Introduction

This article is the second in a series dealing with the use of the eIDAS regulation and qualified certificates in the context of the PSD2 directive. In the first article we described the PSD2 requirements for TPP identification when using the ASPSP “special interface” / “emergency interface”. In this article we focus on the certificates themselves and indicate at which point each of them is used when providing AIS, PIS, CoF and “emergency interface” services.

Types of eIDAS certificates in PSD2

To fulfil the security requirements, banks and TPP service providers will use qualified certificates for website authentication and qualified certificates for electronic seals. These certificates are issued by qualified trust service providers (QTSPs) in accordance with the technical standard ETSI TS 119 495, published in May 2018. A qualified certificate allows a third party to identify and verify a payment institution. Identification is based on the organization’s legal name, its registration (authorisation) number and its role(s) in the payment market; ETSI TS 119 495 carries the registration number in the subject’s organizationIdentifier attribute, and the roles, together with the name and identifier of the national competent authority (NCA) that authorised the institution, in a dedicated PSD2 QcStatement.

Certificates

There are two types of certificates directly supporting PSD2:

  • a qualified website authentication certificate (QWAC) that allows both parties (banks and service providers) to identify each other and build a secure channel for transactions. When establishing the connection, both parties present their certificates and use the corresponding private keys to prove their identity and set up mutually authenticated TLS (mTLS) communication;

During this process the correctness and validity of each qualified certificate are confirmed, including the status of the qualified trust service provider that issued it (the QTSP must be listed on the EU trusted lists). The resulting channel protects the confidentiality of the traffic and the authenticity of both endpoints, but only for the duration of the session; it leaves no evidence that can later be shown to a third party.

  • a qualified electronic seal certificate (QSealC) that allows all evidence, including all data, transaction requests and confirmations, to be sealed. The QSealC makes it possible to seal all relevant information in the communication, which protects the authenticity and integrity of the data. With this method, if the exchanged information is needed as evidence in a dispute, the relying party can confirm who created the data and that it has not been altered since it was sealed.
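The identification attributes described above (legal name, registration number, role(s)) and the distinction between the two certificate types are both carried in X.509 extensions defined by ETSI EN 319 412-5 and ETSI TS 119 495. The following is an added example, not code from this article, from any QTSP or from any API standard: a pure-Python DER encoder and parser for the qcStatements extension of a PSD2 QWAC or QSealC, plus a parser for the subject organizationIdentifier. The OIDs and the ASN.1 layout are the standards’ own; the function names (encode_qc_statements, parse_psd2_identity, parse_organization_identifier, may_use) and the NCA name, NCA identifier and authorisation number used as input are constructed for illustration.

```python
"""Encode and parse the PSD2 qcStatements of a QWAC / QSealC (pure-Python DER).

Added example for this article; not code from the page or from any QTSP.
OIDs and ASN.1 follow ETSI EN 319 412-5 and ETSI TS 119 495. The sample NCA
values and the function names are constructed for illustration only.
"""
import re

OID_QC_COMPLIANCE = "0.4.0.1862.1.1"    # id-etsi-qcs-QcCompliance: certificate is qualified
OID_QC_TYPE = "0.4.0.1862.1.6"          # id-etsi-qcs-QcType
OID_QCT_ESEAL = "0.4.0.1862.1.6.2"      # id-etsi-qct-eseal -> QSealC
OID_QCT_WEB = "0.4.0.1862.1.6.3"        # id-etsi-qct-web   -> QWAC
OID_PSD2 = "0.4.0.19495.2"              # id-etsi-psd2-qcStatement (TS 119 495)
PSD2_ROLES = {                          # etsi-psd2-roles: 0.4.0.19495.1.x
    "0.4.0.19495.1.1": "PSP_AS",        # account servicing (ASPSP)
    "0.4.0.19495.1.2": "PSP_PI",        # payment initiation (PIS)
    "0.4.0.19495.1.3": "PSP_AI",        # account information (AIS)
    "0.4.0.19495.1.4": "PSP_IC",        # card-based payment instrument issuing (CoF)
}
SERVICE_ROLE = {"AIS": "PSP_AI", "PIS": "PSP_PI", "CoF": "PSP_IC"}


# ---- minimal DER writer (enough for SEQUENCE, OID and UTF8String) ----------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:                                  # short-form length
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body  # long-form length


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]                # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, high bit = "more follows"
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))


def _utf8(s):
    return _tlv(0x0C, s.encode("utf-8"))


def _seq(*items):
    return _tlv(0x30, b"".join(items))


# ---- minimal DER reader ----------------------------------------------------
def _children(body):
    """Yield (tag, value) for each TLV directly inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:                             # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + ln]
        pos += ln


def _dec_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0  # correct for first arc 0 or 1, as here
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def encode_qc_statements(kind, roles, nca_name, nca_id):
    """DER value of the qcStatements extension for a PSD2 QWAC ('QWAC') or QSealC.

    Roles are emitted in the standard's OID order regardless of input order.
    """
    qc_type = OID_QCT_WEB if kind == "QWAC" else OID_QCT_ESEAL
    role_list = _seq(*[_seq(_oid(o), _utf8(r)) for o, r in PSD2_ROLES.items() if r in roles])
    return _seq(
        _seq(_oid(OID_QC_COMPLIANCE)),                 # QcCompliance has no statementInfo
        _seq(_oid(OID_QC_TYPE), _seq(_oid(qc_type))),  # QcType ::= SEQUENCE OF OID
        _seq(_oid(OID_PSD2), _seq(role_list, _utf8(nca_name), _utf8(nca_id))),
    )


def parse_psd2_identity(ext_value):
    """Read certificate kind, PSD2 roles, NCA name and NCA id from a qcStatements value."""
    info = {"kind": None, "qualified": False, "roles": [], "nca_name": None, "nca_id": None}
    tag, body = next(_children(ext_value))
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    for _, stmt in _children(body):
        parts = [v for _, v in _children(stmt)]       # [statementId, statementInfo?]
        sid = _dec_oid(parts[0])
        if sid == OID_QC_COMPLIANCE:
            info["qualified"] = True
        elif sid == OID_QC_TYPE:
            types = {_dec_oid(v) for _, v in _children(parts[1])}
            if OID_QCT_WEB in types:
                info["kind"] = "QWAC"
            elif OID_QCT_ESEAL in types:
                info["kind"] = "QSealC"
        elif sid == OID_PSD2:
            roles, nca_name, nca_id = [v for _, v in _children(parts[1])]
            for _, role in _children(roles):          # RoleOfPSP ::= SEQUENCE { oid, name }
                role_oid = _dec_oid(next(_children(role))[1])
                info["roles"].append(PSD2_ROLES.get(role_oid, role_oid))
            info["nca_name"], info["nca_id"] = nca_name.decode(), nca_id.decode()
    return info


# Subject organizationIdentifier: "PSD" + country + "-" + NCA id (2-8 upper-case) + "-" + number
ORG_ID_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")


def parse_organization_identifier(org_id):
    m = ORG_ID_RE.match(org_id)
    if not m:
        raise ValueError("organizationIdentifier does not follow ETSI TS 119 495")
    return {"country": m.group(1), "nca_id": m.group(2), "authorization_number": m.group(3)}


def may_use(info, service):
    """ASPSP-side check: the certificate is qualified and carries the role for the service."""
    return info["qualified"] and SERVICE_ROLE[service] in info["roles"]


if __name__ == "__main__":
    # Constructed sample: a Polish TPP authorised for PIS and AIS, with a QWAC.
    der = encode_qc_statements("QWAC", ["PSP_PI", "PSP_AI"], "Komisja Nadzoru Finansowego", "PL-PFSA")
    print(parse_psd2_identity(der))
    print(parse_organization_identifier("PSDPL-PFSA-1234567890"))
```

In production the DER value passed to parse_psd2_identity comes from the qcStatements extension (OID 1.3.6.1.5.5.7.1.3) of the peer’s certificate after the chain and the issuing QTSP have been validated; the role check is what an ASPSP applies before accepting, for example, a payment initiation request from a TPP that only holds the PSP_AI role.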

We now know which certificate is used at each step when a TPP and an ASPSP set up a connection and exchange information: the qualified website authentication certificate is used while establishing the secure TLS channel, and the qualified seal certificate is used when exchanging messages inside that already-secured channel.

The certificates are used in the same way in the context of the “special interface” and the “emergency interface”. The most mature “special interface” API standard is OpenBanking GB: QWAC and QSealC certificates can be used there since version 3.1, released in November 2018, so OpenBanking GB met the RTS requirements. The Polish native standard, PolishAPI, does not mention eIDAS certificates. This does not mean that PolishAPI does not support the use of these certificates; presumably the authors of the standard assumed that, because the RTS explicitly requires eIDAS certificates, PolishAPI does not need to repeat this requirement.

In the next article we will describe how to use eIDAS certificates in conjunction with the PolishAPI standard.