Handy solution to check TPP certificates offline
The challenge
To meet the security requirements of PSD2, banks and TPP account information service providers use qualified website authentication certificates (QWAC) and electronic seals (QSealC) to authorize legitimate access to sensitive customer data.
Because different entities confirm a TPP’s identity and its authorization, and because the validity of a certificate must be regularly updated in a bank’s system, there is a risk that a bank may have correctly identified a TPP, but that the authorization for certain services is no longer up to date.
Therefore, there must be a two-part verification process for each request. This avoids the risk of unauthorized access and disclosure of confidential information, as well as unauthorized payments.
So, how do you verify a TPP certificate and ensure that its identity matches the TPP request?
The solution
Run either as a stand-alone web service or as part of an API gateway, QWAC Assessor confirms the identity and function (AIS, PIS, PIIS) of the TPP and validates the request while encrypting and checking confidential data.
Our QWAC Assessor can run this test offline for you.
We provide a framework for updating the data that is imported into QWAC Assessor. Only once the data is confirmed does the TPP receive the XS2A access it has requested.
The benefits
- Offline TPP checks with no timeouts
- Identity and authentication checks for PISP, AISP, or PIISP
- Available as a standalone service or as an integrated solution in an API gateway