Scope
This document provides the answers to common questions about the use of Qualified certificates to support secure communications between payment services under PSD2 and their related Regulatory Technical Standards (RTS). The aim of this document is NOT to define how security works, but rather to explain which types of certificates are used, how to procure and validate them and the various operational and commercial processes.
Audience
This document is aimed at the following audiences:
- Account Servicing Payment Services Providers (ASPSPs)
- National Competent Authorities (NCAs)
- Third Party Providers (TPPs)
What are eIDAS Qualified Certificates?
Qualified Certificates are certificates aimed at enhancing trust in electronic transactions across the EU, regulated through Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS). eIDAS defines requirements for Qualified Certificates and for the Qualified Trust Service Providers (QTSPs) that issue them, which together ensure their trustworthiness. The operation of QTSPs is supervised by a national supervisory body to assure that these requirements are met.
The ‘Qualified’ status gives a certificate a legal and trust mark which indicates that it meets specific technical and security requirements.
Most of the requirements of the eIDAS regulation are aligned with generally accepted standards and practices. However, these are enhanced to include technical features specific to Qualified Certificates, such as being automatically identifiable as Qualified.
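The "automatically identifiable" feature is carried in the certificate's QCStatements extension (RFC 3739, OID 1.3.6.1.5.5.7.1.3), where ETSI EN 319 412-5 defines the QcCompliance statement and the QcType statement that says whether the certificate is for signatures, seals or website authentication (the QWAC case under PSD2). The following is an added example, not code from this document or from any QTSP: a minimal DER walker that decodes the extension value and reports the declared type only when QcCompliance is present. The sample extension values are constructed by hand for illustration.

```python
# Added example (not from the page): decode the X.509 QCStatements extension
# value to tell whether a certificate declares itself Qualified and of which type.
# Pure standard library; the DER walker only handles what this extension needs.

QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance (ETSI EN 319 412-5)
QC_TYPE = "0.4.0.1862.1.6"         # id-etsi-qcs-QcType; statementInfo is SEQUENCE OF OID
QC_TYPE_NAMES = {
    "0.4.0.1862.1.6.1": "esign",   # qualified certificate for electronic signatures
    "0.4.0.1862.1.6.2": "eseal",   # qualified certificate for electronic seals
    "0.4.0.1862.1.6.3": "web",     # qualified website authentication certificate (QWAC)
}

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode the content bytes of an OBJECT IDENTIFIER into dotted form."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:                      # base-128 arcs, high bit set on all but last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _children(seq_bytes):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE's content bytes."""
    pos = 0
    while pos < len(seq_bytes):
        tag, val, pos = _read_tlv(seq_bytes, pos)
        yield tag, val

def parse_qc_statements(ext_value):
    """Map statementId (dotted OID) -> statementInfo content bytes, or None if absent."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("QCStatements must be a SEQUENCE")
    statements = {}
    for tag, stmt in _children(outer):
        if tag != 0x30:
            raise ValueError("each QCStatement must be a SEQUENCE")
        parts = list(_children(stmt))
        if not parts or parts[0][0] != 0x06:
            raise ValueError("statementId must be an OBJECT IDENTIFIER")
        statements[_decode_oid(parts[0][1])] = parts[1][1] if len(parts) > 1 else None
    return statements

def qualified_types(ext_value):
    """Declared QcType names if QcCompliance is asserted; [] when the cert is not Qualified."""
    statements = parse_qc_statements(ext_value)
    if QC_COMPLIANCE not in statements:
        return []                          # no QcCompliance: treat as not Qualified
    info = statements.get(QC_TYPE)
    if info is None:
        return []                          # QcCompliance without a QcType tells us nothing usable
    return [QC_TYPE_NAMES.get(_decode_oid(val), "unknown")
            for tag, val in _children(info) if tag == 0x06]

# Constructed sample values (hand-encoded DER, not taken from any real certificate):
# QcCompliance + QcType{web}, as a QWAC would carry.
SAMPLE_QWAC = bytes.fromhex(
    "301f" "3008" "0606" "04008e460101"
    "3013" "0606" "04008e460106" "3009" "0607" "04008e46010603")
# QcType{web} only, without QcCompliance: must not be accepted as Qualified.
SAMPLE_NOT_QUALIFIED = bytes.fromhex(
    "3015" "3013" "0606" "04008e460106" "3009" "0607" "04008e46010603")

if __name__ == "__main__":
    print("QWAC sample:", qualified_types(SAMPLE_QWAC))               # ['web']
    print("unqualified sample:", qualified_types(SAMPLE_NOT_QUALIFIED))  # []
```

In a real validator this check runs on the extension value pulled from an already chain-validated certificate; the presence of the statement alone proves nothing unless the issuing CA is listed as a qualified CA service in a trusted list.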
A list of QTSPs recognised by a supervisory body as meeting the requirements of eIDAS is issued by each nation. Each national list is referenced through a list of lists issued by the European Commission. All the lists can be viewed through a Trusted List Browser or automatically processed through the List of Trusted Lists.
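Both the List of Trusted Lists and each national list are XML documents in the ETSI TS 119 612 format: the LOTL carries pointers to the national lists, and each national list enumerates its trust service providers and their services, each with a type identifier, a status and the certificate(s) that identify the service. The following is an added example, not code from this document or from any EU tooling, showing how such a list can be processed automatically: it reads the pointers a list contains and picks out the qualified-certificate CA services whose status is "granted". The XML is a constructed, cut-down sample with placeholder certificate values and an invalid-domain URL; real lists are XMLDSIG-signed and must have their signature verified before their content is trusted, which this example does not do.

```python
# Added example (not from the page): walk a trusted list (ETSI TS 119 612 XML,
# the format of the EU LOTL and the national lists) with the standard library.
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"                       # CA issuing qualified certs
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"   # service currently qualified

# Constructed sample list: one pointer to another list, one QTSP with one
# granted and one withdrawn CA/QC service. Certificate values are placeholders.
SAMPLE_TSL = """<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <SchemeInformation>
    <SchemeTerritory>XX</SchemeTerritory>
    <PointersToOtherTSL>
      <OtherTSLPointer>
        <TSLLocation>https://example.invalid/tl-XX.xml</TSLLocation>
      </OtherTSLPointer>
    </PointersToOtherTSL>
  </SchemeInformation>
  <TrustServiceProviderList>
    <TrustServiceProvider>
      <TSPInformation>
        <TSPName><Name xml:lang="en">Example QTSP</Name></TSPName>
      </TSPInformation>
      <TSPServices>
        <TSPService>
          <ServiceInformation>
            <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
            <ServiceName><Name xml:lang="en">Example Qualified CA</Name></ServiceName>
            <ServiceDigitalIdentity>
              <DigitalId><X509Certificate>QUJD</X509Certificate></DigitalId>
            </ServiceDigitalIdentity>
            <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
          </ServiceInformation>
        </TSPService>
        <TSPService>
          <ServiceInformation>
            <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
            <ServiceName><Name xml:lang="en">Withdrawn CA</Name></ServiceName>
            <ServiceDigitalIdentity>
              <DigitalId><X509Certificate>REVG</X509Certificate></DigitalId>
            </ServiceDigitalIdentity>
            <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
          </ServiceInformation>
        </TSPService>
      </TSPServices>
    </TrustServiceProvider>
  </TrustServiceProviderList>
</TrustServiceStatusList>
"""

def pointed_lists(tsl_xml):
    """URLs of the lists this list points to (for the LOTL: the national lists)."""
    root = ET.fromstring(tsl_xml)
    return [e.text.strip() for e in root.findall(".//tsl:OtherTSLPointer/tsl:TSLLocation", NS)]

def granted_qc_cas(tsl_xml):
    """[(tsp_name, service_name, [base64 DER certs])] for CA/QC services in 'granted' status."""
    root = ET.fromstring(tsl_xml)
    result = []
    for tsp in root.findall(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for si in tsp.findall("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            if si.findtext("tsl:ServiceTypeIdentifier", namespaces=NS) != CA_QC:
                continue            # other service types (OCSP, time-stamping, ...) are not CAs
            if si.findtext("tsl:ServiceStatus", namespaces=NS) != GRANTED:
                continue            # withdrawn or otherwise non-granted services must not anchor trust
            certs = [c.text.strip() for c in si.findall(".//tsl:X509Certificate", NS)]
            service_name = si.findtext("tsl:ServiceName/tsl:Name", namespaces=NS)
            result.append((tsp_name, service_name, certs))
    return result

if __name__ == "__main__":
    print("points to:", pointed_lists(SAMPLE_TSL))
    for tsp_name, service_name, certs in granted_qc_cas(SAMPLE_TSL):
        print(f"{tsp_name}: {service_name} ({len(certs)} identity cert(s))")
```

The certificates collected from granted CA/QC services are the trust anchors a relying party uses when checking that a presented certificate was issued by a qualified CA; the status, and the status history a real list also carries, must be checked against the time the certificate was used, and the whole list should be re-fetched and re-verified regularly because statuses change.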