Certificates for PSD2
General information
What are the regulatory requirements for third-party providers that want to access bank accounts or bank account data?
To operate in the EU, third-party providers need a license from their National Competent Authority (NCA). The license type determines the access rights of the third-party provider to access account data through the bank interface within the scope of its business model.
What are the technical requirements for third-party providers and banks?
In order to gain access to bank accounts as a third-party provider, a company must identify itself with one or more certificates during automated access. Likewise, banks use a certificate to identify themselves towards the accessing payment service providers. The certificate serves as a “company ID” in electronic business transactions. Article 34 of the RTS (EU 2018/389) requires the use of qualified website authentication certificates (QWACs) or qualified electronic seal certificates (QSEALs).
Where can third-party providers and banks obtain electronic certificates in accordance with PSD2 requirements?
The required electronic certificates are issued by a qualified trust service provider (QTSP) registered in the EU. The NCA license must have been issued to the payment service provider prior to this. If a bank wants to act as a third-party provider in order to access accounts of other banks, it also needs a QWAC and possibly a QSEAL. If the bank already possesses a full banking license, it does not require separate licensing from its National Competent Authority.
What are the requirements for providers of qualified website certificates (QWACs) and qualified electronic seal certificates (QSEALs)?
Qualified certificate providers are listed in the EU Trusted List, and have to register the company with their National Competent Authority as well as undergo a conformity assessment by a third party every 24 months. The EU Trusted List creates reliable, authenticated, encrypted communication relationships (for example between EU citizens and websites or between IT systems).
What are the differences between the various certificate types and which one do I need?
There are qualified website certificates (QWACs), qualified electronic seal certificates (QSEALs) and extended validation (EV) certificates. The QWAC registers the identity of the accessing company and secures the communication channel (transport level). The seal protects the signed data from modification. It makes subsequent changes visible and documents the identity of the accessing company (application layer). Article 34 of the RTS (EU 2018/389) requires third-party providers to use QWACs or QSEALs. The European Banking Authority (EBA) recommends the use of both a QWAC and a QSEAL. The Berlin Group’s NextGenPSD2 specification requires a QWAC. Banks can identify themselves using a QWAC or EV certificate. In the latter case, the EBA recommends a QWAC.
Applying for live certificates
Does the application for a qualified website certificate in accordance with PSD2 follow a defined, binding process?
Yes, the application for qualified website certificates follows a defined process. For real certificates, a third party must first apply for authorization as a payment service provider with its National Competent Authority (NCA). After the NCA license has been granted, the certificate can be issued by a qualified trust service provider. It is possible to apply even before authorization. CRR credit institutions (banks) that also want to act as payment service providers do not require additional authorization and can apply for all roles in the certificates.
Where can I obtain the root or CA certificates from QTSPs for the productive environment?
You can find the CA certificates of all QTSPs in the EU Trusted List. There is no need to check the root certificates.
What is the meaning of the abbreviations PSP_AI, PSP_PI, PSP_AS and PSP_IC on the certificate?
The PSD2 regulation (EU 2015/2366) recognizes different roles (entitlements) for payment service providers. The aforementioned abbreviations are defined in ETSI standard 119 495. Common roles are account information service (PSP_AI) and payment initiation service (PSP_PI). Other roles include account services (PSP_AS) and issuing of card-based payment instruments (PSP_IC). Payment service providers may apply for one or more of these roles with their National Competent Authority (NCA), after which they will be registered and can be issued certificates with these roles.
How can the status of the test and live certificates be checked for revocation?
The Revocation List Distribution Points attribute contains URLs for OCSP access and CRLs.
How do I generate a CSR in order to apply for a PSD2 QWAC?
Please note that the following description only applies to PSD2 certificates. Different specifications apply to other certificate types. You create and manage your own keys for QWACs for both the test and live certificates. Please use a minimum key length of 2048 for QWAC and 3072 for QSeal ID. You use this to generate a Certificate Signing Request (CSR) that, in addition to the public key, contains precisely the attributes O (Organization), OU (Organizational Unit, optional), CN (Common Name), C (Country Code), S (StateOrProvince), L (City). All other attributes are taken from the order page. With OpenSSL, you generate the CSR as follows:
You are prompted to enter all attributes and you then enter values for the above-named attributes and ’.’ (blank attribute) for the others. Please do not enter any other attributes, e.g. e-mail.
If you are using another program, please ensure that the CSR starts/ends with BEGIN/END CERTIFICATE REQUEST. BEGIN/END NEW CERTIFICATE REQUEST is rejected, edit the CSR if necessary.
We still generate keys for the seal card, a CSR is not necessary.
How is domain validation carried out?
Before the certificate is issued, we check whether the domain (CN) and alternative domain (SAN) listed in the certificate are under your control. As a standard procedure, e-mails with a security token are generated for each requested domain and sent to the following addresses:
admin@, administator@, hostmaster@, webmaster@ and postmaster@
We expect at least one reply to be sent to the address provided in the e-mail that contains this token – the sender address is not checked. You can, for instance, forward our e-mail to the specified address.
Which values must be specified in the request for an NCA ID and PSP Identifier?
The NCA ID is a national financial supervisory authority ID specified by ETSI TS 119.495, e.g. DE-BAFIN, AT-FMA or GB-FCA. The PSP Identifier is a unique national ID assigned by the NCA during licensing. In most countries, it is made up of 4 to 9 digits. Most NCAs have separate registers for TPPs and ASPSPs. There are also central EBA registers for TPPs and ASPSPs. These registers are still being set up and do not yet have the correct data in all places. In case of deviations the national register is relevant. The certificate contains the composite value, e.g. PSDGB-FCA-123456, as an attribute of the requester. You can find the full name of the NCA along with the requested roles in the QC statement (Qualified Certificate Statement).
How is a natural person identified?
To issue qualified certificates we need to identify a natural person, i.e. signature authentication must be carried out for identity verification. For Qualified Seal Card PSD2, an authorized signatory must be identified. For QWAC and Qualified Seal PSD2 ID an authorized signatory can delegate this to another person, the subscriber’s representative. This authorization is done by the authorized signatory on the request form. In Germany, PostIdent is the standard procedure for identification. In other countries, we offer identification by representatives of german embassies and consulates or by authorized notaries listed in the European Directory of Notaries.
In case that you apply for several certificates you have to do the identification process for each of them.
Applying for test certificates
Do I have to submit an application to my NCA to receive test certificates?
Test certificates do not require an NCA license.