Security Requirements
Comprehensive security requirements for PSD2 and Open Banking compliance.
🔐 Certificates
Qualified Website Authentication Certificate
Purpose: TLS client authentication for API requests
Requirements:
- ✅ Issued by qualified trust service provider (QTSP)
- ✅ Contains TPP authorization number
- ✅ Valid for maximum 2 years
- ✅ Must be registered with Paysera
Key Fields:
organizationIdentifier: PSDLT-BOL-123456
commonName: Your Company Name
serialNumber: 1234567890
validFrom/validTo: Certificate validity period
Usage Example:
```javascript
const fs = require('fs');
// TLS client authentication: present the QWAC and its private key,
// and trust the CA bundle used to validate the server certificate
const options = {
  cert: fs.readFileSync('qwac-cert.pem'),
  key: fs.readFileSync('qwac-key.pem'),
  ca: fs.readFileSync('ca-bundle.pem')
};
```
Qualified Seal Certificate
Purpose: Request signing for payment initiation
Requirements:
- ✅ Used for digital signatures
- ✅ Contains organization identifier
- ✅ Secure storage mandatory
- ✅ Required for PIS operations
Signing Process:
```http
POST /v1/payments HTTP/1.1
Digest: SHA-256=base64(hash(body))
X-Request-ID: unique-request-id
Signature: keyId="serial",algorithm="rsa-sha256",headers="digest x-request-id",signature="..."
```
Certificate Lifecycle
Best Practices:
- 📅 Monitor expiry dates (alert 30 days before)
- 🔄 Rotate certificates before expiration
- 🔒 Store private keys securely (HSM recommended)
- 📊 Maintain certificate inventory
- 🚨 Have emergency replacement procedure
Strong Customer Authentication (SCA)
🛡️ SCA Requirements & Implementation
Two-Factor Authentication
SCA requires at least 2 of 3 factors:
| Factor | Type | Examples |
|---|---|---|
| 🧠 Knowledge | Something you know | Password, PIN, security question |
| 📱 Possession | Something you have | Phone, token, smart card |
| 👤 Inherence | Something you are | Fingerprint, face, voice |
SCA Exemptions
Low-value transactions:
- Payments under €30
- Cumulative limit €100 or 5 transactions
Other exemptions:
- Recurring payments (after initial SCA)
- Trusted beneficiaries (whitelist)
- Corporate payments (B2B)
- Merchant-initiated transactions
Dynamic Linking
For payment transactions:
- Link authentication to specific amount
- Link to specific payee
- Generate unique authentication code
- Display transaction details to user
Data Protection
🔒 Data Security Requirements
Encryption Standards
In Transit:
- TLS 1.2 minimum (1.3 recommended)
- Strong cipher suites only
- Certificate pinning for mobile apps
At Rest:
- AES-256 encryption
- Secure key management
- Database encryption
- File system encryption
Data Handling
Storage:
- Minimize data retention
- Implement secure deletion
- Regular data purging
- Audit trail maintenance
Access Control:
- Role-based permissions
- Multi-factor admin access
- Regular access reviews
- Principle of least privilege
GDPR Compliance
- Privacy by design
- Data minimization
- User consent management
- Right to erasure
- Data portability
- Breach notification (72h)
API Security
OAuth 2.0 Security
Token Management:
- Short-lived access tokens (1 hour)
- Secure token storage
- Token rotation on refresh
- Revocation endpoints
PKCE Implementation:
```javascript
const crypto = require('crypto');
// Generate code verifier and S256 challenge (RFC 7636)
const verifier = crypto.randomBytes(32).toString('base64url');
const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
// Use the challenge in the authorization request; the verifier is sent later with the token request
const authUrl = `${baseUrl}/authorize?code_challenge=${challenge}&code_challenge_method=S256`;
```
API Rate Limits
Default Limits:
- 10 requests per second per endpoint
- 1000 requests per hour per client
- Burst allowance: 20 requests
Headers:
```http
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200
```
Error Response:
```json
{
  "error": "rate_limit_exceeded",
  "message": "Too many requests",
  "retry_after": 60
}
```
Security Monitoring
Log Everything:
- API access attempts
- Authentication events
- Certificate usage
- Error responses
- Consent operations
Alert Triggers:
- Multiple failed authentications
- Unusual traffic patterns
- Certificate near expiry
- Unauthorized access attempts
- Data breach indicators
Audit Requirements:
- Immutable log storage
- 5-year retention minimum
- Regular audit reviews
- Compliance reporting
Consent Management
📋 Consent Requirements
Consent Lifecycle
Consent Rules
Validity Period:
- Maximum 90 days for AIS
- One-time use for PIS
- Explicit renewal required
User Rights:
- View active consents
- Revoke at any time
- Clear consent history
- Granular permissions
Display Requirements:
- Show requested permissions clearly
- Display data recipient info
- Explain data usage
- Provide contact information