Big moment at the TRAVIC User Group 2022 - payments as a service twice over

After a three-year forced break, the TRAVIC user group finally took place live again. Innovations in the TRAVIC suite and product-related workshops were presented, and any resulting needs and questions were addressed in the deep dive in a collaborative setting. However, that was not all – the eagerly awaited guest speakers Alexander Merkel (Deutsche Bundesbank) and Nico Frommholz (Hamburg Commercial Bank) made people sit up and take notice: Mr Merkel outlined the status quo and dared to look beyond the horizon by shedding light on the expectations, opportunities and risks that need to be kept in mind when dealing with the topic of "crypto currencies / digital euro". Mr Frommholz, Director Head of Payment Operations, opened the main topic of payments as a service for discussion with the presentation "SEPA is live" – a topic that PPI AG is increasingly focusing on and that, in addition to EBICS, is a major driver and cause for consideration.

With the go-live of HCOB, PPI AG has demonstrably succeeded in filling a significant gap in the payments as a service market. However, it gets even better: the British Internet direct bank Revolut relies on the data exchange solution TRAVIC-Interbank and also on the payments-as-a-service model – cloud-based and provided by PPI AG – for its expansion into the EU region. Founded in London in 2015, neobank Revolut currently has around 18 million private customers who use the company's finance app. In January 2022 Revolut launched its banking service offering in Germany and nine other European countries. For the aggressive development of the EU market, Revolut, as a non-EU bank, needs a connection to the European Banking Authority (EBA) as well as the technical connection to EBA CLEARING – in particular to the real-time payments system RT1 for SEPA instant payments and the STEP2 platform for regular SEPA payments. This connection is realised through the TRAVIC-Interbank data exchange solution and the payments-as-a-service model.

The Hamburg-based consulting and software company PPI AG thus becomes an all-round service provider in the European payments business. The payments as a service solution expands the consulting and software products divisions to include a complete offering and thus rounds off the service portfolio of the Hamburg-based company. PPI, with its teams of specialised consultants and its TRAVIC suite, is therefore one of the European market leaders in the payments sector. "We are now able to offer payments as a service across the full spectrum of the payments processing for financial institutions. This enables them to relieve their IT departments, use their resources efficiently and thus improve their competitiveness," said Dr Thorsten Völkel, CEO of PPI AG. This is a prime example of how the TRAVIC suite not only provides the central software solution for this, but above all represents the future of a standardised, multi-client-capable, modern and hosted payments platform for the European banking market! With these services PPI AG enables financial institutions and insurance companies to operate entire value chains as software as a service. The modular portfolio ranges from the provision and operation of the IT infrastructure to a wide variety of services and impresses not only with its internationality and technical complexity, but above all at the compliance and legal level.

These success stories clearly show what we have in common: a passion for excellent payments software and consulting services. We are very pleased to have shared this aspiration at the User Group 2022. As we have all learned, sharing facts and solutions to issues in digital meetings and calls has become a matter of course. But what we missed was precisely the mutual and collaborative inspiration, characterised by lively face-to-face exchange, from which the further development of TRAVIC products has always benefited. All the greater was the pleasure of being able to continue this close cooperation in a festive manner and to honour the esteemed PPI customers for two days with a packed and varied programme: from the presentation of new TRAVIC product releases, to use cases and the latest treasure troves of experience, to in-depth discussions with customers in the context of the product-specific workshops.

Author: Andreas Löwe


Check of EBICS certificates in France without trusted third-party providers

Electronic certificate and applications
The electronic certificate is an essential element in setting up protected areas. It allows its holder to authenticate (authentication certificate), provide a signature (signature certificate), establish a secure connection, etc. For access and signature control functions, applications use a certificate to authenticate the holder and control information integrity. There are numerous certificate issuers today (banking sector, administration, companies ...).

The applications for the digitalisation of data streams are diverse and affect all sectors of the economy. They require the establishment of protected areas where it must be possible to technically identify and authenticate the various actors and verify the quality of the transactions and their issuers.
As a rule, an application must be able to accept certificates from different certification authorities, because in a global world it would be too costly and equally too restrictive to require one certificate per application from a holder.

EBICS and signed certificates
To communicate with financial institutions, EBICS users with a T or TS profile must use X.509 certificates. If the user has certificates signed by a certification authority (CA), these must be validated when downloading the keys and, for example, for orders of the order type FUL. The order types for the submission and amendment of certificates (INI, HIA, H3K, PUB, HCA and HCS) support both a single certificate and certificate chains.

Validation of the CA-based certificate
The validation of the CA-based certificate can be performed externally or internally (for EBICS TS). It is now possible to check internally submitted certificates in TRAVIC-Corporate. For this, the revocation entries are checked using certificate revocation lists (CRLs). The certificate revocation lists must be downloaded from the Internet. To download the SWIFT certificate revocation lists, a client certificate is usually required for TLS communication.

Interface for checking internal certificates of TRAVIC-Corporate for EBICS TS
Among other parameters, TRAVIC-Corporate's provider interface includes the certificate check, a caching strategy, the storage of non-repudiation files and a preliminary check of ES authorisations (EBICS TS) according to CFONB specifications. The provider can be specified and activated via the name of its class.

The certificates are checked against a truststore stored in TRAVIC-Corporate. The entire certificate chain is checked up to the valid root certificate. No external services are used to check certificates.
As components of TRAVIC-Corporate, a job server and a parser control this processing. The payment order is released if the signature profile of the EBICS user matches the signature profile configured at the level of the customer's order type.
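
The check described above (full chain up to a root held in a local truststore, revocation taken from a locally stored CRL, no external validation service) can be reproduced with the OpenSSL command line. This is an added example, not TRAVIC-Corporate code; the demo PKI, its subject names and its file names are constructed, and OpenSSL 1.1.0 or later is assumed.

```bash
# Constructed demo PKI (all names and files are made up): Root -> Issuing CA -> alice, bob.
build_demo_pki() (          # $1: empty working directory
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
[ca]
default_ca = issuing
[issuing]
database = index.txt
certificate = issuing.pem
private_key = issuing.key
default_md = sha256
default_crl_days = 7
EOF
  : > index.txt
  issue() {                 # $1 name, $2 subject, $3 parent, $4 extension section
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "$2" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -extfile pki.cnf -extensions "$4" -days 30 -out "$1.pem" 2>/dev/null
  }
  # Root, issuing CA and two users; then bob is revoked and the CRL is published.
  openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Root CA" -days 30 -keyout root.key -out root.pem 2>/dev/null &&
  issue issuing "/CN=Demo Issuing CA" root ca_ext &&
  issue alice "/CN=Demo User Alice" issuing user_ext &&
  issue bob "/CN=Demo User Bob" issuing user_ext &&
  openssl ca -config pki.cnf -revoke bob.pem 2>/dev/null &&
  openssl ca -config pki.cnf -gencrl -out issuing.crl 2>/dev/null
)

# Accept a user certificate only if it chains to the local root (the truststore)
# and is not on the locally stored CRL; a missing CRL file also means rejection.
check_user_cert() {         # $1: PKI directory, $2: user name
  openssl verify -no-CApath -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" \
    -CRLfile "$1/issuing.crl" -crl_check "$1/$2.pem" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_demo_pki "$dir" && for u in alice bob; do
  check_user_cert "$dir" "$u" && echo "$u: accepted" || echo "$u: rejected"
done
```

`-crl_check` tests only the user certificate against its issuer's CRL; checking the intermediate CA as well (`-crl_check_all`) requires a CRL from every CA in the chain to be held locally.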

The financial institution can thus rely entirely on its TRAVIC-Corporate solution without having to resort to third parties, thus simplifying the system architecture and reducing costs.

Zaher Mahfouz

Sources: PPI TRAVIC-Corporate, CFONB, X.509 standards