Bank Interfaces for Standardized Payments – BISTRA

CCBank

Bulgaria

As the standard is modelled on the Berlin Group’s standard, the XS2A interface is mandatory in the gaining of consent to access account information. Such information may include a transaction history, or a list of accounts.

The TPP must clearly inform the PSU about the rights they are consenting for. The PSU must be strongly authenticated, and then once the TPP has acquired the right for further account information, they must give the PSU information about the result.

If the TPP cannot be identified at the XS2A interface, then the transaction will be rejected.

API Marketplace (rbinternational.com)

Raiffeisen Bank International has included BISTRA standard APIs alongside other European standards in its API Marketplace, a portal for certified Third Parties to use to retrieve key information about Raiffeisen customers’ payment accounts, such as account balance and transaction data, including amounts, dates and counterparties. 

Sofia-based Borica Bank has, through its use of the BISTRA standard, built a hub connecting with all Account Servicing Payment Service Providers (ASPSP) on the territory of Bulgaria that have published specialized interface to access their customers’ accounts as required by the PSD2. Upon the customer’s request, the hub may be integrated with other banks outside the territory of Bulgaria.

BISTRA v4.3.0 based on the BISTRA API v1.3 (28.04.2020) and Berlin Group NextGen PSD2 v1.3.12 (01.07.2020)

To access the interface, a Third Party Provider (TPP) has to meet the following requirements:

• Authorization to provide services by by a National Competent Authority under PSD2;
• Valid PSD2-compliant Qualified Web Authentication Certificate (QWAC) according to (ETSI TS 119 495.2). The certificate must be issued by one of the EU list of trusted providers and must specify the roles for which the provider is authorized:
  • Payment initiation (PSP_PI);
  • Account information (PSP_AI);
  • Issuing of card-based payment instruments (PSP_IC).
• Access to the development or production environment is done by sending an e-mail to support@ccbank.bg with the attached public part of the QWAC. If you would like to have access to the development environment with a test certificate, you also need to provide the certificate chain.

As it is formed majorly from the Berlin Group’s standard to conform to the PSD2 regulation, the standard contains stipulations for balance information and creating payments, combined with consent management.

• Account information
• Payment initiation

Swagger UI (ccbank.bg)

Consent management is clearly outlined. Consent must be requested, defining access rights to dedicated accounts of a given PSU-ID. These accounts must be addressed explicitly in the method as parameters. Consent can also be deleted. The TPP must clearly inform the PSU about the rights they are consenting for.

PIS includes a ‘signature basket’ to allow a single authorization for multiple different payments.

Developer portal Swagger developer sandbox.

The Second Payment Services Directive (PSD2) was a European legislation that came in to force in January 2016 to regulate electronic payment services and payment service providers throughout the EU. This followed on from the original PSD which was adopted by the EU in 2007.

The PSD2 legislation was to bring APIs into line with the diversity of the banking payment services, online banking functionalities, local regulatory requirements and authentication methods.

Law on Payment Services and Payment Systems (LPSPS) and Directive (EU) 2015/2366 (PSD2).