An introduction to QWAC

A QWAC (for qualified website authentication certificate) is a digital certificate that provides strong assurance of the identity of the entity behind a website or online service.

In the context of EU's VOP, a QWAC plays a crucial role in securing the communication between PSPs and / or RVMs. It is used by the payer's PSP to authenticate itself to the payee's PSP and ensure that the request to verify the payee's information is legitimate and comes from a trusted source.

Every VOP participant's BIC registered in the EPC's EDS is associated with a single QWAC.

ℹ️
The EPC recommends using a dedicated QWAC for VOP.

Purchasing a QWAC

QWACs can be purchased from qualified trust service providers (QTSPs). The European Commission maintains a list of QTSPs.

Purchasing a QWAC requires submitting official documentation that proves the company's legal identity as well as its regulatory status and authorization number as a PSP from its national competent authority (NCA). Upon successful verification, the QTSP will issue the QWAC.

ℹ️
Mambu Payments (formerly Numeral) offers a fully-managed service to procure your QWAC. Please contact your account manager to know more.

Managing a QWAC in Mambu Payments (formerly Numeral)

In case you are managing your QWAC yourself, you can configure it using the Mambu Payments dashboard:

Go to Settings > VOP
Select your participant BIC
Click Add QWAC
Enter the name, private key, and content of the QWAC
Choose if you want to enable the certificate now (and disable any existing certificate) or later
Click Add QWAC

ℹ️
In order to enable certificate rotation with no service interruption, you can manage up to 2 QWACs in Mambu Payments (formerly Numeral).
As your existing QWAC nears its expiration date, you can purchase and add a new QWAC to be enabled when the existing QWAC expires.
Enabling this new QWAC requires a manual action from a Mambu Payments (formerly Numeral) dashboard admin user.