What is eIDAS Seal & QWAC PSD2 Certificate Validation?

Overview 

This article provides a high-level explanation of eIDAS Seal and QWAC PSD2 certificate validation and its role within the European Union’s regulatory framework for secure electronic transactions and regulated payment services. It explains what information is validated, how the validation process works, and why this validation is critical for compliance with the eIDAS Regulation and PSD2 requirements.  

 

How eIDAS Seal & QWAC PSD2 Validation Works 

eIDAS Seal and Qualified Website Authentication Certificates (QWACs) are issued following a rigorous validation process designed to establish organizational identity, regulatory authorization, and request legitimacy. 

The validation begins by confirming that the organization is legally registered and operating in good standing. Official government registries and authoritative business databases are used to validate the organization’s legal name, registration details, and business address.  

To meet PSD2 requirements, the organization’s regulated roles are verified against data published by the National Competent Authority (NCA), such as a central bank or financial supervisory authority. These roles may include Account Information Services (AIS), Payment Initiation Services (PIS), or other Payment Service Provider (PSP) functions. 

Request authentication is another critical part of validation. Sectigo confirms that the certificate request was legitimately submitted and authorized by the organization. This may involve contacting the organization via a verified business phone number or email address. 

For certain certificate types, the applicant’s identity is verified through a secure video-based identity verification process using a government-issued, unexpired identification document. This helps detect document alteration, misrepresentation, or falsification. 

 

Key Components of the Validation Process 

Organization Legal Registration 
Verification that the organization is legally registered and active using national trade registers, VAT registries, or equivalent official sources. 

Organization Identity Details 
Confirmation of the legal organization name, any DBA (Doing Business As) name, and the physical business address where operations are conducted.  

PSD2 Role Verification 
Validation of the organization’s authorized payment service roles through documentation or public listings from the National Competent Authority, including a Competent Authority ID where applicable. 

Contact Information Validation 
Verification of a legitimate business phone number or email address using trusted public and commercial databases. This information is used to confirm authorization of the certificate request. 

Request and Domain Control Authentication 
Confirmation that the certificate request was submitted by an authorized party. For QWAC certificates, control over the listed domain(s) is validated. (Domain validation is not applicable for Seal certificates.) 

Applicant Identity Verification 
Where required, the certificate requester completes a video-based identity verification to confirm personal identity and prevent impersonation or fraud. 

Supporting Documentation Review 
Review of signed documents to ensure they remain unaltered after execution and that all regulatory requirements are met.  

 

What to Expect During Validation 

While validation is in progress, organizations are expected to participate actively in completing required steps. These may include signing the subscriber agreement, ensuring submitted organization details match official records, and responding promptly to requests for additional documentation or clarification.  

Organizations may also be required to complete video-based identity verification and respond to confirmation calls or emails from the validation team. If PSD2 role information is not publicly available, customers may need to obtain confirmation directly from the relevant National Competent Authority.  

 

Use Cases 

eIDAS Seal and QWAC PSD2 certificates are commonly used for: 

  • Authenticating regulated payment service providers under PSD2 when interacting with banks and financial institutions 

  • Securing API and website communications for open banking and financial services using strong, regulated authentication 

  • Establishing legal trust and non-repudiation for electronic transactions within the EU internal market 

  • Demonstrating regulatory compliance with eIDAS and PSD2 requirements for supervised entities 

 

Additional Notes About Validation 

If Sectigo is unable to verify your organization’s name, address, phone number, or email address using trusted sources, a Validation Specialist will contact you via phone or email with guidance on how to resolve the issue. 

In certain scenarios, verification of the certificate requester’s identity may be required. If applicable, Sectigo will provide instructions and a secure option to complete this identity verification step. 

Your order confirmation email includes a link to the Validation Manager, where you can monitor validation progress and complete any required actions for each validation requirement. 

QSCD certificate versions require a USB token for secure key storage and usage. 

 

Organization Identification Structures 

During validation, one or more of the following organization identifiers may be used: 

  • National Trade Register (NTR) 
    Example: NTRBE-0876866142 
    Format: NTR + country code – registration number 

  • National Value Added Tax (VAT) 
    Example: VATBE-0876866142 
    Format: VAT + country code – registration number 

  • Global Legal Entity Identifier (LEI) 
    Example: LEIXG-0876866142 

  • Payment Service Provider Identifier (PSD) – PSD2 only 
    Example: PSDFI-FINFSA-1234567-8 
    Format: PSD + country code – NCA initials – registration number 
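
The structures listed above can be split into their parts before a PSD identifier is matched against an NCA's public register. The following is an added example, not Sectigo's code; the function names, the `OrgIdentifier` type and the exact character classes are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Type prefix, two-letter country code, hyphen, remainder (assumed classes).
_PATTERN = re.compile(r"(?P<scheme>NTR|VAT|LEI|PSD)(?P<country>[A-Z]{2})-(?P<rest>\S+)")


@dataclass(frozen=True)
class OrgIdentifier:
    scheme: str
    country: str
    registration: str
    nca: Optional[str] = None  # set only for PSD identifiers


def parse_org_identifier(value: str) -> OrgIdentifier:
    """Split an organization identifier into its parts or raise ValueError."""
    # fullmatch rejects trailing newlines or padding that match() would accept.
    m = _PATTERN.fullmatch(value)
    if m is None:
        raise ValueError(f"unrecognized organization identifier: {value!r}")
    scheme, country, rest = m["scheme"], m["country"], m["rest"]
    if scheme != "PSD":
        return OrgIdentifier(scheme, country, rest)
    # PSD: NCA initials come first. Split once so a hyphen inside the
    # registration number (as in "1234567-8") is kept intact.
    nca, sep, registration = rest.partition("-")
    if not sep or not re.fullmatch(r"[A-Z]+", nca) or not registration:
        raise ValueError(f"PSD identifier lacks NCA initials or number: {value!r}")
    return OrgIdentifier(scheme, country, registration, nca)


def psd2_register_key(value: str) -> tuple:
    """Return (country, NCA initials, registration) for an NCA register lookup."""
    ident = parse_org_identifier(value)
    if ident.scheme != "PSD":
        raise ValueError("not a PSD identifier; it carries no NCA reference")
    return (ident.country, ident.nca, ident.registration)
```
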
