What is APILogic TPP Validator?

The European Union Directive PSD2 (Payment Service Directive 2) announced in 2016 implements an open banking API on European market, enabling third parties to initiate payments and access to the client’s bank accounts. The directive and regulatory standards require that all transactions should be processed via secure channels and that all the data should be protected in terms of authenticity and integrity.

Qualified certificates supporting PSD2

To meet security requirements, banks (or generally the account servicing payment service provider – ASPSP) and external PSD2 service providers (Third Party Provider, TPP) will use qualified certificates for websites (QWAC) and qualified certificates for electronic seal (QSealC). These certificates will be issued by qualified trust service providers (QTSP) based on the new technical standard ETSI TS 119 495, which was published in May, 2018.

Validation of a qualified EIDAS certificate

The QWAC and QSealC certificates described above must be qualified in accordance with the EIDAS Regulation. In order to validate the qualified EIDAS certificate, the validating entities must significantly extend the validation tools. Among others, following challenges must be addressed:

  • The list of PSP certificates for validation is not known and it is variable over time.
  • PSP certificates can be issued by QTSP throughout the European Union.
  • The number of CA Root certificates used by QSTP is not known and it is variable over time (currently there are more than 200).
  • Attributes necessary for validation (eg. link to the CRL list) may be outside of the certificate (eg. on TSL lists).

Considering mentioned above, it is not possible to use standard tools to validate the certificate, based on hardware solutions such as NetScaler or F5.

Register of payment and credit institutions

Besides certificates validation, before transaction ASPSP must confirm that TPP:

  • is authorized by the competent national authority
  • is approved for performing PSP role that is compatible with its API request
  • owns "passportization" to perform services in a specific country.

Verification of the above mentioned requirements is possible by confirming the actual state in the registers kept by the competent national authority. The option it is to query the EBA register which needs to be updated on a regular basis by the competent national authority due to the PSD2 directive.


In order to meet the RTS requirements (article 33 and 34) beneath there are requirements that ASPSP should implement:

  • Validation of the qualified EIDAS website authentication certificate (QWAC) in real time
  • Validation of the qualified seal EIDAS certificate (QSealC) in real time
  • Validation of the actual state of the license / entry in the register in real time

The APILogic TPP Validator through the provided functionality supports the implementation of the requirements described in Article 33 and 34 of Commission delegated regulation 2018/389 (RTS)


Contact us!

Test TPP Validator


APILogic TPP Validator is a software for checking certificates and the status of a license or entry in the register of payment institutions. APILogic Validator performs its services in accordance with European legislation. In particular APILogic TPP Validator supports the eIDAS Regulation, the PSD2 Directive and other related standards.

The scope of the APILogic TPP Validator service:

  • support for TPP identity verification by validation of qualified authentication certificate QWAC
  • support to confirm the integrity and authenticity of documents sent by TPP by validating the qualified seal certificate (QSealC).
  • confirmation of the current status of the license and entry in the PSP register by querying the EBA register for the actual state.

APILogic TPP Validator can be implemented in two models:

  • as a PROXY component with validation function
  • as REST validation services


APILogic TPP Validator has a PROXY module that validates the certificate before forwarding the request to the emergency interface. Thus, it provides the requirements of article 33 and 34 of the RTS standard.


In this model, APILogic TPP Validator provides REST services that validate PSP requests forwarded to the API Gateway. The API Gateway calls the APILogic TPP Validator to validate the certificate and the PSP license before passing the request to the actual PSD2 services.

The solution provides the following REST services:

  • validatePSD2certificate
  • validatePSD2license

The second service at the entrance receives the TPP license number and returns information about:

  • license status
  • PSD2 roles assigned to TPP
  • the status of passportization

The first of services receives the TPP certificate at the entrance and validates it in accordance with the requirements of the EIDAS Regulation and EBA requirements. In response the service returns information about:

  • certificate status
  • PSD2 roles in which TPP may occur (AISP, PISP)
  • the number of TPP license
  • type of certificate: QWAC, QSealC