EBA publishes an Opinion on the use of eIDAS certificates under PSD2
The European Banking Authority (EBA) published an Opinion on the use of eIDAS certificates under the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication (SCA&CSC). In the Opinion, the EBA clarifies specific aspects on the use of qualified certificates for electronic seals (QSealCs) and qualified certificates for website authentication (QWACs) for the purpose of identification of payment service providers (PSPs) under the RTS, the content of these certificates, and the process for their revocation.
The Opinion aims to address questions and concerns raised by market participants about the use of eIDAS certificates. More specifically, the Opinion clarifies that account servicing payment service providers (ASPSPs) are the party that should choose which kind of certificate has to be used for identification purposes, because they provide the interface and ensure the security of the communication. In addition, the EBA highlights three potential alternative approaches for the use of eIDAS certificates, but it recommends that QSealCs and QWACs be used in parallel.
Furthermore, the Opinion identifies a few measures that competent authorities may apply in order for all PSPs to be in a position to rely on the eIDAS certificates. However, the EBA acknowledges that the validity of the information contained in the certificates is the responsibility of PSPs and of the qualified trust service providers that issue the certificates.
The Opinion is addressed to national competent authorities, but it is also useful for payment service providers and industry initiatives, including application programming interface (API) initiatives.