Licences and certifications
Buypass holds a number of national and international certificates. Here you will find an overview.
Licence as an e-money company
Through its subsidiary Buypass Payment AS, Buypass has been granted an electronic money company licence from the Ministry of Finance under the terms of the Norwegian Financial Business Act (LOV-2015-04-10-17, § 2-11).
Qualified provider of trust services
Buypass is awarded the status of qualified provider of trust services by the National Communications Authority (Nkom) in accordance with the Electronic Trust Services Act (eIDAS). Buypass is the issuer of qualified electronic signature certificates (Qualified Certificates), Qualified Electronic Seal Certificates (Enterprise Certificates) and Qualified Site Certification Certificates (SSL/TLS Certificates).
Provider of eID means at assurance level high
Buypass is self-declared in accordance with national legislation (Selvdeklarasjonsforskriften) as a provider of electronic identification (eID) means at assurance level HIGH for Buypass ID, including:
- Buypass ID on Smart Card
- Buypass ID in Mobile (including Buypass ID@Work)
- Buypass ID FIDO2
Proof of Certifications
Buypass ETSI certifications including eIDAS
ETSI EN 319 411
Buypass is certified in accordance with the ETSI EN 319 411 standards for digital certificate issuers.
The standards cover all areas of digital certificate issuing and management, including the authentication registration process, issuing of digital certificates with private key protection, blocking service, certificate status services (CRL, OCSP), and more. The certification process involves an accredited external auditor confirming that the certificate issuer has systems, processes and procedures that comply with the requirements set by the standard.
Part 1: ETSI EN 319 411-1
Covers digital certificates in general, including SSL/TLS certificates. Suppliers of browsers and operating systems, such as Microsoft, Apple, Google, Mozilla and Oracle (Java), accept this certification as one of their requirements for including our root certificates. See ETS 018 for details.
Part 2: ETSI EN 319 411-2
Covers EU Qualified Certificates in accordance with the eIDAS Regulation, including Qualified Certificates for Electronic Signature (QC eSignature), Qualified Certificates for Electronic Seal (QC eSeal) and Qualified Web Site Authentication Certificates (QWAC). The certification meets the requirements of the eIDAS Regulation. With this, Buypass is certified as a Qualified Trust Service Provider (QTSP). Such certification is a prerequisite for being registered as a qualified provider on the EU trust list. See ETS 053 for details.
Buypass is certified in accordance with ISO 27001 – Control / Management System for Information Security. The standard takes a comprehensive approach to information security. ISO 27001 ensures the protection of information as follows:
- Confidentiality ensures that information is only accessible to authorised parties.
- Integrity ensures that the methods of managing information are accurate and complete.
- Availability ensures that authorised users have access to information and associated assets when required.
ISO 27001 harmonises with other management systems, which makes it easy to combine with, for example, ISO 9001.
Buypass is certified in accordance with ISO 9001 – Control / Management System for Quality. ISO 9001 is the most common internationally recognised standard that ensures the quality of goods and services in a relationship between supplier and customer. The standard is process-oriented and emphasises continuous improvements and customer satisfaction.
Buypass is certified in accordance with the credit card companies’ data standard PCI DSS (Payment Card Industry Data Security Standard). With this, Buypass again shows that the company is at the forefront of information security.
PCI DSS is a set of comprehensive requirements developed by, among others, Visa, Mastercard and American Express to increase the security of payment transactions and handling of cardholder information. All businesses that process, store or transfer cardholder data and/or transaction information from these companies are required to follow PCI DSS.