Security for Direct Connection
For connecting to iDEAL Hub Direct Connection APIs, Merchant/CPSPs need:
a certificate used for message signing, issued by Currence iDEAL
a short lived iDEAL access token, issued by Acquirer
an mTLS client certificate, issued by Currence iDEAL
1. JWS - Signing and validation
In the messaging between the iDEAL Hub and any connecting party, all parties authenticate (application level) by providing the signature in the signature header using JSON Web Signatures (JWS). The use of JWS serves as a mechanism for authentication and guarantees the integrity of all requests that are sent to and from iDEAL. The following specifications apply:
For requests and responses to iDEAL
The JWS MUST be included in all API requests and responses using a signature header.
The only exceptions are the response to the
callback
APIs (transaction-callback
,user-token-callback
andqr-callback
). No signature needs to be provided in the response of these callbacks.
All requests and responses to the iDEAL Hub MUST be signed using a Detached JWS Signature.
Merchants/CPSPs MUST provide the certificate used for signing in JSON Web Key (JWK) format as part of JWS in each request. Only the leaf certificate must be included in the x5c parameters of the JWK.
The signing certificates used by Merchants/CPSPs MUST be issued by Currence. These certificates can be requested via your Acquirer using a CSR. See below section on CSR requirements for more details.
JWS Header content requirements
{
"typ": "jose+json",
"x5c": "leaf certificate for signing according to [rfc7517](https://datatracker.ietf.org/doc/html/rfc7517#section-4.7)",
"alg": "ES256(ECDSA using P-256 and SHA-256. Corresponding keysize 256 bit) or ES384 (ECDSA using P-384 and SHA-384. Corresponding keysize 384 bit (https://tools.ietf.org/html/rfc7518#section-3.1)",
"https://idealapi.nl/sub" : "equal to `JWT_Access_Token.sub`",
"https://idealapi.nl/iss" : "equal to `JWT_Access_Token.sub`",
"https://idealapi.nl/scope" : Enum (MERCHANT,CPSP),
"https://idealapi.nl/acq" : "{acquirerId} as provided in in `JWT_Access_Token.iss`",
"https://idealapi.nl/iat" : "{Current creation date time in [ISODateTime standard](https://www.iso20022.org/standardsrepository/type/ISODateTime), expressed in UTC time format(YYYY-MM-DDThh:mm:ss.sssZ), expressed in UTC time format(YYYY-MM-DDThh:mm:ss.sssZ)},
"https://idealapi.nl/jti" : "{Request-ID}",
"https://idealapi.nl/token-jti" : "{jti} as provided in in `JWT_Access_Token.jti`",
"https://idealapi.nl/path": "request path e.g. /v2/merchant-cpsp/transactions, excluding base url https://merchant-cpsp-mtls.idealapi.nl"
"crit": ["https://idealapi.nl/sub", "https://idealapi.nl/iss", "https://idealapi.nl/acq", "https://idealapi.nl/iat", "https://idealapi.nl/jti", "https://idealapi.nl/path", "https://idealapi.nl/scope", "https://idealapi.nl/token-jti"]
}
Example JWS Header
{
"typ": "jose+json",
"x5c": [
