A QWAC (Qualified Website Authentication Certificate) is a TLS server certificate that combines a CA/B Forum compliant EV SSL certificate with PSP (Payment Service Provider)-specific fields according to the Payment Services Directive (PSD2). This regulation helps modernize electronic exchanges in the banking world.

Establishments identified as PSPs must use PSD2 compliant certificates. These PSPs must be authorized by a National Banking Authority (NCA).

This Directive introduces two new types of certificates described in ETSI TS 119 495, which includes elements of qualified eIDAS certificates.

In the PSD2 scheme, banks offering an online service must offer API access to other PSPs via the TLS protocol. Every client network connection request is made with a QWAC certificate; the server can use a QWAC or a TLS-compliant certificate.

For proof, PSD2 recommends using the QSeal server seal to sign information end to end, for retention and identification. If the QSeal is generated and used on QSCD cryptographic hardware, as in eIDAS, then the signature is qualified; otherwise it has the status of validated.

The life cycle of QWAC certificates is identical to that of SSL certificates.

QWACs are issued by a qualified trust service provider and meet the requirements of Annex IV of the eIDAS Regulation. BlueCerts is the registration authority of the InfoCert CA, which is eIDAS-qualified for ETSI TS 119 495.

Unlike the QSeal, the other type of PSD2 certificate, QWAC certificates do not provide legally presumed evidence of a transaction.

  • eIDAS:
  • Authentication: yes for client and server
  • Validity period: 1 or 2 years

