Recently, Open Banking Exchange Europe (OBE) has received several enquiries about how trust is managed in the EU for PSD2 security and how this differs from the model conventionally used by commercial applications such as web browsers. The following description is intended to illustrate the difference.
Trust in identities under PSD2 is based on well-established technology called public key certificates (or just certificates), which are used to prove the identity of PSD2 payment service providers. Certificates are issued by Certification Authorities (CAs), which are commonly organised in a hierarchy with a ‘root CA’ certifying the ‘intermediate CAs’ that issue certificates for different purposes. This is illustrated in the example below with a Root CA certifying two Intermediate CAs: one intermediate CA issues certificates that identify the creator of a digital signature; the other issues qualified certificates for authenticating a website.
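As an added example (not part of the OBE text or any real CA's setup), the hierarchy described above built with openssl in a POSIX shell: a Root CA, two Intermediate CAs, one end-entity certificate under each, and the chain check a relying party runs. All names and keys are constructed throw-aways; it assumes OpenSSL 1.1.1 or later is installed.

```shell
# Added example: a Root CA certifying a Signature CA and a Web Auth CA, each
# issuing one end-entity certificate, then the relying party's trust check.
# Names are constructed; keys are throw-away and live in a temp directory.
set -e
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# cert NAME SUBJECT EXTENSIONS [ISSUER]: make a P-256 key and a 1-day
# certificate for NAME, self-signed when no ISSUER is given (the root),
# otherwise signed by ISSUER's key. EXTENSIONS is an X.509 v3 extension list.
cert() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$PKI/$1.key" 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -subj "$2" -out "$PKI/$1.csr" 2>/dev/null
  printf '%b\n' "$3" > "$PKI/$1.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" -days 1 \
      -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$4.crt" -CAkey "$PKI/$4.key" \
      -CAcreateserial -days 1 -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
  fi
}

CA='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
cert root   "/CN=Example Root CA"      "$CA"
cert sig_ca "/CN=Example Signature CA" "$CA" root
cert web_ca "/CN=Example Web Auth CA"  "$CA" root
# End-entity certificates: one whose key usage is signing (a seal-type
# certificate) and one for authenticating a website (TLS server).
cert seal "/CN=Example PSP seal" \
  'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation' sig_ca
cert site "/CN=psp.example" \
  'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth' web_ca

# trusted LEAF INTERMEDIATE ROOT: the relying party's check. Only ROOT is a
# trust anchor; INTERMEDIATE is supplied as untrusted chain material and must
# itself chain to ROOT. Returns 0 when LEAF validates, non-zero otherwise.
trusted() {
  openssl verify -CAfile "$PKI/$3.crt" -untrusted "$PKI/$2.crt" "$PKI/$1.crt" \
    >/dev/null 2>&1
}

trusted seal sig_ca root && echo "seal: OK via Signature CA"
trusted site web_ca root && echo "site: OK via Web Auth CA"
# A leaf presented with the wrong intermediate does not chain to the root.
trusted seal web_ca root || echo "seal via Web Auth CA: rejected"
```

Only the root is installed as a trust anchor; an intermediate on its own is never enough, which is why the last check fails.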