QS-DIW is a Digital Identity Wallet (DIW) app. The app is used by people to authenticate and sign payments and/or contracts as well as present verifiable information (attributes) about themselves. The person must perform Strong Customer Authentication (SCA) to complete all eID transactions.
A DIW app can be used by a person to:
- Log into a web site.
- Gain access to e.g. a secure area, hotel room, sports or entertainment venue.
- Open a bank account remotely, involving Know Your Customer (KYC).
QS-DIW also meets the PSD2 requirement to perform SCA on payments. When eID credentials are issued to the person by a bank, the app can also be used to:
- Make payments at a POI (e.g. browser) / POS (in a shop).
- Sign a contract and/or a direct debit mandate simultaneously.
- Review and approve personal and corporate payment requests.
- Perform multi-user approvals on payments.
Users can review summary information and optionally drill into the detail of an eID or payment order. They can approve or cancel orders and also monitor ongoing status. Status is categorised with red/amber/green colour coding. All rejects are clearly flagged, with reason information.
The user SCA credentials are represented by an asymmetric (public/private) key pair, backed by X.509 (identity and attribute) certificates. The private key resides within, and never leaves, the Secure Element of the smartphone. The private key is unlocked with the device’s biometric sensor, a PIN, or both. The user’s biometric data likewise never leaves the smartphone. The SCA proof is represented by an Advanced Electronic Signature (AdES). The SCA proof is dynamically linked to the eID/payment/consent data, plus audit trail and device attestation information.
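To make the "dynamically linked" property concrete, the following is an added illustration and not QS-DIW's own code: a relying party verifies an ECDSA signature over the payment order together with the audit-trail and attestation context, so that any change to the payee, amount or context after signing invalidates the proof. The struct and field names, the in-memory key (standing in for the Secure Element, which this example cannot reproduce) and the sample values are all assumptions made for the example; a real AdES signature would additionally carry the signer's certificate and a standardised signature container.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PaymentOrder holds the transaction fields the SCA proof must be linked to.
// Field names are constructed for this example, not taken from PAIN.001.
type PaymentOrder struct {
	Payee    string `json:"payee"`
	Amount   string `json:"amount"`
	Currency string `json:"currency"`
	OrderID  string `json:"order_id"`
}

// ScaContext carries the audit-trail and device-attestation data that is
// bound into the same signature as the order.
type ScaContext struct {
	DeviceAttestation string `json:"device_attestation"` // placeholder value
	Timestamp         string `json:"timestamp"`
	AuthMethod        string `json:"auth_method"` // e.g. "biometric" or "pin"
}

// SignedPayload is the complete structure that is hashed and signed.
type SignedPayload struct {
	Order   PaymentOrder `json:"order"`
	Context ScaContext   `json:"context"`
}

// digest canonicalises the payload as JSON and hashes it. encoding/json emits
// struct fields in declaration order, so the encoding is deterministic.
func digest(p SignedPayload) ([]byte, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return h[:], nil
}

// GenerateKey creates a P-256 key pair. In the real app the private half
// would be generated inside and never leave the Secure Element (assumption:
// here it is an ordinary in-memory key purely for demonstration).
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign produces the SCA proof over the order and its context.
func Sign(priv *ecdsa.PrivateKey, p SignedPayload) ([]byte, error) {
	d, err := digest(p)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

// Verify checks the proof against the order and context the relying party
// actually received; a mismatch in any field makes the proof invalid.
func Verify(pub *ecdsa.PublicKey, p SignedPayload, sig []byte) bool {
	d, err := digest(p)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, d, sig)
}

func main() {
	priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample order and context.
	p := SignedPayload{
		Order:   PaymentOrder{Payee: "EXAMPLE-IBAN", Amount: "125.00", Currency: "EUR", OrderID: "ORD-1"},
		Context: ScaContext{DeviceAttestation: "ATTEST-PLACEHOLDER", Timestamp: "2024-01-01T00:00:00Z", AuthMethod: "biometric"},
	}
	sig, err := Sign(priv, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("original order verifies:", Verify(&priv.PublicKey, p, sig))

	// An attacker altering the amount in transit cannot reuse the proof.
	tampered := p
	tampered.Order.Amount = "1250.00"
	fmt.Println("tampered order verifies:", Verify(&priv.PublicKey, tampered, sig))
}
```

The relying party recomputes the digest from the data it received rather than trusting any digest sent alongside the signature; that is what turns a generic signature into a proof linked to this specific amount and payee.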
The following payment formats are fully supported:
- PAIN.001 v3 - Credit Transfer
- PAIN.008 v2 - Direct Debit
- PAIN.002 v3 - Payment Status
- ACMT.007 v1 - Account Opening
- PAIN.009 v1 - E-Mandate
- Berlin Group NextGenPSD2 JSON formats
PSD2 = DIRECTIVE (EU) 2015/2366 on payment services in the internal market
GDPR = REGULATION (EU) 2016/679 on the protection of natural persons