The EU directive opening banking APIs to third-party providers while mandating Qualified Website Authentication Certificates (QWACs) and Qualified Seals for secure open banking communications.
PSD2 (Directive 2015/2366) revolutionized European payments by requiring banks to open their APIs to licensed Third-Party Providers (TPPs). This directive created the open banking ecosystem, enabling account information services, payment initiation services, and card-based payment instruments from third parties.
The Regulatory Technical Standards (RTS) on strong customer authentication mandate the use of QWACs under eIDAS for TPP identification. Article 34 of the RTS requires that every API call between banks and TPPs be authenticated using qualified certificates, creating a massive PKI demand across the European financial sector.
With thousands of TPPs operating across the EU, each requiring QWACs and Qualified Electronic Seal Certificates (QSealC), PSD2 has become one of the largest drivers of qualified certificate issuance and lifecycle management in the European market. The upcoming PSD3 and PSR are expected to build on these foundations.
Third-Party Providers must use Qualified Website Authentication Certificates to identify themselves when accessing bank APIs, ensuring trusted and authenticated open banking communications.
Payment service providers must use Qualified Electronic Seal Certificates to sign API messages, guaranteeing the origin and integrity of data exchanged between financial institutions.
Payment transactions require multi-factor authentication using at least two of three elements: knowledge, possession, and inherence — underpinned by secure certificate-based infrastructure.
All communications between banks and third-party providers must use secure, encrypted channels with mutual authentication to protect payment data in transit.
Third-Party Providers must register with national authorities and obtain qualified certificates containing their authorization number, roles, and NCA details for API access.
Banks must validate TPP certificates in real time for every API call, checking revocation status via OCSP or CRL to ensure only authorized providers access account data.
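The per-call check described in the two points above, as an added example that is not code from this page or from the Stream/Horizon products: it reads the PSD2 QCStatement that ETSI TS 119 495 places in a QWAC (the PSP roles plus the NCA name and id), cross-checks it against the subject organizationIdentifier ("PSDxx-NCA-authorisation number"), and refuses a call whose API needs a role the certificate does not carry. The minimal DER walker, the function names and the sample extension value are this example's own constructions; revocation checking via OCSP/CRL is a separate step it does not cover.

```python
SEQ, OID, UTF8 = 0x30, 0x06, 0x0C                        # DER tags that occur in the statement
PSD2_QC = "0.4.0.19495.2"                                 # id-etsi-psd2-qcStatement (ETSI TS 119 495)
ROLE_PI, ROLE_AI = "0.4.0.19495.1.2", "0.4.0.19495.1.3"   # PSP_PI (payment initiation), PSP_AI (account info)

def decode_oid(b):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:                                  # last octet of this arc
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def parse(der):
    """Minimal DER walker: SEQUENCE -> list, OID -> dotted str, UTF8String -> str, other -> (tag, bytes)."""
    items, i = [], 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        body, i = der[i:i + n], i + n
        items.append({SEQ: parse, OID: decode_oid, UTF8: bytes.decode}.get(tag, lambda b: (tag, b))(body))
    return items

def authorize_tpp(org_id, ext_value, need_role):
    """Per-call gateway check: a PSD2 statement is present, its NCAId agrees with the subject
    organizationIdentifier ("PSDxx-NCA-authnumber"), and the role the API needs is listed.
    Returns the TPP's authorisation number. Revocation status (OCSP/CRL) is a separate check."""
    for stmt in parse(ext_value)[0]:                      # qcStatements ::= SEQUENCE OF QCStatement
        if stmt[0] != PSD2_QC:
            continue                                      # e.g. QcCompliance, which carries no statementInfo
        roles, nca_name, nca_id = stmt[1]                 # PSD2QcType ::= SEQUENCE {rolesOfPSP, nCAName, nCAId}
        prefix = f"PSD{nca_id}-"
        if not org_id.startswith(prefix) or len(org_id) == len(prefix):
            raise ValueError(f"organizationIdentifier {org_id!r} does not match NCAId {nca_id!r}")
        if need_role not in {role_oid for role_oid, _ in roles}:
            raise PermissionError(f"{nca_name} has not authorised this TPP for role {need_role}")
        return org_id[len(prefix):]
    raise ValueError("no PSD2 QCStatement: not a PSD2 certificate")

def tlv(tag, body):
    """DER TLV with short-form length; enough for the constructed sample below (all parts < 128 bytes)."""
    return bytes([tag, len(body)]) + body
# Constructed sample (not from a real certificate): qcStatements value of a QWAC for a German
# account-information provider (PSP_AI) authorised by BaFin, preceded by a QcCompliance statement.
ROLE = tlv(SEQ, tlv(OID, bytes.fromhex("04008198270103")) + tlv(UTF8, b"PSP_AI"))  # 0.4.0.19495.1.3
INFO = tlv(SEQ, tlv(SEQ, ROLE) + tlv(UTF8, b"BaFin") + tlv(UTF8, b"DE-BAFIN"))
SAMPLE_EXT = tlv(SEQ, tlv(SEQ, tlv(OID, bytes.fromhex("04008e460101")))              # 0.4.0.1862.1.1
                   + tlv(SEQ, tlv(OID, bytes.fromhex("040081982702")) + INFO))       # 0.4.0.19495.2
```

In a real gateway `ext_value` is the value of the certificate's qcStatements extension (id-pe-qcStatements, 1.3.6.1.5.5.7.1.3) and `org_id` the subject's organizationIdentifier, both taken from the client certificate presented in the mutually authenticated TLS handshake.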
The revised Payment Services Directive (PSD2) is adopted in November 2015, mandating open banking APIs and strong customer authentication.
Member states transpose PSD2 into national law by January 2018. Banks must begin preparing APIs for third-party provider access.
The Regulatory Technical Standards on Strong Customer Authentication take effect in September 2019, mandating QWACs for TPP identification.
The European Commission proposes PSD3 and the Payment Services Regulation (PSR) in June 2023 to further harmonize and strengthen payment services rules.
The new PSD3 directive and PSR regulation are expected to be finalized, building on PSD2's foundations with enhanced digital payment protections.
PSD2 has created one of the most certificate-intensive regulatory environments in the EU. Here are the critical PKI implications:
With thousands of TPPs across the EU each requiring QWACs, PSD2 drives large-scale qualified certificate issuance — demanding robust infrastructure from Trust Service Providers.
Every API message exchanged between banks and TPPs must be signed with Qualified Electronic Seal Certificates, ensuring data integrity and non-repudiation in payment transactions.
Banks must validate TPP certificates in real time for each API call via OCSP or CRL, requiring high-availability validation infrastructure that can handle millions of daily checks.
Managing certificate renewals and rotations across thousands of TPP relationships requires automated lifecycle management to prevent API authentication failures and service disruptions.
QWAC and QSealC issuance — Stream provides the sovereign PKI infrastructure a qualified Trust Service Provider needs to issue QWACs and QSealC, with HSM-backed key protection and ANSSI-certified security.
Lifecycle management at banking scale — Horizon manages the lifecycle of thousands of banking certificates, providing a centralized view of all QWACs and QSealC across your TPP ecosystem.
Automated renewal prevents API failures — Automated certificate renewal and rotation prevents API authentication failures that could disrupt payment services and impact customer experience.
OCSP/CRL for real-time validation — Stream provides high-availability OCSP and CRL services for real-time certificate validation, supporting the millions of daily API calls in the PSD2 ecosystem.