QWAC PSD2 certificates for VOP
Learn more about QWAC PSD2 certificates for VOP
An introduction to QWAC PS2D certificates
A QWAC (for qualified website authentication certificate) PSD2 certificate is a digital certificate that provides strong assurance of the identity of the entity behind a website or online service.
In the context of EU's VOP, a QWAC PS2D certificate plays a crucial role in securing the communication between PSPs and / or RVMs. It is used by the payer's PSP to authenticate itself to the payee's PSP and ensure that the request to verify the payee's information is legitimate and comes from a trusted source.
Every VOP participant's BIC registered in the EPC's EDS is associated with a single QWAC PSD2 certificate.
The EPC recommends using a dedicated QWAC PSD2 certificate for VOP.
Structure of a QWAC PSD2 certificate
A QWAC PSD2 certificate is comprised of two distinct but mathematically linked components: a private key and a certificate.
- The private key is a secure, secret file that you must protect; it is used to digitally sign your outgoing requests, proving they originate from you.
- The certificate is the public part, which contains your verified identity information and a corresponding public key.
These two elements form a cryptographic pair. The public key embedded within the certificate can verify signatures created by its unique private key. This link allows receiving parties to confirm that communications are authentic and have not been tampered with. Typically, both components are provided in the PEM format.
The private key is usually stored in a file with a .key extension, while the public certificate is commonly found in a file with a .crt, .cer, or .pem extension.
Purchasing a QWAC PSD2 certificate
Standard process
QWAC PSD2 certificates can be purchased from qualified trust service providers (QTSPs). The European Commission maintains a list of QTSPs.
Purchasing a QWAC PSD2 certificate requires submitting official documentation that proves the company's legal identity as well as its regulatory status and authorization number as a PSP from its national competent authority (NCA). Upon successful verification, the QTSP will issue the QWAC PSD2 certificate.
The NCA will ask you key information to generate a CSR certificate, includng:
- Country code
- Organisation name
- National Authority Number (NAN), composed of your National Competent Authority (NAC) and your identifier (example: PSDFR-ACPR-123456 for a PSP in France whose identifier is 123456 and has been granted by ACPR)
- Locality
- State or province
Fully-managed procurement by Mambu Payments
Mambu Payments offers a fully-managed service to procure your QWAC PSD2 certificate. We will need you to provide the following information:
- National Authority Number (NAN) (see above)
- Roles given by NCA (PSP_AS, PSP_PI, PSP_AI, PSP_IC)
- Organisation identification:
- Names (commercial and social)
- Registration numbers (SIREN, SIRET, EU VAT, etc.)
- Address
- Legal representative (first and last names, email, phone)
Mambu Payments has partnered with CertEurope for QWAC procurement
Managing a QWAC PSD2 certificate in Mambu Payments
In case you are managing your QWAC PSD2 certificate yourself, you can configure it using the Mambu Payments dashboard:
- Go to Settings > VOP
- Select your participant BIC
- Click Add QWAC PSD2 certificate
- Enter a descriptive name, for instance
- Copy paste the private key and certificate as text
- Choose if you want to enable the certificate now (and disable any existing certificate) or later
- Click Add QWAC PSD2 certificate
In order to enable certificate rotation with no service interruption, you can manage up to 2 QWAC PSD2 certificates in Mambu Payments.
As your existing QWAC PSD2 certificate nears its expiration date, you can purchase and add a new QWAC PSD2 certificate to be enabled when the existing QWAC PSD2 certificate expires.
Enabling this new QWAC PSD2 certificate requires a manual action from a Mambu Payments (formerly Numeral) dashboard admin user.
Updated 1 day ago