PSD2: A secure approach to the banking of the future

Secure implementation of PSD2

Do you rely on Open Banking? Together with you, we have implemented PSD2 in a secure manner. A new era of bank transactions begins in September 2019. You can use our PSD2 certificates to test your interfaces and systems and use them in production from Sept. 14th onwards. We are one of the first qualified trust service providers in Europe to supply eIDAS-compliant live and test PSD2 certificates.

The Second Payment Services Directive (PSD2) triggers a revolution in electronic payments: from mid-September 2019, banks operating in the EU are required to give third-party providers access to their customers' accounts in real time, and to provide an interface (API) for this purpose that is secured by qualified website certificates (QWACs). In turn, third-party providers must register with their National Competent Authority (NCA)*, and require qualified website certificates or qualified seal certificates (QSEALs) to access the bank accounts.

D-TRUST GmbH, a subsidiary of Bundesdruckerei GmbH, is one of the few European Qualified Trust Service Providers who offer these certificates.

Order your PSD2 certificates (QWAC and QSEAL) now

PSD2 for FinTechs and banks: the most important information at a glance

The Second Payment Services Directive obliges banks to grant third-party providers access to their customers' accounts. PSD2 opens up tremendous opportunities for the new providers, but banks can also benefit – for example, by cooperating with start-ups or expanding their own service portfolio with these new services. The directive is without doubt in the spirit of open banking and promotes competition. Yet, at the same time, it also imposes much stricter security requirements on FinTechs.

Firstly: only providers of online payment services have to implement PSD2. To use the bank interfaces, third-party providers require a license with defined access rights. This license is issued by the National Competent Authority (NCA). Once granted, the provider requires a QWAC to secure its communication. This enables it to identify itself to the bank as the holder of an NCA license. The bank may also require the additional use of a QSEAL to protect signed data from modification.

Since mid-March, the directive has prescribed a test phase for banks in which third-party providers can try out the open interfaces in a test environment (sandbox) and, if necessary, file a claim with their NCA. Third-party providers are recommended to participate in this test phase, to be able to review their own system and its compatibility with the interfaces of the banks, and to optimize it if required. For this first test phase, third-party providers, even without an NCA license, can order test certificates from Bundesdruckerei. From mid-June, banks had to go live with their system in a second test phase (market test). Third-party providers were then able to access real customer accounts. Since May, Bundesdruckerei has also been supplying the required live certificates with the PSD2 extension. These allow third-party providers to test the API provided under real-life conditions and use it in production from Sept 14th onwards. The alternative access methods which were used previously will then no longer be allowed (possibly after some grace period).

Banks must present the new providers with an API that enables them to access bank account information and initiate payments. They may prove their own identity by means of a qualified website certificate.

From September 14th 2019, financial institutions are obliged to start live operation and have to give access to all licensed third-party providers with a live certificate. The first phase of the trial already started in mid-March. At this point, a test system (sandbox) had to be available that allows third-party providers, including those that do not have a license yet, to identify themselves with test certificates and access test accounts.

D-TRUST is currently the only German provider listed in the EU Trusted List as a so-called qualified trust service provider authorized to issue QWACs and QSEALs. The subsidiary of Bundesdruckerei was also the first company in Europe to issue qualified certificates. Live and test certificates can be ordered from our order page.

A qualified website certificate (QWAC) secures the communication between banks and third-party providers at the transport level – in other words, the data transmission. The payment service provider uses it to authenticate itself as an NCA license holder towards the bank providing the account. The QWAC contains information about the role of the company as well as its registration ID with the financial supervisory authority. Additionally, QWACs encrypt all communication between banks and payment service providers.
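As an added illustration (not code from D-TRUST or from this page), the following sketches a bank-side check of the two values the QWAC is said to carry. It assumes the encoding defined in ETSI TS 119 495, which the page does not spell out: the registration ID as `PSD<country>-<NCA>-<PSP id>` in the subject's organizationIdentifier, and the roles as OIDs. The operation names and sample values are constructed, and certificate chain validation is assumed to have already happened in the TLS layer.

```python
import re

# Role OIDs as defined in ETSI TS 119 495 (assumption of this example;
# the page only states that the certificate carries the role).
PSD2_ROLES = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # card-based payment instrument issuer
}

# Hypothetical API operations of the bank and the role each one requires.
REQUIRED_ROLE = {
    "accounts": "PSP_AI",
    "payments": "PSP_PI",
    "funds-confirmation": "PSP_IC",
}

# "PSD" + ISO 3166 country code + "-" + NCA identifier + "-" + PSP identifier
AUTH_NUMBER = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(\S+)")


def parse_authorization_number(org_id):
    """Split an organizationIdentifier into country, NCA and PSP id."""
    match = AUTH_NUMBER.fullmatch(org_id)
    if match is None:
        raise ValueError(f"not a PSD2 authorization number: {org_id!r}")
    return {"country": match.group(1), "nca": match.group(2),
            "psp_id": match.group(3)}


def authorize(org_id, role_oids, operation):
    """Return (allowed, reason) for a request from an authenticated client."""
    try:
        ident = parse_authorization_number(org_id)
    except ValueError as exc:
        return False, str(exc)
    needed = REQUIRED_ROLE.get(operation)
    if needed is None:
        return False, f"unknown operation {operation!r}"
    # Unknown OIDs are ignored rather than treated as granting access.
    roles = {PSD2_ROLES[oid] for oid in role_oids if oid in PSD2_ROLES}
    if needed not in roles:
        return False, f"role {needed} missing"
    return True, f"{ident['psp_id']} registered with {ident['nca']} ({ident['country']})"
```

The registration ID should still be checked against the NCA's public register, since a certificate can outlive the license it attests.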
 
QSEALs secure the data at the application level. This is especially useful for documenting who has accessed the API in the event of damage. The QSEAL makes this process much easier. A bank can require a third-party provider to use qualified certificates for electronic seals. It also protects the signed data against modification. Bundesdruckerei offers qualified seal certificates both with and without a smart card; the variant without a card is the preferred option for most customers.

Get PSD2-ready and order certificates today

Bundesdruckerei’s subsidiary D-TRUST offers live certificates to test the API under real-life conditions on real customer accounts and go into production on September 14th.

Order your live and test certificates now (QWAC and QSEAL).

More information about the certificates can be found in our FAQs section.

In the spirit of open banking, PSD2 promotes competition in the European financial sector. For users, payment transactions will become more convenient, cheaper and safer. Both banks and payment service providers have to invest more in the security of their digital services.

If you have any questions, please feel free to call our support team at +49 (0) 30 2598-4054 or send an e-mail to support [at] bdr.de.

*See the list published by the European Banking Authority (EBA): National Competent Authorities in Europe

More useful information about PSD2

Secure communication

30.01.2019

Flyer PSD2

QWACs and QSEALs for payment service providers.
