Released in October 2024, the EPC API Security Framework (EPC164-22) version 2.0 defines standardised API security requirements across multiple EPC schemes, including the VOP scheme. EPC has reused the PSD2 authentication mechanism based on eIDAS QWAC (PSD2) certificates, and expects this approach to be the best suited to improving interoperability across the scheme participants.
If the PSP already holds an open banking (PSD2) certificate, it can be reused for VOP. However, it is recommended to use a dedicated certificate for VOP.
EPC VOP Authentication and Authorization
The EPC framework mandates mutual TLS authentication between scheme participants using client certificates. The Requestor uses a Qualified Website Authentication Certificate (QWAC) PSD2 certificate for client authentication, while the Responder can use an Extended Validation (EV) TLS/SSL certificate to complete the server authentication and set up a secure tunnel.
For authorisation, VOP Responder servers must validate the Requestor details in the QWAC certificate against the details held in the EPC Directory Service (EDS) with respect to the BIC and its National Authorisation Number (NAN).
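The two checks described above, as an added example that is not part of this newsletter and not Banfico's or EPC's code: a responder-side TLS context that requires (not merely accepts) a client certificate, and an authorisation step that matches the identity asserted in the Requestor's QWAC against the EDS entry for the BIC claimed in the request. It assumes the Requestor identity is read from the QWAC subject organizationIdentifier in the ETSI TS 119 495 form "PSD<country>-<NCA>-<PSP id>", that the PSP id component is the NAN to compare, and that the BIC arrives with the API request; the EDS snapshot and all BIC/NAN values are constructed sample data.

```python
"""Added example (not from the page): responder-side mTLS enforcement and
EDS-based requestor authorisation for an EPC VOP API.

Assumptions (not stated on the page):
  * requestor identity comes from the QWAC organizationIdentifier,
    ETSI TS 119 495 form "PSD<CC>-<NCA>-<PSP id>", PSP id == NAN;
  * the claimed BIC is carried in the VOP request itself;
  * EDS_SNAPSHOT is constructed sample data, not a real EDS extract.
"""
import re
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "PSDDE-BAFIN-123456": country code, NCA identifier, PSP identifier (NAN).
ORG_ID_RE = re.compile(
    r"^PSD(?P<country>[A-Z]{2})-(?P<nca>[A-Z0-9]+)-(?P<nan>[A-Za-z0-9]+)$"
)


def build_mtls_server_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the Responder: a client certificate is mandatory.

    ca_bundle_path is an assumed PEM bundle of the QTSP issuer CAs the
    Responder trusts for QWACs; None leaves the trust store empty (demo only).
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED fails the handshake without a valid client certificate.
    # CERT_OPTIONAL (or the CERT_NONE default) lets anonymous callers reach
    # the application layer, defeating the mutual-TLS requirement.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def context_requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True only when the context will reject connections without a client cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


@dataclass(frozen=True)
class RequestorIdentity:
    country: str
    nca: str
    nan: str


def parse_org_identifier(org_id: str) -> RequestorIdentity:
    """Split the QWAC organizationIdentifier into its three components."""
    m = ORG_ID_RE.match(org_id)
    if m is None:
        raise ValueError("organizationIdentifier is not in PSD<CC>-<NCA>-<id> form")
    return RequestorIdentity(m.group("country"), m.group("nca"), m.group("nan"))


# Constructed EDS snapshot: BIC -> NCA details and NAN(s) registered for it.
EDS_SNAPSHOT: Dict[str, dict] = {
    "EXAMDEFFXXX": {"country": "DE", "nca": "BAFIN", "nans": {"123456"}},
    "EXAMFRPPXXX": {"country": "FR", "nca": "ACPR", "nans": {"654321"}},
}


def authorize_requestor(claimed_bic: str, cert_org_id: str,
                        eds: Dict[str, dict] = EDS_SNAPSHOT) -> Tuple[bool, str]:
    """Authorise a VOP request: the NAN in the presented QWAC must be the one
    the EDS holds for the BIC the Requestor claims, under the same NCA."""
    entry = eds.get(claimed_bic)
    if entry is None:
        return False, "claimed BIC is not an EDS participant"
    try:
        ident = parse_org_identifier(cert_org_id)
    except ValueError as exc:
        return False, str(exc)
    if ident.country != entry["country"] or ident.nca != entry["nca"]:
        return False, "certificate NCA does not match the EDS record for this BIC"
    if ident.nan not in entry["nans"]:
        return False, "certificate NAN is not registered for this BIC in the EDS"
    return True, "requestor authorised"


if __name__ == "__main__":
    ctx = build_mtls_server_context()
    print("client cert required:", context_requires_client_cert(ctx))
    print(authorize_requestor("EXAMDEFFXXX", "PSDDE-BAFIN-123456"))
    print(authorize_requestor("EXAMFRPPXXX", "PSDDE-BAFIN-123456"))
```

The transport check and the directory check are deliberately separate: a valid QWAC from any PSP will pass the TLS handshake, so the EDS lookup is what stops a legitimately certified but unrelated participant from querying on another BIC's behalf. A real deployment would also refresh the EDS snapshot on the schedule the scheme prescribes and log every denial with the presented organizationIdentifier.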
eIDAS certificate concerns for PSPs when using an RVM
The QWAC PSD2 certificate of the requesting PSP must be used for client authentication. When using a Routing and/or Verification Mechanism (RVM), the PSP must share its eIDAS/PSD2 certificate (private key and public certificate), which carries significant privileges, with the RVM. This introduces major risks to the bank's security posture because of the possibility of misuse if the RVM does not have adequate safeguards and controls.
An RVM that represents hundreds of PSPs on its VOP infrastructure also faces operational challenges, and a breach at the RVM threatens the security posture of every PSP it represents. PSPs must therefore do thorough due diligence when selecting their RVM.
Banfico has robust controls to safeguard the certificate from potential misuse and mitigate the security risks. We have been managing PSD2 and Confirmation of Payee solutions for many large and small banks across Europe.
Procure eIDAS Certificate through Banfico
The conventional procurement cycle for an eIDAS certificate may take a PSP around 4 – 6 weeks, and these certificates are expensive. As an agent of InfoCert S.p.A. (a QTSP), Banfico can help PSPs procure the eIDAS certificate through our web portal within 2 business days, subject to pre-validation carried out by Banfico. Our automated workflow, integrated with the InfoCert QTSP, supports the whole procurement process and makes this the most cost-effective offering in the market.
Do you need any assistance? Let us connect!
Want to know more about how we can help you with the EPC VOP security requirements? Get in touch with Banfico or register for one of our breakfast events across Europe this February by using the link below.
Banfico periodically sends newsletters on various topics related to EPC Verification of Payee implementation. Visit this page to read the previous newsletters.