Pursuing the principles of open banking, the Payment Services Directive 2 (PSD2) means that financial institutions must open up, among other things, APIs and customer account data to regulated third party payment service providers. The goal is that those third parties will be able to build innovative new services for banking customers.
Another key pillar of PSD2 is the aim to secure electronic payments and communications across European borders. It does so by requiring Strong Customer Authentication - backed up with multi-factor authentication - and secure communication by PSPs.
The secure communication concept within PSD2 requires that transactions between banks and PSPs be protected with digital certificates issued by qualified Trust Service Providers (TSPs) which are supervised under the EU’s Electronic Identification, Authentication & Trust Services (eIDAS) regulation, the group that ultimately sets standards for many e-transaction activities in the EU.
Qualified certificates issued under eIDAS mean that consistent technical and identity checking standards are followed by different issuers across the EU. The EU’s emphasis is on ensuring that strong identity assertions are bound to the organization named in the certificate as a means of protecting users from the growing use of low-authentication certificates that only verify the domain in online fraud campaigns.
First is the Qualified Certificate for Electronic Seals (QSealC) which is used to create digital signatures to protect data or documents. These e-Seals are used at the application layer to prove the authenticity and the legal origin of a transaction, providing an ‘electronic paper trail’ for authorities as well as assurances between the banks and PSPs.
Second and more commonly used is the QWAC - the Qualified Certificate for Website Authentication – which is used for two purposes: the verification of the parties, and their secure communications using Transport Layer Security Encryption.
The QWAC standards are partly based on the CA/Browser Forum’s standard for Extended Validation certificates (EV), the strongest form of identity assurance for users on the web, and so draw upon their high assurance identity vetting procedures. In addition, Qualified PSD2 certificates include information on the holder’s regulatory authorization and roles under PSD2.
The PSD2 Regulatory Technical Standards (RTS) describe the different ways in which these certificates might be used. In one example, it describes a secure option with parallel protection for both the payment transactions data and their communications channels. In such a situation, QWACs would be used to assert the PSP’s identity and communicate securely and QSealCs will be used to ensure that the app data originates from a trusted PSP and has not been tampered with.
The deadline to become PSD2 compliant is coming in mid-September 2019, and most enterprises are already deep in their preparations. Such is the scale of the task that some countries – such as the UK – have already signaled delays in PSD2 enforcement. However, enterprises which fail to live up to the PSD2 requirements may ultimately be issued a penalty by their NCA. Moreover, those that don’t use eIDAS-approved certificates may find themselves outside of the legal protections that the directive offers.
In order to comply, PSPs must purchase certificates from eIDAS-Qualified TSPs, which will verify the applicant’s license information with the relevant National Competent Authority (financial regulator). To date, the significant providers of PSD2 certificates include DigiCert by virtue of its acquisition of QuoVadis, as well as BuyPass, InfoCert, Microsec and D-Trust.
QWACs and QSealCs are on their way in the context of PSD2 – one small part of the sea change being driven by the Payment Services Directive, which will ultimately affect the entire European payments ecosystem.
At the same time, they represent a major step ahead for the eIDAS Qualified certificates which are likely to be adopted in other regulated industries and transactions.