Friday, February 22, 2019

eIDAS and PSD2, what's new for PKI and what can you do?

What does PSD2 have to do with eIDAS?

With the introduction of the Revised Payment Service Directive (PSD2) in the EU there are many changes for Payment Service Providers, but there are also some changes for eIDAS Trust Service Providers (TSPs). Payment Service Providers (PSPs) will be required to use Qualified Certificates for electronic seals and website authentication. Specifically for PSPs there are new fields in the QC statement of certificates issued for this purpose. With PSD2 the QC statement is an interesting mix of issuer-specific (static) fields and subject-specific (dynamic) fields. For general eIDAS QC statement information see our earlier blog post.

PSD2 Specific Certificate Fields

The PSD2 specific fields are specified in the recently released ETSI Technical Specification ETSI TS 119 495 in section 4.

Let's look at the new fields and what they mean. There are four required fields in TS 119 495:
  • Authorization number
  • Roles of PSP
  • NCAName
  • NCAId
The authorization number is the registration number of the payment service provider. This number must be included in the Subject DN of the certificate, in the organizationIdentifier DN attribute. This is a dynamic field: different for each certificate issued to different PSPs, but the same for multiple certificates issued to the same PSP. The organizationIdentifier attribute is supported in EJBCA Enterprise PKI from version 6.5.2. The other three elements are part of the QC statement.

PSD2 Qualified Certificate Statement

The PSD2 specific fields in the qualified certificate statement are specified in ETSI Technical Specification ETSI TS 119 495 in section 5.

Every PSD2 Third Party Payment Service Provider can have one or more of four different roles (described in section 4.2 of TS 119 495). This means the roles must be a dynamic field, set by the TSP when issuing the certificate to the PSP. The four roles are account servicing (PSP_AS), payment initiation (PSP_PI), account information (PSP_AI) and issuing of card-based payment instruments (PSP_IC).

The NCAName and NCAId are the name and ID of the National Competent Authority (NCA), for example BaFin in Germany. These are specific to the country where the PSP is registered. Since TSPs can issue certificates within any country in the EU, this also means that the NCAName and NCAId fields must be dynamic fields, set by the TSP when issuing the certificate to the PSP.

PSD2 QC Statements are supported out of the box in EJBCA Enterprise PKI from version 7.0.0. In earlier versions they can be created with custom extensions in order to produce test certificates.

Creating PSD2 Certificates with EJBCA

To issue PSD2 certificates with EJBCA Enterprise (7.0.0 and later):
  • Check the ETSI PSD2 QC Statement checkbox in the Certificate Profile
  • Include the PSD2 specific fields when issuing the certificate

./EjbcaWsRaCli edituser psd2 foo123 true "CN=PSD2 eSeal Certificate,organizationIdentifier=12345678-9876,O=PrimeKey,C=SE" NULL NULL ManagementCA 1 PEM NEW User Client NULL NULL NULL "QCETSIPSD2ROLESOFPSP=;PSP_AS" "QCETSIPSD2NCANAME=PrimeKey Solutions AB, Solna Access, Plan A8, Sundbybergsvägen 1, SE-17173 Solna" "QCETSIPSD2NCAID=SE-PK"
You can also set PSD2 specific fields in the web UI (EJBCA 7.0.1 and later) by enabling them as fields to be used in the End Entity Profile. After that you will be able to enter the PSD2 fields in the Admin UI and the RA UI.
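The three QC statement fields above (roles of the PSP, NCAName, NCAId) and the authorization number in the Subject DN organizationIdentifier are what the EJBCA command sets. The following is an added example, not EJBCA or PrimeKey code, that encodes and decodes the PSD2QcType structure from ETSI TS 119 495 as DER with only the Python standard library, and checks the authorization number and NCAId syntax from section 5.2 of the same specification. The OIDs (0.4.0.19495.2 for the statement, 0.4.0.19495.1.1 to .1.4 for the four roles) and the format rules are taken from TS 119 495 and should be checked against the version of the specification you implement; sample values such as DE-BAFIN and PSDDE-BAFIN-123456 are constructed, not real registrations.

```python
"""ETSI TS 119 495 PSD2 QC statement: DER encode/decode and authorization number
syntax check. Added example, standard library only; not EJBCA code."""
import re

# OIDs as assigned in TS 119 495 section 5 (verify against the spec version you target)
PSD2_QC_STATEMENT_OID = "0.4.0.19495.2"
PSD2_ROLE_OIDS = {                 # under id-etsi-psd2-roles = 0.4.0.19495.1
    "PSP_AS": "0.4.0.19495.1.1",   # account servicing
    "PSP_PI": "0.4.0.19495.1.2",   # payment initiation
    "PSP_AI": "0.4.0.19495.1.3",   # account information
    "PSP_IC": "0.4.0.19495.1.4",   # issuing of card-based payment instruments
}
ROLE_NAMES_BY_OID = {oid: name for name, oid in PSD2_ROLE_OIDS.items()}
# Section 5.2 syntax: authorization number (Subject DN organizationIdentifier) is "PSD" +
# ISO 3166 country + "-" + 2..8 uppercase NCA identifier + "-" + PSP identifier (any string);
# NCAId is country + "-" + NCA identifier.
AUTHORIZATION_NUMBER_RE = re.compile(r"PSD[A-Z]{2}-[A-Z]{2,8}-.+")
NCA_ID_RE = re.compile(r"[A-Z]{2}-[A-Z]{2,8}")

def validate_authorization_number(value: str) -> bool:
    return AUTHORIZATION_NUMBER_RE.fullmatch(value) is not None

# Minimal DER helpers: only SEQUENCE (0x30), OBJECT IDENTIFIER (0x06), UTF8String (0x0C)
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:               # base-128, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))

def _encode_utf8(s: str) -> bytes:
    if not 1 <= len(s) <= 256:         # SIZE (1..256) constraint from the ASN.1 module
        raise ValueError("UTF8String must be 1..256 characters")
    return _tlv(0x0C, s.encode("utf-8"))

def encode_psd2_qc_statement(roles, nca_name: str, nca_id: str) -> bytes:
    """QCStatement { statementId etsi-psd2-qcStatement, statementInfo PSD2QcType } where
    PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF SEQUENCE { OID, UTF8String },
    nCAName UTF8String, nCAId UTF8String }"""
    if not roles or set(roles) - PSD2_ROLE_OIDS.keys():
        raise ValueError("roles must be a non-empty subset of PSP_AS/PSP_PI/PSP_AI/PSP_IC")
    if NCA_ID_RE.fullmatch(nca_id) is None:
        raise ValueError("NCAId must look like DE-BAFIN")
    roles_of_psp = b"".join(_tlv(0x30, _encode_oid(PSD2_ROLE_OIDS[r]) + _encode_utf8(r))
                            for r in roles)
    info = _tlv(0x30, _tlv(0x30, roles_of_psp) + _encode_utf8(nca_name) + _encode_utf8(nca_id))
    return _tlv(0x30, _encode_oid(PSD2_QC_STATEMENT_OID) + info)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner

def _decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_psd2_qc_statement(der: bytes) -> dict:
    """Parse one PSD2 QCStatement; roles come back as (name-from-OID, roleOfPspName)."""
    tag, stmt, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    (oid_tag, oid), (_, info) = list(_children(stmt))
    if oid_tag != 0x06 or _decode_oid(oid) != PSD2_QC_STATEMENT_OID:
        raise ValueError("statementId is not etsi-psd2-qcStatement")
    (_, roles_seq), (_, nca_name), (_, nca_id) = list(_children(info))
    roles = []
    for _, role in _children(roles_seq):
        (_, role_oid), (_, role_name) = list(_children(role))
        roles.append((ROLE_NAMES_BY_OID.get(_decode_oid(role_oid), "unknown"), role_name.decode()))
    return {"roles": roles, "nca_name": nca_name.decode(), "nca_id": nca_id.decode()}

if __name__ == "__main__":             # constructed sample values, not a real PSP
    der = encode_psd2_qc_statement(["PSP_AS", "PSP_AI"], "BaFin", "DE-BAFIN")
    print(der.hex(), decode_psd2_qc_statement(der), validate_authorization_number("PSDDE-BAFIN-123456"))
```

The encoded bytes are what ends up as one QCStatement inside the qcStatements certificate extension (OID 1.3.6.1.5.5.7.1.3); a relying party or an RA pre-issuance check can run the decoder over that extension and compare the roles and NCAId against the PSP's registration at the NCA. Note that the placeholder organizationIdentifier value 12345678-9876 in the test command above does not follow the PSDxx-yyyy-zzzz syntax and is rejected by the check, which is fine for a test certificate but not for a production one.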

PSD2 Certificate Timeline

Payment service providers must provide account information and payment services with adequate documentation of the technical interface and a corresponding test environment that works with PSD2 certificates from March 14th 2019. From September 14th 2019, all service providers must be PSD2-compliant.

EJBCA Enterprise

We strive to support all relevant open PKI standards and it is important to keep EJBCA Enterprise up to date with new and emerging standards. Since EJBCA 6.5.2 eIDAS compliance should be easily achieved on the level of PKI, and the new PSD2 specific QC statement is fully supported in EJBCA 7.0.1.

Tomas Gustavsson

EJBCA Enterprise PKI and PKI Appliance developed by PrimeKey.

EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.