"MIIC4TCCAcmgAwIBAgIUU3AqHfDzGioJPqqTB/57vxQUobYwDQYJKoZIhvcNAQELBQAwADAeFw0yNDAxMDkxNzA1NDVaFw0yNDAyMDgxNzA1NDVaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8stSeHLng9j+yinejEVFRyTaupkyYQquuv8FHhqtj43M8WoEEBRB+iIcgKklMd4CW8T1OJBTTr8av1KReR1FKoAzAHoVDMBvlx/Q9jHCjqyXcixx/BxHFdA3/8Lj1MR7p40c89QU7vNZa9Zchu67rVtuvbOZx8mob2h2SH4wL8xMIf8DfM+oZQ4uJCgwFrD0+as5dx1kNqbzP4OAotisXfwwa+w4mWtl61kMGgkMxS3EoZAPVBZwy1absZIjb206eSi153r7xlRqunMS5VmZBk58yuHyZM1Jkj8PkqZIUbt2uC6BGsxK1Dcl0YqgnF6LzmeSA9m0asQxqH+V2e3kzAgMBAAGjUzBRMB0GA1UdDgQWBBRPyrSHvEZyTuZEIqbSbUCaWd6pojAfBgNVHSMEGDAWgBRPyrSHvEZyTuZEIqbSbUCaWd6pojAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBUBaY8NYyddG1ubNHDrgiSs5koSVOuFFFogSaUkrIXBAP5WboCJeKYNNjpuGuLAYI6Biy6ICHm2B9QF3b8r4gcInjJdz9HdcAaSmIY2PE76wcuDNh+iN3wOlw3PkoD2SdzmpbXlrT2j/hvhq8kTQJsRnCQStE2RWgbMknufs+D5Due6kjCPYoTZTS1d+2o+J5EeHqK+q3VrfuHz9eaVMJiW5v98bXctGVWCnNoisJ5LFEX6CzXpPOl47BXi5FpyoK+/DUzzLZSGDiRzbgZYpmmURRmfGSkHnf2c7E3OnN4mW6uVZUV8qo4r5RX9QKpUFuEKBHLOALvGmc+2VhNWXvg"
],
"alg": "ES256",
"https://idealapi.nl/sub": "005112345",
"https://idealapi.nl/iss": "005112345",
"https://idealapi.nl/iat": "2024-01-09T17:02:03.948Z",
"https://idealapi.nl/jti": "3bdf6416-db1c-4d0f-80fb-e3a948122780",
"https://idealapi.nl/token-jti": "59b9bac5-c062-4aa2-9f8b-9f52a682f51a",
"https://idealapi.nl/scope": "MERCHANT",
"https://idealapi.nl/acq": "0051",
"https://idealapi.nl/path": "/v2/merchant-cpsp/transactions",
"crit": ["https://idealapi.nl/sub", "https://idealapi.nl/iss", "https://idealapi.nl/acq", "https://idealapi.nl/iat", "https://idealapi.nl/jti", "https://idealapi.nl/path", "https://idealapi.nl/scope", "https://idealapi.nl/token-jti"]
}
For requests and responses from iDEAL
All requests and responses from iDEAL MUST be authenticated by verifying signatures. This includes the body, path and certain headers of each request/response.
For verifying the signatures, iDEAL shares a JSON Web Key Set (JWKS) through a publicly hosted URL (see below for for the URLs).
For ease of key exchange, the Merchant/CPSP should fetch the JWKS from the specified URL frequently (at least every 1 hour) and cache the latest data.
Merchants/CPSP MUST verify the signature in messages from iDEAL Hub by validating the used JWK against the ones shared on the JWKS URL.
The JWK used for signature verification will be identified by the Key Id (kid) which, for messages coming from iDEAL, is part of the JSON Object Signing and Encryption (JOSE) Header of the JWS
The kid MUST NOT be hardcoded in any way. iDEAL may use different Keys for signing each response, therefore it is important to specifically use the kid in the headers to fetch the right public key from JWKS.
You can find the JWKS URLs under “Connection and Security info” below
After fetching the iDEAL JWKS data from iDEAL, each party MUST perform the following validation steps before it can trust and use the X509 certificates:
The iDEAL JWKS URL is served with a valid TLS certificate
The X509 certificates in the JWKS data must have valid data:
Type is Organization Validation (OV) (the certificate has at least one of its policy OIDs on 2.23.140.1.2.2)
Validity must not be in the past or future
countryName
(C) MUST match ‘LU’organizationName
MUST be ‘Payconiq International S.A.’Either one of
localityName
(L) MUST be 'Luxembourg'stateOrProvinceName
(ST/S) MUST be 'Luxembourg'
In line with the RFC on JWKS, each leaf certificate (first position in the
x5c
property in each JWK),
must be signed with the next one, and so on, until trust can be validated against the trusted CA list (see Trusted CA list ).
