EADTrust offers EIDAS test certificates for PSD2 to ASPSPs and TPPs wishing to test their infrastructure. Call +34 917160555 and talk to our specialists to get the right one for your organisation.

QWAC and QSeal certificates are used in different contexts in PSD2 communications, to authenticate web servers and to electronically sign web API transactions.

The EIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market was published before PSD2. EIDAS certificates adapted to PSD2 services are defined in ETSI TS 119 495.

ASPSPs (Account Service Providers for Payments) are obliged under Article 30 (1) (a) of the regulatory technical standards to deploy at least one interface that complies, inter alia, with the requirement for AISPs, PISPs and CBPIIs to be able to identify themselves to the ASPSP.

TTPs (third party providers) are either payment initiation service providers (PISPs) or account information service providers (AISPs) or both types of providers at the same time.

ASPSPs (Account Service Providers for Payments) provide and maintain a payment account for a cardholder acting as payer as defined by the PSRs and are entities that publish a read/write API to allow, with the customer’s consent, payments (transfers) initiated by external providers or the collection of transaction information from customer accounts also by external providers via their API services.

In order to enable identification, ASPSPs and TPPs will rely on the use of EIDAS certificates for electronic seals and for website authentication. Identification is mandatory for all TPPs wishing to gain access to the limited ASPSP test environment, APIs in real environments or other channels.

EIDAS certificates are provided by Qualified Trust Service Providers (QTSPs) who are responsible for ensuring the electronic identification of signatories and the services they manage, through the use of strong authentication mechanisms including digital certificates and electronic signatures.

There are two types of EIDAS certificates specifically designed for PSD2 uses:

• Qualified Website Authentication Certificates (QWAC): identification at the transport layer. The security of QWAC certificates uses SSL / TLS encrypted communications with Extended Validation of the type used by servers. They are used for website authentication, so that ASPSPs and TPPs can be sure of each other’s identity, securing the transport layer. El TPP debe enviar su certificado de cliente QWAC a un ASPSP. The ASPSP can choose to use the ASPSP QWAC server certificate or simply an existing SSL / TLS certificate to receive the TPP identification request.
• Qualified certificate for electronic seals (QSEAL): identification at the application layer. It is used for identity verification, so that transaction information is protected from possible attacks after communication. This means that the person receiving the digitally signed or stamped data can be sure who signed the data and that it has not been modified.

The eIDAS certificate for QSEAL seal can be understood as the digital version of a company’s rubber stamp, and is currently applied to the sealing of electronic documents to guarantee the origin and integrity of the document.

If you liked this article, please visit our blog or our website.