This document is an excerpt from the EUR-Lex website
Document 02018R0389-20230912
Consolidated text: Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance)
02018R0389 — EN — 12.09.2023 — 002.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
COMMISSION DELEGATED REGULATION (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (OJ L 069, 13.3.2018, p. 23)
Amended by:
Commission Delegated Regulation (EU) 2022/2360 of 3 August 2022 (OJ L 312, 5.12.2022, p. 1)
Commission Delegated Regulation (EU) 2023/1650 of 15 May 2023 (OJ L 208, 23.8.2023, p. 1)
COMMISSION DELEGATED REGULATION (EU) 2018/389
of 27 November 2017
supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication
(Text with EEA relevance)
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
This Regulation establishes the requirements to be complied with by payment service providers for the purpose of implementing security measures which enable them to do the following:
apply the procedure of strong customer authentication in accordance with Article 97 of Directive (EU) 2015/2366;
exempt the application of the security requirements of strong customer authentication, subject to specified and limited conditions based on the level of risk, the amount and the recurrence of the payment transaction and of the payment channel used for its execution;
protect the confidentiality and the integrity of the payment service user's personalised security credentials;
establish common and secure open standards for the communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers in relation to the provision and use of payment services in application of Title IV of Directive (EU) 2015/2366.
Article 2
General authentication requirements
Those mechanisms shall be based on the analysis of payment transactions taking into account elements which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials.
Payment service providers shall ensure that the transaction monitoring mechanisms take into account, at a minimum, each of the following risk-based factors:
lists of compromised or stolen authentication elements;
the amount of each payment transaction;
known fraud scenarios in the provision of payment services;
signs of malware infection in any sessions of the authentication procedure;
in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.
Article 3
Review of the security measures
However, payment service providers that make use of the exemption referred to in Article 18 shall be subject to an audit of the methodology, the model and the reported fraud rates at a minimum on a yearly basis. The auditor performing this audit shall have expertise in IT security and payments and be operationally independent within or from the payment service provider. During the first year of making use of the exemption under Article 18 and at least every 3 years thereafter, or more frequently at the competent authority's request, this audit shall be carried out by an independent and qualified external auditor.
The entire report shall be made available to competent authorities upon their request.
CHAPTER II
SECURITY MEASURES FOR THE APPLICATION OF STRONG CUSTOMER AUTHENTICATION
Article 4
Authentication code
The authentication code shall be only accepted once by the payment service provider when the payer uses the authentication code to access its payment account online, to initiate an electronic payment transaction or to carry out any action through a remote channel which may imply a risk of payment fraud or other abuses.
For the purpose of paragraph 1, payment service providers shall adopt security measures ensuring that each of the following requirements is met:
no information on any of the elements referred to in paragraph 1 can be derived from the disclosure of the authentication code;
it is not possible to generate a new authentication code based on the knowledge of any other authentication code previously generated;
the authentication code cannot be forged.
Payment service providers shall ensure that the authentication by means of generating an authentication code includes each of the following measures:
where the authentication for remote access, remote electronic payments and any other actions through a remote channel which may imply a risk of payment fraud or other abuses has failed to generate an authentication code for the purposes of paragraph 1, it shall not be possible to identify which of the elements referred to in that paragraph was incorrect;
the number of failed authentication attempts that can take place consecutively, after which the actions referred to in Article 97(1) of Directive (EU) 2015/2366 shall be temporarily or permanently blocked, shall not exceed five within a given period of time;
the communication sessions are protected against the capture of authentication data transmitted during the authentication and against manipulation by unauthorised parties in accordance with the requirements in Chapter V;
the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes.
The payer shall be alerted before the block is made permanent.
Where the block has been made permanent, a secure procedure shall be established allowing the payer to regain use of the blocked electronic payment instruments.
Article 5
Dynamic linking
Where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4 of this Regulation, they shall also adopt security measures that meet each of the following requirements:
the payer is made aware of the amount of the payment transaction and of the payee;
the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;
any change to the amount or the payee results in the invalidation of the authentication code generated.
For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:
the amount of the transaction and the payee throughout all of the phases of the authentication;
the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code.
For the purpose of paragraph 1(b) and where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366 the following requirements for the authentication code shall apply:
in relation to a card-based payment transaction for which the payer has given consent to the exact amount of the funds to be blocked pursuant to Article 75(1) of that Directive, the authentication code shall be specific to the amount that the payer has given consent to be blocked and agreed to by the payer when initiating the transaction;
in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees.
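Worked example, added here and not part of the Regulation or of the EUR-Lex page: a minimal issuer and verifier in Python showing how the requirements of Article 4 (single-use code, no information about which element failed, at most five consecutive failures, five-minute idle limit, alert before a permanent block) and Article 5(1) (code bound to amount and payee, invalid on any change) can be met with a keyed MAC over a fresh challenge, the amount and the payee. The PayerApp and Aspsp classes, the user, PIN, device key and payee string are constructed for illustration; the Regulation does not prescribe HMAC, PBKDF2 or any particular key storage, so those are the example's own choices.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Limits taken from Article 4(3)(b) and (d).
MAX_FAILED_ATTEMPTS = 5
IDLE_TIMEOUT_SECONDS = 5 * 60
# One fixed message for every failed attempt, so the response never reveals
# which element (PIN or device) was wrong (Article 4(3)(a)).
FAILURE = "authentication failed"


@dataclass
class Challenge:
    amount_cents: int
    payee: str
    used: bool = False


class PayerApp:
    """The payer's authentication app (possession element). Hypothetical; a real
    app would keep the device key in a secure execution environment (Article 9)."""

    def __init__(self, device_key: bytes) -> None:
        self._device_key = device_key

    def generate_code(self, challenge_id: str, amount_cents: int, payee: str) -> str:
        # The app shows amount and payee to the payer (Article 5(1)(a)); the code
        # is an HMAC over exactly those values plus a fresh challenge id, so it is
        # specific to them (Article 5(1)(b)) and, without the key, cannot be forged
        # or derived from earlier codes (Article 4(2)).
        msg = f"{challenge_id}|{amount_cents}|{payee}".encode()
        return hmac.new(self._device_key, msg, hashlib.sha256).hexdigest()[:16]


class Aspsp:
    """Account servicing PSP side: enrols users, issues challenges, verifies codes
    and blocks after repeated failure. In-memory state, for the example only."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, bytes]] = {}  # id -> (device_key, salt, pin_hash)
        self._challenges: dict[str, Challenge] = {}
        self._failures: dict[str, int] = {}
        self._blocked: set[str] = set()

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # The knowledge element is stored only as a salted hash (Article 22(2)(b)).
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, user_id: str, pin: str) -> bytes:
        device_key = secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        self._users[user_id] = (device_key, salt, self._hash_pin(pin, salt))
        return device_key  # delivered to the app out of band (Article 25)

    def start_payment(self, amount_cents: int, payee: str) -> str:
        challenge_id = secrets.token_hex(16)
        self._challenges[challenge_id] = Challenge(amount_cents, payee)
        return challenge_id

    def authorise(self, user_id: str, challenge_id: str, pin: str, code: str,
                  amount_cents: int, payee: str) -> tuple[bool, str]:
        if user_id in self._blocked:
            return False, "blocked"
        device_key, salt, pin_hash = self._users[user_id]
        ch = self._challenges.get(challenge_id)
        # Article 5(1)(c) and (d): the code is accepted only for the amount and
        # payee recorded when the challenge was issued; Article 4(1): only once.
        linked = (ch is not None and not ch.used
                  and (amount_cents, payee) == (ch.amount_cents, ch.payee))
        expected = PayerApp(device_key).generate_code(challenge_id, amount_cents, payee)
        code_ok = hmac.compare_digest(expected, code)
        pin_ok = hmac.compare_digest(self._hash_pin(pin, salt), pin_hash)
        if linked and code_ok and pin_ok:
            ch.used = True
            self._failures[user_id] = 0
            return True, "ok"
        failures = self._failures[user_id] = self._failures.get(user_id, 0) + 1
        if failures >= MAX_FAILED_ATTEMPTS:
            self._blocked.add(user_id)  # Article 4(3)(b)
            return False, "blocked"
        if failures == MAX_FAILED_ATTEMPTS - 1:
            return False, FAILURE + "; the next failure blocks the instrument"  # Article 4(4)
        return False, FAILURE


def session_still_active(last_activity: float, now: float) -> bool:
    """Article 4(3)(d): an authenticated online-account session idle for more
    than five minutes must be closed."""
    return now - last_activity <= IDLE_TIMEOUT_SECONDS


if __name__ == "__main__":
    bank = Aspsp()
    app = PayerApp(bank.enrol("alice", "4711"))  # constructed user and PIN
    payee = "DE89370400440532013000"              # constructed IBAN
    ch = bank.start_payment(12_050, payee)
    code = app.generate_code(ch, 12_050, payee)   # payer sees EUR 120,50 to payee
    print(bank.authorise("alice", ch, "4711", code, 12_050, payee))  # (True, 'ok')
    print(bank.authorise("alice", ch, "4711", code, 12_050, payee))  # replay: rejected
    print(bank.authorise("alice", ch, "4711", code, 99_999, payee))  # amount changed: rejected
```

Because the verifier recomputes the MAC from the amount and payee it recorded itself, a code produced for one transaction cannot be replayed for another, and a wrong PIN and a wrong code produce the same response until the fifth failure.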
Article 6
Requirements of the elements categorised as knowledge
Article 7
Requirements of the elements categorised as possession
Article 8
Requirements of devices and software linked to elements categorised as inherence
Article 9
Independence of the elements
For the purposes of paragraph 2, the mitigating measures shall include each of the following:
the use of separated secure execution environments through the software installed inside the multi-purpose device;
mechanisms to ensure that the software or device has not been altered by the payer or by a third party;
where alterations have taken place, mechanisms to mitigate the consequences thereof.
CHAPTER III
EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION
Article 10
Access to the payment account information directly with the account servicing payment service provider
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where a payment service user is accessing its payment account online directly, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
the balance of one or more designated payment accounts;
the payment transactions executed in the last 90 days through one or more designated payment accounts.
By way of derogation from paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where one of the following conditions is met:
the payment service user is accessing online the information specified in paragraph 1 for the first time;
more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 and strong customer authentication was applied.
Article 10a
Access to the payment account information through an account information service provider
Payment service providers shall not apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
the balance of one or more designated payment accounts;
the payment transactions executed in the last 90 days through one or more designated payment accounts.
By way of derogation from paragraph 1, payment service providers shall apply strong customer authentication where one of the following conditions is met:
the payment service user is accessing online the information specified in paragraph 1 for the first time through the account information service provider;
more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 through the account information service provider and strong customer authentication was applied.
Article 11
Contactless payments at point of sale
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met:
the individual amount of the contactless electronic payment transaction does not exceed EUR 50; and
the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or
the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.
Article 12
Unattended terminals for transport fares and parking fees
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates an electronic payment transaction at an unattended payment terminal for the purpose of paying a transport fare or a parking fee.
Article 13
Trusted beneficiaries
Article 14
Recurring transactions
Article 15
Credit transfers between accounts held by the same natural or legal person
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a credit transfer in circumstances where the payer and the payee are the same natural or legal person and both payment accounts are held by the same account servicing payment service provider.
Article 16
Low-value transactions
Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:
the amount of the remote electronic payment transaction does not exceed EUR 30; and
the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or
the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed five consecutive individual remote electronic payment transactions.
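Worked example, added here and not part of the Regulation: the counter logic behind Articles 11 and 16 in Python. Both articles have the same shape: a per-transaction cap in point (a) that always applies, and then either a cumulative-amount cap (point (b)) or a consecutive-count cap (point (c)), both measured since the last application of strong customer authentication and reset when it is applied. The class names are the example's own; so is the choice to count the transaction being assessed towards the cap, which is a stricter reading than the text's "previous ... transactions" and is marked as such in the code.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    per_transaction_cents: int  # point (a)
    cumulative_cents: int       # point (b)
    max_count: int              # point (c)


# Thresholds from Article 11 (contactless at point of sale) and Article 16
# (low-value remote transactions), in euro cents.
CONTACTLESS_POS = Limits(50_00, 150_00, 5)
LOW_VALUE_REMOTE = Limits(30_00, 100_00, 5)


@dataclass
class Counters:
    """Running totals for one payment instrument (Article 11) or one payer
    (Article 16) since strong customer authentication was last applied."""
    cumulative_cents: int = 0
    count: int = 0


class ExemptionPolicy:
    """Decides whether SCA may be skipped and maintains the counters.

    The text joins points (b) and (c) with 'or'; this example assumes the PSP
    picks one of the two limits and applies it consistently, selected by
    use_count_limit. Assumption of the example: the transaction being assessed
    is included in the sum/count, which is stricter than a literal reading of
    'previous' transactions and therefore never exempts more than the text allows.
    """

    def __init__(self, limits: Limits, use_count_limit: bool = False) -> None:
        self.limits = limits
        self.use_count_limit = use_count_limit

    def may_exempt(self, c: Counters, amount_cents: int) -> bool:
        if amount_cents > self.limits.per_transaction_cents:
            return False  # point (a) always applies
        if self.use_count_limit:
            return c.count + 1 <= self.limits.max_count  # point (c)
        return c.cumulative_cents + amount_cents <= self.limits.cumulative_cents  # point (b)

    def record(self, c: Counters, amount_cents: int, sca_applied: bool) -> None:
        """Update the counters once the transaction has been executed."""
        if sca_applied:
            c.cumulative_cents, c.count = 0, 0  # both limits run from the last SCA
        else:
            c.cumulative_cents += amount_cents
            c.count += 1

    def process(self, c: Counters, amount_cents: int) -> bool:
        """Assess one transaction; returns True when SCA had to be applied."""
        exempt = self.may_exempt(c, amount_cents)
        self.record(c, amount_cents, sca_applied=not exempt)
        return not exempt


if __name__ == "__main__":
    # Constructed sequence of contactless purchases on one card.
    policy = ExemptionPolicy(CONTACTLESS_POS)
    card = Counters()
    for cents in (60_00, 40_00, 40_00, 40_00, 40_00):
        print(cents / 100, "EUR ->", "SCA" if policy.process(card, cents) else "exempt")
```

The first purchase exceeds EUR 50 and needs SCA regardless of the counters; the next three (EUR 120 in total) are exempt; the fourth would push the cumulative amount to EUR 160 and so triggers SCA and resets the counters.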
Article 17
Secure corporate payment processes and protocols
Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by Directive (EU) 2015/2366.
Article 18
Transaction risk analysis
An electronic payment transaction referred to in paragraph 1 shall be considered as posing a low level of risk where all the following conditions are met:
the fraud rate for that type of transaction, reported by the payment service provider and calculated in accordance with Article 19, is equivalent to or below the reference fraud rates specified in the table set out in the Annex for ‘remote electronic card-based payments’ and ‘remote electronic credit transfers’ respectively;
the amount of the transaction does not exceed the relevant exemption threshold value (‘ETV’) specified in the table set out in the Annex;
payment service providers as a result of performing a real time risk analysis have not identified any of the following:
abnormal spending or behavioural pattern of the payer;
unusual information about the payer's device/software access;
malware infection in any session of the authentication procedure;
known fraud scenario in the provision of payment services;
abnormal location of the payer;
high-risk location of the payee.
Payment service providers that intend to exempt electronic remote payment transactions from strong customer authentication on the ground that they pose a low risk shall take into account at a minimum, the following risk-based factors:
the previous spending patterns of the individual payment service user;
the payment transaction history of each of the payment service provider's payment service users;
the location of the payer and of the payee at the time of the payment transaction in cases where the access device or the software is provided by the payment service provider;
the identification of abnormal payment patterns of the payment service user in relation to the user's payment transaction history.
The assessment made by a payment service provider shall combine all those risk-based factors into a risk scoring for each individual transaction to determine whether a specific payment should be allowed without strong customer authentication.
Article 19
Calculation of fraud rates
The overall fraud rate for each type of transaction shall be calculated as the total value of unauthorised or fraudulent remote transactions, whether the funds have been recovered or not, divided by the total value of all remote transactions for the same type of transactions, whether authenticated with the application of strong customer authentication or executed under any exemption referred to in Articles 13 to 18 on a rolling quarterly basis (90 days).
Article 20
Cessation of exemptions based on transaction risk analysis
Article 21
Monitoring
In order to make use of the exemptions set out in Articles 10 to 18, payment service providers shall record and monitor the following data for each type of payment transactions, with a breakdown for both remote and non-remote payment transactions, at least on a quarterly basis:
the total value of unauthorised or fraudulent payment transactions in accordance with Article 64(2) of Directive (EU) 2015/2366, the total value of all payment transactions and the resulting fraud rate, including a breakdown of payment transactions initiated through strong customer authentication and under each of the exemptions;
the average transaction value, including a breakdown of payment transactions initiated through strong customer authentication and under each of the exemptions;
the number of payment transactions where each of the exemptions was applied and their percentage in respect of the total number of payment transactions.
CHAPTER IV
CONFIDENTIALITY AND INTEGRITY OF THE PAYMENT SERVICE USERS' PERSONALISED SECURITY CREDENTIALS
Article 22
General requirements
For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:
personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication;
personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plain text;
secret cryptographic material is protected from unauthorised disclosure.
Article 23
Creation and transmission of credentials
Payment service providers shall ensure that the creation of personalised security credentials is performed in a secure environment.
They shall mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software following their loss, theft or copying before their delivery to the payer.
Article 24
Association with the payment service user
For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:
the association of the payment service user's identity with personalised security credentials, authentication devices and software is carried out in secure environments under the payment service provider's responsibility comprising at least the payment service provider's premises, the internet environment provided by the payment service provider or other similar secure websites used by the payment service provider and its automated teller machine services, and taking into account risks associated with devices and underlying components used during the association process that are not under the responsibility of the payment service provider;
the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.
Article 25
Delivery of credentials, authentication devices and software
For the purpose of paragraph 1, payment service providers shall at least apply each of the following measures:
effective and secure delivery mechanisms ensuring that the personalised security credentials, authentication devices and software are delivered to the legitimate payment service user;
mechanisms that allow the payment service provider to verify the authenticity of the authentication software delivered to the payment services user by means of the internet;
arrangements ensuring that, where the delivery of personalised security credentials is executed outside the premises of the payment service provider or through a remote channel:
no unauthorised party can obtain more than one feature of the personalised security credentials, the authentication devices or software when delivered through the same channel;
the delivered personalised security credentials, authentication devices or software require activation before usage;
arrangements ensuring that, in cases where the personalised security credentials, the authentication devices or software have to be activated before their first use, the activation shall take place in a secure environment in accordance with the association procedures referred to in Article 24.
Article 26
Renewal of personalised security credentials
Payment service providers shall ensure that the renewal or re-activation of personalised security credentials adhere to the procedures for the creation, association and delivery of the credentials and of the authentication devices in accordance with Articles 23, 24 and 25.
Article 27
Destruction, deactivation and revocation
Payment service providers shall ensure that they have effective processes in place to apply each of the following security measures:
the secure destruction, deactivation or revocation of the personalised security credentials, authentication devices and software;
where the payment service provider distributes reusable authentication devices and software, the secure re-use of a device or software is established, documented and implemented before making it available to another payment services user;
the deactivation or revocation of information related to personalised security credentials stored in the payment service provider's systems and databases and, where relevant, in public repositories.
CHAPTER V
COMMON AND SECURE OPEN STANDARDS OF COMMUNICATION
Article 28
Requirements for identification
Article 29
Traceability
For the purpose of paragraph 1, payment service providers shall ensure that any communication session established with the payment services user, other payment service providers and other entities, including merchants, relies on each of the following:
a unique identifier of the session;
security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;
timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.
Article 30
General obligations for access interfaces
Account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements:
account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments are able to identify themselves towards the account servicing payment service provider;
account information service providers are able to communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions;
payment initiation service providers are able to communicate securely to initiate a payment order from the payer's payment account and receive all information on the initiation of the payment transaction and all information accessible to the account servicing payment service providers regarding the execution of the payment transaction.
The interface shall at least meet all of the following requirements:
a payment initiation service provider or an account information service provider shall be able to instruct the account servicing payment service provider to start the authentication based on the consent of the payment service user;
communication sessions between the account servicing payment service provider, the account information service provider, the payment initiation service provider and any payment service user concerned shall be established and maintained throughout the authentication;
the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the payment initiation service provider or the account information service provider shall be ensured.
Account servicing payment service providers shall also ensure that the technical specification of any of the interfaces is documented specifying a set of routines, protocols, and tools needed by payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments for allowing their software and applications to interoperate with the systems of the account servicing payment service providers.
Account servicing payment service providers shall at a minimum, and no less than 6 months before the application date referred to in Article 38(2), or before the target date for the market launch of the access interface when the launch takes place after the date referred to in Article 38(2), make the documentation available, at no charge, upon request by authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments or payment service providers that have applied to their competent authorities for the relevant authorisation, and shall make a summary of the documentation publicly available on their website.
Payment service providers shall document emergency situations where changes were implemented and make the documentation available to competent authorities on request.
However, no sensitive information shall be shared through the testing facility.
Article 31
Access interface options
Account servicing payment service providers shall establish the interface(s) referred to in Article 30 by means of a dedicated interface or by allowing the use by the payment service providers referred to in Article 30(1) of the interfaces used for authentication and communication with the account servicing payment service provider's payment services users.
Article 32
Obligations for a dedicated interface
Article 33
Contingency measures for a dedicated interface
For this purpose, account servicing payment service providers shall ensure that the payment service providers referred to in Article 30(1) can be identified and can rely on the authentication procedures provided by the account servicing payment service provider to the payment service user. Where the payment service providers referred to in Article 30(1) make use of the interface referred to in paragraph 4 they shall:
take the necessary measures to ensure that they do not access, store or process data for purposes other than for the provision of the service as requested by the payment service user;
continue to comply with the obligations following from Article 66(3) and Article 67(2) of Directive (EU) 2015/2366 respectively;
log the data that are accessed through the interface operated by the account servicing payment service provider for its payment service users, and provide, upon request and without undue delay, the log files to their competent national authority;
duly justify to their competent national authority, upon request and without undue delay, the use of the interface made available to the payment service users for directly accessing its payment account online;
inform the account servicing payment service provider accordingly.
Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism described under paragraph 4 where the dedicated interface meets all of the following conditions:
it complies with all the obligations for dedicated interfaces as set out in Article 32;
it has been designed and tested in accordance with Article 30(5) to the satisfaction of the payment service providers referred to therein;
it has been widely used for at least 3 months by payment service providers to offer account information services, payment initiation services and to provide confirmation on the availability of funds for card-based payments;
any problem related to the dedicated interface has been resolved without undue delay.
Article 34
Certificates
For the purposes of this Regulation, qualified certificates for electronic seals or for website authentication referred to in paragraph 1 shall include, in a language customary in the sphere of international finance, additional specific attributes in relation to each of the following:
the role of the payment service provider, which may be one or more of the following:
account servicing;
payment initiation;
account information;
issuing of card-based payment instruments;
the name of the competent authorities where the payment service provider is registered.
Article 35
Security of communication session
Data exchanged between account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments and the account servicing payment service provider shall contain unambiguous references to each of the following items:
the payment service user or users and the corresponding communication session in order to distinguish several requests from the same payment service user or users;
for payment initiation services, the uniquely identified payment transaction initiated;
for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the card-based payment transaction.
In case of loss of confidentiality of personalised security credentials under their sphere of competence, those providers shall inform without undue delay the payment services user associated with them and the issuer of the personalised security credentials.
Article 36
Data exchanges
Account servicing payment service providers shall comply with each of the following requirements:
they shall provide account information service providers with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly requesting access to the account information, provided that this information does not include sensitive payment data;
they shall, immediately after receipt of the payment order, provide payment initiation service providers with the same information on the initiation and execution of the payment transaction provided or made available to the payment service user when the transaction is initiated directly by the latter;
they shall, upon request, immediately provide payment service providers with a confirmation in a simple ‘yes’ or ‘no’ format, whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer.
Where the account servicing payment service provider offers a dedicated interface in accordance with Article 32, the interface shall provide for notification messages concerning unexpected events or errors to be communicated by any payment service provider that detects the event or error to the other payment service providers participating in the communication session.
Account information service providers shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers for the purposes of performing the account information service in either of the following circumstances:
whenever the payment service user is actively requesting such information;
where the payment service user does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user's consent.
CHAPTER VI
FINAL PROVISIONS
Article 37
Review
Without prejudice to Article 98(5) of Directive (EU) 2015/2366, EBA shall review by 14 March 2021 the fraud rates referred to in the Annex to this Regulation as well as the exemptions granted under Article 33(6) in relation to dedicated interfaces and, if appropriate, submit draft updates thereto to the Commission in accordance with Article 10 of Regulation (EU) No 1093/2010.
Article 38
Entry into force
This Regulation shall be binding in its entirety and directly applicable in all Member States.
ANNEX
Exemption threshold value (ETV) and reference fraud rate (%) per type of transaction:

ETV     | Remote electronic card-based payments | Remote electronic credit transfers
EUR 500 | 0,01                                  | 0,005
EUR 250 | 0,06                                  | 0,01
EUR 100 | 0,13                                  | 0,015
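Worked example, added here and not part of the Regulation: Python that computes the Article 19 fraud rate over a rolling 90-day window (value of unauthorised or fraudulent remote transactions, recovered or not, divided by the value of all remote transactions of that type, whether authenticated with SCA or executed under an exemption), reads the Annex table above to find the highest exemption threshold value the provider qualifies for, and checks points (a) and (b) of Article 18(2) for a transaction amount. The sample transactions, the type labels "card" and "credit_transfer" and the function names are constructed for the example; the real-time risk indicators of Article 18(2)(c) and the factors of Article 18(3) are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Annex table: (ETV in euro cents, reference fraud rate in %), highest ETV first.
REFERENCE_FRAUD_RATES = {
    "card": [(500_00, 0.01), (250_00, 0.06), (100_00, 0.13)],
    "credit_transfer": [(500_00, 0.005), (250_00, 0.01), (100_00, 0.015)],
}
ROLLING_WINDOW_DAYS = 90  # Article 19(1): rolling quarterly basis


@dataclass(frozen=True)
class RemoteTransaction:
    booked: date
    tx_type: str        # "card" or "credit_transfer" (labels chosen for the example)
    amount_cents: int
    fraudulent: bool    # unauthorised or fraudulent, whether or not funds were recovered


def fraud_rate_percent(txs: list[RemoteTransaction], tx_type: str, as_of: date) -> float:
    """Article 19(1): fraudulent value / total value of remote transactions of
    one type over the last 90 days, as a percentage. Every remote transaction
    counts, with or without SCA."""
    start = as_of - timedelta(days=ROLLING_WINDOW_DAYS)
    window = [t for t in txs if t.tx_type == tx_type and start < t.booked <= as_of]
    total = sum(t.amount_cents for t in window)
    if total == 0:
        return 0.0
    fraud = sum(t.amount_cents for t in window if t.fraudulent)
    return 100.0 * fraud / total


def exemption_threshold_cents(rate_percent: float, tx_type: str) -> int:
    """Highest ETV in the Annex whose reference rate the provider's fraud rate
    does not exceed (Article 18(2)(a)); 0 when the rate is above every row."""
    for etv, reference in REFERENCE_FRAUD_RATES[tx_type]:
        if rate_percent <= reference:
            return etv
    return 0


def tra_amount_conditions_met(txs: list[RemoteTransaction], tx_type: str,
                              amount_cents: int, as_of: date) -> bool:
    """Points (a) and (b) of Article 18(2) only; point (c) is a separate check."""
    etv = exemption_threshold_cents(fraud_rate_percent(txs, tx_type, as_of), tx_type)
    return 0 < etv and amount_cents <= etv


SAMPLE_AS_OF = date(2023, 9, 12)


def sample_transactions(as_of: date) -> list[RemoteTransaction]:
    """Constructed data: 80 genuine card payments of EUR 100 inside the window,
    one EUR 2 card fraud inside it, one large card fraud 100 days back (outside
    the window) and ten genuine credit transfers."""
    txs = [RemoteTransaction(as_of - timedelta(days=i), "card", 100_00, False)
           for i in range(1, 81)]
    txs.append(RemoteTransaction(as_of - timedelta(days=10), "card", 2_00, True))
    txs.append(RemoteTransaction(as_of - timedelta(days=100), "card", 1_000_00, True))
    txs += [RemoteTransaction(as_of - timedelta(days=i), "credit_transfer", 500_00, False)
            for i in range(1, 11)]
    return txs


if __name__ == "__main__":
    txs = sample_transactions(SAMPLE_AS_OF)
    for kind in ("card", "credit_transfer"):
        rate = fraud_rate_percent(txs, kind, SAMPLE_AS_OF)
        etv = exemption_threshold_cents(rate, kind)
        print(f"{kind}: fraud rate {rate:.4f}% -> ETV EUR {etv / 100:.0f}")
    print(tra_amount_conditions_met(txs, "card", 200_00, SAMPLE_AS_OF))  # EUR 200 <= ETV
    print(tra_amount_conditions_met(txs, "card", 300_00, SAMPLE_AS_OF))  # EUR 300 > ETV
```

With the constructed data the card fraud rate is EUR 2 out of EUR 8 002, about 0,025 %, which is above the 0,01 % row but within the 0,06 % row, so the provider may use transaction risk analysis for card payments up to EUR 250; the old fraud 100 days back does not count because it falls outside the rolling window.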