Qualified Seals for PSD2 Payment Providers

Directive (EU) 2015/2366 (PSD2) is a complex framework that regulates the European market for payment services. One of its goals is to let non-bank Payment Service Providers offer services on a level playing field by harmonizing consumer protection and the rights and obligations of payment providers and their users.

How authentication and trust are to be provided for PSD2-related communication was laid down in Commission Delegated Regulation (EU) 2018/389, the Regulatory Technical Standards on strong customer authentication and secure communication, adopted by the Commission on 27 November 2017 and supplementing PSD2. Its Article 34 requires that, for the purpose of identification, the parties communicating under PSD2 rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 (eIDAS), or on qualified certificates for website authentication as referred to in Article 3(39) of that Regulation.

Real-life implications for PSD2 providers

This essentially means that PSD2 has been tied to the eIDAS regulatory framework: to operate as a PSD2 PSP, the provider has to be able to obtain qualified certificates for electronic seals and to seal its messages with them (QSeal).

But how to build an infrastructure for qualified seals?

The qualified certificates must be issued by a Qualified Trust Service Provider (QTSP), that is, a provider that fulfils all the requirements set out in the standards, has been audited and granted qualified status by its national supervisory body, and is listed on the relevant EU trusted list. Such a QTSP can issue qualified certificates to any number of PSPs. The cost of one certificate with a 2-year validity can be several hundred euros.

The private key that belongs to this qualified certificate has to be kept in a secure element and used only through an application that can create electronic seals in the required signature formats; where the seal itself is to be a qualified electronic seal, that element must be a qualified electronic seal creation device (QSCD). For a real-time payment solution the system also has to support very high throughput, so that seals are issued without noticeable delay.

3Key eIDAS compliant remote signing solution

The core of the solution is 3Key eIDAS SignServer. It can be delivered in any form factor, including a container image, and can be operated in a cloud-based environment. Deployment takes only a few minutes. It supports scalability, load balancing and high availability, all of which are easy to configure.

The private keys can be stored, for example, in AWS KMS. The AWS KMS Crypto Token lets you work with keys generated and managed by the Amazon Web Services Key Management Service; with it you get the same functionality from keys stored and managed in the cloud as from any other Crypto Token, so there is no need to procure an expensive hardware security module and sort out its housing and connectivity. The same applies to Azure Key Vault and other cloud-based key management systems. One caveat a practitioner should check first: whether a particular cloud KMS counts as a qualified electronic seal creation device depends on its certification status and on the certificate policy of your QTSP, so confirm this with the QTSP before relying on it for qualified seals rather than for advanced seals based on a qualified certificate.

Typical sealing process (diagram not reproduced here)

Functionalities of the solution

The 3Key eIDAS compliant remote signing solution not only seals PSD2-related messages; it can also be used to confirm the authenticity, integrity and non-repudiation of other documents and data such as invoices, emails, financial statements and reports, or digitized legal acts.

Support for all advanced electronic signature formats (PAdES, XAdES, CAdES, JAdES and the ASiC container) comes in handy. Qualified time stamps can also be generated and embedded in the signed data together with the revocation information, which is what makes a seal verifiable long after the certificate has expired. The solution is integrated with QSCDs, so the functionality can be upgraded to support qualified signatures as well. The whole solution can be integrated through the available APIs and connected to the corresponding applications in a short time.
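To make the sealing and verification steps described above concrete, the following Go program is added here as an illustration; it is not 3Key's code and not the SignServer API. It builds a self-signed certificate shaped like a PSD2 qualified certificate for electronic seals, carrying the PSD2 QcStatement defined in ETSI TS 119 495 (the PSP's roles and its national competent authority), seals a payment message with a detached ECDSA signature over its SHA-256 digest, and then verifies the seal the way a receiving bank's gateway would: chain to a trusted root, the PSD2 role the request needs, then the signature over the bytes actually received, so that a tampered message, a certificate without the right role, or an untrusted issuer is rejected. "Example PSP", "Example NCA", "XX-NCA" and the function names are made up for the example; a real certificate is issued by a QTSP, its key is generated inside the QSCD or cloud KMS, and the bare signature would be wrapped in CAdES or JAdES rather than carried on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// OIDs: the qcStatements extension (RFC 3739) and the PSD2 QcStatement and PSP role
// identifiers from ETSI TS 119 495, the certificate profile PSD2 certificates follow.
var (
	OIDQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	OIDPSD2QcStmt   = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}
	OIDRolePSPPI    = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 2} // PSP_PI: payment initiation
	OIDRolePSPAI    = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3} // PSP_AI: account information
)

// ASN.1 shape of the PSD2 QcStatement: the PSP's roles plus its supervising NCA.
type RoleOfPSP struct {
	Oid  asn1.ObjectIdentifier
	Name string `asn1:"utf8"`
}
type psd2QcType struct {
	Roles   []RoleOfPSP
	NCAName string `asn1:"utf8"`
	NCAId   string `asn1:"utf8"`
}
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}

// IssueSealCert generates a sealing key and a self-signed certificate shaped like a PSD2
// QSealC. In production the key is generated inside the QSCD/KMS and the certificate is
// issued by a QTSP; self-signed, with placeholder PSP and NCA names, only to run offline.
func IssueSealCert(roles []RoleOfPSP) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	info, err := asn1.Marshal(psd2QcType{Roles: roles, NCAName: "Example NCA", NCAId: "XX-NCA"})
	if err != nil {
		return nil, nil, err
	}
	qc, err := asn1.Marshal([]qcStatement{{ID: OIDPSD2QcStmt, Info: asn1.RawValue{FullBytes: info}}})
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{Organization: []string{"Example PSP"}, CommonName: "Example PSP seal"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(2 * 365 * 24 * time.Hour), // the 2-year validity mentioned above
		KeyUsage:        x509.KeyUsageContentCommitment,          // nonRepudiation, the seal key usage
		ExtraExtensions: []pkix.Extension{{Id: OIDQcStatements, Value: qc}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SealMessage is the sealing service: a detached ECDSA signature over SHA-256 of the
// outgoing message. CAdES/JAdES wrap this same primitive in a standard envelope.
func SealMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// PSD2Roles returns the PSP roles and the NCA identifier carried in the PSD2 QcStatement.
func PSD2Roles(cert *x509.Certificate) ([]RoleOfPSP, string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(OIDQcStatements) {
			continue
		}
		var stmts []qcStatement
		if _, err := asn1.Unmarshal(ext.Value, &stmts); err != nil {
			return nil, "", err
		}
		for _, st := range stmts {
			if st.ID.Equal(OIDPSD2QcStmt) {
				var p psd2QcType
				_, err := asn1.Unmarshal(st.Info.FullBytes, &p)
				return p.Roles, p.NCAId, err
			}
		}
	}
	return nil, "", errors.New("certificate carries no PSD2 QcStatement")
}

// VerifySeal is the receiving side (a bank's API gateway): chain the certificate to a
// trusted root, require the PSD2 role this request needs, then check the signature
// against the bytes actually received.
func VerifySeal(msg, sig []byte, cert *x509.Certificate, roots *x509.CertPool, role asn1.ObjectIdentifier) error {
	// In production roots holds the QTSP CA certificates taken from the EU trusted lists.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	roles, _, err := PSD2Roles(cert)
	if err != nil {
		return err
	}
	authorised := false
	for _, r := range roles {
		authorised = authorised || r.Oid.Equal(role)
	}
	if !authorised {
		return errors.New("certificate does not authorise this PSD2 role")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(msg)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("seal does not match message: tampered, or signed with another key")
	}
	return nil
}
```

The order of checks in VerifySeal is deliberate: a valid signature from a certificate that does not chain to a QTSP, or that authorises a different PSD2 role than the request claims, proves nothing, so the certificate is judged before any cryptography is done on the message.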

The 3Key remote signing solution allows organizations to provide a high-assurance digital signing service including:

  • A signature creation device aligned with existing and anticipated eIDAS requirements
  • A direct integration with document and signature management solutions
  • Strong user authentication and remote signature authorization
  • Signature creation application supporting all advanced electronic signature formats
  • Management of cryptographic keys and certificates
  • Easy and comprehensive reporting, monitoring, and dashboards
  • Automation of signing-related procedures and tasks

Why is this the ideal solution for PSD2 PSPs and banks?

The 3Key remote signing solution is compliant with the eIDAS regulation and the ETSI standards, which are applied across the world and act as a blueprint for trust services. It has no volume-based fees, so there is no marginal cost as the quantity of sealed documents or data grows.

It can sustain very high volumes: a single node has been tested to process millions of seals per hour. All transactions are secured at a qualified level, with reliability, auditability, non-repudiation, confirmed authenticity and guaranteed integrity. Cloud-based provisioning ensures maximum flexibility and ease of operation, with very developer-friendly integration options.

Need help?

Do not hesitate to get in touch with us!
