PSD2: Secure at the interface with tomorrow’s banking
With our PSD2 certificates, you can secure your interfaces and systems. As one of Europe’s first-ever qualified trust service providers, we offer eIDAS-compliant production and test certificates for PSD2.
Your advantages at a glance
eIDAS-compliant production and test certificates
Data protection compliant
PSD2 for fintechs and banks – Key facts at a glance
The second Payment Services Directive (PSD2) set in motion a revolution in electronic payments. Since mid-September 2019, banks in the EU have been required to ensure that third-party providers can access their customer account data, and to provide an interface (API) for this purpose. This interface is secured by qualified website authentication certificates (QWACs). In return, third-party providers must register with the Federal Financial Supervisory Authority (BaFin). In other countries, providers register with the respective banking supervisory authority. To access the bank accounts, they also need qualified website certificates or qualified seal certificates (QSeals). D-Trust, a subsidiary of the Bundesdruckerei Group, is one of the few qualified trust service providers in Europe to offer these certificates.
What the new PSD2 directive offers you
The second Payment Services Directive obliges banks to allow third parties to access their customer account data. The PSD2 is opening up enormous opportunities for new providers, but banks too can benefit, for instance, by cooperating with start-ups or expanding their own service portfolio to include these new services. There is no doubt that the directive serves open banking and promotes competition. However, it also imposes much stricter security requirements on fintechs.
Requirements for third-party providers
First of all, only providers of online payment services are required to implement PSD2. To be able to use the banks' interface, third-party providers need a license with defined access rights. These licenses are issued by BaFin or a comparable European authority. Once the license has been issued, the provider requires a QWAC to secure communications. In this way, the provider identifies itself to the bank as a holder of the BaFin license. The bank may also require the additional use of a QSeal to prevent signed data from being changed.
Get ready for PSD2 and order your certificates
D-Trust offers production certificates (QWACs and QSeals) that allow banks and third-party providers to integrate the APIs. In the spirit of open banking, the PSD2 promotes competition in Europe’s financial sector. Payment transactions will become more convenient, more secure and less expensive for users. Both banks and payment service providers must invest more in the security of their digital services.
You can also listen to the podcast from digital kompakt to find out what’s new and which requirements fintechs must meet in order to comply with PSD2.
Frequently Asked Questions
Banks need to provide an API for new payment service providers to access bank account data and trigger withdrawals. They can prove their identity with a qualified website certificate.
Since 14 September 2019, financial institutions have been obliged to go live, following a test phase, and to open access to all licensed third-party providers with valid production certificates.
D-Trust is currently one of just a few German providers listed in the EU Trusted List as a so-called Qualified Trust Service Provider authorized to issue QWACs and QSeal certificates. D-Trust was already the first company in Europe to offer qualified certificates.
Test and production certificates are available on our order page.
A qualified website certificate (QWAC) protects communication between banks and third-party providers at the transport level, i.e. during data transmission. The payment service thus authenticates itself to the account-holding financial institution as the holder of the BaFin license. The QWAC contains information on the role of the company as well as its registration ID with the Financial Supervisory Authority. QWACs also encrypt all communication between the bank and the payment service provider.
QSeals secure the data at the application level. This is especially useful if you want to prove who accessed the API in the event of damage; the QSeal makes this much easier. A bank may require the third-party provider to use a qualified seal certificate. The seal documents all requests from the service provider and protects the signed data from changes. Bundesdruckerei offers qualified seal certificates without smartcards.
Do you have any other questions about PSD2?
We will be pleased to advise you.