Guides
Start typing to search…
  1. VOP

QWAC PSD2 certificates for VOP

Learn more about QWAC PSD2 certificates for VOP

A QWAC (Qualified Website Authentication Certificate) PSD2 certificate authenticates PSPs to each other during VOP requests. Every VOP participant's BIC registered in the EPC Directory Service (EDS) is associated with a single QWAC PSD2 certificate.

⚠️

Note: The EPC recommends using a dedicated QWAC PSD2 certificate for VOP, separate from certificates used for other PSD2 services.

How QWAC PSD2 certificates work

A QWAC PSD2 certificate consists of two cryptographically linked components:

Private key. A secret file used to digitally sign outgoing requests, proving they originate from you. Store it securely. Typically provided in PEM format with a .key extension.

Certificate. The public part, containing your verified identity information and a corresponding public key. The receiving PSP uses it to verify that your requests are authentic and unaltered. Typically provided in PEM format with a .crt, .cer, or .pem extension.

⚠️

Security: Protect your private key. Do not share it, commit it to version control, or expose it in logs.

Purchase a certificate

Standard process

Purchase a QWAC PSD2 certificate from a Qualified Trust Service Provider (QTSP). The European Commission maintains a list of QTSPs.

The QTSP requires documentation proving your legal identity and your regulatory status as a PSP from your National Competent Authority (NCA). Provide the following information to generate a Certificate Signing Request (CSR):

  • Country code
  • Organisation name
  • National Authority Number (NAN) – composed of your NCA code and your identifier (for example, PSDFR-ACPR-123456 for a French PSP with identifier 123456 authorised by ACPR)
  • Locality
  • State or province

Managed procurement by Mambu Payments

Mambu Payments offers a managed procurement service through its partnership with CertEurope. Provide the following information to get started:

  • National Authority Number (NAN)
  • Roles granted by your NCA: PSP_AS, PSP_PI, PSP_AI, or PSP_IC
  • Organisation identification: names (commercial and legal), registration numbers (SIREN, SIRET, EU VAT), and address
  • Legal representative: first name, last name, email, and phone number

Contact the Mambu Payments team to initiate managed procurement.

Configure a certificate in the dashboard

If you manage your QWAC PSD2 certificate yourself, configure it in the dashboard:

  1. Go to Settings > VOP.
  2. Select your participant BIC.
  3. Select Add QWAC PSD2 certificate.
  4. Enter a descriptive name for the certificate.
  5. Paste the private key (PKCS1 or PKCS8 format) and certificate as text.
  6. Choose whether to enable the certificate immediately (disabling any existing certificate) or enable it later.
  7. Select Add QWAC PSD2 certificate to save.
💡

Tip: To rotate certificates without service interruption, add a new certificate before the existing one expires. Mambu Payments supports up to two QWAC PSD2 certificates at the same time. Enable the new certificate when the existing one approaches its expiration date.

Related

Updated about 7 hours ago