picture of tbs certificates
picture of tbs certificates
Our products range

PSD2 Certificates

PSD means Payment Service Directive, 2015/2366 in EU terminology.

The PSD2 is a regulation that applies to the banking world, with the objective of ensuring its modernisation.

X509 certificates are issued to PSPs (Payment Service Providers), which may be credit institutions, payment institutions, fintechs, etc. A PSP must be authorised by a national banking authority (NCA).

With regard to digital certificates, the directive introduces 2 new types of certificates that are documented in the ETSI TS 119 495 standard, which are derived from qualified eIDAS certificates:

  • a QWAC certificate (Qualified Website Authentication Certificate), which is a TLS server certificate with server and client EKUs, which also derives from the CA/B Forum Extended Validation standard and contains fields specific to PSPs

  • a seal certificate (QSealC or SealC) which is a server seal certificate containing fields specific to PSPs

All banks (ASPSP) offering an online service must also offer API access to other PSPs (TPPs). This access is based on a TLS layer (to ensure confidentiality) with mutual authentication. The client (initiator of the connection) must present a QWAC PSD2 certificate to identify itself, the server can use a QWAC PSD2 certificate or another TLS certificate. This QWAC can use a software-stored private key, there is no obligation to use qualified cryptographic hardware.

On the other hand, once the communication is established, the exchanged information is signed by the server seal certificate for storage purposes and to identify the data transmitted end-to-end (there may be aggregators or exchange nodes at the TLS level). The use of the seal certificate is not made mandatory by PSD2, but is recommended for its proof benefits. QSealCs can generate qualified signatures if the private key is generated and operated within a QSCD qualified cryptographic hardware; otherwise the generated signatures are of advanced type and a SealC is sufficient. PSD2 does not require signatures to be qualified.

These 2 types of certificates must be issued by a QTSP (Qualified Trust Service Provider), i.e. an eIDAS Qualified Certification Authority that has been audited for the ETSI TS 119 495 standard.

In addition, actors must also implement verifications to ensure that the certificates presented comply with the standard, contain the required fields, are issued by a QTSP and are not revoked.

Obtaining test certificates

TBS issues test certificates that have the structure of PSD2 certificates but arte not issued by an official certification authority. The vetting process is also streamlined.


The CSR of the WAC certificate must be filled such as an EV certificate. The CSR of the seal certificate must contain a CN formated as "O_field_content - test PSD".

Other fields: PSD2 special fields should not be added in the CSR.

Finally, it is not necessary nor advisable to define a organizationIdentifier field in those CSR. See our documentation to generate a CSR for your plateform. See our documentation to generate a CSR for your plateform.

PSD attributes

The PSD field format has been defined by the EBA:

  • France:
    • National Competent Authority: Autorité de contrôle prudentiel et de résolution
    • NCA ID: ACPR
    • PSP authorisation number: use your CIB if you have one, otherwise your SIREN number
  • United Kingdom:
    • National Competent Authority: Financial Conduct Authority
    • NCA ID: FCA
    • PSP autorisation number: FCA autorisation number
  • Check this list for other countries

Obtaining official certificates

TBS issues PSD2 certificates from a certification authority that has been audited compliant to the ETSI TS 119 495 V1.2.1 (2018-11) standard. The vetting process requires that the legal representative of the organisation applying for the certificate must have a qualified eIDAS electronic signature in order to be able to sign the contractual documents. (You can order one here: Certigna ID RGS** or use an online eIDAS signature service).

The QWAC require a technical verification via DCV which consists of adding a TXT record in the DNS.

We issue PSD2 certificates for all 31 countries in the European Economic Area having a participating NCA. Your organisation must have an authorisation number issued by your NCA.

Delivery time is 5 business days (once your signed documentation is received).

Certificate hierarchy