Major browsers will no longer accept public TLS certificates with the client authentication option. What is the impact on the use of QWAC PSD2 certificates for the authentication of the VOP Requesting PSP?
The security model of the EPC VOP API is built on mutual authentication using a Qualified Web Authentication Certificate (QWAC) issued for use in the PSD2 Open Banking on client side (VoP Requesting PSP) a
How should the VOP Responder validate the QWAC PSD2 certificate of the VOP Requester?
The security model of the EPC VOP API is built on mutual authentication using a Qualified Web Authentication Certificate (QWAC) issued for use in the PSD2 Open Banking on client side (VoP Requesting PSP) a
How can the validity of the Extended Validation Transport Layer Security (EV-TLS) certificate be validated by the VoP Requesting PSP or RVM? Which Certificate Authority of EV-TLS needs to be trusted?
The security model of the EPC VOP API is built on mutual authentication, using a Qualified Web Authentication Certificate (QWAC) issued for use in the PSD2 Open Banking on client side (VoP Requesting PSP)
Regarding the schemeNameCode enumeration values that are listed under the ExternalOrganisationIdentification1Code list: while format validations are provided for SREN and SRET, we could not find format details for the other codes, such as BANK, CBID, CHID, CINC, COID, CUST, DUNS, EMPL, GS1G, TXID, BDID, and BOID. Could you please confirm whether there are any format validations or constraints available for these remaining codes, and provide them to us, if possible?
For the codes such as BANK, CBID, CHID, CINC, COID, CUST, DUNS, EMPL, GS1G, TXID, BDID and BOID, ISO 20022 does not provide explicit format validations.
Multiple URIs in the EDS: When more than one URI is indicated by a VOP participant in the EDS, which URI should be used by the Requesting PSP? Which policy should be used to select the URI?
The Priority 1 URI should always be used by the Requesting PSP as the “default” URI.
URI(s) with lower priorities may be used, e.g., as alternative backup reachability endpoints in case the Priority 1 URI is not reachable.
How is the execution time technically calculated? The rulebook says that the execution time is the subtraction between the requested date-time and the responding date-time. There is no rule about the synchronization of the clocks. Can the execution time be accurate?
• The rulebook does not say that the calculation requires a subtraction between the requested date-time and the responding date-time.
What do I need to consider when requesting a QWAC PSD2 certificate from a QTSP?
As described in detail in the VOP API specifications and the
In case both the Requesting and Responding PSPs use the same RVM, is it mandatory to use the published VOP APIs?
All VOP scheme participants must at least support the inter-PSP API specifications set by the EPC. This ensures SEPA wide reachability and interoperability.
Is it possible for a group-head PSP (acting as RVM, or partnering with a selected third-party RVM) to use its own QWAC PSD2 certificate and NAN number, when acting as Requesting PSP also on behalf of other PSPs of the same community?
This means one QWAC PSD2 certificate (and one NAN) would be shared within a community of VOP scheme participants, and be used to identify, authenticate and authorise all VOP scheme participants of the same community, when acting