eIDAS Qualified Certificates supporting PSD2 ESI(17)000098

EBA RTS - Article 29 Certificates For the purpose of identification, as referred to in point (a) of Article 21(1), payment service providers shall rely on qualified certificates for electronic seals as defined in Article 3(30) of Regulation (EU) No 910/20144 or for website authentication as defined in Article 3(39) of that Regulation. For the purpose of this Regulation, the registration number as referred to in the official records in accordance Annex III (C) of Regulation (EU) No 910/2014 shall be the authorisation number of the payment service provider issuing card-based payment instruments the account information service providers and payment initiation service providers, including account servicing payment service providers providing such services, available in the public register of the home Member State pursuant to Article 14 of Directive (EU) 2015/2366 or resulting from the notifications of every authorisation granted under Article 8 of Directive 2013/36/EU5 in accordance with Article 20 of that Directive. For the purposes of this Regulation, qualified certificates for electronic seals or for website authentication referred to in paragraph 1 of this Article shall include in English additional specific attributes in relation to each of the following: (a) the role of the payment service provider, which maybe one or more of the following: an account servicing payment service provider; a payment initiation service provider; an account information service provider; a payment service provider issuing card-based payment instruments. (b) the name of the competent authorities where the payment service provider is registered. The attributes referred to in paragraph 3 shall not affect the interoperability and recognition of qualified certificates for electronic seals or website authentication

CERTIFICATE ISSUANCE PS or TPPS (PISP, AISP) MEMBER STATE BANK AUTHORITY 1. REGISTRATION PROCEDURE Information about certificate? 2. ENTRY MEBER STATE PUBLIC REGISTER 3. CERTYFICATE REQUEST 4a. IDENTITY VALIDATION DINAMIC REFERENCE? QUALIFIED CERTIFICATE with Registration No Role of PS or TPPS Reference to authority 4b. REGISTRATION CONFIRMATION QUALIFIED TSP CERTIFICATION AUTHORITY 5. CERITIFCATE ISSUANCE

CERTIFICATE USAGE MODEL 1 – BASED ON STANDARDS PS or TPPS (PISP, AISP) QUALIFIED CERTIFICATE with Registration No Role of PS or TPPS Reference to authority TRUSTING PARTY (eg. BANK, CLIENT) 1. My certificate 3. OK is TRUSTED MEMBER STATE BANK AUTHORITY 2. IS CERTIFICATE VALID? Revocation request MEBER STATE PUBLIC REGISTER QUALIFIED TSP CERTIFICATION AUTHORITY CERTIFICATE STATUS INFORMATION (CRL or OCSP) Registry changes notification and revocation request? REV information

CERTIFICATE USAGE MODEL 2 – DINAMIC LINK PS or TPPS (PISP, AISP) QUALIFIED CERTIFICATE with Registration No Role of PS or TPPS Reference to authority TRUSTING PARTY (eg. BANK, CLIENT) 1. My certificate 4. OK is TRUSTED 3. ENTRY IN REGISTRY VERIFICATION MEMBER STATE BANK AUTHORITY 2. IS CERTIFICATE VALID? Revocation request MEBER STATE PUBLIC REGISTER QUALIFIED TSP CERTIFICATION AUTHORITY CERTIFICATE STATUS INFORMATION (CRL or OCSP) REV information

CERTIFICATE REVOCATION FOR MODEL 1 Revocation request can origin from PS/TPPS or Banking Authority PS or TPPS (PISP, AISP) MEMBER STATE BANK AUTHORITY Any change in the registry to the data exposed in the certificate invokes the certificate revocation ENTRY MEBER STATE PUBLIC REGISTER 1a. REVOCATION REQUEST 1b. REVOCATION REQUEST QUALIFIED CERTIFICATE with Registration No Role of PS or TPPS Reference to authority QUALIFIED TSP CERTIFICATION AUTHORITY CERTIFICATE STATUS INFORMATION (CRL or OCSP) REV information

Michał Tabor michal@tabor.waw.pl +48 501 557 094