Introduction

This article is the last in a series of articles dealing with the eIDAS Regulation and the use of qualified certificates in the context of the PSD2 directive. We describe a solution that addresses the requirements described so far in the area of communication security between TPP and ASPSP. As a reference solution we present TPP Validator, created by us.

Implementation of secure communication requirements between TPP and ASPSP

Let’s start by gathering all the requirements described in the previous articles of our series. A solution ensuring secure communication between TPP and ASPSP should meet all of them. In our case, we put ourselves in the role of the ASPSP, because the ASPSP, in accordance with the requirements of the RTS, is responsible for checking the TPP.

As a bank, we must meet the following requirements:

1. Requirements

1.1. Confirm the correctness / validity of the eIDAS certificates used by the TPP:

1.1.1. QWAC when setting up the TLS channel (mTLS)

1.1.2. QSealC while checking the signature of the message sent by the TPP

1.2. Check whether the TPP has the appropriate roles as a payment institution

1.2.1. Check the status of the license / entry in the PSP registry, regardless of the roles stated in the certificate

1.2.2. Check whether the PSP has passporting to perform services in a specific country

1.2.3. Certificate validation time cannot be longer than ~100 ms

1.2.4. The time of checking the passporting and license status may not exceed ~100 ms

1.3. Integration with the existing hardware (Netscaler, F5) and software (API Gateway) solutions should be assured in order to ensure security during:

1.3.1. establishing the mTLS connection

1.3.2. processing requests based on signed messages

2. Constraints:

2.1. We cannot require TPP registration in our systems / API Portal. Communication between TPP and ASPSP must be automatic and may not require manual registration in ASPSP systems.

2.2. Explicit restriction set by RTS.

The implementation of the above requirements and constraints, based on the approach used in our TPP Validator solution, is described below:

  • We have implemented support for the eIDAS standards (https://portal.etsi.org//TBSiteMap/ESI/ESIActivities.aspx), which allows eIDAS / PSD2 certificates to be validated in accordance with the requirements of the eIDAS Regulation and the PSD2 Directive
  • We have implemented support for the ETSI TS 119 495 standard, which allows the PSP roles to be checked
  • We have implemented integration with the EBA register of payment institutions, which allows the TPP’s passporting to be checked and the status of its license to be confirmed
  • We have ensured adequate SLAs by “caching” the content:
    • of all TSL lists
    • of the EBA register of payment institutions
  • Integration with the existing security solutions of the ASPSP (hardware / software gateway) was achieved by providing OCSP services for eIDAS certificate validation and REST services for retrieving information about licenses, passporting and TPP roles.
  • Automatic confirmation of the TPP’s identity during:
    • establishing the TLS (mTLS) connection with the ASPSP
    • checking the signature of the message by the ASPSP,

without the need for manual registration of the TPP in the ASPSP system, which was implemented thanks to integration with the pan-European eIDAS PKI.
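As an added example (not TPP Validator’s code), the following Python decodes the PSD2 QCStatement defined by ETSI TS 119 495 from a certificate’s QCStatements extension, so that the PSP roles and the supervising NCA needed for requirement 1.2 can be read and checked. The small DER parser, the constructed sample statement and the organizationIdentifier cross-check are mine; the register lookup of 1.2.1 is left as a separate step.

```python
# Added example (stdlib only, not TPP Validator code): decode the ETSI TS 119 495 PSD2 QCStatement from DER.
PSD2_QC_STATEMENT = "0.4.0.19495.2"                    # etsi-psd2-qcStatement
PSD2_ROLES = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",
              "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}

def children(body):                                    # (tag, value) of each element in a DER value
    pos = 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        yield tag, body[pos:pos + n]
        pos += n

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                                 # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_psd2_qcstatement(qc_statements_der):
    """Return {'roles', 'nca_name', 'nca_id'} from the PSD2 statement, or None if absent."""
    (_, stmts), = children(qc_statements_der)          # outer SEQUENCE OF QCStatement
    for _, stmt in children(stmts):
        items = list(children(stmt))                    # statementId [, statementInfo]
        if len(items) == 2 and decode_oid(items[0][1]) == PSD2_QC_STATEMENT:
            roles_seq, nca_name, nca_id = (v for _, v in children(items[1][1]))
            roles = [PSD2_ROLES.get(decode_oid(next(children(r))[1]), "unknown")
                     for _, r in children(roles_seq)]
            return {"roles": roles, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}
    return None

def check_tpp_certificate(qc_statements_der, org_id, required_role):
    """Certificate side only: required role asserted, and organizationIdentifier PSD<nCAId>-<number> matches nCAId."""
    info = parse_psd2_qcstatement(qc_statements_der)
    return bool(info) and required_role in info["roles"] and org_id.startswith(f"PSD{info['nca_id']}-")

# Constructed sample input, built with a tiny DER encoder (every element stays under 128 bytes).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def psd2_oid(*tail):                                   # 0.4.0.19495.<tail> as a DER OID
    return tlv(0x06, bytes([4, 0, 0x81, 0x98, 0x27, *tail]))
def sample_qc_statements():
    role = lambda oid, name: tlv(0x30, oid + tlv(0x0C, name.encode()))
    psd2 = tlv(0x30, tlv(0x30, role(psd2_oid(1, 3), "PSP_AI") + role(psd2_oid(1, 2), "PSP_PI"))
               + tlv(0x0C, b"Example NCA (constructed)") + tlv(0x0C, b"XX-NCA"))
    qc_compliance = tlv(0x06, bytes([4, 0, 0x8E, 0x46, 1, 1]))      # 0.4.0.1862.1.1 QcCompliance
    return tlv(0x30, tlv(0x30, qc_compliance) + tlv(0x30, psd2_oid(2) + psd2))
```

In production the QCStatements value would come from the parsed QWAC or QSealC, and a positive result here only clears the certificate step; the EBA register lookup still decides whether the license is valid.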

——————————————

Marcin Parczewski

Founder and CEO of Inteca and author of the APILOGIC solution. An experienced systems architect, designer of advanced business improvements and digital transformation practices in large corporations.