Authentication

Overview

The VoP Scheme requires mutual TLS (mTLS) authentication for all API communications between participants. This ensures secure and verified communication between Requesting and Responding PSPs.

Certificate Requirements

Qualified Certificates

  1. Certificate Authority

    • Must be issued by an approved Certificate Authority (CA)
    • CA must be listed in the European Trusted Lists (ETL)
    • Qualified certificates required for production
  2. Certificate Properties

    • Must include PSP identification
    • Extended Key Usage for client authentication
    • Valid for maximum of 2 years
    • Must follow eIDAS requirements

Implementation

Mutual TLS Setup

Configure both sides of the connection with the qualified certificate, its private key and the CA bundle. The outbound (Requesting PSP) side presents the certificate through an `https.Agent`; the inbound (Responding PSP) side must request and verify the peer's certificate:

const https = require('https');
const fs = require('fs');

// Shared credentials: our qualified certificate, its private key and the approved CA bundle
const cert = fs.readFileSync('qualified_certificate.pem');
const key = fs.readFileSync('private_key.pem');
const ca = fs.readFileSync('ca_certificate.pem');

// Outbound: present our certificate and reject peers that do not chain to the CA bundle
const agent = new https.Agent({ cert, key, ca, rejectUnauthorized: true });

// Inbound: require a client certificate and reject connections it cannot verify
const server = https.createServer({
  cert, key, ca,
  requestCert: true,        // ask the connecting PSP for its certificate
  rejectUnauthorized: true  // refuse the handshake if the certificate does not verify
}, (req, res) => { res.end(); });

Certificate Validation

Your implementation must:

  1. Validate the certificate chain
  2. Check certificate revocation status
  3. Verify the PSP identifier
  4. Ensure certificate time validity

const tls = require('tls');

// `cert` is the object returned by socket.getPeerCertificate() on a tls/https socket;
// its valid_from and valid_to fields are date strings, so parse them before comparing.
function validateCertificate(cert) {
  // Check certificate validity period
  const now = new Date();
  if (now < new Date(cert.valid_from) || now > new Date(cert.valid_to)) {
    throw new Error('Certificate is not valid at the current time');
  }
  // Verify PSP identifier (organizationIdentifier attribute of the subject)
  if (!cert.subject || !cert.subject.organizationIdentifier) {
    throw new Error('Certificate is missing the PSP identifier');
  }
  // Chain validation is performed by the TLS layer (rejectUnauthorized: true);
  // revocation status and any additional checks required by the scheme go here.
}

Directory Service Integration

EDS Lookup

  1. Query the European Directory Service (EDS)
  2. Retrieve the target PSP’s endpoint and certificate
  3. Validate the certificate before establishing connection

// EDSClient stands for the directory client library you use to query the EDS;
// it is configured with our own certificate and key because the lookup itself is authenticated.
async function getTargetPSPDetails(pspId) {
  const edsClient = new EDSClient({
    cert: process.env.VOP_CERT,
    key: process.env.VOP_KEY
  });
  const pspDetails = await edsClient.lookup(pspId);
  return {
    endpoint: pspDetails.endpoint,
    certificate: pspDetails.certificate
  };
}

Security Requirements

Certificate Management

  1. Private Key Protection

    • Store in Hardware Security Module (HSM)
    • Restrict access to authorized systems
    • Regular key rotation (recommended annually)
  2. Certificate Monitoring

    • Monitor certificate expiration
    • Implement automated renewal process
    • Maintain certificate revocation lists
  3. Incident Response

    • Procedures for certificate compromise
    • Emergency certificate revocation process
    • Backup certificate availability
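As an added example (not from the scheme documentation), the following applies the monitoring rules above to an inventory of a PSP's own certificates: it flags certificates nearing or past expiry, keys older than the recommended annual rotation, revoked entries, and whether a valid backup certificate is on hand. The 30-day renewal window and 7-day urgent window are assumed values to tune to your renewal process; the inventory entries are constructed sample data.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const RENEW_WINDOW_DAYS = 30;   // assumption: start automated renewal this far ahead
const URGENT_WINDOW_DAYS = 7;   // assumption: escalate when this close to expiry
const KEY_MAX_AGE_DAYS = 365;   // the page recommends annual key rotation

function daysBetween(from, to) {
  return Math.floor((to - from) / DAY_MS);
}

// Assess one inventory entry and return the actions an operator should take.
// An entry has: name, role ('primary' | 'backup'), validTo, keyCreated, revoked.
function assessCertificate(entry, now) {
  const daysLeft = daysBetween(now, new Date(entry.validTo));
  const keyAgeDays = daysBetween(new Date(entry.keyCreated), now);
  const actions = [];
  if (daysLeft < 0) {
    actions.push('EXPIRED: replace immediately (peers will reject with CERT_001)');
  } else if (daysLeft <= URGENT_WINDOW_DAYS) {
    actions.push(`URGENT: expires in ${daysLeft} days`);
  } else if (daysLeft <= RENEW_WINDOW_DAYS) {
    actions.push(`RENEW: expires in ${daysLeft} days, start automated renewal`);
  }
  if (entry.revoked) {
    actions.push('REVOKED: remove from service and activate the backup certificate');
  }
  if (keyAgeDays > KEY_MAX_AGE_DAYS) {
    actions.push(`ROTATE KEY: private key is ${keyAgeDays} days old`);
  }
  return { name: entry.name, role: entry.role, daysLeft, keyAgeDays, actions };
}

// A usable backup is one that is neither revoked nor expired.
function backupAvailable(inventory, now) {
  return inventory.some(e => e.role === 'backup' && !e.revoked && new Date(e.validTo) > now);
}

// Run the checks over the whole inventory; findings are ordered most urgent first.
function monitorInventory(inventory, now = new Date()) {
  const findings = inventory
    .map(e => assessCertificate(e, now))
    .filter(r => r.actions.length > 0)
    .sort((a, b) => a.daysLeft - b.daysLeft);
  return { findings, backupAvailable: backupAvailable(inventory, now) };
}

// ---- Constructed sample inventory (not real certificates) ----
const SAMPLE_INVENTORY = [
  { name: 'vop-primary', role: 'primary', validTo: '2025-06-20T00:00:00Z', keyCreated: '2024-01-15T00:00:00Z', revoked: false },
  { name: 'vop-backup', role: 'backup', validTo: '2026-03-01T00:00:00Z', keyCreated: '2025-03-01T00:00:00Z', revoked: false },
  { name: 'vop-old', role: 'primary', validTo: '2025-01-01T00:00:00Z', keyCreated: '2023-01-01T00:00:00Z', revoked: true },
];
const SAMPLE_NOW = new Date('2025-06-01T00:00:00Z');
```

Running `monitorInventory(SAMPLE_INVENTORY, SAMPLE_NOW)` reports the expired and revoked `vop-old` certificate first, then `vop-primary` with a renewal and a key-rotation action, and confirms that `vop-backup` is available to take over; a scheduled job that feeds real inventory data into this function covers the expiration, renewal and backup points of the list above.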

Error Handling

Common certificate-related errors:

Error Code | Description             | Action Required
---------- | ----------------------- | ----------------------------
CERT_001   | Certificate has expired | Renew the certificate
CERT_002   | Invalid certificate     | Check the certificate format
CERT_003   | Revoked certificate     | Request a new certificate
CERT_004   | Missing PSP identifier  | Update the certificate

Testing and Certification

Test Environment

  1. Use test certificates for development
  2. Available from the VoP test CA
  3. Follows the same format as production

Production Certification

  1. Complete certification testing
  2. Submit certificate request
  3. Receive qualified certificate
  4. Configure production environment

Authentication Steps

  1. Configure TLS settings
  2. Retrieve the endpoint and the certificate of the target Payment Service Provider
  3. Establish a secure connection