Earlier this year we blogged that Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, supplementing the revised Payment Services Directive (PSD2) with regard to regulatory technical standards (RTS) for strong customer authentication and common and secure open standards of communication, was published in the Official Journal of the EU on 13 March 2018. The RTS, with the exception of paragraphs 3 and 5 of Article 30, apply from 14 March 2019.
Article 34(1) of the RTS specifies that “for the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 (eIDAS Regulation) or for website authentication as referred to in Article 3(39) of that Regulation”.
To ensure supervisory convergence across the EEA, the European Banking Authority (EBA) has now published an opinion to clarify specific aspects of the use of qualified certificates for electronic seals and qualified certificates for website authentication under the RTS.
The EBA opinion is addressed to Member State competent authorities but, given the supervisory expectations it conveys, it should also prove useful for payment service providers (PSPs), technical service providers, and industry initiatives, such as the application programming interface initiatives, to allow the identification of account information service providers, payment initiation service providers, and card-based payment instrument issuers towards the account servicing payment service providers, as well as the establishment of a secure communication between PSPs.