The certificate must not be pinned; static trust is derived as described above. Pinning certificates or public keys will brake dynamic rotation of certificates.
JWS Header content from iDEAL
{
"typ": "jose+json",
"kid": "JWK kid",
"alg": ""ES256(ECDSA using P-256 and SHA-256. Corresponding keysize 256 bit) or ES384 (ECDSA using P-384 and SHA-384. Corresponding keysize 384 bit (https://tools.ietf.org/html/rfc7518#section-3.1),
"https://idealapi.nl/sub" : "{creditorId} as provided in JWT_Access_Token.sub",
"https://idealapi.nl/iss" : "iDEAL",
"https://idealapi.nl/iat" : "{Current creation date time in [ISODateTime standard](https://www.iso20022.org/standardsrepository/type/ISODateTime), expressed in UTC time format(YYYY-MM-DDThh:mm:ss.sssZ), expressed in UTC time format(YYYY-MM-DDThh:mm:ss.sssZ)},
"https://idealapi.nl/jti" : "{Request-ID}",
"https://idealapi.nl/path": "request path e.g. /v2/merchant-cpsp/transactions, excluding base url https://mercaht-cpsp-mtls.idealapi.nl"
"crit": ["https://idealapi.nl/sub", "https://idealapi.nl/iss", "https://idealapi.nl/iat", "https://idealapi.nl/jti", "https://idealapi.nl/path"]
}
Example JWS Header from iDEAL
2. iDEAL Access Token
Merchants/CPSPs must provide an iDEAL Access Token with every request to the iDEAL Hub. This JWT token is issued and signed by their Acquirer, and contains information such as validity period and creditor details. The iDEAL Hub will validate the integrity of the Access Token using the Acquirer’s certificate. In the API specifications, the token is referred to as JWT Access Token
.
The iDEAL Access Token:
serves as an extra level of authentication by including the domain of the Merchant/CPSP in its contents. The iDEAL Hub validates that the domain provided by the Acquirer in the Access Token matches with the domain of the provided Merchant/CPSP certificate.
serves as authorization by the Acquirer for the Merchant/CPSP to initiate transactions with the iDEAL Hub.
guarantees the integrity and validity of the creditor details of the Merchant/CPSP by including them in the signed token payload.
The Acquirer regularly provides the signed iDEAL Access Token to the Merchant/CPSP.
It is up to the Acquirer and Merchant/CPSP to define how the token is exchanged. An automated process is highly recommended.
The Merchant/CPSP shares the iDEAL Access Token with the iDEAL Hub in the Authorization header of every request.
The iDEAL Hub verifies the signature of the iDEAL Access Token using the Acquirer’s certificate and checks the validity time.
The Acquirer is in control of the token validity time. The maximum validity period is 24 hours.
Token structure
The Access Token is structured as follows:
base64URLEncode(Header).base64URLEncode(Payload).base64URLEncode(Signature)
Header
Payload (example Merchant)
Payload (example CPSP)
Token specifications
For the payload of the Access Token, the following detailed specifications apply:
It is up to the Acquirer to determine the Access Token expiration time. The Access Token expiration time MUST NOT be later than 24 hours after the Access Token creation time (i.e. tokens have a maximum validity period of 24 hours)
In case of
scope:Merchant
themcc
MUST be provided in the Access TokenIn case of
scope:cPSP
themcc
MUST NOT be provided in the Access Token and thecpspSchemeId
MUST be provided in the Access TokenAny subCreditor details (if applicable) are not included in the Access Token, as these will be provided by the Merchant / CPSP in the transaction initiation
Token exchange
It is up to the Acquirer to define the process and technical interface for exchanging the iDEAL Access Token with their Merchants / CPSPs. Since tokens must be exchanged regularly (at least once every 24 hours), an automated process is highly recommended.
3. Establishing Secure Connection using mTLS
General message encryption requirements
All requests to and from the iDEAL Hub MUST be encrypted using TLS and be made over HTTPS.
TLS 1.3 SHOULD be used, TLS 1.2 MAY be used. Anything below TLS 1.2 MUST NOT be used nor supported by all parties.
