The Payment System Act, which came into force in July 2018, transposed the Payment Services Directive (EU) 2015/2366 (PSD2) into Croatian legislation. Several important provisions of the Directive and the related Commission Delegated Regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (RTS) entered into force on 14 September 2019. Among other things, they govern the requirements for secure communication among payment service providers.
The RTS provides that payment service providers use qualified electronic certificates (eIDAS) for identification purposes when communicating with each other. In accordance with this, the European Telecommunications Standards Institute (ETSI) defined the technical specification ETSI TS 119 495, which specifies qualified certificate profiles (hereinafter referred to as ‘PSD2 certificate’) meeting the specified requirements. In a PSD2 certificate, one of the specific attributes used for the unique identification of payment service providers in the Republic of Croatia is:
- a registration number assigned by the Croatian National Bank in the process of licensing or registering payment institutions, electronic money institutions or registered account information service providers – for these institutions; and
- a personal identification number assigned by the Ministry of Finance – for credit institutions.
Different record formats have so far been used for creating the organizationIdentifier attribute as part of the qualified certificate, depending on the unique identifier used. However, the new version of ETSI TS 119 495, v1.4.1, which was issued in November 2019, provides that the same record format of this attribute is used for all payment service providers (credit institutions, payment institutions, electronic money institutions and registered account information service providers). This record format may be used provided that a unique identifier is used for each payment service provider, entered in the register of a member state and the register of the European Banking Authority, regardless of whether the identifier has been issued by the authority competent for PSD2 implementation in the member state in question. Accordingly, as the competent authority for PSD2 implementation in the Republic of Croatia, the Croatian National Bank wishes to instruct all qualified trust service providers (qualified certificate issuers) to use the following record format when defining the organizationIdentifier attribute of payment service providers licensed or registered in the Republic of Croatia:
Use of the same record format with a PSD prefix for all payment service providers will allow easier recognition and handling of PSD2 certificates.
Therefore, it is suggested that qualified trust service providers use this record format when issuing new certificates.
As regards existing certificates, each payment service provider to which a PSD2 certificate has already been issued should assess whether its certificate should be reissued. However, at the time of the next regular issuance, providers should keep in mind that their certificates should have the specified record format.