PSD2 Certificates

PSD stands for Payment Services Directive, 2015/2366 in EU terminology.

PSD2 is a regulation that applies to the banking world, with the objective of modernising it.

X.509 certificates are issued to PSPs (Payment Service Providers), which may be credit institutions, payment institutions, fintechs, etc. A PSP must be authorised by a national banking authority (NCA).

With regard to digital certificates, the directive introduces 2 new types of certificates, documented in the ETSI TS 119 495 standard and derived from qualified eIDAS certificates:

  • a QWAC certificate (Qualified Website Authentication Certificate), which is a TLS server certificate with server and client EKUs. It also derives from the CA/B Forum Extended Validation standard and contains fields specific to PSPs

  • a QSealC certificate (Qualified electronic Seal Certificate), which is a server seal certificate containing fields specific to PSPs

All banks (ASPSP) offering an online service must also offer API access to other PSPs (TPPs). This access is based on a TLS layer (to ensure confidentiality) with mutual authentication. The client (initiator of the connection) must present a QWAC PSD2 certificate to identify itself; the server can use a QWAC PSD2 certificate or another TLS certificate. This QWAC can use a software-stored private key: there is no obligation to use qualified cryptographic hardware.

Once the communication is established, the exchanged information is signed with the QSealC server seal certificate, both for storage purposes and to identify the transmitted data end-to-end (there may be aggregators or exchange nodes at the TLS level). The use of the seal certificate is not made mandatory by PSD2, but is recommended for its value as proof. QSealCs can generate qualified signatures if the private key is generated and operated within qualified cryptographic hardware (QSCD); otherwise the generated signatures are of the advanced type. PSD2 does not require signatures to be qualified.

These 2 types of certificates must be issued by a QTSP (Qualified Trust Service Provider), i.e. an eIDAS Qualified Certification Authority that has been audited for the ETSI TS 119 495 standard.

In addition, actors must also implement verifications to ensure that the certificates presented comply with the standard, contain the required fields, are issued by a QTSP and are not revoked.
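As an added illustration of the "required fields" part of these verifications (not TBS code), the sketch below checks the PSP-specific values of a presented certificate once they have been extracted from it. The field syntax and role OIDs follow ETSI TS 119 495; the function name, the `required_role` policy parameter and the sample values are assumptions, only the PSD-prefixed form of the organizationIdentifier is handled, and the QTSP and revocation checks are out of scope.

```python
import re

# Role OIDs and names defined by ETSI TS 119 495 for the PSD2 QCStatement.
PSD2_ROLES = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # card-based payment instruments
}

# "PSD" + country code + "-" + NCA identifier (2-8 letters) + "-" + PSP identifier
ORG_ID_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")


def check_psd2_fields(org_id, role_oids, nca_id, required_role):
    """Return a list of problems; an empty list means the fields are acceptable.

    org_id: subject organizationIdentifier (OID 2.5.4.97)
    role_oids: role OIDs taken from the PSD2 QCStatement
    nca_id: NCAId string from the same statement, e.g. "XX-EXNCA"
    required_role: role the called API demands (hypothetical local policy)
    """
    problems = []
    m = ORG_ID_RE.match(org_id or "")
    if not m:
        problems.append("organizationIdentifier is not in PSD authorisation-number form")
    elif nca_id != f"{m.group(1)}-{m.group(2)}":
        problems.append("NCAId does not match the organizationIdentifier prefix")
    unknown = [o for o in role_oids if o not in PSD2_ROLES]
    if unknown:
        problems.append("unknown role OID(s): " + ", ".join(unknown))
    roles = {PSD2_ROLES[o] for o in role_oids if o in PSD2_ROLES}
    if not roles:
        problems.append("no PSD2 role present")
    elif required_role not in roles:
        problems.append(f"role {required_role} not granted (has {sorted(roles)})")
    return problems


# Constructed sample values, not taken from any real certificate.
SAMPLE = dict(org_id="PSDXX-EXNCA-000001", role_oids=["0.4.0.19495.1.3"], nca_id="XX-EXNCA")

if __name__ == "__main__":
    print(check_psd2_fields(required_role="PSP_AI", **SAMPLE))  # role granted
    print(check_psd2_fields(required_role="PSP_PI", **SAMPLE))  # role missing
```

A connection should be accepted only when this list is empty and the chain, QTSP status and revocation checks have also passed.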

Obtaining test certificates

TBS will issue test certificates that will have the structure of PSD2 certificates but will not be issued by a qualified authority in the EU Trust List. The vetting process will also be streamlined, and the same CSR can be used for WAC and SealC.

These certificates will be available in February 2019 at a price of 400€ per pair.

To get them, please contact us at marianne.bonjour@tbs-certificats.com.

Obtaining real certificates

TBS plans to provide PSD2 certificates from April 2019.

To be contacted when available, please register interest with us by email to marianne.bonjour@tbs-certificats.com.