For requests to the iDEAL Hub (so for iDEAL - Merchant/CPSP API) the TLS authentication method used is two-way (mTLS), where both the connecting party validates the iDEAL Hub and the Hub validates the connecting party, to ensure that it receives data from the intended system.
For requests from the iDEAL Hub to connecting parties (so for Merchant/CPSP Callback API), the TLS authentication method used can be either one-way or two-way using mTLS. More information is provided in the next section on mTLS.
All parties MUST refuse any connections without TLS encryption, such as plain HTTP.
mTLS
For requests to iDEAL (calls to iDEAL - Merchant/CPSP API )
Merchants/CPSPs MUST be able to support mTLS (TLS with Mutual Authentication).
Acquirers request an mTLS certificate with iDEAL on behalf of the Merchant/CPSP via a Certificate Signing Request (CSR) and must (securely) share this certificate with the Merchant/CPSP.
See below section on Security for Direct Connection | CSR requirements
For requests from iDEAL (calls to Merchant/CPSP Callback API )
Merchants/CPSPs MAY whitelist IP addresses of iDEAL Hub to ensure that they receive data from the intended system. iDEAL offers a fixed list of IP addresses for both the Sandbox and Production Environment.
See “Connection and Security info” below for IP addresses used by iDEAL Hub for callbacks
Merchants/CPSPs MAY ask for a client certificate (mTLS) to ensure that they receive data from the intended system.
See “Connection and Security info” below for client certificate details that can be used for validation
Merchants/CPSPs MUST do one of the above and SHOULD do both.
CSR requirements
To request an iDEAL issued certificate (either mTLS client certificate or Signing certificate), the Merchant/CPSP must provide a Certificate Signing Request (CSR) to its Acquirer, who can use this as input for requesting a certificate with iDEAL. The CSR has the following specifications:
The Distinguished Name (DN). The DN (or Subject) has to match with the official/legal details of the Merchant/CPSP that submitted the CSR. The following fields should be filled out:
CN
: CommonNameO
: OrganizationOU
: OrganizationalUnitL
: LocalityS
: StateOrProvinceNameC
: CountryNameEMAIL
: EmailAddress (optional)
The Public Key Algorithm: field needs to be “id-ecPublicKey” or “rsaEncryption” (only for mTLS client certificates with with RSA)
The CSR contains “-----BEGIN CERTIFICATE REQUEST-----“, “-----END CERTIFICATE REQUEST-----” blocks and it has new line characters after every 64 characters.
The CSR must be generated by using one of the Supported Algorithms:
Supported Algorithms | |
Private key algorithms | Signing algorithms |
EC_prime256v1 EC_secp384r1 RSA_2048 (only for mTLS client certificates) RSA_4096 (only for mTLS client certificates) | SHA256WITHECDSA SHA384WITHECDSA SHA256WITHRSA (only for mTLS client certificates) SHA384WITHRSA (only for mTLS client certificates) SHA512WITHRSA (only for mTLS client certificates) |
Connection and Security info
Host names
Acceptance (EXT): https://merchant-cpsp-mtls.ext.idealapi.nl/v2
Production (PROD): https://merchant-cpsp-mtls.idealapi.nl/v2
JWKS URLs
Acceptance (EXT): https://ext.idealapi.nl/acquirer-certificates
Production (PROD): https://idealapi.nl/acquirer-certificates
IP addresses
Acceptance: (EXT):
3.124.104.48
,52.59.104.179
Production (PROD):
35.157.56.77
,35.157.143.122
,3.64.143.99
,99.81.182.17
,34.251.231.175
,54.155.63.1
,15.188.142.37
,35.180.183.3
,13.36.6.41
iDEAL mTLS client certificate details (can be used for validation)
CommonName used in iDEAL mTLS client certificate (for callbacks)
EXT: mtls.ext.idealapi.nl
Root Certificate: AAACertificateServices
PROD: acquirer.mtls.idealapi.nl
Root Certificate: R5 GlobalSign Root Certificate
Copyright © Currence iDEAL B.V. All rights reserved.