Staying PSD2 Compliant with QWAC
A new EU directive related to security is due to go into effect on the 14th of September 2019. It is called the Payment Service Directive 2 (PSD2), and it is focused on the banking and financial technology sectors. As the name suggests PSD2 is the second implementation of EU wide banking regulations, and it is part of the broader electronic identification and trust services (elDAS) that have allowed for electronic financial transactions to be given the same legal status as traditional paper transactions. PSD2 is part of the drive for Open Banking across the EU.
What organisations need to be aware of and comply with PSD2?
If your organisation operates in the financial sector as a provider of services or as a payment broker, then the PSD2 directive applies. For example:
- ASPSP (Accounts-servicing Payments Service Provider) - organisations that fall into this category are the traditional banks who provide accounts for individuals and businesses. For instance Bank of Ireland and Allied Irish Bank.
- AISP (Account Information Service Provider) - these are account aggregator services that handle financial data from multiple sources. For example, Quicken or Mint.
- PISP (Payment Initiation Service Provider) - organisations that enable payments to third parties from user’s bank accounts or credit cards. For example, PayPal, WorldPay, Sofort, Trustly, and many more.
Other organisations that may not fit into one of these categories will still need to comply with PSD2 if they handle financial transactions. Contact Renaissance to discuss if you are in any doubt about whether you need to implement the PSD2 requirements.
What does PSD2 Require?
Full details of what PSD2 directive requires are outlined in the 20-minute Entrust Datacard webinar that is available for on-demand viewing. We highly recommend you watch it to get details of the PSD2 requirements. You should also read the Entrust Datacard white paper on PSD2 that is available from their comprehensive PSD2 Open Banking web page.
In summary PSD2 requires actions in either, or both, of the following areas:
- Protection for financial transaction data at rest - this relies on the implementation and use of Qualified Electronic Seal certificates (QSealC) that are used to sign files electronically. This allows anyone accessing a file to be sure it is from the organisation they expect, and that it has not been altered since it was electronically signed. This is the electronic equivalent of a traditionally signed document.
- Protection for financial transaction data in transit - PSD2 builds on existing Extended Validation (EV) Certificates to provide a Qualified Website Authentication Certificate (QWAC). A QWAC certificate has extensions to EV Certificates that allow for the reliable identification of the organisation using the certificate for trust in the financial sector. QWAC enables full TLS encryption in both directions on financial transactions.
Most organisations are implementing QWAC to comply with PSD2, but both it and QSealC should be considered to provide full compliance for data in transit, and at rest.
It should be noted that PSD2 requires QWAC and QSealC certificates for organisations operating in the EU member states, to be issued by a certificate authority that is based in the EU. Entrust Datacard issue their certificates for PSD2 via their Spanish subsidiary and so are fully compliant.
The PSD2 compliance deadline is only eight weeks away. While there are no EU wide PSD2 sanctions mandated by the European Banking Authority, any data breach that happens under PSD2 will likely also be a breach under GDPR or NIS as well. Complying with the PSD2 directive is required for organisations operating in the EU FinTech sector. Watch the Entrust Datacard webinar, read the white paper, and the open banking website. Then contact Renaissance to discuss how Entrust Datacard can help you implement PSD2 compliance before the September deadline, or as soon as possible after.