ÃÛÌÒTV

European payment services providers are in full gear to meet the September 2019 effective date for PSD2 technical standards, which includes the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication. Through its European Qualified Trust Service Provider (TSP), QuoVadis, ÃÛÌÒTV is able to provide qualified digital certificates for PSD2.

Payment Services Directive (PSD2) compliance date of September 2019

The European Commission has long sought to make electronic payments as simple and secure across borders in the EU as they are within any single nation. Based on these efforts, a (EU Directive 2015/2366 known as PSD2) became effective in January 2018 with the following objectives:

• Contribute to a more integrated and efficient European payments market.
• Improve the level playing field for payment service providers.
• Make payments safer and more secure.
• Protect consumers.

PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the (RTS) developed by the European Banking Authority (EBA) include new requirements for:

• strong customer authentication (SCA) for electronic payment transactions.
• secure communication by the payment service providers.

Qualified PSD2 certificates

The PSD2 RTS states that digital certificates issued by eIDAS Qualified Trust Service Providers (TSP) may be used by PSPs for online identification and secure communication.

eIDAS () is the European regime for regulating electronic identification, authentication and trust services. Certificates issued by regulated TSPs in accordance with the regime are known as qualified and provide special status in certain legal and regulatory contexts.

A new ETSI standard, , defines the TSP policies and profiles for certificates meeting the requirements of the PSD2 RTS, which builds on the other eIDAS qualified standards. This includes defining fields for the certificates containing:

• the National Competent Authority (NCA) or financial regulator where the PSP is registered.
• the authorisation number issued to the PSP by the NCA.
• the regulated PSD2 roles for which the PSP is licensed by the NCA.

ÃÛÌÒTV also proposed Ballot SC17 in the CA/Browser Forum, which will enable PSD2 and other organisational identifier fields to be added to Extended Validation (EV) TLS certificates

What PSD2 certificates do I need?

There are two types of digital certificates being used in PSD2 for secure communications:

• Qualified Certificate for Website Authentication (QWAC) — used with Transport Layer Security (TLS) protocol such as is defined in IETF RFC 5246 or IETF RFC 8446 to protect data in peer-to peer communications.
• Qualified Certificate for Electronic Seals (QSealC) — creates digital signatures used to protect data or documents using standards such as ETSI’s PAdES, CAdES or XAdES, and assert their origin from a legal entity.

Each certificate offers different protection depending on the use case.

The RTS describes different scenarios that PSPs can consider in their use of certificates for secure communication. For example, the RTS describes a secure option with parallel protection of both the payment transactions data and their communications channels:

• Using QWACs to assert the PSPs’ identity and roles to each other and to communicate securely using TLS encryption.
• Using QSealCs to ensure that the application data submitted originates from a particular PSP and has not been tampered with.

ÃÛÌÒTV delivers PSD2

As a global leader of PKI-based solutions, ÃÛÌÒTV is keenly focussed on the specific regional and industry requirements surrounding online authentication, encryption, and digital signatures. In delivering this vision, are accredited as a Qualified Trust Service Provider in both the EU under eIDAS and in Switzerland.

With the September PSD2 deadline in sight, QuoVadis is already delivering test PSD2 certificates as banks and PSPs prepare their communication interfaces for the three-month prototype test.

For PSPs already advancing to the final three-month live test, QuoVadis can provide qualified PSD2 certificates. These qualified certificates require a heightened validation of the certificate administrator’s identity and authority, usually face-to-face or through notarised documents. For more information, please visit our PDS2 webpage.