Certificates for PSD2
What companies, banks and FinTechs need to know to use electronic certificates and seals.
Information and frequent questions regarding the Payment Services Directive
With the Second Payment Services Directive, PSD2 for short, the EU regulates online payment traffic between market participants within the EU. Among other things, PSD2 obliges banks operating in the EU to grant licensed third-party providers access to customer accounts. It also requires strong customer authentication (SCA), i.e. two-factor authentication of the account holder, whenever an account is accessed online or a payment is initiated.
The PSD2 regulations apply to banks as well as to third-party providers, such as fintechs and payment service providers, if they want to initiate payments or gather account data for their activities. Banks are required to open an interface (Application Programming Interface, API) for this purpose.
To operate in the EU, third-party providers need a license from their National Competent Authority (NCA). The license type determines which rights the third-party provider has when accessing account data through the bank's interface, within the scope of its business model.
To gain access to bank accounts as a third-party provider, a company must identify itself with one or more certificates during automated access. Likewise, banks use a certificate to identify themselves to the accessing payment service providers. The certificate serves as a "company ID" in electronic business transactions. Article 34 of the RTS on strong customer authentication and secure communication (Commission Delegated Regulation (EU) 2018/389) requires the use of qualified website authentication certificates (QWACs) or qualified electronic seal certificates (QSEALs).
The required certificates are issued by a qualified trust service provider (QTSP) established in the EU, such as D-TRUST GmbH, a subsidiary of Bundesdruckerei GmbH. The application is submitted online; the certificate is issued only after the NCA has granted the payment service provider's license. If a bank wants to act as a third-party provider in order to access accounts at other banks, it also needs a QWAC and possibly a QSEAL. If the bank already holds a full banking license, it does not require separate licensing from its National Competent Authority.
Qualified trust service providers are listed in the EU Trusted List. To obtain and keep qualified status, they must notify the eIDAS supervisory body of their member state and undergo a conformity assessment by an accredited third party every 24 months. Relying parties use the EU Trusted List to establish which CAs are qualified, and on that basis set up reliable, authenticated and encrypted communication relationships (for example between EU citizens and websites, or between IT systems).
There are qualified website authentication certificates (QWACs), qualified electronic seal certificates (QSEALs) and extended validation (EV) certificates. A QWAC attests the identity of the accessing company and secures the communication channel (transport layer, TLS). A QSEAL protects the integrity of the sealed data: subsequent changes become detectable, and the seal documents the identity of the accessing company (application layer). Article 34 of the RTS (EU) 2018/389 requires third-party providers to use QWACs or QSEALs; the European Banking Authority (EBA) recommends using both, since each covers a different layer. The Berlin Group's NextGenPSD2 specification requires a QWAC. Banks may identify themselves with a QWAC or an EV certificate; in the latter case, too, the EBA recommends a QWAC.
For sealing PSD2 requests, D-Trust, a Bundesdruckerei company, offers the product Qualified Seal PSD2 ID (a qualified seal certificate without seal card for advanced seals, a "soft seal").
With the seal certificate without card, you generate and manage the key pair yourself, just as for a QWAC; this can be done on a hardware security module (HSM), for example. As for a QWAC, you send us a certificate signing request (CSR) containing the public key and receive the certificate by e-mail. The seal certificate without card is easy to handle and imposes no throughput limit. The certificate policy in the profile is QCP-l (the ETSI EN 319 411-2 policy for qualified certificates issued to legal persons). Use of a qualified signature or seal creation device (QSCD) is not mandatory; nevertheless, keep the private key in an HSM or similarly protected store and restrict access to it, since whoever holds this key can seal PSD2 requests in your company's name.
Applying for live certificates
The application for qualified website certificates follows a defined process. For live certificates, a third-party provider must first apply to its National Competent Authority (NCA) for authorization as a payment service provider. The certificate application itself can be submitted before authorization, but D-Trust GmbH issues the certificate only after the NCA license has been granted. CRR credit institutions (banks) that also want to act as payment service providers do not require additional authorization and can apply for all roles in the certificates.
The CA certificates of all QTSPs are published in the EU Trusted List, so there is no need to obtain or verify root certificates from another source.
If needed, the root certificate can also be downloaded directly from D-TRUST's website; details are given in the Certification Practice Statement (CPS). Unlike EV certificates, QWAC roots are not necessarily distributed through browser root stores, so you cannot rely on a browser classifying them as trustworthy; relying parties must anchor trust in the EU Trusted List instead.
D-Trust's QWACs are currently not entered in Certificate Transparency (CT) logs, because the applicable standards do not require it: the certificates are not intended for communication via the browser, so no CT entry is needed. Do not expect such a certificate to be accepted by a CT-enforcing browser; it is meant for machine-to-machine API traffic validated against the EU Trusted List.
PSD2 (Directive (EU) 2015/2366) recognizes different roles (entitlements) for payment service providers; the role identifiers used in the certificates are defined in ETSI TS 119 495. The most common roles are account information service (PSP_AI) and payment initiation service (PSP_PI); other roles are account servicing (PSP_AS) and issuing of card-based payment instruments (PSP_IC). Payment service providers apply for one or more of these roles with their National Competent Authority (NCA); once registered, they can be issued certificates carrying these roles.
The certificate's CRL Distribution Points extension contains the URL of the certificate revocation list (CRL), and its Authority Information Access (AIA) extension contains the URL of the OCSP responder. The revocation status of a live certificate can therefore be checked either by downloading the CRL or by sending an OCSP request.
Before the certificate is issued, we check that the domain in the common name (CN) and the alternative domains (SAN) listed in the certificate request are under your control. As a standard procedure, an e-mail containing a security token is generated for each requested domain and sent to the following addresses:
admin@, administrator@, hostmaster@, webmaster@ and postmaster@
We expect at least one reply containing this token to be sent to the address given in the e-mail; the sender address is not checked. You can, for instance, forward our e-mail to the specified address. Because the sender is not verified, make sure these mailboxes are not readable by anyone outside your organization: whoever can read the token can pass the check.
CAA records (RFC 6844, since superseded by RFC 8659) let a domain owner specify that only selected CAs may issue certificates for given domains and their subdomains; the CA/Browser Forum requires CAs to check them before issuing. If CAA records are set on your domains that do not include d-trust.net, you will receive an error message when applying for the certificate. In this case, please either remove all CAA records or add d-trust.net to them; adding d-trust.net is preferable, since it keeps the restriction in place for all other CAs.
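The following is an added example, not D-Trust's own CAA checker: it evaluates a constructed set of CAA records the way RFC 8659 prescribes (the relevant RRset is the one at the closest ancestor of the requested name that has any CAA records, and an "issue" record with ";" permits no CA at all), so you can predict before applying whether d-trust.net would be allowed to issue for a name. The zone data and the names in it are invented.

```python
"""Predict whether a CA may issue for a name under the domain's CAA records.
Added example for this page; the evaluator is our own, not D-Trust's, and the
zone below is constructed test data. Follows the RFC 8659 relevant-RRset rule."""

CAA_ZONE = {  # constructed: owner name -> list of (flags, tag, value)
    "example.com": [(0, "issue", "d-trust.net"), (0, "iodef", "mailto:caa@example.com")],
    "blocked.example.com": [(0, "issue", "letsencrypt.org")],
    "nocas.example.com": [(0, "issue", ";")],                  # ";" = no CA may issue
    "wild.example.com": [(0, "issue", "d-trust.net"), (0, "issuewild", "letsencrypt.org")],
    "crit.example.com": [(128, "futuretag", "x")],              # unknown critical property
    "other.example": [(0, "iodef", "mailto:x@other.example")],  # no issue property at all
}


def relevant_caa(name, zone):
    """Climb from the name towards the root; the first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def _issuer_domain(value):
    # An issue value may carry parameters after ";" (e.g. "d-trust.net; accounturi=...").
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, zone, ca="d-trust.net", wildcard=False):
    """Return (permitted, reason) for issuing to `name` (or *.name if wildcard)."""
    owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA records in effect"
    # RFC 8659: a critical property the CA does not understand forbids issuance.
    if any(f & 0x80 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False, f"unrecognised critical CAA property at {owner}"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"           # issuewild takes precedence for wildcard names
    issuers = [_issuer_domain(v) for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"no {tag} property at {owner}, issuance unrestricted"
    if ca.lower() in issuers:
        return True, f"{ca} permitted by CAA at {owner}"
    return False, f"CAA at {owner} restricts issuance to {issuers}; add {ca} or remove the records"


if __name__ == "__main__":
    for n in ("www.example.com", "api.blocked.example.com", "nocas.example.com", "unrelated.test"):
        print(n, may_issue(n, CAA_ZONE))
```

Note that the check is inherited: a record on example.com governs every subdomain that has no CAA records of its own, which is why a request for api.blocked.example.com is refused by the record on blocked.example.com even though example.com permits d-trust.net.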
The NCA ID is the identifier of the national financial supervisory authority as specified by ETSI TS 119 495, e.g. DE-BAFIN, AT-FMA or GB-FCA. The PSP identifier is a unique national ID assigned by the NCA during licensing; in most countries it consists of 4 to 9 digits. Most NCAs keep separate registers for TPPs and ASPSPs, and the EBA maintains central registers for both. These central registers are still being set up and do not yet contain correct data everywhere; where they deviate, the national register is authoritative. The certificate carries the composite value, e.g. PSDGB-FCA-123456, in the organizationIdentifier attribute of the subject. The full name of the NCA and the requested roles appear in the QC statement (Qualified Certificate Statement) of the certificate.
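To make the certificate contents described in the two paragraphs above concrete (the PSP roles and the NCA name/ID in the QC statement, and the composite PSDxx-NCA-id value in the subject), here is an added example with a minimal DER codec that builds and parses the PSD2 QcStatement and validates the organizationIdentifier syntax. It is not D-Trust code and does not use a certificate library; the OIDs and the organizationIdentifier format are those of ETSI TS 119 495, the NCA and PSP values in the demo are constructed, and the generalization to all four role OIDs goes beyond the two roles the page names as common.

```python
"""Build and parse the PSD2 QcStatement and the PSD2 organizationIdentifier
defined in ETSI TS 119 495, with a minimal DER codec (no third-party modules).
Added example for this page, not D-Trust code; the NCA/PSP demo values are constructed."""
import re

PSD2_QC_STATEMENT_OID = "0.4.0.19495.2"        # id-etsi-psd2-qcStatement
ROLE_OIDS = {                                  # id-etsi-psd2-roles = 0.4.0.19495.1
    "PSP_AS": "0.4.0.19495.1.1", "PSP_PI": "0.4.0.19495.1.2",
    "PSP_AI": "0.4.0.19495.1.3", "PSP_IC": "0.4.0.19495.1.4",
}
ROLE_BY_OID = {v: k for k, v in ROLE_OIDS.items()}
# organizationIdentifier: "PSD" + ISO 3166 country + "-" + NCA id (2-8 uppercase) + "-" + PSP id
ORG_ID_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")


# ---- minimal DER encoder ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def der_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    return _tlv(0x06, _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:]))

def der_utf8(s):
    return _tlv(0x0C, s.encode("utf-8"))

def der_seq(*items):
    return _tlv(0x30, b"".join(items))

def build_psd2_qc_statement(roles, nca_name, nca_id):
    """QcStatement ::= SEQUENCE { statementId OID, statementInfo PSD2QcType }
    PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF SEQUENCE { OID, UTF8String },
                              nCAName UTF8String, nCAId UTF8String }"""
    roles_seq = der_seq(*(der_seq(der_oid(ROLE_OIDS[r]), der_utf8(r)) for r in roles))
    return der_seq(der_oid(PSD2_QC_STATEMENT_OID),
                   der_seq(roles_seq, der_utf8(nca_name), der_utf8(nca_id)))


# ---- minimal DER decoder ----
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                          # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def parse_oid(body):
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                                        # first two arcs share one value
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def parse_psd2_qc_statement(der):
    tag, body, _ = _read_tlv(der, 0)
    (_, oid_body), (info_tag, info_body) = list(_children(body))
    if tag != 0x30 or info_tag != 0x30 or parse_oid(oid_body) != PSD2_QC_STATEMENT_OID:
        raise ValueError("not a PSD2 QcStatement")
    (_, roles_body), (_, name_body), (_, id_body) = list(_children(info_body))
    roles = []
    for _, role_body in _children(roles_body):
        (_, r_oid), (_, r_name) = list(_children(role_body))
        roles.append((ROLE_BY_OID.get(parse_oid(r_oid), "unknown"), r_name.decode("utf-8")))
    return {"roles": roles, "nca_name": name_body.decode("utf-8"), "nca_id": id_body.decode("utf-8")}

def parse_org_id(org_id):
    m = ORG_ID_RE.match(org_id)
    if not m:
        raise ValueError(f"not a PSD2 organizationIdentifier: {org_id!r}")
    return {"country": m.group(1), "nca": m.group(2), "psp_id": m.group(3)}

def nca_ids_match(org_id, qc_statement_der):
    """Cross-check a bank should do: the NCA in the subject's organizationIdentifier
    must equal nCAId in the QcStatement of the same certificate."""
    o = parse_org_id(org_id)
    return f"{o['country']}-{o['nca']}" == parse_psd2_qc_statement(qc_statement_der)["nca_id"]


if __name__ == "__main__":
    stmt = build_psd2_qc_statement(["PSP_AI", "PSP_PI"], "Bundesanstalt fuer Finanzdienstleistungsaufsicht", "DE-BAFIN")
    print(stmt.hex())
    print(parse_psd2_qc_statement(stmt), nca_ids_match("PSDDE-BAFIN-123456", stmt))
```

In a real certificate this QcStatement sits in the qcStatements extension (OID 1.3.6.1.5.5.7.1.3) next to the eIDAS statements, and the roles it carries are what a bank's API gateway should authorize against; the organizationIdentifier alone does not say which services the TPP is licensed for.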
To issue qualified certificates we must identify a natural person, i.e. that person's identity must be verified. For a QWAC and a Qualified Seal PSD2 ID, an authorized signatory can delegate this to another person, the subscriber's representative; the delegation is granted by the authorized signatory on the request form. In Germany, PostIdent is the standard identification procedure. In other countries, we offer identification by representatives of German embassies and consulates or by authorized notaries listed in the European Directory of Notaries. If you cannot find your country in the Directory of Notaries, please send an inquiry to email@example.com.
If you apply for several certificates, the identification process must be completed for each of them.