issuing PSD2 certificates and introduced a new annex clarifying the interaction between QTSPs and the financial sector supervisory bodies, the National Competent Authorities (NCAs).
Before publication of the new version, there were wide consultations between ETSI and the European Banking Authority (EBA), which allowed both sides to better understand each other's needs. The new version of the standard is identified as ETSI TS 119 495 V1.2.1 (2018-11) Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/2366.
Main changes in the certificate profile
The general context of the standard, the definition of the attributes and a clarification of the processes are described in the article: https://www.cryptomathic.com/news-events/blog/eidas-qualified-certificates-supporting-psd2-etsi-ts-119-495
There are a few minor changes in the definition of the certificate profile. It is now clarified that a bank (a credit institution with a full licence), when acting as a third party provider, is assigned all three roles in its certificate: payment initiation (PSP_PI), account information (PSP_AI) and issuing of card-based payment instruments (PSP_IC). When a credit institution acts in an account servicing capacity, it only needs the account servicing role (PSP_AS).
The new standard also specifies an initial list of identifiers for National Competent Authorities. Certificates issued to a PSP therefore contain attributes identifying the supervisory body of that PSP. The semantics for coding the authorisation number have not changed, but it is now clarified how the country-specific number can be coded.
Examples of authorisation numbers as presented in the standard:
The organizationIdentifier "PSDPL-PFSA-1234567890" denotes a certificate issued to a PSP whose authorisation number is 1234567890, granted by the Polish Financial Supervision Authority (NCA identifier PFSA) in Poland (country code PL); the leading "PSD" marks the PSD2 semantics of the identifier. The authorisation number itself may contain non-alphanumeric characters, as in "PSDBE-NBB-1234.567.890", "PSDFI-FINFSA-1234567-8" and "PSDMT-MFSA-A 12345" (note the space character after "A").
After consultations between the European Banking Authority (EBA) and ETSI it was found that some institutions can request PSD2 certificates but have no authorisation number. If no authorisation number was issued by the NCA, another registration identifier recognised by the NCA is used, chosen from those defined in the standard ETSI EN 319 412-1.
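The identifier examples above, and the register validation the policy requirements call for, are easy to get wrong because the authorisation number is opaque: it may contain dots, spaces or further hyphens, so only the first two hyphens are structural and the number must be compared exactly as the NCA issued it. The following Python is an added example written for this page, not code from the standard or from any QTSP. It parses PSD2-coded organizationIdentifier values, rejects identifiers that use other EN 319 412-1 semantics, and checks the roles requested for a certificate against a constructed register excerpt. The constraint that the country code is two upper-case letters and the NCA identifier two to eight upper-case letters is an assumption of this example; the page does not state it.

```python
import re
from dataclasses import dataclass

# PSD2 organizationIdentifier layout: "PSD" + country code of the NCA + "-" +
# NCA identifier + "-" + authorisation number. The number is opaque and may
# contain dots, hyphens or spaces, so only the first two hyphens are structural.
# The [A-Z]{2} / [A-Z]{2,8} constraints are an assumption of this example.
_PSD2_ORG_ID = re.compile(r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<psp>.+)")

# Role names used in PSD2 certificates, as named on this page.
PSD2_ROLES = {"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"}


@dataclass(frozen=True)
class Psd2OrgId:
    country: str   # ISO 3166 country code of the NCA, e.g. "PL"
    nca_id: str    # NCA identifier, e.g. "PFSA"
    psp_id: str    # authorisation number as issued by the NCA, kept verbatim


def parse_psd2_org_id(value: str) -> Psd2OrgId:
    """Split a PSD2-coded organizationIdentifier into its three parts.

    Raises ValueError for anything that is not PSD2-coded, including the other
    EN 319 412-1 semantics (for example VAT or trade-register identifiers) that
    may be used when no authorisation number exists.
    """
    m = _PSD2_ORG_ID.fullmatch(value)
    if m is None:
        raise ValueError(f"not a PSD2 organizationIdentifier: {value!r}")
    return Psd2OrgId(m["country"], m["nca"], m["psp"])


def is_psd2_org_id(value: str) -> bool:
    """True if the value carries PSD2 semantics and is well-formed."""
    try:
        parse_psd2_org_id(value)
        return True
    except ValueError:
        return False


def unauthorised_roles(org_id: Psd2OrgId, requested_roles, register) -> set:
    """Return the requested roles the register does not grant to this PSP.

    `register` is keyed by (country, nca_id, psp_id) exactly as issued by the
    NCA. The authorisation number is compared byte-for-byte, with no
    normalisation of spaces or punctuation, because only the NCA defines its
    format. A PSP missing from the register raises LookupError: the QTSP must
    not issue in that case.
    """
    requested = set(requested_roles)
    unknown = requested - PSD2_ROLES
    if unknown:
        raise ValueError(f"unknown PSD2 role(s): {sorted(unknown)}")
    granted = register.get((org_id.country, org_id.nca_id, org_id.psp_id))
    if granted is None:
        raise LookupError(f"{org_id} not found in register")
    return requested - granted


# Constructed register excerpt for the demonstration; these are not real entries.
SAMPLE_REGISTER = {
    ("PL", "PFSA", "1234567890"): {"PSP_PI", "PSP_AI"},
    ("MT", "MFSA", "A 12345"): {"PSP_AS"},
}

if __name__ == "__main__":
    # The four examples quoted on this page plus one non-PSD2 identifier.
    for raw in ["PSDPL-PFSA-1234567890", "PSDBE-NBB-1234.567.890",
                "PSDFI-FINFSA-1234567-8", "PSDMT-MFSA-A 12345", "VATPL-1234567890"]:
        print(raw, "->", parse_psd2_org_id(raw) if is_psd2_org_id(raw) else "not PSD2-coded")

    # A request for PSP_IC by the Polish PSP must be refused: the register grants PI and AI only.
    pl = parse_psd2_org_id("PSDPL-PFSA-1234567890")
    print("roles to refuse:", unauthorised_roles(pl, {"PSP_PI", "PSP_IC"}, SAMPLE_REGISTER))
```

A real QTSP would query the national register or the EBA PSD2 Register instead of a dictionary, but the two checks shown are the ones that matter: the identifier must be split only at its structural hyphens, and the roles placed in the certificate must be a subset of what the register records for exactly that NCA and number.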
New policy requirements
It is now up to the European Commission to adopt the delegated act giving formal recognition to the EBA PSD2 Register. The EBA PSD2 Register is expected to go live in early 2019 and to combine the information from all national PSD2 registers, presenting information about all payment service providers in the EU. It is separate from the existing register of credit institutions (banks).
When issuing a certificate, a QTSP shall validate the PSD2-specific attributes against the national public register provided by the NCA or against the EBA PSD2 Register. This validation is required every time a certificate is issued or renewed.
An NCA can request to be informed about every PSD2 certificate issued to the PSPs it supervises; in that case the QTSP is obliged to notify the NCA every time a certificate is issued or its status changes.
The standard also changed some procedures in the certificate revocation process. An NCA can request revocation of a certificate issued to an entity licensed by that NCA. All QTSPs shall recognise three methods of authenticating a revocation request from an NCA:
- a shared secret, if one was provided by the TSP to the NCA for revocation purposes,
- an advanced electronic signature, supported by a qualified certificate issued to an NCA employee,
- an advanced electronic seal supported by a qualified certificate issued to the NCA.
The TSP shall provide an email address or website, in English or another language understood by the NCAs it serves, where an NCA can submit authenticated revocation requests. On receipt of such a request, the QTSP must revoke the certificate within 24 hours. The NCA can also notify the QTSP about changes in the register of PSPs, but no 24-hour obligation applies in that case.
Seal certificate if a PSP is a natural person
The PSD2 directive allows a natural person to be licensed as a payment service provider. Under eIDAS, however, a qualified certificate for an electronic seal is issued only to a legal person. The standard resolves this by pointing to recital 68 of the eIDAS regulation, which states:
"The concept of 'legal persons' … leaves operators free to choose the legal form which they deem suitable for carrying out their activity. Accordingly, 'legal persons', within the meaning of the TFEU [Treaty on the Functioning of the European Union], means all entities constituted under, or governed by, the law of a Member State, irrespective of their legal form."
On this basis, all licensed PSPs, including natural persons, can obtain the certificates required for the purposes defined in the RTS.
PSD2-specific certificates are used mostly for API communication between systems, but a qualified website authentication certificate (QWAC) can also be used for user interface communication. At present the attribute carrying the authorisation number is not recognised as trusted by the Chrome browser, and Google is reluctant to extend its requirements to enable the use of European qualified website certificates with the ETSI-defined attributes. Further consultation between ETSI and the CA/Browser Forum will be needed to reach a consensus on common and easy recognition of QWACs by all browsers.
The new version of the standard can be found on the ETSI Website: https://www.etsi.org/standards-search#page=1&search=TS119495
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance).
Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC.
EBA/RTS/2017/10: "Final Report on Draft Regulatory Technical Standards setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein, under Article 15(4) of Directive (EU) 2015/2366 (PSD2)".