Qualified Certificates

eIDAS and PSD2 standards are aimed at enhancing trust in electronic transactions across the EU. eIDAS applies to any business, whereas PSD2 rules are specific to EU banking/financial services institutions.

Qualified Certificates can only be issued by a Qualified Trust Service Provider (QTSP) recognized under eIDAS. Entrust Europe is recognized as a QTSP and has undergone the appropriate eIDAS conformity assessments in order to be able to provide Qualified Certificates for Website Authentication. View Entrust Europe on the EU Trust List.

European organizations can secure their communications with an eIDAS-compliant QWAC to demonstrate their compliance with European eIDAS guidelines. Qualified Certificates are available across all EU countries

PSD2-compliant Qualified Website Authentication Certificates (QWACs) provide secure, encrypted communications as required by the EU RTS standards.

PSD2 QWACs enable organizations – specifically financial services institutions
and PSPs – to get the highest level of trust and identity assurance in accordance with PSD2 regulations.

• Highest level of authentication is required to secure the open banking APIs used for transferring private data when making payments or transferring money.
• PSD2 QWACs are required for website authentication so Account Servicing Payment Services Providers (ASPSPs) and Third Party Providers (TPPs) can be certain of each other’s identity.

Verification requirements

PSD2 QWAC certificates follow the EV verification guidelines and require the
following additional information:

1. Authorization number of the TPP, found in the public registers of the NCA (National Competent Authority)
2. The role(s) of the TPP, which may be one or more of the following:
   • ASPSP (Account-Servicing Payment Service Provider)
   • PSIP (Payment Initiation Service Provider)
   • AISP (Account Information Service Provider)
   • Issuing of card-based payment instruments
3. Name of the competent authorities where the TPP is registered
4. Name of the issuing CA/QTSP is listed on the certificate
5. Traditional EV certificate requirements:
   • Name of certificate owner
   • Domain verification
   • Organization identity
   • Legal identity of organization controlling the website
   • Validity period

eIDAS QWACs:

• Enable all organizations to provide high assurance certificates for online
  transactions in accordance with eIDAS standards.
• Encrypt sensitive data and identify European organizations to users.

Verification requirements:

eIDAS QWACs follow the same EV verification guidelines as PSD2 QWACs,
plus they require a face-to-face validation with a company’s legal representative.