Skip to main content
This guide is required if you are an FPS merchant using App-to-App payment, especially for HSBC merchants.

When Do You Need an e-Cert?

If you are integrating FPS App-to-App using a merchant-specific Universal Link, an e-Cert (server certificate) is required to secure the domain. This applies to banks such as HSBC, which operate in direct integration mode and require domain validation and organisation name matching.

Important Notes for FPS App-to-App Certificate

The merchant organisation name (subject field in the X.509 certificate) must exactly match the payee name registered in the FPS Addressing Service.This requirement comes from FPS Technical Specification 6.9.2.Payment apps MUST validate that the organisation name in the merchant certificate matches the payee name returned from the FPS addressing service.The certificate domain name is assigned and configured by QFPay based on the integration context. Merchants do not select this domain themselves.Each distinct domain requires a separate e-Cert application (e.g. fps.payment.example-shop.com), which incurs additional cost and processing time.Merchants must also add the following CNAME record in their DNS configuration:

FPS e-Cert Application Overview


CSR Generation Requirements

Before submitting the certificate application, generate a Certificate Signing Request (CSR). Example OpenSSL command:

Parameter Breakdown

Notes
  • O= (organisation name) must exactly match the FPS payee name registered in the FPS Addressing Service.
  • CN= (common name) is the domain name configured by QFPay.
  • Leave OU= empty if no department is specified.

Documents Required

  • Completed CPos Form 798F
  • Business Registration (BR) copy
  • Company Incorporation (CI) copy
  • Domain ownership proof (invoice, DNS screenshot, or domain email confirmation)

Post-Issuance Responsibilities

Hongkong Post will send expiration reminders to the registered email 30 days and 14 days before expiry.
Merchants are responsible for timely renewal and notifying QFPay.
After certificate issuance:
  • Send the certificate (.cer / .crt) and private key (.key) to QFPay Technical Support.
  • QFPay will complete backend setup for the FPS payment endpoint.

FPS Specification Reference

Section 6.9.2 — Certificate Validation Logic The payment app (e.g. HSBC app) validates that the Organisation Name (O) in the X.509 certificate matches the FPS payee name. The comparison is:
  • Case-insensitive
  • Whitespace-insensitive
If the values do not match, the payment will be rejected.

Resources