EPC VOP – Navigating QWAC Challenges

The EPC API Security Framework mandates PSD2 QWAC certificates for client identification in the Verification of Payee (VOP) scheme. While straightforward in principle, implementation has revealed significant operational challenges. This newsletter outlines key challenges and shares lessons learned to help financial institutions prepare for successful VOP deployment.

Regulatory Requirements

The EPC API Security Framework requires:

  • PSD2 QWAC certificates for Requesting PSP identification
  • Implementation of the extensions defined in ETSI TS 119 495, section 5.1, in those certificates

These Qualified Web Authentication Certificates (QWAC), issued under EU eIDAS regulation, serve as the cornerstone of the VOP scheme’s security and participant authentication.

[Figure: certificate flow diagram]

Implementation and Operational Challenges

ART Platform Issues

The implementation phase revealed several platform-related issues that affected testing quality and project timelines:

  • ART testing excluded eIDAS validation test cases
  • ART-generated certificates consistently failed eIDAS validation because the Certificate Revocation List (CRL) endpoints were updated infrequently
  • As a result, RVMs (Routing and Verification Mechanisms) implementing eIDAS validation encountered persistent errors that required ongoing support escalation

This resulted in testing delays and increased coordination overhead between RVMs and certificate authorities.

RVM Preparedness

RVM preparedness varied across providers, highlighting strengths as well as areas of concern:

  • RVMs with PSD2 compliance backgrounds demonstrated strong eIDAS validation capabilities
  • Some RVMs lacked comprehensive eIDAS validation awareness, leading to implementation and testing delays
  • Despite the EPC recommendation, some RVMs declined to support ART certificates during buddy testing due to certificate quality concerns

Certificate Role Configuration Complexities

  • PSD2 role specification in the certificate application has proven complex. EPC recommends the use of an “Unspecified” role designation, but some Qualified Trust Service Providers (QTSP) refuse to issue certificates with this classification.
  • In addition, multiple payment institutions, including credit unions, central banks, and various payment service providers, lack a defined PSD2 role (AISP or PISP) in the NCA registers.

Procurement Challenges

  • Industry benchmarks show that the average procurement time is around six weeks, based on PSD2 implementation survey data.
  • This is mainly due to the complexity of the process, which requires legal representatives, stringent KYC procedures, and comprehensive application vetting.
  • Through our QTSP partnership and integrated platform, Banfico has reduced certificate procurement time to just two to three business days.

Security Challenges and Risk Management

  • Payment Service Providers express legitimate security concerns regarding sharing certificates with RVMs.
  • Risk mitigation strategies to address their concerns include using dedicated certificates without Payment Initiation roles, partnering with RVMs that demonstrate robust security controls, and leveraging experienced providers such as Banfico, which has been managing PSD2 certificates since September 2019.

Get in touch with us

Contact Banfico at vop@banfico.com for your eIDAS procurement and validation needs.