Introduction

Access to Environments

Nomo

Status Live
Certificate Production
URL https://priora.saltedge.com
Provider code nomo
Launch date 10 March 2022

Nomo Sandbox

Status Sandbox
Certificate Test/Production
Provider code nomo_sandbox
URL https://priora.saltedge.com
Creation date 11 August 2021
Test credentials Oauth

Kind: oauth

Email

Copy to clipboard
nomoooz@example.com

Passcode

Copy to clipboard
274928

Changelog

Timestamp Change/note
30 Sep 2022 Following the FCA recommendation under PS21/19, this dedicated interface enables the SCA exemption under SCA-RTS Article 10A for AISPs. This feature is enabled within the Sandbox and Production environment since 30 Sep 2022 allowing the AISPs to create a consent longer than 90-days, not limited. AISPs must reconfirm customer consent under Article 36(6) of the SCA-RTS, and must not access information without the customer actively requesting it unless the customer has reconfirmed the consent within the previous 90 days. When a customer fails to reconfirm consent on the AISP side after 90 days, AISP must stop accessing the customer’s account information
23 Dec 2021 The CBC-mode cipher encryption will be disabled on PSD2 APIs and the following cipher suites will no longer be supported since 3rd February 2022:
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Please find below the list of supported ciphers and make sure you support any of the below to keep the connection with the PSD2 APIs:
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
In case you need any assistance on the above please contact us at: compliance@saltedge.com

Definitions

Term Definition
API Application Programming interface. A set of definitions, protocols, and tools that can be used to create applications, interact with other applications, and exchange data.
Provider Represents the ASPSP. A bank or financial institution that offers payment accounts with online access.
ASPSP Account Servicing Payment Service Provider. Provides and maintains a payment account for a payer as defined by the and, with customer consent, payments initiated by third party providers and/or make their customers’ account transaction data available to third party providers via their API endpoints.
TPP Organisations or natural persons that use APIs developed to Standards to access customer’s accounts, in order to provide account information services and/or to initiate payments. Third Party Providers are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).
PSU Payment Service User. Natural or legal person making use of a payment service as a payee, payer or both.
AISP Account Information Service Provider. Provides account information services as an online service with consolidated information on one or more payment accounts held by a payment service user with one or more payment service provider(s).
PISP Payment Initiation Service Provider. Provides an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.
CBPII Card Based Instrument Issuer. A Card Based Payment Instrument Issuer is a payment services provider that issues card-based payment instruments that can be used to initiate a payment transaction from a payment account held with another payment service provider.
SCA Strong Customer Authentication. Authentication based on the use of two or more elements designed in such a way as to protect the confidentiality of the authentication data.
PSR Payment Services Regulations 2017. The UK's implementation of PSD2, as amended or updated from time to time and including the associated Regulatory Technical Standards as developed by the EBA.
Session Any activity that is forwarded by Salt Edge PSD2 Compliance on behalf of a Customer.
Consent A range of rules on security, providing access to accounts, and enabling traceability and the mitigation of fraud risks.
Scopes A set of permissions granted to a TPP application.
Authorization The API will allow an ASPSP to implement OAuth2 as a support for the authorisation of the PSU towards the TPP for the payment initiation and/or account information service. In this case, the TPP will be the client, the PSU the resource owner and the ASPSP will be the resource server in the abstract OAuth2 model.
eIDAS Electronic Identification, Authentication and trust Services. A set of standards for electronic identification and trust services for electronic transactions in the European Single Market.
OBSEAL OBIE issued Electronic Seal Certificate.

Registration

The process of TPP registration is made via an API request to TPP Register endpoint. In order to access Provider Sandbox you need to use OBSEAL test certificate.

After adding a certificate, the registered TPP will have assigned a set of scopes based on the provided certificate.

The available scopes can be seen when creating an TPP Application.

Scopes Definition

Type Description
accounts grants TPP access to Customer's accounts data
payments grants TPP right to initiate payment orders on behalf of Customer
fundsconfirmations grants TPP right to check availability of funds under specific account which belongs to Customer