19 June 2025
The PSD2 directive and the role of qualified certificates in new financial services
Introduction to the Payment Services Directive 2 (PSD2)
Directive (EU) 2015/2366 on payment services in the internal market, commonly known as PSD2, is a key piece of legislation in the European Union’s financial regulatory framework.
Its purpose is twofold: on the one hand, to harmonise the regulation of new payment and account information services with a cross-border approach to promote a single, integrated and efficient market; and on the other, to strengthen the security of electronic transactions and consumer protection.
To this end, it establishes a legal framework that requires each country to develop standards based on the guidelines of the directive. These standards give rise to new financial services and new actors that promote technological innovation in the financial sector, in what is known as Open Banking.
Subjective scope of PSD2
The payment services regulations distinguish six categories of payment service providers that can carry out this activity. In the case of Spain, according to Article 5 of Royal Decree-Law 18/2018, the six providers are:
- Credit institutions, including branches in Spain of foreign credit institutions, whether the central administrations of these branches are located within the European Union or outside it.
- Electronic money institutions, including branches in Spain of foreign electronic money institutions, whether the central administrations of those branches are located within the European Union or outside it, to the extent that the payment services provided by the branches are linked to the issuance of electronic money.
- Payment institutions specifically authorised to provide payment services, such as transfers, direct debits or payment initiation services.
- Sociedad Estatal de Correos y Telégrafos, S.A., with respect to the payment services it is authorised to provide by virtue of its specific regulations.
- The European Central Bank, the Bank of Spain and the other national central banks when they are not acting in their capacity as public authorities.
- The General State Administration, the Autonomous Communities and the Local Entities when they do not act in their capacity as public authorities.
Roles in the PSD2 ecosystem
To operate legally, institutions must obtain an authorisation from the national competent authority (NCA), which determines the roles assumed by the entity. In the case of the Bank of Spain, the authorisation is reflected in the assignment of a 4-digit entity identifier that can be consulted in the register of entities on its website. The roles are:
- ASPSP (Account Servicing Payment Service Provider): The entity (usually a bank) that offers and maintains a user’s payment account. It is required to provide AISPs and PISPs with secure access to its application programming interfaces (APIs). This is the traditional financial institution in which customers open an account.
- AISP (Account Information Service Provider): Provider of account information services. An entity authorised to access information on a customer’s payment accounts held in one or more ASPSPs, in order to consolidate such information and provide the customer with an aggregated view of their financial situation. This is the entity that allows its customers to see all their bank accounts in a consolidated way in a single application.
- PISP (Payment Initiation Service Provider): Payment initiation service provider. An entity that, at the user’s request, initiates a payment order from an account maintained in an ASPSP. It acts as an intermediary that facilitates transfers without the payer needing to interact directly with their bank’s interface. It allows transfers to be made from any of the user’s bank accounts from the same app. It is usually associated with e-commerce purchases that are concluded with a transfer to the seller’s account.
- CBPII (Card-Based Payment Instrument Issuer): Issuer of card-based payment instruments. An entity that issues payment instruments linked to a card and that, before authorising a transaction, needs to confirm the availability of funds in the customer’s account, held in an ASPSP. In other words, traditional card payments managed with new protocols.
Qualified e-certificates: security pillar in PSD2
An essential technical and security requirement under PSD2 is the use of qualified electronic certificates, as stipulated in Regulation (EU) No. 910/2014, known as the eIDAS Regulation. The mandatory nature of their use is detailed in the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) (Delegated Regulation (EU) 2018/389).
These certificates are cryptographic instruments issued exclusively by Qualified Trust Service Providers (QTSPs). They are used by AISPs or PISPs (which encompass all variants of entities) and ASPSPs (account providers) to reliably identify each other in communications through APIs, guaranteeing a secure and trustworthy environment.
There are two types of qualified certificates specific to PSD2 compliance:
- QWAC (Qualified Website Authentication Certificate): Its main function is to identify the entity that initiates a communication and to establish an encrypted communication channel (TLS, Transport Layer Security). The QWAC allows the ASPSP to verify the name of the entity attempting to access its API and its identification in the NCA registry. The certificate also contains the PSD2 roles that the entity holds (AISP, PISP, CBPII).
- QSealC (Qualified Electronic Seal Certificate): Certificate of legal entity. This certificate is used to create qualified electronic seals (technically similar to electronic signatures, but with legal entity certificates instead of natural person certificates). Its purpose is to ensure the integrity and attribution to the AISP or PISP entity of the transmitted data (e.g. payment orders or account information). By “sealing” the information, it is ensured that it has not been altered during its transmission from the AISP or PISPs to the ASPSP, protecting it from potential man-in-the-middle attacks. This certificate also includes the PSD2 roles that it manages (AISP, PISP, CBPII).
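As an added illustration (not EADTrust's code), the following sketch shows how an ASPSP could turn the NCA identification and PSD2 roles carried in a QWAC into an access decision. It assumes the identifier format and role names of ETSI TS 119 495, that the certificate has already been validated and its fields extracted into a dict, that `BDE` is the NCA identifier for the Bank of Spain, and hypothetical operation names; the sample certificate and register are constructed.

```python
import re

# Role names from ETSI TS 119 495 (assumed), mapped to the article's role names.
ROLE_NAMES = {"PSP_AS": "ASPSP", "PSP_PI": "PISP", "PSP_AI": "AISP", "PSP_IC": "CBPII"}

# Hypothetical API operation classes and the PSD2 role each one requires.
REQUIRED_ROLE = {"accounts": "AISP", "payments": "PISP", "funds-confirmation": "CBPII"}

# "PSD" + ISO 3166 country + "-" + NCA identifier (2-8 capitals) + "-" + PSP identifier
ORG_ID = re.compile(r"^PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z]{2,8})-(?P<psp>\S+)$")

# Constructed sample data: fields already extracted from a validated QWAC,
# and a stand-in for a lookup in the NCA's register of entities.
SAMPLE_CERT = {"organization_identifier": "PSDES-BDE-0000", "roles": ["PSP_AI"]}
SAMPLE_REGISTER = {"PSDES-BDE-0000"}


def parse_org_id(value):
    """Split a PSD2 organizationIdentifier; raise ValueError if malformed."""
    match = ORG_ID.match(value)
    if not match:
        raise ValueError(f"not a PSD2 authorisation number: {value!r}")
    return match.groupdict()


def authorise(cert, operation, register):
    """Return (allowed, reason) for a certificate calling an API operation."""
    try:
        ident = parse_org_id(cert["organization_identifier"])
    except ValueError as exc:
        return False, str(exc)
    # The article states that the Bank of Spain assigns a 4-digit identifier.
    if (ident["country"], ident["nca"]) == ("ES", "BDE") and \
            not re.fullmatch(r"\d{4}", ident["psp"]):
        return False, "Bank of Spain identifiers are 4 digits"
    if cert["organization_identifier"] not in register:
        return False, "identifier not found in NCA register"
    needed = REQUIRED_ROLE.get(operation)
    if needed is None:
        return False, f"unknown operation {operation!r}"
    # Unknown role strings are ignored rather than trusted.
    roles = {ROLE_NAMES[r] for r in cert["roles"] if r in ROLE_NAMES}
    if needed not in roles:
        return False, f"{operation} requires role {needed}"
    return True, f"{needed} role present"
```
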
For more technical information on the certificate issuance process, you can refer to this EADTrust PSD2 Certificate Issuance Guide (PDF).
The role of qualified trust service providers (QTSP)
The issuance of QWAC and QSealC certificates is a regulated activity reserved for Qualified Trust Service Providers (QTSPs). These entities have been audited by CABs (Conformity Assessment Bodies) and their activity is monitored by the national supervisory body of their country. This results in their inclusion in the European Union Trust List, guaranteeing the highest level of reliability and compliance with the eIDAS Regulation.
EADTrust is a Qualified Trust Service Provider based in Madrid, included in the trusted list of the Ministry for Digital Transformation and Public Service of Spain and, therefore, in the ‘EU/EEA Trusted Service List’ of the European Commission. As a QTSP, EADTrust is empowered to issue the PSD2 certificates (QWAC and QSealC) that regulated entities need to operate in the Open Banking ecosystem with full legal and security guarantees. Entities that need these certificates must contact an accredited QTSP to ensure regulatory compliance.
How is it related to Beneficiary Verification?
One of the practical applications that are emerging in the context of PSD2 and Open Banking is the Verification of Payee, which seeks to reduce fraud by confirming that the holder of the receiving account matches the name indicated by the payer. You can learn more about this topic in the article published by Julián Inza on his blog: Verification of the beneficiary.
