QWAC Assessor

The challenge

To meet PSD2 security requirements, banks and TPP account information service providers make use of qualified website authentication certificates (QWAC) and electronic seals (QSealC) which authorise them to access sensitive customer data legitimately.

Given that different entities confirm their identity and authorisation and that a certificates’ validity has to be regularly updated in a bank’s system, there is the risk that while a bank has correctly identified a TPP, the authorisation for certain services is no longer up to date.

Therefore, there has to be a two-part check process for every inquiry.  This avoids any risk of unauthorised access and the related disclosure of confidential information as well as unauthorised payments being made.

So, how can you check a TPP certificate and ensure that its identity matches the request made by the TPP?

The solution

Our QWAC Assessor can run this test offline for you.

Run either as a stand-alone web service or as part of an API gateway, QWAC Assessor confirms the identity and function (AIS, PIS, PIIS) of the TPP and validates the request while encrypting and checking confidential data.

We provide a framework for updating the data that is imported into QWAC Assessor. Only once the data is confirmed the TPP receives the X2SA access they’ve requested.