Certificates for PSD2

What companies, banks and FinTechs need to know to use electronic certificates and seals.

Information and frequent questions regarding the Payment Services Directive

General information

With the Second Payment Services Directive, or PSD2 for short, the EU regulates online payment traffic between market participants within the EU. Among other things, PSD2 obligates banks operating in the EU to grant third-party providers access to customer accounts. Additionally, the account holder is required to make use of two-factor, strong customer authentication (SCA).
The PSD2 regulations apply to banks as well as to third-party providers, such as fintechs and payment service providers, if they want to initiate payments or gather account data for their activities. Banks are required to open an interface (Application Programming Interface, API) for this purpose.
To operate in the EU, third-party providers need a license from their National Competent Authority (NCA). The license type determines the access rights of the third-party provider to access account data through the bank interface within the scope of its business model.
In order to gain access to bank accounts as a third-party provider, a company must identify itself with one or more certificates during automated access. Likewise, banks use a certificate to identify themselves towards the accessing payment service providers. The certificate serves as a "company ID" in electronic business transactions. Article 34 of the RTS (EU 2018/389) requires the use of qualified website authentication certificates (QWACs) or qualified electronic seal certificates (QSEALs).
The required electronic certificates are issued by a qualified trust service provider (QTSP) registered in the EU, such as D-TRUST GmbH, a subsidiary of Bundesdruckerei GmbH. The application is done online. The NCA license must have been issued to the payment service provider prior to this. If a bank wants to act as a third-party provider in order to access accounts of other banks, it also needs a QWAC and possibly a QSEAL. If the bank already possesses a full banking license, it does not require separate licensing from its National Competent Authority.
Qualified certificate providers are listed in the EU Trusted List, and have to register the company with their National Competent Authority as well as undergo a conformity assessment by a third party every 24 months. The EU Trusted List creates reliable, authenticated, encrypted communication relationships (for example between EU citizens and websites or between IT systems).
There are qualified website certificates (QWACs), qualified electronic seal certificates (QSEALs) and extended validation (EV) certificates. The QWAC registers the identity of the accessing company and secures the communication channel (transport level). The seal protects the signed data from modification. It makes subsequent changes visible and documents the identity of the accessing company (application layer). Article 34 of the RTS (EU 2018/389) requires third-party providers to use QWACs or QSEALs. The European Banking Authority (EBA) recommends the use of both a QWAC and a QSEAL. The Berlin Group's NextGenPSD2 specification requires a QWAC. Banks can identify themselves using a QWAC or EV certificate. In the latter case, the EBA recommends a QWAC.
For sealing PSD2 requests D-TRUST, a Bundesdruckerei company, offers the product Qualified Seal PSD2 ID (qualified seal certificate without seal card for advanced seals, "soft seal"). For the seal certificate without card you create and manage the keys yourself, as for a QWAC; this may be done e.g. on an HSM. As for a QWAC, you send us a CSR containing the public key and receive the certificate by e-mail. The seal certificate without card enables ease of handling and unlimited throughput. The certificate policy in the profile is QCP-l. The use of a Qualified Signature Creation Device (QSCD) is not mandatory.

Applying for live certificates

The application for qualified website certificates follows a defined process. For live certificates, a third party must first apply for authorization as a payment service provider with its National Competent Authority (NCA). After the NCA license has been granted, the certificate can be issued by D-TRUST GmbH. It is possible to apply even before authorization. CRR credit institutions (banks) that also want to act as payment service providers do not require additional authorization and can apply for all roles in the certificates.

You can find the CA certificates of all QTSPs in the EU Trusted List. There is no need to check the root certificates.

If needed the root certificate can be downloaded directly from D-TRUST’s website. More information can be found in the Certification Practice Statements (CPS). Unlike EV certificates, you cannot rely on the root certificates being distributed via the browsers and hence being classified as trustworthy.

D-TRUST’s QWACs are currently not entered in CT logs because the applicable standards do not foresee this. The certificates are not designed for use in browser communications, so no entry in CT logs is required.

PSD2 (Directive (EU) 2015/2366) recognizes different roles (entitlements) for payment service providers. The role abbreviations used in the certificates are defined in ETSI TS 119 495. Common roles are account information service (PSP_AI) and payment initiation service (PSP_PI). Other roles include account services (PSP_AS) and issuing of card-based payment instruments (PSP_IC). Payment service providers may apply for one or more of these roles with their National Competent Authority (NCA), after which they will be registered and can be issued certificates with these roles.

The Revocation List Distribution Points attribute contains URLs for OCSP access and CRLs. Alternatively, this check can be carried out for live certificates via https://www.bundesdruckerei.de/en/OCSP-Request.

Please note that the following description only applies to PSD2 certificates. Different specifications apply to other certificate types. You create and manage your own keys for QWACs for both the test and live certificates. Please use a minimum key length of 2048 bits for QWAC and 3072 bits for QSeal ID. From this key you generate a Certificate Signing Request (CSR) that, in addition to the public key, contains precisely the attributes O (Organization), OU (Organizational Unit, optional), CN (Common Name), C (Country Code), S (StateOrProvince) and L (City). All other attributes are taken from the order page. With OpenSSL, you generate the CSR as follows:

  • openssl genrsa -out [privateKeyName].key 3072
  • openssl req -new -utf8 -key [privateKeyName].key -out [requestName].csr

You are prompted for all attributes; enter values for the attributes named above and '.' (blank attribute) for the others. Please do not enter any other attributes, e.g. an e-mail address.

If you are using another program, please ensure that the CSR starts and ends with BEGIN/END CERTIFICATE REQUEST. BEGIN/END NEW CERTIFICATE REQUEST is rejected; edit the CSR if necessary.
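The CSR procedure above, carried out non-interactively and followed by the checks a submitter should run before uploading. This is an added example, not D-TRUST's own tooling: the subject values, file names and working directory are constructed placeholders, and `-subj` replaces the interactive prompts so that no attribute outside O, OU, CN, C, ST and L can slip into the request (OpenSSL spells StateOrProvince as ST).

```shell
#!/bin/sh
# Added example (not D-TRUST's own tooling): generate a PSD2 CSR with exactly the
# expected subject attributes, then check it before submission. Subject values,
# file names and the working directory are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/psd2-seal.key"
CSR="$WORKDIR/psd2-seal.csr"

# The key is created and kept locally; only the CSR (public key + subject) is sent.
# 3072 bits is the stated minimum for QSeal ID (2048 for QWAC).
generate_key() {
  openssl genrsa -out "$KEY" 3072 2>/dev/null
  chmod 600 "$KEY"
}

# -subj replaces the prompts, so no stray attribute (emailAddress, serialNumber, ...)
# can be entered by accident. Values are constructed.
generate_csr() {
  openssl req -new -utf8 -key "$KEY" -out "$CSR" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=Example Payments GmbH/CN=api.example-payments.test"
}

# Check 1: PEM armour must read BEGIN/END CERTIFICATE REQUEST (no "NEW").
csr_header_ok() {
  head -n 1 "$1" | grep -qx -- '-----BEGIN CERTIFICATE REQUEST-----' &&
    tail -n 1 "$1" | grep -qx -- '-----END CERTIFICATE REQUEST-----'
}

# Rewrite the legacy "NEW CERTIFICATE REQUEST" armour that some tools emit.
normalize_csr_header() {
  sed 's/BEGIN NEW CERTIFICATE REQUEST/BEGIN CERTIFICATE REQUEST/;s/END NEW CERTIFICATE REQUEST/END CERTIFICATE REQUEST/' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check 2: the subject contains only C, ST, L, O, OU, CN; anything else fails.
csr_subject_attrs_ok() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | cut -d= -f1 \
    | while read -r attr; do
        case "$attr" in
          C|ST|L|O|OU|CN) ;;
          *) echo "unexpected subject attribute: $attr" >&2; exit 1 ;;
        esac
      done
}

# Check 3: modulus size in bits, to compare against the required minimum.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check 4: the CSR's self-signature shows the request belongs to the private key.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

generate_key
generate_csr
csr_header_ok "$CSR" && csr_subject_attrs_ok "$CSR" && csr_signature_ok "$CSR" \
  && [ "$(csr_key_bits "$CSR")" -ge 3072 ] \
  && echo "CSR at $CSR is ready to upload"
```

Running the script leaves the key and CSR in a temporary directory; the key stays with you and only the CSR file is uploaded. If a third-party tool produced a request with the NEW CERTIFICATE REQUEST armour, `normalize_csr_header` rewrites it so `csr_header_ok` passes.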

Before the certificate is issued, we check whether the domain (CN) and alternative domain (SAN) listed in the certificate are under your control. As a standard procedure, e-mails with a security token are generated for each requested domain and sent to the following addresses:

admin@, administrator@, hostmaster@, webmaster@ and postmaster@

We expect at least one reply to be sent to the address provided in the e-mail that contains this token – the sender address is not checked. You can, for instance, forward our e-mail to the specified address.

CAA records are used to determine that only selected CAs may issue certificates for given domains and their subdomains. The mechanism is specified in RFC 6844 and its use is required by the CA/B Forum. If your domains have CAA records that do not include d-trust.net, you will receive an error message when you apply for a certificate. In this case, please remove all CAA records or add d-trust.net to them.
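The CAA rule described above, applied to a requested name: the first label, walking up from the name towards the apex, that carries any CAA records decides, and with no records anywhere there is no restriction. This is an added example, not D-TRUST's own tooling; the record sets are constructed for illustration (in practice you would read them with `dig CAA <name>` for the name and each of its parents), and it only evaluates the `issue` tag, since PSD2 requests are for fully qualified names rather than wildcards.

```shell
#!/bin/sh
# Added example (not D-TRUST's own tooling): decide from CAA records whether a
# given CA may issue for a requested name, following the RFC 6844 lookup rule.
# The record sets below are constructed; read real ones with `dig CAA <name>`.
set -eu

caa_records() {
  case "$1" in
    # apex that permits d-trust.net; issuewild only affects wildcard names
    example-payments.test)  printf '%s\n' '0 issue "d-trust.net"' '0 issuewild ";"' ;;
    # apex that names a different CA only: a D-TRUST order for any name below it fails
    locked.example.test)    printf '%s\n' '0 issue "other-ca.example"' ;;
    # apex that forbids issuance by any CA
    sealed.example.test)    printf '%s\n' '0 issue ";"' ;;
    *) ;;                   # no CAA records at this label
  esac
}

# Print the CAA set that governs NAME, or return 1 when no ancestor has any.
relevant_caa_set() {
  name=$1
  while [ -n "$name" ]; do
    records=$(caa_records "$name")
    if [ -n "$records" ]; then
      printf '%s\n' "$records"
      return 0
    fi
    case "$name" in
      *.*) name=${name#*.} ;;   # climb one label
      *)   name= ;;
    esac
  done
  return 1
}

# caa_permits NAME CA: return 0 if CA may issue a certificate for NAME, 1 otherwise.
caa_permits() {
  records=$(relevant_caa_set "$1") || return 0   # no CAA anywhere: no restriction
  found=1
  while read -r _flags tag value; do
    [ "$tag" = issue ] || continue               # issuewild ignored for non-wildcard names
    ca=${value#\"}; ca=${ca%\"}                  # strip the quotes
    ca=${ca%%;*}                                 # drop parameters; ';' alone means "no CA"
    ca=$(printf '%s' "$ca" | tr -d ' ')
    [ "$ca" = "$2" ] && found=0
  done <<EOF
$records
EOF
  return $found
}

# The page's advice as a pre-order check: add d-trust.net or remove the CAA set.
explain() {
  if caa_permits "$1" d-trust.net; then
    echo "$1: CAA permits d-trust.net, the order can proceed"
  else
    echo "$1: CAA blocks d-trust.net; add '0 issue \"d-trust.net\"' or remove the CAA records"
  fi
}

explain api.example-payments.test
explain api.locked.example.test
explain sealed.example.test
explain api.unrelated.test
```

Note that a record set such as `0 issue ";"` blocks every CA, and a set that names only another CA blocks D-TRUST for the whole subtree below it, which is exactly the situation in which the order fails with an error.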

The NCA ID is a national financial supervisory authority ID specified by ETSI TS 119 495, e.g. DE-BAFIN, AT-FMA or GB-FCA. The PSP Identifier is a unique national ID assigned by the NCA during licensing. In most countries it is made up of 4 to 9 digits. Most NCAs have separate registers for TPPs and ASPSPs. There are also central EBA registers for TPPs and ASPSPs. These registers are still being set up and do not yet have correct data in all places. In case of deviations, the national register is authoritative. The certificate contains the composite value, e.g. PSDGB-FCA-123456, as an attribute of the requester. You can find the full name of the NCA along with the requested roles in the QC statement (Qualified Certificate Statement).

To issue qualified certificates we need to identify a natural person, i.e. the identity of the signing person must be verified. For QWAC and Qualified Seal PSD2 ID an authorized signatory can delegate this to another person, the subscriber’s representative. This authorization is given by the authorized signatory on the request form. In Germany, PostIdent is the standard procedure for identification. In other countries, we offer identification by representatives of German embassies and consulates or by authorized notaries listed in the European Directory of Notaries. If you cannot find your country in the Directory of Notaries, please send an inquiry to us at support [at] bdr.de.

If you apply for several certificates, you have to complete the identification process for each of them.

Applying for test certificates

Test certificates do not require an NCA license. D-TRUST issues test certificates without thorough examination.

Since July 2019, test certificates can be purchased from Bundesdruckerei: www.bundesdruckerei.de/en/Ordering.

The keys for Test Website PSD2 ID and Test Seal PSD2 ID are generated at the customer end. You have to upload a Certificate Signing Request (CSR) during the request process. The certificate will then be delivered via e-mail.

Important: Please download the request after the application process and send it to us by post or e-mail. Additional documents, such as ID documents or an excerpt from the commercial register, are not required, nor is identification at an embassy or notary.

Please note that we only issue test certificates to companies and not to private individuals. However, unlike for the live certificates, we do not require you to hold a bank or third-party payment provider license.

If you have any questions regarding our test certificates, please send an e-mail to support [at] bdr.de.

You can download the issuer and root certificates required for the integration of the test certificates at the following links:

These certificates must be entered into the certificate store as trusted certificates and used exclusively for the test system.

If you have any questions, please feel free to call our support team at +49 (0) 30 2598-4054 or send an e-mail to support [at] bdr.de.