QWAC & eIDAS certificates for Verification of Payee

Verification of Payee moves sensitive answers between banks, so its API is built on strong mutual authentication. That trust rests on QWAC certificates. Here is what they are and what running them involves.

By Verification of Payee EU · powered by RoxPay

Key takeaways

  • The VoP API uses mutual TLS, with each side authenticating via a QWAC (eIDAS) certificate.
  • It is the same PSD2 certificate type already used in open banking — issued by a qualified trust service provider.
  • Issuance, renewal and revocation checking are ongoing tasks; a provider can carry the certificate burden for you.

A Verification of Payee response reveals whether a name matches an account — information only the right parties should exchange. So the scheme's API does not rely on API keys alone: it uses mutual TLS, where both the requesting and responding side present a certificate that proves they are a regulated PSP. The certificate type is the QWAC.

What a QWAC is

  • QWAC stands for Qualified Website Authentication Certificate, defined under the EU eIDAS regulation.
  • It is the same PSD2 certificate already used in open banking to identify regulated payment players.
  • It is issued by a Qualified Trust Service Provider (QTSP) and carries the holder's regulatory identity.

What managing it involves

A certificate is not set-and-forget. It has a validity period, must be renewed before it expires, and the other side must be able to check it has not been revoked — all without breaking the 24/7 availability the scheme requires.

  1. Obtain a QWAC from a qualified trust service provider.
  2. Present it on every connection and validate the counterparty's certificate in return.
  3. Track expiry, rotate ahead of time, and check revocation so verification never stalls.
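The three steps above, as an added example that is not RoxPay's or the scheme's own code: a Python stdlib `ssl` context that enforces mutual TLS and leaf revocation checking, plus a check that classifies the counterparty's certificate against an assumed 30-day rotation window. File paths, the rotation lead time and the sample certificate dates are all assumptions.

```python
"""Mutual-TLS hygiene for a VoP endpoint (added example, not the scheme's code)."""
import ssl
from datetime import datetime, timedelta, timezone

# Assumed policy: start rotating a month before the QWAC expires.
ROTATION_LEAD = timedelta(days=30)


def make_mtls_context(side, cert_path=None, key_path=None,
                      qtsp_ca_bundle=None, crl_path=None):
    """Build an SSLContext for either side of the VoP connection.

    side: "server" (responding PSP) or "client" (requesting PSP).
    qtsp_ca_bundle: PEM bundle of the QTSP issuing CAs you trust (assumed path).
    crl_path: PEM CRL(s) for those CAs; required once CRL checking is enabled,
    otherwise every handshake fails with "unable to get certificate CRL".
    """
    purpose = ssl.Purpose.CLIENT_AUTH if side == "server" else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # both sides must present a certificate
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # reject a revoked leaf certificate
    if qtsp_ca_bundle:
        ctx.load_verify_locations(cafile=qtsp_ca_bundle)
    if crl_path:
        ctx.load_verify_locations(cafile=crl_path)  # CRLs load via the same call
    if cert_path:
        ctx.load_cert_chain(cert_path, key_path)    # our own QWAC and private key
    return ctx


def _cert_time(value):
    # getpeercert() gives times like "Jan 10 00:00:00 2025 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def assess_peer_cert(peercert, now=None):
    """Classify a getpeercert()-style dict for expiry/rotation tracking.

    Returns "missing", "not_yet_valid", "expired", "rotate" or "ok".
    """
    if not peercert:
        return "missing"  # no certificate, or one the handshake did not validate
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _cert_time(peercert["notBefore"]), _cert_time(peercert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= ROTATION_LEAD:
        return "rotate"  # still valid, but renewal must start now to avoid an outage
    return "ok"
```

Run `assess_peer_cert` on the dict returned by `conn.getpeercert()` after each handshake and alert on anything other than "ok".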

Certificates fail quietly

An expired or unrenewed certificate does not warn your users — it just starts rejecting connections. Proactive rotation is what keeps VoP available.

RoxPay manages the certificate trust model for you — issuance, presentation, validation and renewal — so you get rulebook-compliant, mutually authenticated VoP without operating an eIDAS certificate lifecycle yourself.

Frequently asked

A Qualified Website Authentication Certificate under eIDAS, used for mutual TLS so the requesting and responding PSPs can prove they are regulated parties before exchanging a VoP answer.

Yes — the VoP trust model reuses the PSD2 QWAC already established in open banking, issued by a qualified trust service provider.

Connections start failing, which can stall verification. Certificates must be renewed and rotated before expiry, and revocation must be checkable, to keep the 24/7 service available.

Skip the certificate lifecycle

Talk to RoxPay about mutually authenticated VoP without managing eIDAS certificates.