Bank Interfaces for Standardised Payments- BISTRA

CCBank • Bulgaria

open-banking-directory-BISTRA-technoxander-dot-com

BISTRA provides Bulgaria’s national API profile for PSD2-style access, harmonising bank interfaces to support standard payment services and account access while incorporating national transfer practices. It is intended for banks implementing XS2A-compatible endpoints.

Cost: Paid

Topic: Open Banking

Approach: Hybrid, Market Driven, Regulated

General Info

Owner

CCBank

Region

Bulgaria

Scope

Banking

Payment initiation
Account information

Principles

Since the framework adopts the Berlin Group model, all consent for accessing account information must go through the XS2A interface, whether the data involves account lists, transaction histories, or similar details.

The TPP is required to clearly communicate the permissions being granted, and the PSU must undergo strong authentication. After consent is secured, the TPP must notify the PSU of the results.

If the XS2A interface cannot verify the TPP’s identity, the access request is automatically declined.

Products

Credit Cards | Wallets or Prepaid | Current Accounts

Technical Details

Data Format

JSON | YAML

Approach

Regulated

Access

To access the interface, a Third Party Provider (TPP) must meet the following requirements:

Hold authorization from a National Competent Authority under PSD2 to provide the relevant services.
Possess a valid PSD2-compliant Qualified Web Authentication Certificate (QWAC) in accordance with ETSI TS 119 495.2. This certificate must be issued by a trusted provider listed in the EU Trusted List and must clearly indicate the roles the provider is authorized for:
- 1. Payment initiation (PSP_PI)
  2. Account information (PSP_AI)
  3. Issuing card-based payment instruments (PSP_IC)

Access to the development or production environment is granted by emailing support@ccbank.bg with the public part of the QWAC attached.

If you require access to the development environment using a test certificate, please also include the full certificate chain.

Mandated Premium

Mandated

Key Features

Since it is largely based on the Berlin Group’s standard to comply with PSD2 requirements, the specification includes provisions for retrieving balance information, initiating payments, and managing consent.

Trust Framework

Certificates

Security Model

OAuth

Consent

Browser Redirect | Decoupled | Embedded

Swagger UI (ccbank.bg)

The process for consent management is explicitly defined. A TPP must request consent by specifying the access rights for particular accounts linked to a given PSU-ID, and these accounts must be clearly identified as parameters within the method. Consent can also be revoked. It is the TPP’s responsibility to clearly inform the PSU about the permissions they are agreeing to.

Payment Initiation

Bulk Payments | Single Domestic Payments | Single International Payments | Standing Orders | Other

PIS includes a ‘signature basket’ to allow a single authorization for multiple different payments.

Account Information

Accounts | Cards | Balances | Transactions | Confirmation of Funds

Developer Resources

Developer Portal (Swagger Developer Sandbox)

Compliance & Governance

History

The Second Payment Services Directive (PSD2), which took effect in January 2016, was introduced to regulate electronic payment services and payment service providers across the EU. It succeeded the initial PSD adopted in 2007.

PSD2 aimed to align APIs with the wide range of banking payment services, online banking features, local regulatory obligations, and authentication practices.