How Khatim PKI Server support PSD2 Transactions

PSD2, or the Payment Services Directive 2, is a European Union regulation that aims to enhance security and innovation in the electronic payments landscape. It came into effect in 2018 and applies to all payment service providers (PSPs) operating within the EU and the European Economic Area (EEA).

Here are the key aspects of PSD2:

Strong Customer Authentication (SCA)

Requires two or more independent factors for authentication during online payments, making it harder for fraudsters to steal your information. This typically involves a combination of something you know (password), something you have (phone, token), or something you are (fingerprint, facial recognition).

Open Payment Services

Promotes competition and innovation by requiring Payment Service Providers to open up their data to authorized third-party providers (TPPs) with your consent. This allows you to use new services, like budgeting apps or payment initiation services, without having to share your login credentials with them directly.

Enhanced Consumer Protection

Strengthens your rights and protections related to online payments, including clearer information about fees and charges, easier switching of payment providers, and improved dispute resolution mechanisms.

Benefits of PSD2

  • Increased security and reduced fraud

  • Greater choice and innovation in financial services

  • More control over your financial data

  • Improved transparency and protection

Types of qualified certificates for PSD2

Under PSD2, two specific types of qualified certificates play a crucial role in achieving strong customer authentication (SCA):

Qualified Certificate for Website Authentication (QWAC)

  • Function: Authenticates the identity of a website or online service provider (OSP) during an online transaction.
  • How it works: When you visit a website for online payment, the QWAC ensures you connect to the genuine website of the intended service provider, preventing impersonation and phishing attacks.
  • Example: Imagine accessing your payment service provider’s website for a payment. The QWAC verifies that you’re on the website and not a fake one designed to steal your information.

Qualified Certificate for Electronic Seals (QSeal)

  • Function: Creates a digital signature on data related to a transaction, ensuring its authenticity and integrity.
  • How it works: When you initiate a payment, the QSeal generates a digital signature attached to the transaction data, guaranteeing its origin and preventing tampering by unauthorized entities.
  • Example: When you authorize a payment, the QSeal attaches a digital signature to the transaction data, confirming your consent and protecting the data from manipulation during processing.

These two qualified certificates work together to achieve robust SCA transactions:

  • QWAC confirms the legitimacy of the website or service provider.

  • QSealC ensures the authenticity and integrity of your transaction data.

Additionally, some specific use cases might require other types of qualified certificates not directly mandated, such as:

  • Qualified Certificate for Email Protection (QCert-EP): Can be used for secure email communication between financial institutions and third-party providers.

  • Qualified Certificate for Time Stamping (QTimeStamp): Provides proof of the exact time a transaction occurred, potentially useful for dispute resolution.

Remember, the specific type of qualified certificate used might vary depending on the transaction type, service provider, and regulatory requirements.

It’s important to understand that qualified certificates are just one part of the SCA puzzle. Other factors like dynamic linking, transaction monitoring, and risk-based authentication also contribute to achieving secure online payments.

How Khatim PKI Server support PSD2

PSD2 initiative requires certain type of certificate extensions to be added in the X.509 certificate. These are defined by ETSI Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Certificate Profiles and TSP Policy Requirements for Open Banking

Khatim PKI Server support for PSD2 can can be summarized as follows:

  • Setup of PSD2 certificates

  • Provisioning of certificates

Setup of PSD2 certificates

PKI Admin can setup X.509 certificate templates which configures:

  • PSD2 roles:

    • PSP_IC

    • PSP_AI

    • PSP_PI

    • PSP_AS

  • National Competent Authority Information

  • Type of Qualified certificate

    • QWAC

    • QSeal


Once the type of certificate is configured, PKI admin can also setup the PDF2 roles and NCA information.


Note that the certificate templates also allow overriding parameters such as roles & nca names. If set business applications can send these using restful APIs and generate X.509 certificates without having to create new certificate templates.

Provisioning of PSD2 certificates

Once certificates templates are setup, these can configured inside Certificate Provider.


Admin should also setup the Subject DN with proper values for organizationIdentifier (OID: which are also parameterized.


Codegic recognizes the importance of PSD2 and its impact on TSPs. By providing qualified certificates, secure communication solutions, and regulatory expertise, Khatim PKI Server empowers TSPs to play a vital role in building a more secure and innovative online payment landscape. Khatim PKI Server can issue Qualified Certificates for Website Authentication (QWAC) and Qualified Certificates for Electronic Seals (QSealC), crucial for secure online transactions and data integrity.


How does PSD2 impact smaller payment service providers (PSPs)?

PSD2 affects smaller and larger payment service providers (PSPs) differently, primarily in terms of resources and capabilities for implementing strong customer authentication (SCA). Larger PSPs often have more robust systems and budgets to adapt to PSD2 requirements, while smaller PSPs might face challenges in terms of investment and technical expertise. Understanding these disparities can shed light on how different PSPs navigate compliance and innovation under PSD2.

Are there any specific challenges or complexities associated with the setup and provisioning?

The setup and provisioning of PSD2 certificates using Khatim PKI Server may entail specific challenges or complexities for users. For instance, users might encounter issues with configuring the X.509 certificate templates to accurately reflect PSD2 roles and national competent authority (NCA) information. Additionally, parameterizing the Subject DN with proper values for organizationIdentifier could pose challenges if not properly understood or implemented. Identifying and addressing these potential complexities can help users effectively utilize Khatim PKI Server for PSD2 compliance.

I want to know more about X.509 Digital Certificates and its types?

To learn more checkout our blog on PKI & Certificates.

Can you provide examples of how Khatim PKI Server's support for PSD2?

Real-world examples of how Khatim PKI Server’s support for PSD2 has been utilized by payment service providers (PSPs) can provide valuable insights into its practical applications. For instance, PSPs may leverage Khatim PKI Server to issue Qualified Certificates for Website Authentication (QWAC) and Qualified Certificates for Electronic Seals (QSealC), thereby enhancing the security and integrity of online transactions under PSD2. Exploring such use cases can illustrate the tangible benefits and outcomes of employing Khatim PKI Server in the context of PSD2 compliance and secure online payments.