
For compliance with ETSI TS 119 495


A safe approach for the banking of the future

Comply with authentication and communications security requirements with ANF AC qualified certificates.

Certificates for PSD2 compliance

If you are a Payment Service Provider, make sure you have Qualified certificates in accordance with eIDAS.
The Payment Services Directive (PSD2) takes effect in September 2019.

The financial services market is one of the most critical markets, with constant threats of fraud and security risk. The payment services directive (PSD2) is creating a new Digital Financial Services Market (together with new actors in the ecosystem).

All companies that plan to become a Payment Service Provider (PSP) under the new Payment Services Directive (PSD2) must use electronic certificates created specifically for PSD2 to safeguard the security of information.

It is important that these electronic certificates meet the requirements of the Regulatory Technical Standards (RTS) of the European Banking Authority for strong client authentication and secure common communications, so that all Payment Service Providers (PSP) and the users of the payment service (PSU) are protected when doing online business.

Two types of qualified PSD2 certificates


ANF Autoridad de Certificación

First Spanish CA accredited to issue qualified PSD2 certificates.

ANF Autoridad de Certificación is the first Certification Authority accredited in Spain to issue certificates of type PSD2 as specified in the “Regulatory Technical Standards (RTS) of PSD2 for a solid authentication of the client and common and secure open communication standards”. The RTS requires the use of Qualified Electronic Seal Certificates (QC eSeal) and Qualified Website Authentication Certificates (QWAC) issued in accordance with the ETSI TS 119 495 standard.

Why choose ANF Autoridad de Certificación?

1st Spanish CA accredited to issue PSD2 certificates
Qualified Trust Services Provider
European CA
Years of experience behind us

PSD2 electronic seal certificate

Single role, 1 year: 950 €
Single role, 2 years: 1.750 €
Multiple roles, 1 year: 1.150 €
Multiple roles, 2 years: 2.250 €

PSD2 SSL Certificate

Single role, 1 year: 1050 €
Multiple roles, 1 year: 1350 €

Set of 2 PSD2 certificates (SSL and Electronic Seal)

Single role, 1 year: 1.750 €
Single role, 2 years: 2650 €
Multiple roles, 1 year: 2.350 €
Multiple roles, 2 years: 4450 €


    Frequently Asked Questions

    1. What is the new PSD2 regulation and what opportunities does it offer?

    The Second Payment Services Directive (PSD2) creates a new scenario in the banking and payments sector, since it obliges banks to grant Third Party Providers access to their clients' accounts. PSD2 opens enormous opportunities, both for new entities and organizations that want to participate in the banking and payment services sector and for the banking entities themselves. The directive is in keeping with the spirit of open banking and promotes competition. To make this approach possible, the PSD2 Directive imposes very strict security requirements on financial technologies. One of these requirements is that participants must use qualified Electronic Seal and Website Authentication certificates, both of PSD2 type.

    2. What are the requirements for Third Party Providers?

    To use the bank's interface, Third Party Providers require a license for access rights. This license is issued by the National Competent Authority (NCA). Once it is granted, the provider requires a Website Authentication certificate to secure its communication. This allows the provider to identify itself to the bank as the holder of an NCA license. The bank may also require the additional use of an electronic seal to guarantee the integrity of the signed data.

    3. What are qualified certificates?

    Qualified certificates are electronic certificates that comply with Regulation (EU) No 910/2014 of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market (eIDAS). They can only be issued by Qualified Trust Service Providers (QTSPs) accredited for this service, such as ANF Autoridad de Certificación.

    ANF AC, as a QTSP, guarantees that its certificates are qualified and comply with the eIDAS Regulation.

    4. Why is eIDAS (qualified certificates) relevant to PSD2?

    Article 34 of the Regulatory Technical Standards (RTS) for strong client authentication and secure communications under PSD2 indicates that eIDAS certificates must be used for the identification of Payment Service Providers (PSPs), and refers to two types of existing qualified certificates:

    • Qualified certificate for Electronic Seal (QSealC)
    • Qualified certificate for Website Authentication (QWAC)

    In addition, these certificates contain the following attributes required by the RTS:

    • Authorization number of the PSP, issued by the National Competent Authority (NCA)
    • Role of the PSP
    • Name of the National Competent Authority where the PSP is registered

    PSD2 certificates of ANF Autoridad de Certificación are in full compliance with the RTS and with Spanish Royal Decree-Law 19/2018, of November 23, on payment services and other urgent financial measures, which transposes the Payment Services Directive (EU) 2015/2366 (PSD2).

    5. When is it appropriate to use each PSD2 certificate?

    The RTS allow the use of qualified certificates of Electronic Seal (QSealC) and Website Authentication (QWAC) for identification. Each certificate is designed to fulfill a very specific function in the different security protocols set out by the Directive.

    The choice between a QSealC and a QWAC is not arbitrary; it depends on how the certificates are used in the design of the interface.

    A QWAC secures communication between banks and external providers at the level of data transmission. The payment service uses it to authenticate to the bank that provides the account as the holder of an NCA registration number. The QWAC contains information on the function of the company, as well as its registration identification with the Financial Supervision Authority. In addition, QWACs encrypt all communication between the bank, the payment service provider and the user.

    A QSealC secures the data at the application level. This is especially useful to determine, in case of damage, who has accessed the API. The QSealC makes this process much easier. In principle, a bank may require that an external provider use qualified electronic seals. The seal also documents all requests from the service provider and protects the signed data against modifications.

    6. What is the Authorisation Number?

    Under PSD2, Article 34 of the RTS for strong authentication of the client and common and secure communications makes it clear that the number issued by the National Competent Authority (in the case of Spain, the Bank of Spain) is the identifier to use.

    7. What is the role of the Payment Service Provider?

    There are 4 possible roles to include in the PSD2 certificate:

    • Account Servicing
    • Payment Initiation
    • Account information
    • Issuing of Card-Based Payment Instruments
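
The check a bank-side API could apply to the attributes described in questions 4, 6 and 7, once they have been read from an already validated PSD2 certificate. This is an added example, not ANF AC code: the identifier syntax and role abbreviations follow ETSI TS 119 495, while the operation names, the `PspIdentity` type and the sample identifier are constructed for illustration.

```python
import re
from dataclasses import dataclass

# organizationIdentifier syntax defined by ETSI TS 119 495:
# "PSD" + country of the NCA + "-" + NCA identifier + "-" + authorisation number
ORG_ID = re.compile(r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<number>.+)")

# Role abbreviations carried in the certificate for the four roles listed above
ROLES = {"PSP_AS": "Account Servicing", "PSP_PI": "Payment Initiation",
         "PSP_AI": "Account Information",
         "PSP_IC": "Issuing of Card-Based Payment Instruments"}

# Assumption: hypothetical operations of a bank API and the role each one needs
REQUIRED_ROLE = {"initiate_payment": "PSP_PI", "read_accounts": "PSP_AI",
                 "confirm_funds": "PSP_IC"}


@dataclass(frozen=True)
class PspIdentity:
    country: str
    nca_id: str
    authorisation_number: str
    roles: frozenset


def parse_psp_identity(org_identifier, roles):
    """Split the identifier and reject malformed values or unknown roles."""
    match = ORG_ID.fullmatch(org_identifier)
    if match is None:
        raise ValueError("not a PSD2 organizationIdentifier")
    roles = frozenset(roles)
    if not roles or roles - set(ROLES):
        raise ValueError("missing or unknown PSP role")
    return PspIdentity(match["country"], match["nca"], match["number"], roles)


def is_authorised(identity, operation):
    """Deny by default: unknown operations and missing roles are refused."""
    required = REQUIRED_ROLE.get(operation)
    return required is not None and required in identity.roles


if __name__ == "__main__":
    tpp = parse_psp_identity("PSDES-BDE-0000", ["PSP_AI"])  # constructed value
    for op in ("read_accounts", "initiate_payment"):
        print(op, is_authorised(tpp, op))
```

A provider whose certificate carries only the account information role is refused payment initiation even though its TLS connection and seal are otherwise valid.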

    8. Can you edit the content of the certificates?

    There is no possibility to edit the fields of an existing certificate. If there is a change in the information contained in the certificate, for example, the name of the PSP, the old certificate must be revoked and a new one issued.