PSD2 Qualified Website Authentication Certificate (QWAC) Onboarding Guide

Nov 25, 2024

Introduction

The revised Payment Services Directive (PSD2) applies to all member states of the European Union (EU) and mandates that financial institutions must open access to their customer information and payment networks to Payment Service Providers (PSPs) and other Third Party Providers (TPPs). The goal of the directive is to remove the monopoly financial institutions have on their users’ data, increase competition, and encourage new, innovative financial solutions, while at the same time establishing standards to ensure interoperability and the security of user data.

Organizations that must comply with PSD2 may wish to purchase a Qualified Website Authentication Certificate (QWAC), which is a type of qualified digital certificate under the trust services defined in the eIDAS Regulation. In the eIDAS Regulation, trust services are defined as electronic services, normally provided by trust service providers (TSPs, of which GlobalSign is one), which consist of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. For website authentication, QWACs are issued to assure authentication between a website and a natural or legal person, offering website visitors proof that any business conducted on the site is protected, and there is a legitimate entity behind the website.

How to Order a PSD2 QWAC

Ordering a PSD2 QWAC is similar to ordering an ExtendedSSL Certificate through the GlobalSign Certificate Center (GCC) retail order process, but with a few changes to the order flow:

  1. In the Products section at the top of the Certificate Application, select ExtendedSSL.

    QWAC Validity Period
    We require QWACs to have a 1-year validity, so please select 1 year from the Validity Period section. 

  2. Near the middle of the page, under Request a Qualified Website Authentication Certificate (QWAC), follow these steps:

a. Select the Yes radio button.

b. Select I want a PSD2 QWAC.

c. Select your National Competent Authority (NCA). Your NCA is the entity that provided you with your Payment Service Provider number.

d. Enter your PSP Identifier provided by your NCA. 

e. Enter your PSP Role. You may select more than one. 
 

When you finish placing your order, be sure to save the information on the confirmation screen for future reference, and to walk through the steps of retrieving your Certificate once you have cleared all Vetting tasks.

Vetting Process for PSD2 QWACs

GlobalSign's role as a TSP dictates that we comply with the eIDAS Regulation and PSD2, and validate the entity behind the Certificate under a specific, standardized process. Once you submit your Certificate order, you will receive an email from the GlobalSign Vetting Department with information on what other materials you need to submit for us to process your order.


Domain Control Validation

We validate the Organization’s ownership or control of the domain. We do this either by sharing a random value with you to install at specific locations, or by performing a challenge-response with pre-approved email addresses.

Authorized Representative Validation

As part of the vetting process, we are required to perform a face-to-face verification of your Authorized Representative. This is usually carried out by a Third Party in accordance with national law.


For this step, we will require the following:

• Signed Personal Statement: A personal statement signed by the Authorized Representative. It will include certain attestations, including that the information contained in the Application and the Certificate Request is true and correct, and acceptance of our terms and conditions. We will send the form to your Authorized Representative to sign.
• Photo ID: The Authorized Representative will need to bring a Government Issued Photo ID to the Third Party who performs the face-to-face validation. We provide a list of the acceptable documents.
• Copy of Secondary Documentation: We do not require a copy of your Authorized Representative’s Government Issued Photo ID for our files. Instead, we require copies of two pieces of Secondary Documentation. We provide a list of the acceptable documents.
• Notarization of your Application: The Third Party will notarize your application. We will provide more information about who can carry out this notarization in your jurisdiction. We will send you the form the Third Party must use for this notarization.


Organization Validation

Don't worry, we will take care of this part of the validation. We will validate the information provided in the Certificate Request. We confirm most of these elements in our independent sources. We may reach out if more information is required.

• Organization's Identity: This includes the Organization Full Legal name and the Organization Identifier. It also includes the Organization’s ability to do business, which is implied if the Organization has been in existence over three years.
• Organization's Address: We verify the physical address of your Organization. This is the address where the business operates, and can’t be a postbox or a “care of” address.
• The Authority to represent the Organization: We verify that the Authorized Representative has the authority to represent the Organization.
• Organization's Authorization to Issue: We check with the Authorized Representative that they approve the issuance of the Certificate.


PSD2 Attribute Validation

This section is relevant for PSD2 Certificates. This is a special type of Certificate, required by the Payment Services Directive, for Payment Service Providers who provide online services within the European Union.

We will take care of this part of the validation, but may need some additional information.

• NCA Information: A national competent authority in Europe with the designated authority to register and authorize Payment Service Providers.
• Payment Provider Type: There are only a limited number of types of Payment Service Providers:
    • Payment Initiation Services (PIS) for initiating credit transfers online.
    • Account Information Services (AIS) for providing consolidated account information online.
    • Card Based Payment Instruments Issuing (CBPII) for issuing instruments/acquiring transactions online.
• Payment Provider Number: A registration or authorization number that has been assigned to the Payment Service Provider by the National Competent Authority where the Payment Service Provider is registered or authorized.
