ETSI - TS 119 495
Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Certificate Profiles and TSP Policy Requirements for Open Banking
| Organization: | ETSI |
| Publication Date: | 1 November 2022 |
| Status: | active |
| Page Count: | 33 |
Scope:
The present document:
1) Specifies requirements for qualified certificates, or other non-EU schemes which provide equivalent assurance based on ETSI best practices, for electronic seals and website authentication, to be used by payment service providers in order to meet the needs of Open Banking including the EU PSD2. These profiles are based on ETSI EN 319 412-1 [1], ETSI TS 119 412-1 [2], ETSI EN 319 412-3 [3], ETSI EN 319 412-4 [4], IETF RFC 3739 [7] and ETSI EN 319 412-5 [i.6] (by indirect reference).
2) Specifies additional TSP policy requirements for the management (including verification and revocation) of additional certificate attributes as required by the above profiles. These policy requirements extend the requirements in ETSI EN 319 411-2 [5].
3) Specifies specific requirements for EU use of the qualified certificates for electronic seals and website authentication, to meet the requirements of the EU PSD2 Regulatory Technical Standards (RTS) [i.3]. Certificates for electronic seals can be used for providing evidence with legal assumption of authenticity (including identification and authentication of the source) and integrity of a transaction. Certificates for website authentication can be used for identification and authentication of the communicating parties and securing communications. Communicating parties can be payment initiation service providers, account information service providers, payment service providers issuing card-based payment instruments or account servicing payment service providers. The identifier for the Competent Authority and its country (see clause 5.2.3) can be used to identify the applicable legislation. It can be determined whether a country's national legislation follows the EU PSD2 Directive (Directive (EU) 2015/2366 [i.2]), and hence whether the RTS [i.3] applies, using the EBA list of NCA identifiers as identified in Annex D.
The requirements in clauses 5 and 6 for the certificate profile and policy are common to both EU PSD2 and non-EU Open Banking certificates.
The present document identifies information for Open Banking that is provided by a regulatory authority recognized through regulations as competent for providing such information. In the case of EU PSD2 this information is provided through a national register operated by the NCA or a register operated by the European Banking Authority. In addition, the TSP may provide services to the Competent Authority to enable revocation of certificates based on information provided by the Competent Authority. The present document places no requirements on the operation of Competent Authorities providing information for Open Banking.