PSD2 Certificates

PSD stands for Payment Services Directive, 2015/2366 in EU terminology.

The PSD2 is a regulation that applies to the banking world, with the objective of ensuring its modernisation.

X.509 certificates are issued to PSPs (Payment Service Providers), which may be credit institutions, payment institutions, fintechs, etc. A PSP must be authorised by a national banking authority (NCA).

With regard to digital certificates, the directive introduces 2 new types of certificates that are documented in the ETSI TS 119 495 standard, which are derived from qualified eIDAS certificates:

  • a QWAC certificate (Qualified Website Authentication Certificate), which is a TLS server certificate with server and client EKUs, which also derives from the CA/B Forum Extended Validation standard and contains fields specific to PSPs

  • a seal certificate (QSealC or SealC) which is a server seal certificate containing fields specific to PSPs

All banks (ASPSPs) offering an online service must also offer API access to other PSPs (TPPs). This access is based on a TLS layer (to ensure confidentiality) with mutual authentication. The client (the initiator of the connection) must present a QWAC PSD2 certificate to identify itself; the server can use a QWAC PSD2 certificate or another TLS certificate. This QWAC can use a software-stored private key; there is no obligation to use qualified cryptographic hardware.

On the other hand, once the communication is established, the exchanged information is signed with the server seal certificate for storage purposes and to identify the data transmitted end-to-end (there may be aggregators or exchange nodes at the TLS level). PSD2 does not make the use of the seal certificate mandatory, but it is recommended for its evidential value. QSealCs can generate qualified signatures if the private key is generated and operated within a QSCD (qualified cryptographic hardware); otherwise the generated signatures are of the advanced type and a SealC is sufficient. PSD2 does not require signatures to be qualified.

These 2 types of certificates must be issued by a QTSP (Qualified Trust Service Provider), i.e. an eIDAS Qualified Certification Authority that has been audited for the ETSI TS 119 495 standard.

In addition, actors must also implement verifications to ensure that the certificates presented comply with the standard, contain the required fields, are issued by a QTSP and are not revoked.
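As an added example (not TBS code), here is the "contain the required fields" part of these verifications for the organizationIdentifier subject attribute, using the PSD identifier scheme of ETSI TS 119 495. It assumes the certificate arrives as the dictionary returned by Python's ssl getpeercert(), and that `register` is a hypothetical local copy of NCA authorisation data; the QTSP chain and revocation checks are separate steps.

```python
import re

# PSD scheme of organizationIdentifier (ETSI TS 119 495): "PSD" + NCA country code
# + "-" + NCA identifier (2-8 letters A-Z) + "-" + authorisation number.
PSD_ORG_ID = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)")
# OpenSSL reports the attribute by name or by raw OID depending on the build.
ORG_ID_KEYS = {"organizationIdentifier", "2.5.4.97"}


def psd2_org_id(peercert):
    """Return (country, nca_id, authorisation_number) from a getpeercert()-style dict."""
    values = [value
              for rdn in peercert.get("subject", ())
              for key, value in rdn
              if key in ORG_ID_KEYS]
    if len(values) != 1:
        raise ValueError(f"expected one organizationIdentifier, found {len(values)}")
    match = PSD_ORG_ID.fullmatch(values[0])
    if match is None:
        raise ValueError(f"not a PSD-scheme identifier: {values[0]!r}")
    return match.groups()


def check_against_register(peercert, register):
    """Accept the peer only if its authorisation is listed and still valid.

    `register` is a hypothetical mapping built from NCA data (an assumption of
    this example): (country, nca_id, number) -> {"name", "authorised"}.
    """
    country, nca_id, number = psd2_org_id(peercert)
    entry = register.get((country, nca_id, number))
    if entry is None:
        raise ValueError(f"PSP {number} not found for NCA {country}-{nca_id}")
    if not entry["authorised"]:
        raise ValueError(f"authorisation {number} withdrawn")
    return entry["name"]


# Constructed sample data: the PSP, NCA identifier and numbers are all made up.
SAMPLE_CERT = {"subject": ((("countryName", "ZZ"),),
                           (("organizationName", "Example Pay"),),
                           (("organizationIdentifier", "PSDZZ-EXNCA-12345"),),
                           (("commonName", "api.example-pay.test"),))}
SAMPLE_REGISTER = {("ZZ", "EXNCA", "12345"): {"name": "Example Pay", "authorised": True},
                   ("ZZ", "EXNCA", "99999"): {"name": "Former PSP", "authorised": False}}

if __name__ == "__main__":
    print(check_against_register(SAMPLE_CERT, SAMPLE_REGISTER))
```
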

Obtaining test certificates

TBS issues test certificates that have the structure of PSD2 certificates but are not issued by an official certification authority. The vetting process is also streamlined.

The CSR

The CSR of the WAC certificate must be filled in like that of an EV certificate. The CSR of the seal certificate must contain a CN formatted as "O_field_content - test PSD".

It is neither necessary nor advisable to define an organizationIdentifier field in those CSRs. See our documentation to generate a CSR for your platform.

Obtaining official certificates

TBS issues PSD2 certificates from a certification authority that has been audited as compliant with the ETSI TS 119 495 V1.2.1 (2018-11) standard. It is not yet visible in the EU trust list (pending update). The vetting process requires the legal representative of the organisation applying for the certificate to hold a qualified eIDAS electronic signature certificate in order to sign the contractual documents. (You can order one here: Certigna ID RGS** or ChamberSign Eurodacio 2*).

We issue PSD2 certificates for all EEA countries having a participating NCA. Your organisation must have an authorisation number issued by your NCA.