The security model of the EPC VOP API is built on mutual authentication, using a Qualified Web Authentication Certificate (QWAC), as issued for PSD2 Open Banking, on the client side (VOP Requesting PSP) and an EV TLS certificate on the server side (VOP Responding PSP or RVM). Please refer to the EPC API Security Framework (ASF) for details.
The VOP API Security Framework (ASF) mandates an EV-TLS certificate for authentication on the API server-side (Responding PSP or its RVM).
To verify an EV-TLS certificate, the API-client (Requesting PSP or its RVM) must have the root certificate of the Certification Authority (CA) that issued the EV certificate in its trust store, since there is no onboarding between the VOP Requesting PSP (or RVM) and the VOP Responding PSP (or RVM).
Note:
- The ASF does not specify which CAs can issue EV TLS certificates for VOP.
- No single public source is available listing the root certificates of CAs issuing EV-TLS certificates.
EPC recommends:
- API-servers (VOP Responding PSPs and RVMs) obtain their EV-TLS certificate from a “commonly known CA” in the European financial industry.
- API-clients (VOP Requesting PSPs and RVMs) include in their trust store the CAs that are commonly used to obtain EV-TLS certificates.
- API-servers provide the trust chain (i.e. including intermediate certificates) to the API-client when they present the EV certificate during the TLS handshake (an existing general practice).
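The effect of the trust-store and chain recommendations above can be reproduced offline with OpenSSL. This is an added example, not part of the EPC text or the ASF: it builds a constructed throwaway PKI (all names are made up, and the certificates carry no EV policy OIDs) and assumes the `openssl` command-line tool, version 1.1.1 or later, is installed.

```bash
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> issuing CA -> server leaf).
# All names are made up; the certificates carry no EV policy OIDs.
set -u
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
new_root() {      # $1 = file prefix, $2 = CN: self-signed root CA
  openssl req -x509 -config "$d/pki.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}
issue() {         # $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = extension section, $5 = serial
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" -set_serial "$5" \
    -days 1 -extfile "$d/pki.cnf" -extensions "$4" -out "$d/$1.pem" 2>/dev/null
}
verify_chain() {  # $1 = client trust store, $2 = server leaf, $3 = intermediates sent by server (optional)
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}
new_root root  "Example Root CA"        # root the API-client keeps in its trust store
new_root other "Unrelated Root CA"      # stands in for a trust store lacking the right root
issue int  "Example EV Issuing CA"      root ca   1
issue leaf "vop.responding-psp.example" int  leaf 2

echo "root trusted, server sends leaf only:         $(verify_chain "$d/root.pem"  "$d/leaf.pem")"
echo "root trusted, server sends leaf + issuing CA: $(verify_chain "$d/root.pem"  "$d/leaf.pem" "$d/int.pem")"
echo "root missing from trust store, full chain:    $(verify_chain "$d/other.pem" "$d/leaf.pem" "$d/int.pem")"
```

Only the second case validates: the client needs the issuing root in its trust store and the server needs to present the intermediate, which matches the two sides of the recommendations.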
The table below provides a list of CAs used in VOP, based on the URIs included in EDS (status 6 October 2025); this list is non-exhaustive, is for indicative purposes only and is not intended to endorse any specific vendor.

For information, the EPC would also like to share the link to the Common CA Database (CCADB), a common repository of public root CAs. It provides the lists of trusted root certificates for the major browsers' root stores (e.g. Mozilla's Root Store). It is worth noting that, at the time of this publication, these lists include all commonly used root and intermediate CAs for EV TLS certificates that are being used in the context of VOP.