SEPA Direct Debit (SDD)
EPC Approval of Certification Authorities
The European Payments Council (EPC) has established a board that handles applications from certification authorities wishing to become EPC-approved for offering e-mandate services. The board is called the Certification Authority Supervisory Board (CASB). The relevant documents pertaining to the approval process are published on this page. The first stage in the process is to send a letter of application to CASB@epc-cep.eu, using the model letter supplied.
To learn more about the role of certification authorities, please see the section on this page titled 'The Security Architecture of the EPC e-Mandates e-Operating Model'.
The term 'e-mandate' describes the option included in the SEPA Direct Debit (SDD) Schemes to issue a mandate electronically. The SEPA mandate is completed by the payer (debtor) to authorise the biller (creditor) to collect payments via SDD*. At the same time, the SEPA mandate includes the authorisation of the payer's bank to pay these collections. To learn more about the e-mandate option, refer to this dedicated page on the EPC Website: The SEPA Direct Debit Mandate.
* The technical terms used in the SDD Rulebooks refer to the payer as 'debtor' and to the biller as 'creditor'.
The security architecture of the EPC e-mandates e-operating model
The payer's bank (debtor bank) validates the e-mandates issued by a payer (debtor) wishing to make payments by SDD, either itself or through a validation service provider acting on behalf of the payer's bank (debtor bank). The routing service, necessary to facilitate the communication between all parties involved in the process, is supplied to the biller (creditor) by the biller's bank (creditor bank) or by one or more routing service provider(s) acting on behalf of the biller's bank (creditor bank). The biller (creditor) and its bank should have an agreement on the conditions for use of the routing service(s).
The messages sent from the biller (creditor), via the routing service, to the validation service of the payer's bank (debtor bank) are routed over open networks, i.e. the internet. To make this message exchange both reliable and secure, the EPC has defined a standard for this messaging called the 'EPC e-Mandates e-Operating Model' (see 'Related files' below). This is a high-level definition describing message flows, a data model and general requirements for the solution itself and for the parties executing it. In addition, the detailed specifications of the EPC e-Mandates e-Operating Model facilitate consistent implementation of the e-mandate feature by the parties involved in the process. Last but not least, the EPC e-Mandates e-Operating Model establishes a secure environment based on defined security requirements. The messages exchanged via the EPC e-Mandates e-Operating Model must comply with the ISO 20022 standards set out in the e-Mandate Service Implementation Guidelines for the SEPA Core Direct Debit (SDD Core) Scheme and the SEPA Business to Business Direct Debit (SDD B2B) Scheme, respectively. Links to these Implementation Guidelines are set out below.
The EPC e-Mandates e-Operating Model also spells out the requirements to be met by EPC-approved certification authorities (CAs). It is the role of the EPC-approved CAs to securely qualify legitimate validation service providers and routing service providers. The CAs issue certificates to validation service providers and routing service providers that meet the requirements of the EPC e-Mandates e-Operating Model. The EPC-approved CAs provide a common trust (and hence liability) model enabling secure message flows between the validation service providers and the routing service providers that facilitate the e-mandate service. Because each party can verify its counterpart's certificate against an EPC-approved CA, there is no need for the parties involved in the e-mandate process flow to establish bilateral agreements.
The EPC will allow any CA approved by the EPC, according to a dedicated approval process and based on well accepted international standards, to provide certificates to validation service providers and routing service providers. The public key certificates identifying EPC-approved CAs for SEPA e-mandate services are published in the Trust-Service Status List (TSL) for e-mandate services. The EPC has contracted MULTICERT - Serviços de Certificação Electrónica, S.A. as Approved TSL Provider to publish and maintain this TSL on their website on its behalf.
Any CA that wants to get EPC-approval can submit its registration request to the EPC with indication of its auditor. If the auditor is not yet recognised by the EPC, the auditor must be approved by the EPC according to the requirements outlined in the EPC document 'Approval Scheme for EPC Approved CAs' (see 'Related files' below). If the registration application is accepted by the EPC, the candidate CA will sign an agreement with the EPC, clarifying the liabilities between the EPC and the applicant CA. The auditor prepares an audit report for the CA, confirming that the examination was conducted in accordance with the standards and specifications published by the EPC. The CA then submits the report to the EPC. If the report is satisfactory, the EPC will approve the applicant CA, which will then finalise an agreement with the EPC on the terms and conditions of the EPC approved CA mark. Once the EPC has granted approval, the CA will be published in the list of 'EPC-approved CA for e-Mandates' on the EPC Website and included in the TSL of EPC approved CAs.
Links to more pages:
EPC technical documents
- Approval Scheme for EPC Approved CAs for e-Mandate Services
- Model Letter for CA applicants
- Requirements and Specifications for EPC Approved Server CAs for e-Mandate Services
- Model Agreement for EPC Recognised Auditors for the e-Mandate Feature of the SDD Schemes
- Model CA Audit Report for Certifying Compliance of a CA to EPC Requirements and Specification
- Model Agreement for EPC Applicant CAs for the e-Mandate Feature of the SEPA Direct Debit Schemes
- Model Agreement for EPC Approved CAs - Use of EPC CA Mark
- EPC e-Mandates e-Operating Model - High Level Definition
- The EPC e-Operating Model for e-mandates: Security Concept
- EPC e-Mandates e-Operating Model - Detailed Specification
- SEPA Direct Debit Core Scheme e-Mandate Service Implementation Guidelines Version 6.0
- SEPA Direct Debit Business to Business Scheme e-Mandate Service Implementation Guidelines Version 4.0