Qualified Website Authentication Certificates (QWAC)


Verification Requirements

PSD2 certificates require the applicant to provide the following information:

  1. Authorization number of the TPP (third-party payment provider)
    • Found in the public registers of the national competent authorities
  2. The role(s) of the TPP, which may be one or more of the following:
    • ASPSP
    • PISP
    • AISP
    • Issuing of card-based payment instruments
  3. Name of the competent authorities where the TPP is registered
  4. Name of the Qualified Trust Service Provider (QTSP)

Traditional certificate requirements include:

  1. Name of the certificate owner
  2. Domain verification
  3. Organization identity
  4. The legal identity of the organization controlling the website
  5. Validity period

PSD2 Certificate Requirements for Third-Party Providers and Banks

What can a third-party provider do with a PSD2 certificate?

A third-party provider that wants to access customer bank accounts within the EU or their associated data needs to obtain a license and unique PSD identifier from its National Competent Authority (NCA) in the EU member state with regulatory authority over the third-party provider. There are different types of licenses that each determine the data access rights or “roles” of the third-party provider in accordance with their business model.

Technical Requirements for Third-Party Providers and Banks

A third-party provider that wants to gain access to bank accounts, and a bank that is providing third parties with access to customer account data, must each identify themselves with one or more PSD2 certificates, which are built on the foundation of Qualified Website Authentication Certificates (QWACs). Entrust EU will offer both types of certificates.

Requirements for banks

Banks must also make an API available to Third-Party Providers that enables access to customer bank accounts or account information. A bank’s identity will be confirmed through its own Qualified Website Certificate.
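The sketch below is an added example, not Entrust code: it shows how a bank's API could use the authorization number, competent authority and roles carried in a TPP's PSD2 certificate to decide whether a request is permitted. It assumes the organizationIdentifier layout and role names from ETSI TS 119 495, which this page does not quote; the operation names and sample values are hypothetical.

```python
import re
from dataclasses import dataclass

# Role names from ETSI TS 119 495 (assumption), mapped to the terms used on this page.
ROLE_NAMES = {
    "PSP_AS": "ASPSP",
    "PSP_PI": "PISP",
    "PSP_AI": "AISP",
    "PSP_IC": "Issuing of card-based payment instruments",
}

# Hypothetical bank API operations and the role each one requires.
REQUIRED_ROLE = {
    "read_accounts": "PSP_AI",
    "initiate_payment": "PSP_PI",
    "confirm_funds": "PSP_IC",
}

# "PSD" + NCA country code + "-" + NCA identifier + "-" + authorization number
ORG_ID_RE = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)")

@dataclass(frozen=True)
class TppIdentity:
    nca_country: str
    nca_id: str
    authorization_number: str
    roles: frozenset

def parse_tpp_identity(org_identifier, roles):
    """Build a TppIdentity from fields already extracted from a validated certificate."""
    m = ORG_ID_RE.fullmatch(org_identifier)
    if not m:
        raise ValueError("not a PSD-format organizationIdentifier")
    unknown = set(roles) - set(ROLE_NAMES)
    if unknown or not roles:
        raise ValueError(f"missing or unknown PSD2 roles: {sorted(unknown)}")
    return TppIdentity(m.group(1), m.group(2), m.group(3), frozenset(roles))

def is_allowed(tpp, operation):
    """Deny by default: unknown operations and absent roles are both refused."""
    required = REQUIRED_ROLE.get(operation)
    return required is not None and required in tpp.roles

if __name__ == "__main__":
    # Constructed sample: an AISP-only TPP registered with a made-up NCA "EXNCA".
    tpp = parse_tpp_identity("PSDXX-EXNCA-000001", ["PSP_AI"])
    for op in REQUIRED_ROLE:
        print(op, "allowed" if is_allowed(tpp, op) else "denied")
```

This check only makes sense after the certificate chain, validity period and revocation status have been verified; the parsed authorization number can then be compared against the competent authority's public register.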

Application Process for a PSD2 Certificate

Before applying for a PSD2 certificate, a third party must first register as a payment service provider with its National Competent Authority (NCA). After the third party receives its NCA license, Entrust EU can then complete verification (including all verification required for Extended Validation or EV certificates) and issue the third party with a PSD2 certificate.