PSD2: A secure approach to the banking of the future

Secure implementation of PSD2

Do you rely on Open Banking? Together with you, we will be implementing PSD2 in a secure manner. A new era of bank transactions will begin in September 2019. You can use our PSD2 certificates to test your interfaces and systems. We are one of the first qualified trust service providers in Europe to supply live certificates.

The Second Payment Services Directive (PSD2) triggers a revolution in electronic payments: from mid-September 2019, banks operating in the EU will be required to provide third-party providers with access to accounts in real time, and to provide an interface (API) that is secured by qualified website certificates (QWACs) for this purpose. In turn, third-party providers must register with their National Competent Authority (NCA)*, and require qualified website certificates or qualified seals (QSEALs) to access the bank accounts.

The live certificates with a PSD2 extension are now available for the market test.

Order your PSD2 certificates (QWAC and QSEAL) now

PSD2 for fintechs and banks: the most important information at a glance

The Second Payment Services Directive obliges banks to grant third-party providers access to their customers' accounts. PSD2 opens up tremendous opportunities for the new providers, but banks can also benefit – for example, by cooperating with start-ups or expanding their own service portfolio with these new services. The directive is unmistakably in the spirit of open banking and promotes competition. Yet, at the same time, it also imposes much stricter security requirements on fintechs.

Firstly: only providers of online payment services have to implement PSD2. To use the bank interface, third-party providers require a license for the access rights. This license is issued by the National Competent Authority (NCA). Once granted, the provider requires a QWAC to secure its communication. This enables it to identify itself to the bank as the holder of an NCA license. The bank may also require the additional use of a QSEAL to protect signed data from modification.

From mid-March, the directive prescribes a test phase for banks in which third-party providers can try out the open interfaces in a test environment (sandbox) and, if necessary, file a claim with their NCA. Third-party providers are recommended to participate in this test phase, to be able to review their own system and its compatibility with the interfaces of the banks, and to optimize it if required. For this first test phase, third-party providers, even without an NCA license, can apply for test certificates from Bundesdruckerei. From mid-June, banks will have to go live with their system in a second test phase (market probation phase). Third-party providers will then be able to access real customer accounts. Since May 17, Bundesdruckerei has been supplying the required live certificates with the PSD2 extension. This allows third-party providers to test the API provided under real-life conditions.

Banks must present the new providers with an API that enables them to access bank accounts or account information. Their own identity will be confirmed by means of a qualified website certificate.

Banks have to facilitate and document a test of the interface. Only by doing so can they avoid the legally required and expensive fallback solution and prevent possible third-party complaints.
From 14 September 2019, financial institutions are obliged to start live operation. The first phase of the trial will start by mid-March at the latest. At this point, a test system (sandbox) must be available that allows third-party providers, including those that do not have a license yet, to use test certificates to identify themselves and access test accounts.

During the second phase of the trial (market probation phase), which will start no later than mid-June, banks will open up their live system with real customer accounts to licensed third-party providers. Bundesdruckerei has been supplying the required live certificates since 17 May 2019.

D-TRUST is currently the only German provider listed in the EU Trusted List as a so-called qualified trust service provider authorized to issue QWACs and QSEALs. The subsidiary of Bundesdruckerei was the first company in Europe to obtain this right. Live certificates for the market probation phase can now be ordered from Bundesdruckerei:

A qualified website certificate (QWAC) secures the communication between banks and third-party providers at the transport level – in other words, the data transmission. The payment service uses it to authenticate itself as an NCA license holder to the bank providing the account. The QWAC contains information about the role of the company as well as its registration ID with the Financial Supervisory Authority. Additionally, QWACs encrypt all communication between bank, payment service provider and user.
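
The role and registration ID mentioned above are what a bank's API gateway checks once the TLS handshake has succeeded. The following sketch is an added example, not code from Bundesdruckerei or D-TRUST: it assumes the certificate chain has already been validated and the subject `organizationIdentifier` and PSD2 role names already extracted, uses the identifier layout and role names of ETSI TS 119 495 (a standard this page does not name), and the service names in `REQUIRED_ROLE` are hypothetical.

```python
import re
from typing import Iterable, NamedTuple

# organizationIdentifier layout from ETSI TS 119 495:
# "PSD" + NCA country code + "-" + NCA identifier (2-8 capitals) + "-" + PSP identifier
ORG_ID_RE = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(\S+)")

# PSP role names defined by ETSI TS 119 495
KNOWN_ROLES = frozenset({"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"})

# Hypothetical mapping from this bank's API services to the role they require
REQUIRED_ROLE = {
    "accounts": "PSP_AI",
    "payments": "PSP_PI",
    "funds-confirmations": "PSP_IC",
}


class PspIdentity(NamedTuple):
    nca_country: str
    nca_id: str
    psp_id: str
    roles: frozenset


def parse_identity(org_id: str, roles: Iterable[str]) -> PspIdentity:
    """Validate the values read from an already chain-verified QWAC."""
    match = ORG_ID_RE.fullmatch(org_id)
    if match is None:
        raise ValueError(f"not a PSD2 organizationIdentifier: {org_id!r}")
    role_set = frozenset(roles)
    if not role_set or not role_set <= KNOWN_ROLES:
        raise ValueError(f"missing or unknown PSP role: {sorted(role_set)}")
    return PspIdentity(match[1], match[2], match[3], role_set)


def authorize(identity: PspIdentity, service: str) -> bool:
    """Fail closed: unknown services and missing roles are both denied."""
    required = REQUIRED_ROLE.get(service)
    return required is not None and required in identity.roles


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate
    tpp = parse_identity("PSDDE-BAFIN-123456", ["PSP_AI"])
    for svc in ("accounts", "payments", "unknown"):
        print(svc, "allowed" if authorize(tpp, svc) else "denied")
```
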
 
QSEALs secure the data at the application level. This is especially useful for determining, in case of damage, who has accessed the API; the QSEAL makes this process much easier. In principle, a bank may require a third-party provider to use qualified electronic seals. The QSEAL also documents all requests from the service provider and protects the signed data against modification.

Get PSD2-ready and order test certificates today

Bundesdruckerei’s subsidiary D-TRUST now offers live certificates to test the API under real-life conditions and to access real customer accounts. Banks can only avoid an expensive fallback solution if they can prove that they have performed a test phase of at least three months. Third-party providers can test their own systems and the banks’ interfaces and access real accounts.

Order your live certificates now.

More information about the certificates can be found in our FAQs section.

In the spirit of open banking, PSD2 promotes competition in the European financial sector. For users, payment transactions will become more convenient, cheaper and safer. Both banks and payment service providers have to invest more in the security of their digital services.

If you have any questions, please feel free to call our support team at +49 (0) 30 2598-4054 or send an e-mail to support [at] bdr.de.

*See the list published by the European Banking Authority (EBA): National Competent Authorities in Europe

More useful information about PSD2

FAQ PSD2

What companies, banks and FinTechs need to know to use electronic certificates and seals.

Flyer PSD2

QWACs and QSEALs for payment service providers.
