Modified Customer Interface
Introduction
Our MCI solution is based on a single proxy server, which serves as a gateway into the browser-based internet banking channel for each brand. Each brand has a dedicated URL on the proxy server which must be called in order to establish a secure connection.
A valid PSD2 SCA-RTS compliant eIDAS (QWAC) or OB (OBWAC) certificate must be presented. OBWACs are only accepted for our UK brand MCIs.
Once a secure connection has been established, your application is routed to the login page of the corresponding in-scope channel, where you can log in on a customer’s behalf and perform the activities required in order to provide AIS or PIS in line with the consent provided. A customer’s personal security credentials must be used to ensure that strong customer authentication requirements are met.
This documentation provides details on how to establish a secure connection and should be read in conjunction with MCI Channel Documentation, which provides details on how to login and interact with each channel. Separate documents have been produced for each brand and are available on request by sending us a message using the Support form found under the Resources menu.
MCI URLs
The following URLs must be used to access our MCIs:
United Kingdom
| HSBC Private Banking | https://mci.www1.hsbcprivatebank.com |
| HSBC MiVision | https://mci.mivision.hsbc.co.uk |
| M&S Bank | https://mci.www7.marksandspencer.com/1/2 |
France
| HSBCnet | https://mci.www.hsbcnet.com |
| HSBC MiVision | https://mci.mivision.hsbc.co.uk |
Malta
| HSBC Personal Banking | https://mci.www.hsbc.com.mt/security |
| HSBCnet | https://mci.www.hsbcnet.com |
Luxembourg
| HSBC Private Banking | https://mci.www.privatebanking.hsbc.lu/login/ |
Germany, Luxembourg, Spain, Italy, Poland, Netherlands, Ireland, Czech Republic, Belgium
| HSBCnet | https://mci.www.hsbcnet.com |
Certificate presentation
In order to establish a secure connection a valid eIDAS (QWAC) or OB (OBWAC) certificate must be presented. OBWACs will be accepted from 1 January 2021 and for our UK-brand MCIs only. QWACs must be issued by a qualified trusted authority (QTSP) and OBWACs must be issued by the OBIE in the UK.
The certificate must be presented as a part of a two-way HTTPS (SSL/TLS) handshake procedure.
- The TPP will initiate an HTTPS session with the direct channel by sending an initial request (Client Hello message) to port 443 of the respective MCI proxy URL, for example https://mci.www.hsbc.com.
- The MCI proxy will reply to the handshake with a request for the certificate issued by a verified Certificate Authority (including Server Certificate and Key Exchange).
- Certificate exchange and key exchange will happen as required by SSL/TLS specifications.
- The certificate will be validated by the MCI proxy and accepted or rejected based on the certificate information and other checks as specified below.
The above procedure is a standard TLS 1.2 handshake similar to what is initiated by a client browser during the browsing session.
The following TLS 1.2 ciphers should be used by the TPP during the handshake procedure to complete the certificate exchange successfully:
- ECDHE-RSA-AES256-GCM-SHA512
- DHE-RSA-AES256-GCM-SHA512
- ECDHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
HTTP header
To pass validation, the following information must be provided in the HTTP header of every request to the MCI proxy:
| Header | X-HSBC-SS-User-IP |
| Description | The IP address of the end-user (i.e. the customer) - this header must only pass IPv4 addresses. |
| Example value | 151.227.205.20 |
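The handshake and header requirements above, combined into one client-side sketch; this is an added example, not HSBC's code. The function names, the TLS 1.2 pin and the certificate/key file arguments are assumptions.

```python
import http.client
import ipaddress
import ssl

# TLS 1.2 cipher names exactly as listed on this page, in the same order.
MCI_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA512",
    "DHE-RSA-AES256-GCM-SHA512",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
]
USER_IP_HEADER = "X-HSBC-SS-User-IP"


def build_mci_context(cert_file=None, key_file=None):
    """Client-side TLS context for the two-way handshake with the MCI proxy."""
    ctx = ssl.create_default_context()  # verifies the proxy's certificate and hostname
    # Assumption: pin to TLS 1.2 because the page describes a TLS 1.2 handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL skips names it does not recognise and raises only if none match.
    ctx.set_ciphers(":".join(MCI_CIPHERS))
    if cert_file:
        # QWAC/OBWAC and private key, presented when the proxy requests a certificate.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def user_ip_header(customer_ip):
    """Build the mandatory header, rejecting anything that is not one IPv4 address."""
    try:
        addr = ipaddress.IPv4Address(customer_ip.strip())
    except (ipaddress.AddressValueError, AttributeError) as exc:
        raise ValueError(f"{USER_IP_HEADER} must be IPv4: {customer_ip!r}") from exc
    return {USER_IP_HEADER: str(addr)}


def mci_get(host, path, customer_ip, cert_file, key_file):
    """Send one GET through the MCI proxy on port 443; returns (status, body)."""
    ctx = build_mci_context(cert_file, key_file)
    conn = http.client.HTTPSConnection(host, 443, timeout=30, context=ctx)
    try:
        conn.request("GET", path, headers=user_ip_header(customer_ip))
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```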
Error messages
The following error messages may be triggered by the MCI proxy server.
- 400 Bad Request – is triggered when the MCI proxy server cannot or will not process the request due to something that is perceived to be a TPP error (e.g. malformed request syntax, invalid request message framing, or deceptive request routing).
- 401 Unauthorised – is triggered when TPP authentication fails, e.g. invalid QWAC/OBWAC.
- 403 Forbidden Error – is triggered in the following scenarios:
  - an attempt is made to establish a connection with the MCI proxy from an IP address (either TPP or underlying customer) located in a sanctioned country;
  - an attempt is made to access a screen in a direct channel, which has been blocked by the MCI proxy as it only contains data a TPP has no need to request as part of the provision of AIS or PIS under PSD2 or because it is subject to GDPR restrictions;
  - an attempt is made to access a direct channel which only supports AIS (MiVision) but a TPP is not authorised as an AISP.
- 404 Not Found - is triggered when the requested resource is not found on the server.
- 503 Service Unavailable – is triggered when the MCI proxy is temporarily unavailable. This can be caused by scheduled maintenance or a temporary overload, which will likely be restored after some delay.
Channel documentation
Channel-specific documentation is available on request and provides further details on how to log in and interact with each of our MCIs.
- Login Procedure – details of the login procedure and credentials required to log in to each channel
- Error Messages - list of the error / pop-up messages which can be triggered in each channel
- Accessible Pages - list of web pages in each channel which may legitimately be accessed to provide AIS, PIS and for Funds Confirmation checks
- Eligible Accounts - list of PSD2 eligible payment accounts in each channel
- Funds Confirmation - details of the available balance fields in each channel to be used as inputs for Funds Confirmation checks