The VoP scheme relies on mutual authentication through TLS certificates issued by trusted third parties named “QWAC PSD2” (Qualified Web Authentication Certificates) widely used in PSD2 Open Banking.

To authorize a VOP request, the Responding PSP verifies in the EDS if the Requesting PSP is adhering to the VOP EPC scheme, by using a combination of National Authorization Number (NAN, extracted from the QWAC certificate) and BIC code.

The QWAC certificate

Qombo need to access your QWAC PSD2 certificate to call other participants on your behalf (public and private key).

If you don’t have QWAC PSD2 certificates, you can reach out to a qualified provider which offers official QWAC PSD2 certificates for PSD2 compliance. Obtaining these certificates may take a few weeks, so make sure to plan ahead. We recommend the company CertEurope. Here is the email contact you can use to order the certificate: [email protected]

To get your QWAC certificate, a few information will be required included the PSD2 NAN - National Autorisation Number. If you are a french PSP, the structure is ‘PSDFR-ACPR-XXXXX’ → XXXXX is the “CIB – code interbancaire”.

For French PSP, the CIB code is available in the REGAFI website.

More info about the PSD2 NAN structure on the EPC Website.

PSD2 QWAC issuance checklist

Your PSD2 QWAC certificate must follow these guidelines in order to be used in the context of VOP:

Certificate validity & trust

• [ ] Validity period is correct
• [ ] Issuer is a Qualified Trust Service Provider (QTSP) listed in the EU Trusted List (LOTL)

Certificate type & profile

• [ ] Certificate is a Qualified Web Authentication Certificate (QWAC)

Subject & identification

• [ ] Organization Identifier (PSD2) is present and matches the competent authority register (Format: PSD<CC>-<NCA>-<AuthorizationNumber>)

PSD2 regulatory attributes (QCStatements)

• [ ] QCStatement for Open Banking is present (1.3.6.1.5.5.7.1.3)
• [ ] PSP roles extension present (0.4.0.19495.2)