Authentication
Overview
The VoP Scheme requires mutual TLS (mTLS) authentication for all API communications between participants. This ensures secure and verified communication between Requesting and Responding PSPs.
Certificate Requirements
Qualified Certificates
- Certificate Authority
  - Must be issued by an approved Certificate Authority (CA)
  - CA must be listed in the European Trusted Lists (ETL)
  - Qualified certificates required for production
- Certificate Properties
  - Must include PSP identification
  - Extended Key Usage for client authentication
  - Valid for maximum of 2 years
  - Must follow eIDAS requirements
Implementation
Mutual TLS Setup
Configure your client with both certificate and private key:
Certificate Validation
Your implementation must:
- Validate the certificate chain
- Check certificate revocation status
- Verify the PSP identifier
- Ensure certificate time validity
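As an added example (not part of the scheme documentation or of any VoP implementation), the following Python uses only the standard library to build the mTLS client context described under "Mutual TLS Setup" and to run the checks listed above on the peer certificate after the handshake. It assumes the PSP identifier is carried in the subject's organizationIdentifier attribute and that revocation is checked through CRL files loaded into the context; the sample certificate dict is constructed, not a real certificate.

```python
import ssl
import time

# "Valid for maximum of 2 years" (with leap-day slack)
MAX_LIFETIME_SECONDS = 2 * 366 * 86400


def build_mtls_context(client_cert, client_key, ca_bundle, crl_file=None):
    """Client-side context: presents our certificate and key, verifies the
    peer's chain against the scheme CA bundle and, when a CRL file is given,
    rejects a revoked peer certificate during the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def check_peer_certificate(cert, expected_psp_id, now=None):
    """Post-handshake checks on the dict from SSLSocket.getpeercert().
    Returns the error codes from the table below ([] means OK).
    Assumption: the PSP identifier is the subject's organizationIdentifier."""
    now = time.time() if now is None else now
    errors = set()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        errors.add("CERT_001")  # certificate has expired
    elif now < not_before or not_after - not_before > MAX_LIFETIME_SECONDS:
        errors.add("CERT_002")  # not yet valid, or lifetime over 2 years
    # subject is a sequence of RDNs, each a sequence of (type, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    psp_id = subject.get("organizationIdentifier")
    if psp_id is None:
        errors.add("CERT_004")  # missing PSP identifier
    elif psp_id != expected_psp_id:
        errors.add("CERT_002")  # certificate belongs to a different PSP
    return sorted(errors)


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "NL"),),
                (("organizationName", "Example Bank"),),
                (("organizationIdentifier", "PSDNL-DNB-EXAMPLE01"),)),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Jan 10 00:00:00 2027 GMT",
}

if __name__ == "__main__":
    print(check_peer_certificate(SAMPLE_PEER_CERT, "PSDNL-DNB-EXAMPLE01"))
```

OpenSSL already rejects an untrusted chain or an out-of-date certificate during the handshake; the explicit checks map those conditions, plus the PSP identifier, onto the scheme's error codes.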
Directory Service Integration
EDS Lookup
- Query the European Directory Service (EDS)
- Retrieve the target PSP’s endpoint and certificate
- Validate the certificate before establishing connection
Security Requirements
Certificate Management
- Private Key Protection
  - Store in Hardware Security Module (HSM)
  - Restrict access to authorized systems
  - Regular key rotation (recommended annually)
- Certificate Monitoring
  - Monitor certificate expiration
  - Implement automated renewal process
  - Maintain certificate revocation lists
- Incident Response
  - Procedures for certificate compromise
  - Emergency certificate revocation process
  - Backup certificate availability
Error Handling
Common certificate-related errors:
| Error Code | Description | Action Required |
|---|---|---|
| CERT_001 | Certificate has expired | Renew the certificate |
| CERT_002 | Invalid certificate | Check the certificate format |
| CERT_003 | Revoked certificate | Request a new certificate |
| CERT_004 | Missing PSP identifier | Update the certificate |
Testing and Certification
Test Environment
- Use test certificates for development
- Available from the VoP test CA
- Follows the same format as production
Production Certification
- Complete certification testing
- Submit certificate request
- Receive qualified certificate
- Configure production environment
Authentication Steps
- Configure TLS settings
- Retrieve the endpoint and the certificate of the target Payment Service Provider
- Establish a secure connection