Electronic certificates

PSD2 EIDAS test Certificates (QWAC and QSeal)

EADTrust is offering PSD2 EIDAS (electronic IDentification, Authentication and trust Services) test Certificates to ASPSPs and TPPs whishing to test their infrastructure. Call +34 917160555 and talk to our specialists to get the right certificate for your entity.

QWAC and QSeal certificates are used in different context in PSD2 communications, to authenticate web servers and to electronically sign transactions in the Web API.

The EIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market was published before PSD2. EIDAS certificates taylored to PSD2 services are defined in ETSI Standard TS 119 495

ASPSPs are mandated, according Article 30(1)(a) of the RTS to deploy at least one interface which meets, inter alia, the requirement that AISPs, PISPs and CBPIIs are able to identify themselves towards the ASPSP.

TTPs (Third Party Providers) are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).

ASPSPs (Account Servicing Payment Service Providers) provide and maintain a payment account for a payer as defined by the PSRs and, are entities that publish Read/Write APIs to permit, with customer consent, payments initiated by third party providers and/or make their customers’ account transaction data available to third party providers via their API end points.

For the purpose of identification, ASPSPs and TPPs shall rely on using EIDAS Certificates for electronic seals and for website authenti­cation. Identifying themselves is mandatory for all TPPs that wish to get access to ASPSP’s sandbox, live API, or other channels.

EIDAS certificates are provided by Qualified Trust Service Providers (QTSPs) who are responsible for assuring the electronic identification of signatories and services by using strong mechanisms for authentication, digital certificates, and electronic signatures.

There are two  types of EIDAS certificates specifically designed for PSD2 incumbents:

  • Qualified Website Authentication Certificates (QWAC) – identification at the transport layer. QWAC is similar to SSL/TLS with Extended Validation used in the Internet web servers for the same purpose. It is used for website authentication, so that ASPSPs and TPPs can be certain of each other’s identity, securing the transport layer. TPP should present its QWAC client certificate towards an ASPSP. The ASPSP can choose between using the ASPSP QWAC server certificate or just an existing SSL/TLS certificate to receive the TPP’s identification request.
  • Qualified Certificate for Electronic Seals (QSEAL) – identification at the application layer. It is used for identity verification, so that transaction information is protected from potential attacks after communication. This means that the person receiving digitally signed data can be sure who signed the data and that it hasn’t been changed.

eIDAS QSEAL can be understood as the digital version of a traditional company stamp, and is currently applied to electronic documents sealing to guarantee the origin and integrity of the document.