WELCOME TO THE NEW OPEN BANKING
For compliance with ETSI TS 119 495
A safe approach for the banking of the future
Comply with authentication and communications security requirements with ANF AC qualified certificates.
Certificates for PSD2 compliance
If you are a Payment Service Provider, make sure you have Qualified certificates in accordance with eIDAS.
The Payment Services Directive (PSD2) takes effect in September 2019.
The financial services market is one of the most critical markets, with constant threats of fraud and security risk. The Payment Services Directive (PSD2) is creating a new Digital Financial Services Market, together with new actors in the ecosystem.
All companies that plan to become a Payment Service Provider (PSP) under the new Payment Services Directive (PSD2) must use electronic certificates created specifically for PSD2 to safeguard the security of information.
It is important that these electronic certificates meet the requirements of the Regulatory Technical Standards (RTS) of the European Banking Authority for strong client authentication and secure common communications, so that all Payment Service Providers (PSP) and the users of the payment service (PSU) are protected when doing online business.
Two types of qualified PSD2 certificates
ANF Autoridad de Certificación
First Spanish CA accredited to issue qualified PSD2 certificates.
Why choose ANF Autoridad de Certificación?
PSD2 electronic seal certificate
PSD2 SSL Certificate
Set 2 certificates PSD2 (SSL and Electronic Seal)
Frequently Asked Questions
The Second Payment Services Directive (PSD2) creates a new scenario in the banking and payments sector, since it obliges banks to grant Third Party Providers access to their clients' accounts. PSD2 opens enormous opportunities, both for new entities and organizations that want to participate in the banking and payment services sector and for the banking entities themselves. The directive is in accordance with the spirit of open banking and promotes competition. For this approach to be possible, the PSD2 Directive imposes very strict security requirements on financial technologies. One of the requirements imposed by the directive is that the participating parties must use qualified certificates for Electronic Seal and for Website Authentication, both specific to PSD2.
To use the bank's interface, Third Party Providers require a license for access rights. This license is issued by the National Competent Authority (NCA). Once it is granted, the provider requires a Website Authentication certificate to secure its communications. This allows the provider to identify itself to the bank as the holder of an NCA license. The bank may also require the additional use of an electronic seal to guarantee the integrity of the signed data.
Qualified certificates are electronic certificates that comply with Regulation (EU) No 910/2014 of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market (eIDAS). They can only be issued by Qualified Trust Service Providers (QTSPs) accredited for this service, such as ANF Autoridad de Certificación.
ANF AC, as a QTSP, guarantees that its certificates are qualified and comply with the eIDAS Regulation.
Article 34 of the Regulatory Technical Standards (RTS) for strong client authentication and secure communications under PSD2 indicates that eIDAS certificates must be used for the identification of Payment Service Providers (PSPs), and refers to two types of existing qualified certificates:
- Qualified certificate for Electronic Seal (QSealC)
- Qualified certificate for Website Authentication (QWAC)
In addition, these certificates contain the following attributes required by the RTS:
- Authorization number of the PSP, issued by the National Competent Authority (NCA)
- Role of the PSP
- Name of the National Competent Authority where the PSP is registered.
PSD2 certificates of ANF Autoridad de Certificación are in full compliance with the RTS and with Spanish Royal Decree-Law 19/2018, of November 23, on payment services and other urgent financial measures, which transposes the Payment Services Directive (EU) 2015/2366 (PSD2).
The RTS allow the use of qualified certificates for Electronic Seal (QSealC) and Website Authentication (QWAC) for identification. Each certificate is designed to fulfill a very specific function in the different security protocols defined by the Directive.
The choice between a QSealC and a QWAC is not arbitrary: it depends on how the certificates are used in the design of the interface.
A QWAC secures communication between banks and external providers at the level of data transmission. The payment service uses it to authenticate, as the holder of an NCA registration number, to the bank that provides the account. The QWAC contains information on the function of the company, as well as its registration identification with the Financial Supervision Authority. In addition, QWACs encrypt all communication between the bank, the payment service provider and the user.
QSealCs secure the data at the application level. This is especially useful to determine, in case of damage, who has accessed the API. The QSealC makes this process much easier. In principle, a bank may require that an external provider use qualified electronic seals. The seal also documents all requests from the service provider and protects the signed data against modifications.
There are 4 possible roles to include in the PSD2 certificate:
- Account Servicing
- Payment Initiation
- Account Information
- Issuing of Card-Based Payment Instruments
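As an added example (not ANF AC code), this is how a bank-side service could check the RTS attributes and roles listed above before serving a request. It assumes the organizationIdentifier and role OIDs have already been extracted from a validated certificate; the OIDs and identifier layout come from ETSI TS 119 495, while the API family names and the sample identifier are constructed.

```python
import re
from dataclasses import dataclass

# Role OIDs and short names defined in ETSI TS 119 495 (not listed on this page).
PSD2_ROLES = {
    "0.4.0.19495.1.1": "PSP_AS",  # Account Servicing
    "0.4.0.19495.1.2": "PSP_PI",  # Payment Initiation
    "0.4.0.19495.1.3": "PSP_AI",  # Account Information
    "0.4.0.19495.1.4": "PSP_IC",  # Issuing of Card-Based Payment Instruments
}
# Hypothetical bank-side policy: the role each API family requires.
REQUIRED_ROLE = {"payments": "PSP_PI", "accounts": "PSP_AI",
                 "funds-confirmation": "PSP_IC"}
# organizationIdentifier layout: PSD<country>-<NCA id>-<authorization number>
ORG_ID = re.compile(r"PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<auth>\S+)")

@dataclass(frozen=True)
class Psd2Identity:
    country: str
    nca_id: str
    authorization_number: str
    roles: frozenset

def parse_identity(org_identifier, role_oids):
    """Build the PSP identity from fields already read out of the certificate."""
    m = ORG_ID.fullmatch(org_identifier)
    if m is None:
        raise ValueError("not a PSD2 organizationIdentifier")
    unknown = [oid for oid in role_oids if oid not in PSD2_ROLES]
    if unknown or not role_oids:
        raise ValueError(f"missing or unknown PSD2 role OIDs: {unknown}")
    return Psd2Identity(m["country"], m["nca"], m["auth"],
                        frozenset(PSD2_ROLES[oid] for oid in role_oids))

def is_authorized(identity, api_family):
    """Deny by default: unknown API families and missing roles are refused."""
    needed = REQUIRED_ROLE.get(api_family)
    return needed is not None and needed in identity.roles

if __name__ == "__main__":
    # Constructed sample: an account-information provider registered in Spain.
    tpp = parse_identity("PSDES-BDE-TEST1234", ["0.4.0.19495.1.3"])
    print(tpp, is_authorized(tpp, "accounts"), is_authorized(tpp, "payments"))
```
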
There is no possibility to edit the fields of an existing certificate. If there is a change in the information contained in the certificate, for example, the name of the PSP, the old certificate must be revoked and a new one issued.