3. TPP onboarding
This document is addressed to the Third-Party Payment Service Providers (TPP) and it is aimed to describe the needed onboarding procedures to the CBI Globe.
Thereafter, the necessary steps are shown in detail.
- 1. ONBOARDING WITH QWAC EIDAS CERTIFICATE
- The steps to perform the onboarding phase are shown below, being in possession of a QWAC eIDAS certificate issued by a reliable certification authority. The loaded certificate will be used to access the SANDBOX environment.
- o Press the "I'm a TPP with a QWAC eIDAS cerificate" button (Step 1)
- Upload of the eIDAS certificate
- In this first phase there is the upload of the eIDAS certificate, required for the connection to the CBI Globe.
- The first screen shown to the TPP user is the one that allows to upload the certificate, previously obtained from the TPP from a Qualified Trusted Service Provider (QTSP) authorized to release eIDAS certificates.
- The procedure will start clicking on the “Upload” button, as shown in the picture 1:
- Looking for the file of certificate on your browser and upload the file, then clicking on the “next” button, the system verifies the validity of the shown certificate. If it results not valid, an error message will appear, and it will be needed to get in contact with the designated organization for the certificate release.
- It could also be employed an eIDAS test-certificate, released from an accredited QTSP. The CBI Globe will verify the presence of a started validation process through the National Competent Authority (NCA).
- Once the certificate has been loaded, the “Company Name”, “Country” and “City” fields will be auto-filled, note that the only mandatory filed is “Company name” (Step 3)
- Enter the fields required for registration in the “COMPANY REPRESENTATIVE INFORMATIONS” section, note that the only mandatory filed is “Email”
- To complete the registration phase, enter the value of the Captcha field displayed and press the "Confirm" button after accepting the "Data User Policy" (Step 5)
- At the end of the registration, the user will receive an e-mail for setting the password. By pressing the "Login" button (Step 6) the user will be redirected to the Login page where they can access the portal. After setting the password, the TPP user will receive a new email with the subject "CBI Globe - Welcome mail" and from that moment he/she will be able to access and navigate in the CBI Globe API portal.
- 2. ONBOARDING WITHOUT QWAC EIDAS CERTIFICATE
- If the TPP is not yet in possession of the QWAC certificate, it can proceed with registration on the CBI Globe API portal by pressing the "I'm a TPP without a QWAC eIDAS certificate" button. Through this registration the TPP will be able to navigate between the APIs exposed by the CBI Globe platform and download the relative technical documentation. In a second phase, the TPP will be able to upload the QWAC certificate from the user area.
- 3. CERTIFICATE REQUIREMENTS
- To ensure security requirements of confidentiality, authenticity and integrity, the CBI Globe platform implements:
- 1. Mutual TLS Authentication, at transport layer, to initialize a secure communication channel and ensure authenticity of both client and server;
- 2. HTTP Signature, at application layer, to ensure authenticity of the sender, and nonrepudiation and integrity of the request content.
- In order to provide these functionalities and meet the requirements of the PSD2 directive, the TPP must be equipped with a qualified QWAC - eIDAS certificate (Qualified Website Authentication Certificate) and a QSEAL (Qualified eSeal Certificate) certificate as specified by the PSD2 technical standards.
- 4. CERTIFICATE RENEWAL
- Starting from 29/5/2023, as the expiry date of the TPP’s certificate approaches, no action is needed, it will be sufficient to have the new valid certificate, in case it involves the use of the same registration number as the certificate uploaded during the onboarding phase. Otherwise, the TPP will need to upload the new certificate.