D-TRUST PSD2

PSD2-certificates

Secure interfaces and systems with our PSD2 certificates

PSD2: Secure at the interface with tomorrow’s banking

Do you rely on open banking? We can implement PSD2 securely with you. September 2019 marks the beginning of a new era in banking.
With our PSD2 certificates you can test your interfaces and systems and use them in live operation since 14 September. As one of Europe’s first-ever qualified trust service providers, we offer eIDAS-compliant production and test certificates for PSD2.

Your advantages at a glance

eIDAS-compliant production and test certificates

Data protection compliant

Product details

PSD2 for fintechs and banks

The second Payment Services Directive (PSD2) is setting in motion a revolution in electronic payments: As of mid-September 2019, banks in the EU must ensure that third-party providers can access their customer account data in live operation and they must provide an interface (API) for this purpose. This interface is secured by qualified website certificates (QWACs). In return, third-party providers must register with the Federal Financial Supervisory Authority (BaFin)* and will also need qualified website (QWAC) or qualified seal (QSeal) certificates to access the bank account data. D-TRUST, a subsidiary of Bundesdruckerei, is one of the few European qualified trust service providers to offer these certificates.

About the new PSD2 directive and the opportunities it has to offer

The second Payment Services Directive obliges banks to allow third parties to access to their customer account data. The PSD2 is opening up enormous opportunities for new providers, but banks too can benefit, for instance, by cooperating with start-ups or expanding their own service portfolio with these new services. There is no doubt that the directive serves open banking and promotes competition. However, it also imposes much stricter security requirements on fintechs.

Requirements for third-party providers  

First of all, only providers of online payment services are required to implement PSD2. To be able to use the banks' interface, third-party providers need a license with defined access rights. These licenses are issued by BaFin or a comparable European authority. Once the license has been issued, the provider requires a QWAC to secure communications. In this way, the provider identifies itself to the bank as a holder of the BaFin license. In addition, the bank may require the additional use of a QSeal to prevent signed data from being changed.

The next steps for third-party providers

Since mid-March, the regulation has prescribed a test phase for banks in which third-party providers can check the open interfaces of a test environment (sandbox) and, if necessary, lodge a complaint with BaFin. Third-party providers are recommended to participate in this test phase so that they can check their own system and its compatibility with bank interfaces and optimize it if necessary.

For this first test phase, third-party providers can also request test certificates without a BaFin license.
 from Bundesdruckerei. Since mid-June, banks have had to open their live system in a second test phase (market testing phase); third-party providers can also access real customer accounts. Since May, Bundesdruckerei has been providing the required production certificates with the PSD2 extension. With these certificates, third-party providers can test the provided API under real-life conditions and have been able to use it productively since 14 September. The previously used alternative account access is then no longer permitted, if necessary, with a transition period.

Get ready for PSD2 and order your certificates

Through its subsidiary D-TRUST, Bundesdruckerei offers production certificates (QWACs and QSeals) that allow banks and third-party providers to integrate the APIs. 

In the spirit of open banking, the PSD2 promotes competition in Europe’s financial sector. Payment transactions will become more convenient, more secure and less expensive for users. Both banks and payment service providers must invest more in the security of their digital services.

*In other countries from the respective banking supervisory authority. An overview is provided here

Less product details

Downloads

Flyer PSD2

QWACs and QSEALs for payment service providers.

File size: 613.46 KB | Format: PDF

Frequently Asked Questions

Banks need to provide an API for new payment service providers to access bank account data and trigger withdrawals. They can prove their identity with a qualified website certificate.

Since 14 September 2019, financial institutions have been obliged to go live and open access to all licensed third-party providers with valid production certificates. The first phase of test operation began in mid-March. A test system (sandbox) had to be provided in which even unlicensed third parties were able to identify themselves with test certificates and access test accounts.

D-TRUST is currently the only German provider listed in the EU Trusted List as a so-called Qualified Trust Service Provider authorized to issue QWACs and QSeals. This Bundesdruckerei subsidiary was already the first company in Europe to offer qualified certificates. 

Test and production certificates are available on our order page

A qualified website certificate (QWAC) protects communication between banks and third-party providers at the transport level, i.e. data transmission. The payment service thus authenticates itself with the account-holding financial institution as the holder of the BaFin license. The QWAC contains information on the role of the company as well as its registration ID with the Financial Supervisory Authority. QWACs also encrypt all communication between the bank and the payment service provider.

QSeals save the data at the application level. This is especially useful if you want to prove who accessed the API in the event of damage. This becomes much easier with the QSeal. A bank may require the third-party provider to use a qualified seal certificate. This documents all requests from the service provider and protects the signed data from changes. Bundesdruckerei offers qualified seal certificates without smartcards.

Do you have any other questions about PSD2?

We will be pleased to assist you!
Go to our Support section where you will find more tips and information about PSD2.