PSD2 QWAC combines two abbreviations: the Second Payment Services Directive (PSD2) and Qualified Website Authentication Certificate (QWAC). PSD2 applies to European Union (EU) member states and requires legacy banks to open access to their consumer data, together with payment channels, to Third Party Providers (TPPs) and Payment Service Providers (PSPs). PSD2 aims to eliminate the data monopoly that legacy banks had formed and to encourage new advanced services to emerge. At the same time, PSD2 is there to guarantee high industry standards and the safeguarding of consumer data.
One of the means to comply with PSD2 is to acquire a QWAC, a digital certificate that belongs to the category of trust services defined in the Electronic Identification And Trust Services (eIDAS) Regulation. According to the eIDAS Regulation, trust services are usually delivered by Trust Service Providers (TSPs) and include, but are not limited to, electronic signatures, various seals, time stamps, website authentication data and delivery services. A QWAC is used here to assure authentication between a website and a legally obliged body. If a website possesses a QWAC, it signals that it is a legitimate website with a protected way of doing business.
In other words, a Qualified Website Authentication Certificate ensures sensitive data encryption and the identification of PSPs and other financial institutions. It also identifies their functions and compliance with PSD2.
As mentioned above, a Qualified Website Authentication Certificate is used in two ways: to verify the involved parties and to affirm the use of Transport Layer Security (TLS) encryption. The standards applied by QWAC are partly based on the CA/Browser Forum’s standard for Extended Validation (EV) certificates. EV implements high-assurance identity vetting procedures and is therefore considered to be the most distinguished form of assurance for consumers. Additionally, a PSD2 QWAC contains data on the holder’s regulatory authorisation and roles under PSD2.
According to the PSD2 Regulatory Technical Standards (RTS), a QWAC is used to support the PSP’s identity and ensure secure communication. A PSD2 QWAC provides corresponding safeguarding for both the means of communication and the payment transaction data.
The deadline for compliance with PSD2 was set for September 2019, and the majority of involved parties met it. There were some delays and signs of impediment, as in the case of the UK. However, failure to comply with PSD2 may bring penalties that financial institutions and other payment providers prefer to avoid.
If enterprises choose to steer clear of eIDAS certificates, they will lose the legal protection offered by the PSD2 directive. Payment Service Providers should purchase QWAC certificates only from eIDAS-qualified Trust Service Providers. Before issuing the certificate, the TSP will confirm the applicant’s license information with the National Competent Authority (NCA), which is a financial regulator.
Even though the PSD2 QWAC is a minor change enforced by PSD2, it is required in all EU member states and will shake up the payment ecosystem. Nevertheless, the certification process and the QWAC itself represent a consequential step forward for eIDAS qualified certificates. These certificates might evolve and shortly conquer other regulated industries.
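As an added example (not code from the original article or from Nordigen), this is how a bank-side API gateway could use the authorisation data and roles carried in a PSD2 QWAC to decide whether a caller may use a given API. It assumes the organizationIdentifier layout and role names of ETSI TS 119 495, which the article does not cite, and that both values were already extracted from a certificate whose chain and qualified status have been validated; `REQUIRED_ROLE`, `parse_org_identifier` and `check_tpp` are hypothetical names.

```python
import re
from typing import Iterable, NamedTuple, Optional, Tuple

# Role names from ETSI TS 119 495 (assumption: the page does not list them).
PSD2_ROLES = {"PSP_AS", "PSP_PI", "PSP_AI", "PSP_IC"}

# Hypothetical mapping from a bank API family to the role it requires.
REQUIRED_ROLE = {"accounts": "PSP_AI", "payments": "PSP_PI"}

# "PSD" + NCA country + "-" + NCA identifier + "-" + PSP authorisation number.
_ORG_ID = re.compile(r"PSD([A-Z]{2})-([A-Z]{2,8})-(.+)")


class Authorisation(NamedTuple):
    country: str   # country of the National Competent Authority
    nca_id: str    # identifier of the NCA itself
    psp_id: str    # authorisation number the NCA gave the PSP


def parse_org_identifier(value: str) -> Optional[Authorisation]:
    """Return the parsed authorisation, or None if not in the PSD scheme."""
    m = _ORG_ID.fullmatch(value.strip())
    return Authorisation(*m.groups()) if m else None


def check_tpp(org_identifier: str, cert_roles: Iterable[str],
              api: str) -> Tuple[bool, str]:
    """Decide whether a caller's certificate data permits the requested API."""
    auth = parse_org_identifier(org_identifier)
    if auth is None:
        return False, "organizationIdentifier is not a PSD2 authorisation number"
    roles = set(cert_roles)
    if not roles or not roles <= PSD2_ROLES:
        return False, "certificate carries no roles or an unknown role"
    needed = REQUIRED_ROLE.get(api)
    if needed is None:
        return False, "unknown API family"
    if needed not in roles:
        return False, f"role {needed} required for {api}"
    return True, f"{auth.psp_id} authorised by {auth.country}/{auth.nca_id}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    print(check_tpp("PSDES-BDE-3DFD21", ["PSP_AI"], "accounts"))
    print(check_tpp("PSDES-BDE-3DFD21", ["PSP_AI"], "payments"))
```

The certificate records the roles held at issuance, so a gateway that needs the current licence status still has to consult the NCA's register.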