Subscribe to the Non-Human & AI Identity Journal
Authentication, Authorisation & Trust

QWAC

← Back to Glossary
By NHI Mgmt Group Updated July 11, 2026 Domain: Authentication, Authorisation & Trust

A qualified website authentication certificate used to prove the identity of organisations and secure communications between financial systems. It supports mutual authentication, encrypted transport, and integrity protection for regulated payment APIs and related service connections.

Expanded Definition

A QWAC is a qualified website authentication certificate issued under a regulated trust framework to bind an organisation to a domain or service endpoint. In NHI and payment-security practice, it is used to support strong server identity, mutual authentication, and encrypted sessions for machine-to-machine traffic that must satisfy regulatory expectations. This differs from an ordinary TLS certificate because the emphasis is not only on transport encryption, but also on qualified identity assurance, auditability, and reliance rules defined by the applicable trust scheme. In European payment and trust-service contexts, practitioners often align QWAC handling with controls described in NIST SP 800-53 Rev 5 Security and Privacy Controls for certificate lifecycle, access protection, and secure communications. Definitions vary across vendors and national implementations, but the operational intent is consistent: prove the website or API endpoint belongs to the named organisation. The most common misapplication is treating a QWAC as a generic website certificate, which occurs when teams ignore the qualified trust and identity requirements that make it suitable for regulated financial exchange.

Examples and Use Cases

Implementing QWACs rigorously often introduces certificate governance overhead, requiring organisations to weigh stronger regulated identity assurance against renewal, validation, and trust-list management costs.

  • A payment service provider uses a QWAC to authenticate a settlement API to a bank, ensuring both parties can validate the endpoint identity before exchanging instructions.
  • A fintech integrates a merchant onboarding service with a regulated gateway, where the QWAC anchors the organisation’s legal identity and reduces endpoint impersonation risk.
  • A platform operator pairs QWAC-based server identity with mutual TLS to limit brokered traffic to approved counterparties, while documenting certificate issuance and revocation steps in line with the Ultimate Guide to NHIs.
  • A treasury application validates a counterparty’s QWAC before sending payment status updates, using the certificate as one factor in a broader trust decision rather than as a stand-alone security control.
  • An operations team rotates and reissues certificates during service migration, preserving regulated identity continuity while changing hosting infrastructure or load balancer paths.

For implementation detail, teams often map certificate lifecycle steps to identity and access control guidance in the NIST control catalog and to trust-service requirements that apply in their jurisdiction.

Why It Matters in NHI Security

QWACs matter because they turn an API endpoint into a verifiable organisational identity, which is essential when payment flows, partner connections, and service-to-service trust cannot rely on user prompts or interactive sign-in. If a QWAC is misissued, poorly rotated, or confused with a standard certificate, adversaries can exploit the resulting trust gap to impersonate a counterparty or intercept regulated traffic. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and that kind of visibility gap extends to certificates and other machine identities when inventory is weak. The Ultimate Guide to NHIs also highlights that 90% of IT leaders see proper NHI management as essential to zero trust, which is especially relevant when the trust boundary is a partner API rather than a human login. Practitioners should treat QWACs as part of a broader NHI lifecycle that includes issuance, pinning, renewal, revocation, and offboarding. Organisations typically encounter QWAC-related risk only after a partner outage, failed certificate validation, or a suspicious endpoint swap, at which point the certificate lifecycle becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, and PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01QWACs are machine identities that must be inventoried and governed like other NHIs.
NIST SP 800-63Digital identity assurance principles inform trust in organisational certificates.
NIST CSF 2.0PR.AC-1Identity and credential management covers service authentication material used by systems.
NIST Zero Trust (SP 800-207)SC-?Zero Trust requires authenticated, continuously validated machine communications.
PCI DSS v4.04.2.1Strong cryptography and trusted certificates support protected payment communications.

Protect payment API traffic with validated certificates and enforce renewal and revocation discipline.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org