PSD2-certificates

PSD2 for fintechs and banks

The second Payment Services Directive (PSD2) is setting in motion a revolution in electronic payments: As of mid-September 2019, banks in the EU must ensure that third-party providers can access their customer account data in live operation and they must provide an interface (API) for this purpose. This interface is secured by qualified website certificates (QWACs). In return, third-party providers must register with the Federal Financial Supervisory Authority (BaFin)* and will also need qualified website (QWAC) or qualified seal (QSeal) certificates to access the bank account data. D-TRUST, a Bundesdruckerei company, is one of the few European qualified trust service providers to offer these certificates.

About the new PSD2 directive and the opportunities it has to offer

The second Payment Services Directive obliges banks to allow third parties to access to their customer account data. The PSD2 is opening up enormous opportunities for new providers, but banks too can benefit, for instance, by cooperating with start-ups or expanding their own service portfolio with these new services. There is no doubt that the directive serves open banking and promotes competition. However, it also imposes much stricter security requirements on fintechs.

Requirements for third-party providers  

First of all, only providers of online payment services are required to implement PSD2. To be able to use the banks' interface, third-party providers need a license with defined access rights. These licenses are issued by BaFin or a comparable European authority. Once the license has been issued, the provider requires a QWAC to secure communications. In this way, the provider identifies itself to the bank as a holder of the BaFin license. In addition, the bank may require the additional use of a QSeal to prevent signed data from being changed.

The next steps for third-party providers

Since mid-March, the regulation has prescribed a test phase for banks in which third-party providers can check the open interfaces of a test environment (sandbox) and, if necessary, lodge a complaint with BaFin. Third-party providers are recommended to participate in this test phase so that they can check their own system and its compatibility with bank interfaces and optimize it if necessary.

For this first test phase, third-party providers can also request test certificates without a BaFin license.
 from Bundesdruckerei. Since mid-June, banks have had to open their live system in a second test phase (market testing phase); third-party providers can also access real customer accounts. Since May, Bundesdruckerei has been providing the required production certificates with the PSD2 extension. With these certificates, third-party providers can test the provided API under real-life conditions and have been able to use it productively since 14 September. The previously used alternative account access is then no longer permitted, if necessary, with a transition period.

Get ready for PSD2 and order your certificates

Through its subsidiary D-TRUST, Bundesdruckerei offers production certificates (QWACs and QSeals) that allow banks and third-party providers to integrate the APIs. 

In the spirit of open banking, the PSD2 promotes competition in Europe’s financial sector. Payment transactions will become more convenient, more secure and less expensive for users. Both banks and payment service providers must invest more in the security of their digital services.

*In other countries from the respective banking supervisory authority. An overview is provided here.