[cabf_validation] Support for registered organisation identifier of EU payment service providers

[nhpe89 at gmail.com]

All,

 

Tim has kindly offered to discuss the EU requirements for identification of
organisations providing payment services in the EU in the next call of the
validation group.

 

As a starting point may I make the following points (as a personal
contribution to discussions).:

1)          There is a need in the EU in support of Open Banking to include
within a Website certificate a registered identifier for a payment service
provider which is used to reference authorisation information in EU national
registers for payment services under the 2nd EU Payment Service Directive
(PSD2).  It is required under PSD2 that this registered identifier is
authenticated by the Website certificate.  Some interpretations of the EU
requirements consider that this website certificate must be  a Publicly
Trusted Certificate.

2)          ETSI have published a standard for EU payment services (TS 119
495) which includes a web site certificate profile including the placement
of the payment service provider registered identifier in the X.520
organizationIdentifier in the Subject Distinguished Name.

3)          The EV Guidelines requirement on EV Certificate Subject
Information  9.2 includes a sub-section 9.2.8 on "other Subject Attributes"
which is assumed to allow the inclusion of X.520 organizationIdentifier to
carry the payment service provider registered identifier as specified in
ETSI TS 119 495.  As yet no one has clearly demonstrated this assumption is
incorrect.

4)          The CAB Forum validation group have indicated a desire to update
the EV guidelines to update the 9.2 requirements to be more explicit on the
requirements of "Other Subject  Attributes".

5)          The CAB Forum meeting in June requested the CABF validation
Group to work with ETSI to see if it can identify a solution to ensure any
update to EV 9.2 which still enables ETSI to meet the requirements of PSD2
as applied to PTC.

 

Starting point for choices:

 

a)          Recognise the current approach using X.520
organizationIdentifier in the Subject Distinguished Name

-            From ETSI viewpoint this is the preferred approach

 

b)          Carry the PSD2 payment service provider registered identifier as
an Registered Identifier

-            This may not be considered the intent of equivalence to
Incorporation

 

c)           Carry PSD2 payment service provider registered identifier in
another field

-            This requires changes to ETSI specifications and also
acceptance by PSD2 community who need to support the regulation in test mode
by March 2019.

 

Regards

 

Nick Pope

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181204/ac6a9fa4/attachment.html>