European payment services providers are in full gear to meet the September 2019 effective date for PSD2 technical standards, which includes the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication. Through its European Qualified Trust Service Provider (TSP), QuoVadis, DigiCert is able to provide qualified digital certificates for PSD2.
The European Commission has long sought to make electronic payments as simple and secure across borders in the EU as they are within any single nation. Based on these efforts, a revised Payment Services Directive (EU Directive 2015/2366 known as PSD2) became effective in January 2018 with the following objectives:
PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:
The PSD2 RTS states that digital certificates issued by eIDAS Qualified Trust Service Providers (TSP) may be used by PSPs for online identification and secure communication.
eIDAS (EU Regulation 910/2014) is the European regime for regulating electronic identification, authentication and trust services. Certificates issued by regulated TSPs in accordance with the regime are known as qualified and provide special status in certain legal and regulatory contexts.
A new ETSI standard, ETSI TS 119 495, defines the TSP policies and profiles for certificates meeting the requirements of the PSD2 RTS, which builds on the other eIDAS qualified standards. This includes defining fields for the certificates containing:
DigiCert also proposed Ballot SC17 in the CA/Browser Forum, which will enable PSD2 and other organisational identifier fields to be added to Extended Validation (EV) TLS certificates
There are two types of digital certificates being used in PSD2 for secure communications:
Each certificate offers different protection depending on the use case.
|Type of PSD2 Certificate||QWAC TLS/SSL||eSeal / QSealC|
|Where is it used?||Identifies end points, protects data during communication||Identifies origin of document or data and makes it tamperproof in communication and storage|
|What are the security features?||Confidentiality, authentication, and integrity||Authentication and integrity|
|Provides legal evidential value for transactions?||No||Yes, under eIDAS|
|Is data protected when passed through an intermediary?||Protects in direct peer-to-peer communications||End-to-end, even if passed through intermediary|
The RTS describes different scenarios that PSPs can consider in their use of certificates for secure communication. For example, the RTS describes a secure option with parallel protection of both the payment transactions data and their communications channels:
As a global leader of PKI-based solutions, DigiCert is keenly focussed on the specific regional and industry requirements surrounding online authentication, encryption, and digital signatures. In delivering this vision, DigiCert’s European QuoVadis operations are accredited as a Qualified Trust Service Provider in both the EU under eIDAS and in Switzerland.
With the September PSD2 deadline in sight, QuoVadis is already delivering test PSD2 certificates as banks and PSPs prepare their communication interfaces for the three-month prototype test.
For PSPs already advancing to the final three-month live test, QuoVadis can provide qualified PSD2 certificates. These qualified certificates require a heightened validation of the certificate administrator’s identity and authority, usually face-to-face or through notarised documents. For more information, please visit our PDS2 webpage.