CaixaBank, SA is developing an adaptation of the United Kingdom branch interface to give access to third-party payment service providers (TPP and CBPII) in order for them to use such interface for authentication and communication with payment services users (PSUs).
The solution is being developed with the aim of fulfilling the requirements and functionalities established by the RTS Regulation, on the established date of 14 September 2019 (Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication” (“RTS Regulation”).
The RTS Regulation requires the use of eIDAS certificates for the identification of TPP. The eIDAS specifications are embodied in the ETSI TS 119 495 standard.
All requests to the PSU accounts are required to be signed in order to ensure TPP identification. HTTP Signatures provide an authentication approach, and it allows verification that the communication between client and server was not tampered with. This approach is being standardized by the IETF.
TPP will need to take the following steps to correctly sign the request:
1. Use of signing certificate: An eIDAS QSEAL certificate issued by a qualified trust service provider is required.
2. Digest creation: A base64 encoded hash of http headers of the request needs to be generated. Allowed hashing algorithm methods are to be confirmed and final components of digest creation are still to be defined.
3. Signing string: The signing string containing the date and digest headers needs to be created. It is still pending if other headers will be added to the string.
4. Sign with private key: The signing string obtained in the former step will be signed with the private key.
5. Signature header creation: The signature header added to the request will contain the signed string obtained in step 4. Final components of signature header are still to be defined.