SEPA Direct Debit (SDD)

EPC Approval of Certification Authorities


The European Payments Council (EPC) has established a board, which will handle applications from certification authorities who wish to become EPC approved in offering e-mandate services. The board is called the Certification Authority Supervisory Board (CASB). The relevant documents pertaining to the approval process are published on this page. The first stage in the process is to send a letter of application to, using the model letter supplied.

To learn more about the role of certification authorities, please see the section on this page titled 'The Security Architecture of the EPC e-Mandates e-Operating Model'.

The term 'e-mandate' describes the option included in the SEPA Direct Debit (SDD) Schemes to issue a mandate electronically. The SEPA mandate is completed by the payer (debtor) to authorise the biller (creditor) to collect payments via SDD*. At the same time, the SEPA mandate includes the authorisation of the payer's PSP to pay these collections. To learn more about the e-mandate option, refer to this dedicated page on the EPC Website: The SEPA Direct Debit Mandate.

* The technical terms used in the SDD Rulebooks refer to the payer as 'debtor' and to the biller as 'creditor'.

The security architecture of the EPC e-mandates e-operating model

The payer's PSP (debtor bank) validates the e-mandates issued by a payer (debtor) wishing to make payments by SDD either itself or through a validation service provider acting on behalf of the payer's PSP (debtor bank). The routing service, necessary to facilitate the communication between all parties involved in the process, is supplied to the biller (creditor) by the biller's PSP (creditor bank) or by one or more routing service provider(s) acting on behalf of the biller's PSP (creditor bank). The biller (creditor) and his PSP should have an agreement on the conditions for use of routing service(s).

The messages sent from the biller (creditor), via the routing service to the validation service of the payer's PSP (debtor bank), are routed via open networks by making use of the internet. In order to make this message exchange both reliable and secure, the EPC has defined a standard for this messaging called the 'EPC e-Mandates e-Operating Model' (see 'Related files' below). This is a high-level definition describing message flows, a data model and general requirements as regards the solution itself and the parties executing it. In addition, the detailed specifications of the EPC e-Mandates e-Operating Model, facilitate consistent implementation of the e-mandate feature by the parties involved in the process. Last but not least, the EPC e-Mandates e-Operating Model establishes a secure environment based on defined security requirements. The messages exchanged via the EPC e-Mandates e-Operating Model must be compliant with the ISO 20022 standards set out in the e-Mandate-Service Implementation Guidelines for the SEPA Core Direct Debit (SDD Core) Scheme and the SEPA Business to Business Direct Debit (SDD B2B) Scheme, respectively. Links to these Implementation Guidelines are set out below.

The EPC e-Mandates e-Operating Model also spells out the requirements to be met by EPC-approved certification authorities (CAs). It is the role of the EPC-approved CAs to securely qualify legitimate validation service providers and routing service providers. The CAs will issue certificates to validation service providers and routing service providers that meet the requirements of the EPC e-Mandates e-Operating Model. The EPC-approved CAs provide a common trust (and hence liability) model enabling secure message flows between the validation service providers and the routing service providers facilitating the e-mandate service. Thanks to the CAs, there is no need for the parties involved in the e-mandate process flow to establish bilateral agreements.

The EPC will allow any CA approved by the EPC, according to a dedicated approval process and based on well accepted international standards, to provide certificates to validation service providers and routing service providers. The public key certificates identifying EPC-approved CAs for SEPA e-mandate services are published in the Trust-Service Status List (TSL) for e-mandate services.  The EPC has contracted MULTICERT - Serviços de Certificação Electrónica, S.A. as Approved TSL Provider to publish and maintain this TSL on their website on its behalf.

Any CA that wants to get EPC-approval can submit its registration request to the EPC with indication of its auditor. If the auditor is not yet recognised by the EPC, the auditor must be approved by the EPC according to the requirements outlined in the EPC document 'Approval Scheme for EPC Approved CAs' (see 'Related files' below). If the registration application is accepted by the EPC, the candidate CA will sign an agreement with the EPC, clarifying the liabilities between the EPC and the applicant CA. The auditor prepares an audit report for the CA, confirming that the examination was conducted in accordance with the standards and specifications published by the EPC. The CA then submits the report to the EPC.  If the report is satisfactory, the EPC will approve the applicant CA, which will then finalise an agreement with the EPC on the terms and conditions of the EPC approved CA mark. Once the EPC has granted approval, the CA will be published in the list of 'EPC-approved CA for e-Mandates' on the EPC Website and included in the TSL of EPC approved CAs.

Links to more pages:


Free EPC newsletter
Blog and Discussion Board
Read more
Follow us

Latest Tweet

Read this interesting itw with @DHUSACorp representative regarding #InstantPayments, #PSD2 and #blockchain