Documentation

Introduction

Here you can find information about how to get access to PSD2 regulated services and information using our web and mobile customer facing interfaces.

Please notice:

We plan to replace this solution with a solution based on dedicated APIs before the end of 2021. But you don't have to wait: you can already now become part of the fast-growing community of companies that are using our dedicated APIs. The APIs are only missing the features "app-to-app switching" and "Single SCA" from being fully PSD2 compliant, and we guarantee at least the same availability and response time as you will experience in the customer-facing solutions.

You can find all the details about the dedicated APIs here


Mobile bank services

Bankdata offers a mobile banking solution for both private and corporate customers.
The solution is offered using native Android and iOS apps communicating with middleware hosted by Bankdata.

Security elements

Every request from the app to the middleware is validated to ensure it presents a valid mobile bank session.
To obtain a valid session, which includes a set of mandatory cookies, the customer needs to enroll with NemID once to create a device binding: a token linked to the device, which must be provided on every login together with the user id and mobile code. The NemID login page is loaded in a WebView, and the solution is only designed and tested to run in a mobile app.

All calls regarding customer authentication are encrypted and decrypted with a secret that is randomly generated on the mobile device.
The secret is encrypted with a public key and exchanged with the backend. Bankdata will provide this public key to any approved TPP.

To be able to create payments, a public/private key pair needs to be generated on the mobile device.
The private key is stored on the mobile device and is used to sign the payment data.
The corresponding public key must be provided during first-time enrollment with NemID.

All traffic must be secured using TLS 1.2.
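
The two mechanisms described above (a device-generated secret exchanged under the backend's public key, and a device key pair whose private half signs payment data) can be exercised end to end in a short program. The following Go code is an added example, not Bankdata's code: the algorithm choices (RSA-OAEP with SHA-256 to wrap the secret, AES-256-GCM for the authentication calls, ECDSA P-256 for payment signatures), the OAEP label and the sample message bodies are assumptions made here, since the page does not name the algorithms or message formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Algorithm choices (RSA-OAEP/SHA-256 to wrap the secret, AES-256-GCM for the
// authentication calls, ECDSA P-256 for payment signatures) are assumptions made
// for this example; the page does not name the algorithms Bankdata uses.
var oaepLabel = []byte("mobilbank-session-secret") // constructed label, same on both sides

// newDeviceSecret is the random secret generated on the mobile device (256-bit AES key).
func newDeviceSecret() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return secret, nil
}

// wrapSecret (device side) encrypts the secret under the backend public key that
// Bankdata hands to an approved TPP, so it can be exchanged safely.
func wrapSecret(backendPub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, backendPub, secret, oaepLabel)
}

// unwrapSecret (backend side) recovers the secret with the matching private key.
func unwrapSecret(backendPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, backendPriv, wrapped, oaepLabel)
}

func gcmFor(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAuthCall encrypts an authentication call with the shared secret; the random
// nonce is prepended so the receiver can open it.
func sealAuthCall(secret, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAuthCall decrypts and authenticates; a wrong secret or tampering makes it fail.
func openAuthCall(secret, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(secret)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// signPayment (device side) signs the SHA-256 digest of the payment data with the
// private key that never leaves the device.
func signPayment(deviceKey *ecdsa.PrivateKey, payment []byte) ([]byte, error) {
	digest := sha256.Sum256(payment)
	return ecdsa.SignASN1(rand.Reader, deviceKey, digest[:])
}

// verifyPayment (backend side) checks the signature against the public key the
// device provided at first-time NemID enrollment.
func verifyPayment(enrolledPub *ecdsa.PublicKey, payment, sig []byte) bool {
	digest := sha256.Sum256(payment)
	return ecdsa.VerifyASN1(enrolledPub, digest[:], sig)
}

func main() {
	backendKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	deviceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	secret, _ := newDeviceSecret()
	wrapped, _ := wrapSecret(&backendKey.PublicKey, secret)
	shared, _ := unwrapSecret(backendKey, wrapped)
	sealed, _ := sealAuthCall(secret, []byte(`{"userId":"example"}`)) // constructed body
	body, err := openAuthCall(shared, sealed)
	payment := []byte(`{"amount":"100.00","currency":"DKK"}`) // constructed payment data
	sig, _ := signPayment(deviceKey, payment)
	fmt.Println("auth call opened:", err == nil, string(body))
	fmt.Println("payment signature valid:", verifyPayment(&deviceKey.PublicKey, payment, sig))
}
```

The device side is newDeviceSecret, wrapSecret, sealAuthCall and signPayment; the backend side is unwrapSecret, openAuthCall and verifyPayment. Two points matter for a defender: openAuthCall fails outright under a wrong secret or a modified message instead of returning garbage, and verifyPayment must be run against the public key registered at enrollment, never against a key sent along with the payment.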


Architecture

The native apps access the middleware, which is a set of REST services.


Example for private customers:

/mobilbank/accounts/rename


Example for corporate customers:

/mobilbankerhverv/accounts


The current set of middleware services can be requested by contacting api-dev-support(a)bankdata.dk.

Online bank services

Bankdata offers an online banking solution for private and corporate customers.
The solution is offered by utilizing two types of portlets (IBM Portlet API or JSR-286) to give a web portal experience.


Security elements

Every request from the client to the backend is validated to ensure it presents a valid online bank session.
A valid session includes a valid NemID session key and a set of mandatory cookies.
The current set of required cookies can be requested by contacting api-dev-support(a)bankdata.dk.

All traffic must be secured using TLS 1.2.

Architecture

An interface is implemented as a JSF portlet. This requires you to introspect the client HTML to find the relevant forms and actions, and to activate the backend accordingly.

The JSF portlet interface relies heavily on the use of specific URLs, and because these are stateful, one cannot rely on static URLs.
Details on this can be provided by contacting api-dev-support(a)bankdata.dk, as we cannot publish them for security reasons.


Identification of Third party

In order to be identified as a third party, you must follow the rules stated below. These rules apply to both the Mobile Bank Service and the Online Bank Service.

This is how the TPP should make itself known:

  • TPPs must always identify themselves by presenting their eIDAS certificate as part of every request.
  • The eIDAS certificate must always be stated under the request parameter "x-bd-tppcert".


This is how the eIDAS certificate should be formatted:

  • The eIDAS certificate must always be delivered Base64-encoded.
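
A receiving service has to do more with "x-bd-tppcert" than read it: decode the Base64, parse the certificate, and check its chain, validity period and intended usage before trusting the subject. The Go program below is an added example, not Bankdata's implementation. It assumes the value is carried as an HTTP request header and that the Base64 wraps the DER bytes of the certificate, and it builds its own throwaway CA and TPP certificate as constructed test data in place of a real eIDAS issuer. The serverTLS function shows the TLS 1.2 minimum the page requires for all traffic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Assumption: "x-bd-tppcert" travels as an HTTP request header carrying the Base64
// of the certificate's DER bytes; the page says only "request parameter".
const tppCertHeader = "x-bd-tppcert"

// identifyTPP takes the eIDAS certificate off the request, parses it and validates
// it against the CAs the operator trusts. A certificate that merely parses is not yet
// an identification: chain, validity period and intended usage are checked first.
func identifyTPP(r *http.Request, roots *x509.CertPool) (*x509.Certificate, error) {
	raw := r.Header.Get(tppCertHeader)
	if raw == "" {
		return nil, errors.New("missing " + tppCertHeader)
	}
	der, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid Base64: %w", tppCertHeader, err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("cannot parse certificate: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	return cert, nil
}

// serverTLS is the listener policy the page requires: nothing below TLS 1.2.
func serverTLS() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeTestPKI builds a throwaway CA and a leaf it signs (constructed test data in
// place of a real eIDAS issuer) and returns the trust pool plus the leaf encoded
// as a TPP would send it.
func makeTestPKI() (*x509.CertPool, string) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example TPP"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, base64.StdEncoding.EncodeToString(leafDER)
}

func main() {
	roots, encoded := makeTestPKI()
	req, _ := http.NewRequest("GET", "/mobilbankerhverv/accounts", nil)
	req.Header.Set(tppCertHeader, encoded)
	cert, err := identifyTPP(req, roots)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("identified:", cert.Subject.CommonName, "min TLS:", serverTLS().MinVersion)
}
```

In production the roots pool would hold the trusted eIDAS issuers rather than the constructed CA, and a rejection (missing header, invalid Base64, unparseable certificate, untrusted issuer, expired certificate) should be logged with the reason so that misconfigured TPPs and probing attempts can be told apart.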