A software solution that authenticates and authorizes TPPs offline, based on their certificates. In accordance with the EU PSD2 Directive, registered Third Party Providers (TPPs) are authorized to access customer bank accounts as well as to execute payments. The regulatory standards require transactions to be processed via secure channels, in order to protect the authenticity and confidentiality of the data.
Certificates for the protection of sensitive customer data
In order to meet the PSD2 security requirements, banks and TPPs such as Account Information Service Providers use qualified website authentication certificates (QWACs) and qualified electronic seals. These serve to authenticate authorized access to sensitive customer data.
Key challenge for banks
Providing a public interface requires banks to check every request from a Third Party Provider from the outset, in order to protect their customers' information. However, identity and authorization are confirmed by different entities. There is therefore a risk that a bank correctly identifies a Third Party Provider whose authorization for certain services is no longer valid.
Every request from a Third Party Provider therefore requires a two-part check, to prevent the following dangers:
• Unauthorized access and, as a result, disclosure of sensitive information
• Unauthorized initiation of payments
The adorsys TPP Validator (QWAC Assessor) handles the check for you
The validity of certificates is subject to constant change, and these changes have to be reflected in your system daily. The QWAC Assessor can be run as a standalone web service or integrated into an API gateway.
How the QWAC Assessor works
A Third Party Provider (TPP) sends a request to the bank to obtain account information or to initiate a payment. It is imperative that the bank checks the validity of the TPP's certificate, so that no customer data is mistakenly issued to third parties. This is where the QWAC Assessor comes in: it validates the identity and role (AIS, PIS, PIIS) of the TPP and only then releases the TPP's call. Only after this confirmation does the TPP receive the requested XS2A access.
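As an added example (not code from adorsys or the QWAC Assessor), the role half of that check in Python: a minimal DER walker pulls the rolesOfPSP list out of the PSD2 QcStatement defined in ETSI TS 119 495 and compares it with the role the requested service (AIS, PIS or PIIS) needs. It assumes the identity half (chain, validity period, revocation) has already passed and does not consult the NCA register; the sample extension value is constructed, not taken from a real TPP certificate.

```python
# Added example, not adorsys code. Decodes the PSD2 QcStatement (ETSI TS 119 495)
# of a QWAC and checks the role a request needs; identity checks are assumed done.
PSD2_QCSTATEMENT_OID = "0.4.0.19495.2"                 # id-etsi-psd2-qcStatement
ROLE_OIDS = {"0.4.0.19495.1.1": "PSP_AS", "0.4.0.19495.1.2": "PSP_PI",   # PIS
             "0.4.0.19495.1.3": "PSP_AI", "0.4.0.19495.1.4": "PSP_IC"}   # AIS, PIIS
SERVICE_ROLE = {"AIS": "PSP_AI", "PIS": "PSP_PI", "PIIS": "PSP_IC"}
def _tlv(buf, pos):   # read one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def _children(body):  # split a SEQUENCE body into its (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out
def _oid(val):        # decode a DER OBJECT IDENTIFIER value into dotted form
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def psd2_roles(qc_statements_der):
    """Return the PSP role names granted by the PSD2 QcStatement, or [] if absent."""
    _, statements, _ = _tlv(qc_statements_der, 0)       # unwrap the QCStatements SEQUENCE
    for _, stmt in _children(statements):
        parts = _children(stmt)                         # [statementId, statementInfo?]
        if _oid(parts[0][1]) != PSD2_QCSTATEMENT_OID:
            continue
        roles_of_psp = _children(parts[1][1])[0][1]     # rolesOfPSP: first field of PSD2QcType
        return [ROLE_OIDS.get(_oid(_children(r)[0][1]), "unknown")
                for _, r in _children(roles_of_psp)]
    return []

def authorize(qc_statements_der, service):
    """Role half of the two-part check: does the QWAC carry the role this service needs?"""
    return SERVICE_ROLE[service] in psd2_roles(qc_statements_der)

# Constructed sample QcStatements value (not a real TPP certificate): PSP_AI and PSP_PI.
SAMPLE = bytes.fromhex(
    "30 4D 30 4B 06 06 04 00 81 98 27 02"                       # QCStatements { QCStatement { id
    "30 41 30 26"                                               # PSD2QcType { RolesOfPSP {
    "30 11 06 07 04 00 81 98 27 01 03 0C 06 50 53 50 5F 41 49"  # RoleOfPSP PSP_AI
    "30 11 06 07 04 00 81 98 27 01 02 0C 06 50 53 50 5F 50 49"  # RoleOfPSP PSP_PI
    "0C 0B 45 78 61 6D 70 6C 65 20 4E 43 41"                    # NCAName "Example NCA"
    "0C 0A 58 58 2D 45 58 41 4D 50 4C 45")                      # NCAId "XX-EXAMPLE"
```

A request for confirmation of funds (PIIS) against this sample is refused, because the certificate carries no PSP_IC role even though it is otherwise valid.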