How does Offline Data Hosting work?

Bank account information is delivered to SurePay through encrypted files (*.PGP) via SFTP (Secure File Transfer Protocol). These files are regularly pushed to a location provided by SurePay, ensuring secure transmission and storage of sensitive data. Files must be uploaded in encrypted form and will remain encrypted within the system to protect your data at all times.

If an account previously sent to SurePay is missing in a subsequent file, it will be deleted from the SurePay database. Any request containing the corresponding IBAN will return the response "IBAN inactive", signaling that the account has been removed from the system.

Document History

| Version | Date | Description |
|---------|------|-------------|
| 1.0 | 15 Jan 2025 | Original Digital Version. Aligned with PDF V1.1 |
| 1.1 | 10 Feb 2025 | Added 'Environments' section, updated 'Delivery Format' section, added 'Checklist' section |
| 2.0 | 20 Mar 2025 | Format and grammar changes, image added, nothing impacting implementation |

Functional Overview

  1. Account Data File Upload: The process begins when a Responding PSP uploads an Account Data file to SurePay's SFTP. This interface supports full dataset deliveries only — incremental updates are not supported. As a result, the complete dataset must be provided with each delivery to ensure consistency and eliminate the need for partial updates.
  2. Process Account Data: The SurePay data hosting system processes the uploaded data files and integrates the information into its dataset, enabling efficient retrieval and access to account details. SurePay stores the bank’s files only until processing is complete. Once processed, the files are deleted from the system. Encryption measures are applied throughout the entire process, both at rest and in transit. The files remain encrypted during storage and are only decrypted during processing, ensuring end-to-end data protection.
  3. API Request Initiation: A Requesting PSP sends a request to SurePay through either the IBAN Name Check API or the VoP Gateway API. This request is made to verify the payee’s identity by matching the provided account details.
  4. Account Data Retrieval: SurePay retrieves the relevant account information from its data storage and passes it to the algorithm for processing.
  5. Verification and Response: Using the retrieved account data, the SurePay algorithm verifies the payee’s information. Based on the matching results, SurePay provides feedback on whether the entered details align with the account data, allowing the requesting PSP to inform its Payment Service User (PSU).


Environments

SurePay operates in two environments:

  • Acceptance (Pre-Production) Environment for testing purposes (ACC)
  • Production environment (PRD)

Initially, the connection is established to the acceptance environment. This serves as an intermediary stage to ensure that the data provided by the Responding PSP and the quality of the responses are processed as expected. It allows for thorough testing and validation of the integration before moving to the production environment. During the testing phase, SurePay will provide the PSP with a specific endpoint and username for the acceptance environment. The PSP should use the designated private SSH key associated with the acceptance environment for the SFTP connection.

Connection

  • The files are uploaded to SurePay using the Secure File Transfer Protocol (SFTP), ensuring a secure data transmission process.
  • Communication between the PSP and SurePay is protected by the SSH protocol, which provides a secure channel.
  • For authentication, a 4096-bit private key is used. It is essential that the PSP generates a compatible key pair for use with the AWS SFTP Server.
  • The PSP then shares the public key with SurePay to enable a secure connection.

Delivery Format

The delivery format starts with the folder and file structure that both sides expect once the connection has been established.

Folder Structure

For data hosting, each PSP will have a dedicated folder on SurePay's SFTP (Secure File Transfer Protocol) server. The Account Data file should be uploaded directly to the PSP’s home directory.

  • The PSP must configure /AccountFiles as the destination directory for the SFTP connection.
  • Note: The PSP is not permitted to create new directories under the home directory. All files must be placed directly within the home directory.

File Delivery Frequency and Timing

Files should be delivered to SurePay at least once a day. The delivery frequency is currently set to one file per day, with a maximum of two files per day, depending on their size. A PSP that wishes to increase this frequency should contact its Implementation Manager.

File Delivery for Multiple Countries

All data hosted by SurePay is strictly segregated by PSP and by country. A PSP operating in multiple countries must establish a separate SFTP connection and send a separate data file for each country in which they operate.

PGP Key Pair for Signing

PGP (Pretty Good Privacy) signing involves using the private key from the PGP key pair created by the PSP to generate a digital signature for a file or message. This signature ensures the authenticity and integrity of the data. The PSP will sign the file using the private key, and the public key will be shared with SurePay for verification after the file is received.

PGP Key Pair for File Encryption

A PGP key pair generated by SurePay is used for data encryption during the offline data hosting process between the PSP and SurePay. This encryption adds an extra layer of security, ensuring that sensitive account information remains protected during both transmission and storage. The PSP will encrypt the file using the public key provided by SurePay. Once the file is received, SurePay will decrypt it using the private key.

Note on PGP vs GPG

Although this specification refers to PGP key pairs for both signing and encryption, it’s important to note that the tool we use for handling these keys is GPG (GNU Privacy Guard). GPG is fully compatible with the OpenPGP standard, which is why you will find references to "GPG keys" in our "Getting Started" page. Essentially, GPG is a software implementation that supports PGP key pair generation and management, and for all practical purposes, GPG keys and PGP keys can be used interchangeably in this context. Therefore, while the terminology on the "Getting Started" page refers to GPG, the underlying principles and processes are the same for PGP key pairs, as described above.
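Because every delivery is a full dataset and any IBAN missing from it is deleted, a truncated export would silently turn live accounts into "IBAN inactive". The script below is an added example, not SurePay's own tooling: it compares the new file with the previous delivery, then signs, encrypts and uploads it as described above. The record layout (IBAN as first comma-separated field), the 5% threshold, the `.pgp` output name and all variable names are assumptions.

```shell
#!/bin/sh
# Added example, not SurePay code. Assumptions: one record per line, IBAN as the
# first comma-separated field, no header; key IDs, host and user are env variables.

# Print IBANs present in the previous delivery but absent from the new one. Each of
# them will answer "IBAN inactive" once the new full dataset has been processed.
removed_ibans() {
    _p=$(mktemp) && _n=$(mktemp) || return 2
    cut -d, -f1 "$1" | LC_ALL=C sort -u > "$_p"
    cut -d, -f1 "$2" | LC_ALL=C sort -u > "$_n"
    LC_ALL=C comm -23 "$_p" "$_n"
    rm -f "$_p" "$_n"
}

# Succeed only if at most $3 percent of the previously delivered IBANs would vanish;
# a larger drop usually means a truncated or partial export, not real closures.
check_delivery() {
    _total=$(( $(cut -d, -f1 "$1" | LC_ALL=C sort -u | wc -l) ))
    _gone=$(( $(removed_ibans "$1" "$2" | wc -l) ))
    [ "$_total" -gt 0 ] || return 0   # first delivery: nothing to compare against
    [ $((_gone * 100)) -le $((_total * $3)) ]
}

# Sign with the PSP's private key, encrypt to SurePay's public key, then upload.
# SurePay's key must already be imported and marked trusted after checking its
# fingerprint, otherwise gpg refuses to encrypt to it in --batch mode.
sign_encrypt_upload() {
    _out="$1.pgp"
    gpg --batch --yes --local-user "$PSP_SIGNING_KEY" --recipient "$SUREPAY_ENC_KEY" \
        --sign --encrypt --output "$_out" "$1" || return 1
    printf 'put %s /AccountFiles/\n' "$_out" |
        sftp -i "$SSH_PRIVATE_KEY" -b - "$SFTP_USER@$SFTP_HOST"
}

# Usage: sh deliver.sh previous.csv new.csv
if [ "$#" -eq 2 ]; then
    check_delivery "$1" "$2" "${MAX_REMOVED_PCT:-5}" || {
        echo "too many IBANs would become inactive; delivery aborted" >&2
        exit 1
    }
    sign_encrypt_upload "$2"
fi
```

Run `removed_ibans` on its own to review exactly which accounts a delivery would deactivate before approving it.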

Checklist

The PSP will share the following with SurePay:

  • Public SSH key
    • Length: 4096 bit
    • Protocol: OpenSSH
  • Public PGP key for signing
    • Length: 4096 bit
    • Protocol: OpenPGP
    • 2 year expiration date
  • Email address for notification emails

SurePay will share the following with the PSP:

  • SFTP username
  • SFTP connection
  • Public PGP key for encryption
    • Length: 4096 bit
    • Protocol: OpenPGP
    • 2 year expiration date

We always look to improve the implementation experience of our customers, so if you have any questions or feedback on the documentation or the process, please let us know at info@SurePay.nl.