Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance)

CHAPTER I GENERAL PROVISIONS

Article 1 Subject matter

This Regulation establishes the requirements to be complied with by payment service providers for the purpose of implementing security measures which enable them to do the following:

  (a) apply the procedure of strong customer authentication in accordance with Article 97 of Directive (EU) 2015/2366;

  (b) exempt the application of the security requirements of strong customer authentication, subject to specified and limited conditions based on the level of risk, the amount and the recurrence of the payment transaction and of the payment channel used for its execution;

  (c) protect the confidentiality and the integrity of the payment service user's personalised security credentials;

  (d) establish common and secure open standards for the communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers in relation to the provision and use of payment services in application of Title IV of Directive (EU) 2015/2366.

Article 2 General authentication requirements

1. Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions for the purpose of the implementation of the security measures referred to in points (a) and (b) of Article 1.

Those mechanisms shall be based on the analysis of payment transactions taking into account elements which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials.

2. Payment service providers shall ensure that the transaction monitoring mechanisms take into account, at a minimum, each of the following risk-based factors:

  (a) lists of compromised or stolen authentication elements;

  (b) the amount of each payment transaction;

  (c) known fraud scenarios in the provision of payment services;

  (d) signs of malware infection in any sessions of the authentication procedure;

  (e) in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.
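The five factors above are the minimum inputs to the monitoring mechanism; the Regulation does not prescribe how they are combined. The following is an added illustration (not text or code from the Regulation) of one way a payment service provider could evaluate a transaction against each factor and arrive at a decision: block, require strong customer authentication, or leave the transaction eligible for a Chapter III exemption. All thresholds, the decision policy, the scenario predicates, the data structures and the sample data are assumptions made for the example; the 30 EUR figure is the Article 16 low-value limit, and the "just under the limit" scenario is one example of a known fraud pattern, not one the Regulation lists.

```python
"""Transaction-monitoring sketch covering the minimum factors (a)-(e) of Article 2(2).
Constructed example; thresholds, predicates and decision policy are assumptions."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Session:
    credential_id: str               # identifier of the authentication element used
    device_id: str
    malware_indicators: tuple = ()   # (d) e.g. ("overlay_detected",); assumed to come from a client SDK


@dataclass
class Transaction:
    user_id: str
    amount: float
    payee: str
    session: Session


@dataclass
class UserProfile:
    past_amounts: list = field(default_factory=list)   # history used for "typical" behaviour (Art. 2(1))
    known_payees: set = field(default_factory=set)
    usual_devices: set = field(default_factory=set)


@dataclass
class MonitoringContext:
    compromised_elements: set   # (a) list of compromised or stolen authentication elements
    device_log: dict            # (e) device_id -> set of user_ids seen on that PSP-issued device/app
    profiles: dict              # user_id -> UserProfile


LOW_VALUE_LIMIT = 30.0      # Article 16 low-value limit in EUR
COLD_START_LIMIT = 500.0    # assumed: flag amounts above this when the user has little history
Z_THRESHOLD = 3.0           # assumed: standard deviations above the user's mean amount

# (c) known fraud scenarios as predicates over (transaction, profile); both are assumed examples
KNOWN_FRAUD_SCENARIOS = {
    "new_payee_high_value": lambda tx, p: tx.payee not in p.known_payees and tx.amount >= 1000,
    "just_under_low_value_limit": lambda tx, p: (tx.payee not in p.known_payees
                                                 and LOW_VALUE_LIMIT - 5 <= tx.amount < LOW_VALUE_LIMIT),
}


def amount_is_abnormal(tx, profile):
    """(b) compare the amount with what is typical for this user."""
    history = profile.past_amounts
    if len(history) < 5:
        return tx.amount > COLD_START_LIMIT
    mu, sd = mean(history), pstdev(history)
    sd = sd or 1.0          # constant history: avoid division by zero
    return (tx.amount - mu) / sd > Z_THRESHOLD


def device_use_is_abnormal(tx, profile, ctx):
    """(e) device unknown for this user, or the same device used by other users."""
    dev = tx.session.device_id
    other_users = ctx.device_log.get(dev, set()) - {tx.user_id}
    return dev not in profile.usual_devices or len(other_users) > 0


def assess(tx, ctx):
    """Return (decision, reasons) for one transaction."""
    profile = ctx.profiles.get(tx.user_id, UserProfile())
    reasons = []
    if tx.session.credential_id in ctx.compromised_elements:        # (a)
        reasons.append("compromised_element")
    if amount_is_abnormal(tx, profile):                              # (b)
        reasons.append("abnormal_amount")
    for name, rule in KNOWN_FRAUD_SCENARIOS.items():                 # (c)
        if rule(tx, profile):
            reasons.append("scenario:" + name)
    if tx.session.malware_indicators:                                # (d)
        reasons.append("malware:" + ",".join(tx.session.malware_indicators))
    if device_use_is_abnormal(tx, profile, ctx):                     # (e)
        reasons.append("abnormal_device_use")

    # Decision policy (assumed): a compromised element or malware blocks outright,
    # any other signal forces SCA, no signal leaves the transaction exemption-eligible.
    if any(r == "compromised_element" or r.startswith("malware:") for r in reasons):
        decision = "block"
    elif reasons:
        decision = "sca_required"
    else:
        decision = "exemption_eligible"
    return decision, reasons


# Constructed sample context and transactions (not real data).
CTX = MonitoringContext(
    compromised_elements={"cred-9f2a"},
    device_log={"dev-A": {"alice"}, "dev-Z": {"alice", "bob", "carol"}},
    profiles={"alice": UserProfile(past_amounts=[20, 35, 40, 25, 30, 45, 50],
                                   known_payees={"grocer", "landlord"},
                                   usual_devices={"dev-A"})},
)
SAMPLE = [
    Transaction("alice", 30, "grocer", Session("cred-1", "dev-A")),                    # routine
    Transaction("alice", 1500, "mule-acct", Session("cred-1", "dev-Z")),               # new payee, shared device
    Transaction("alice", 20, "grocer", Session("cred-9f2a", "dev-A")),                 # stolen element
    Transaction("alice", 20, "grocer", Session("cred-1", "dev-A", ("overlay_detected",))),
    Transaction("alice", 29, "newshop", Session("cred-1", "dev-A")),                   # just under 30 EUR
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(tx.amount, tx.payee, assess(tx, CTX))
```

The point of the structure is that each factor contributes an explicit, logged reason: Article 3 requires the mechanism to be documented and audited, and a decision that records which factor fired is far easier to review than an opaque score. The per-user baseline in `amount_is_abnormal` is what makes factor (b) reflect "the circumstances of a normal use" of the credentials rather than a flat threshold.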

Article 3 Review of the security measures

1. The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the payment service provider by auditors with expertise in IT security and payments and operationally independent within or from the payment service provider.

2. The period between the audits referred to in paragraph 1 shall be determined taking into account the relevant accounting and statutory audit framework applicable to the payment service provider.

However, payment service providers that make use of the exemption referred to in Article 18 shall be subject to an audit of the methodology, the model and the reported fraud rates at a minimum on a yearly basis. The auditor performing this audit shall have expertise in IT security and payments and be operationally independent within or from the payment service provider. During the first year of making use of the exemption under Article 18 and at least every 3 years thereafter, or more frequently at the competent authority's request, this audit shall be carried out by an independent and qualified external auditor.

3. This audit shall present an evaluation and report on the compliance of the payment service provider's security measures with the requirements set out in this Regulation.

The entire report shall be made available to competent authorities upon their request.

CHAPTER II SECURITY MEASURES FOR THE APPLICATION OF STRONG CUSTOMER AUTHENTICATION

Article 4 Authentication code

Article 5 Dynamic linking

Article 6 Requirements of the elements categorised as knowledge

Article 7 Requirements of the elements categorised as possession

Article 8 Requirements of devices and software linked to elements categorised as inherence

Article 9 Independence of the elements

CHAPTER III EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION

Article 10 Access to the payment account information directly with the account servicing payment service provider

Article 10a Access to the payment account information through an account information service provider

Article 11 Contactless payments at point of sale

Article 12 Unattended terminals for transport fares and parking fees

Article 13 Trusted beneficiaries

Article 14 Recurring transactions

Article 15 Credit transfers between accounts held by the same natural or legal person

Article 16 Low-value transactions

Article 17 Secure corporate payment processes and protocols

Article 18 Transaction risk analysis

Article 19 Calculation of fraud rates

Article 20 Cessation of exemptions based on transaction risk analysis

Article 21 Monitoring

CHAPTER IV CONFIDENTIALITY AND INTEGRITY OF THE PAYMENT SERVICE USERS' PERSONALISED SECURITY CREDENTIALS

Article 22 General requirements

Article 23 Creation and transmission of credentials

Article 24 Association with the payment service user

Article 25 Delivery of credentials, authentication devices and software

Article 26 Renewal of personalised security credentials

Article 27 Destruction, deactivation and revocation

CHAPTER V COMMON AND SECURE OPEN STANDARDS OF COMMUNICATION

Section 1 General requirements for communication

Article 28 Requirements for identification

Article 29 Traceability

Section 2 Specific requirements for the common and secure open standards of communication

Article 30 General obligations for access interfaces

Article 31 Access interface options

Article 32 Obligations for a dedicated interface

Article 33 Contingency measures for a dedicated interface

Article 34 Certificates

Article 35 Security of communication session

Article 36 Data exchanges

CHAPTER VI FINAL PROVISIONS

Article 37 Review

Article 38 Entry into force

ANNEX