PSD2 05-15-2019

Qualified Certificates for PSD2 Required by EU by September 2019

Stephen Davidson

European payment services providers are in full gear to meet the September 2019 effective date for PSD2 technical standards, which includes the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication. Through its European Qualified Trust Service Provider (TSP), QuoVadis, DigiCert is able to provide qualified digital certificates for PSD2.

Payment Services Directive (PSD2) compliance date of September 2019

The European Commission has long sought to make electronic payments as simple and secure across borders in the EU as they are within any single nation. Based on these efforts, a revised Payment Services Directive (EU Directive 2015/2366 known as PSD2) became effective in January 2018 with the following objectives:

  • Contribute to a more integrated and efficient European payments market.
  • Improve the level playing field for payment service providers.
  • Make payments safer and more secure.
  • Protect consumers.

PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:

  • strong customer authentication (SCA) for electronic payment transactions.
  • secure communication by the payment service providers.

Qualified PSD2 certificates

The PSD2 RTS states that digital certificates issued by eIDAS Qualified Trust Service Providers (TSP) may be used by PSPs for online identification and secure communication.

eIDAS (EU Regulation 910/2014) is the European regime for regulating electronic identification, authentication and trust services. Certificates issued by regulated TSPs in accordance with the regime are known as qualified and provide special status in certain legal and regulatory contexts.

A new ETSI standard, ETSI TS 119 495, defines the TSP policies and profiles for certificates meeting the requirements of the PSD2 RTS, which builds on the other eIDAS qualified standards. This includes defining fields for the certificates containing:

  • the National Competent Authority (NCA) or financial regulator where the PSP is registered.
  • the authorisation number issued to the PSP by the NCA.
  • the regulated PSD2 roles for which the PSP is licensed by the NCA.

DigiCert also proposed Ballot SC17 in the CA/Browser Forum, which will enable PSD2 and other organisational identifier fields to be added to Extended Validation (EV) TLS certificates

What PSD2 certificates do I need?

There are two types of digital certificates being used in PSD2 for secure communications:

  • Qualified Certificate for Website Authentication (QWAC) — used with Transport Layer Security (TLS) protocol such as is defined in IETF RFC 5246 or IETF RFC 8446 to protect data in peer-to peer communications.
  • Qualified Certificate for Electronic Seals (QSealC) — creates digital signatures used to protect data or documents using standards such as ETSI’s PAdES, CAdES or XAdES, and assert their origin from a legal entity.

Each certificate offers different protection depending on the use case.

Type of PSD2 Certificate QWAC TLS/SSL eSeal / QSealC
Where is it used? Identifies end points, protects data during communication Identifies origin of document or data and makes it tamperproof in communication and storage
What are the security features? Confidentiality, authentication, and integrity Authentication and integrity
Provides legal evidential value for transactions? No Yes, under eIDAS
Is data protected when passed through an intermediary? Protects in direct peer-to-peer communications End-to-end, even if passed through intermediary

The RTS describes different scenarios that PSPs can consider in their use of certificates for secure communication. For example, the RTS describes a secure option with parallel protection of both the payment transactions data and their communications channels:

  • Using QWACs to assert the PSPs’ identity and roles to each other and to communicate securely using TLS encryption.
  • Using QSealCs to ensure that the application data submitted originates from a particular PSP and has not been tampered with.

DigiCert delivers PSD2

As a global leader of PKI-based solutions, DigiCert is keenly focussed on the specific regional and industry requirements surrounding online authentication, encryption, and digital signatures. In delivering this vision, DigiCert’s European QuoVadis operations are accredited as a Qualified Trust Service Provider in both the EU under eIDAS and in Switzerland.

With the September PSD2 deadline in sight, QuoVadis is already delivering test PSD2 certificates as banks and PSPs prepare their communication interfaces for the three-month prototype test.

For PSPs already advancing to the final three-month live test, QuoVadis can provide qualified PSD2 certificates. These qualified certificates require a heightened validation of the certificate administrator’s identity and authority, usually face-to-face or through notarised documents. For more information, please visit our PDS2 webpage.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


What Is A CA’s Role In Delivering Digital Trust?


How to Secure Quantum Computing in the Cloud


4 best practices for bulk email senders