icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) (Text with EEA relevance)RecitalsChapter I General provisions (arts. 1-3)Article 1 Subject matterArticle 2 General authentication requirementsArticle 3 Review of the security measuresChapter II Security measures for the application of strong customer authentication (arts. 4-9)Article 4 Authentication codeArticle 5 Dynamic linkingArticle 6 Requirements of the elements categorised as knowledgeArticle 7 Requirements of the elements categorised as possessionArticle 8 Requirements of devices and software linked to elements categorised as inherenceArticle 9 Independence of the elementsChapter III Exemptions from strong customer authentication (arts. 10-21)Article 10 Access to the payment account information directly with the account servicing payment service providerArticle 10a Access to the payment account information through an account information service providerArticle 11 Contactless payments at point of saleArticle 12 Unattended terminals for transport fares and parking feesArticle 13 Trusted beneficiariesArticle 14 Recurring transactionsArticle 15 Credit transfers between accounts held by the same natural or legal personArticle 16 Low-value transactionsArticle 17 Secure corporate payment processes and protocolsArticle 18 Transaction risk analysisArticle 19 Calculation of fraud ratesArticle 20 Cessation of exemptions based on transaction risk analysisArticle 21 MonitoringChapter IV Confidentiality and integrity of the payment service users' personalised security credentials (arts. 22-27)Article 22 General requirementsArticle 23 Creation and transmission of credentialsArticle 24 Association with the payment service userArticle 25 Delivery of credentials, authentication devices and softwareArticle 26 Renewal of personalised security credentialsArticle 27 Destruction, deactivation and revocationChapter V Common and secure open standards of communication (arts. 28-36)Section 1 General requirements f or communication (arts. 28-29)Article 28 Requirements for identificationArticle 29 TraceabilitySection 2 Specific requirements for the common and secure open standards of communication (arts. 30-36)Article 30 General obligations for access interfacesArticle 31 Access interface optionsArticle 32 Obligations for a dedicated interfaceArticle 33 Contingency measures for a dedicated interfaceArticle 34 CertificatesArticle 35 Security of communication sessionArticle 36 Data exchangesChapter VI Final provisions (arts. 37-38)Article 37 ReviewArticle 38 Entry into forceAnnexDone at
Related
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Coming soon: Any documents - Any document vs Another document at any date
Print / Export options
Whole document
Selected pages
Consolidated PDF of the entire document as of 25th January 2025
Original PDF
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This document
Manage bookmarks
Search within this document
View previous searches
Share
Original source link (1)
Original source link (2)
Get page link
Share via email application
Next
Version status: Applicable | Document consolidation status: Updated to reflect all known changes
Published date: 13 March 2018

Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) (Text with EEA relevance)

Recitals
Chapter I General provisions (arts. 1-3)
Article 1 Subject matter
Article 2 General authentication requirements
Article 3 Review of the security measures
Chapter II Security measures for the application of strong customer authentication (arts. 4-9)
Article 4 Authentication code
Article 5 Dynamic linking
Article 6 Requirements of the elements categorised as knowledge
Article 7 Requirements of the elements categorised as possession
Article 8 Requirements of devices and software linked to elements categorised as inherence
Article 9 Independence of the elements
Chapter III Exemptions from strong customer authentication (arts. 10-21)
Article 10 Access to the payment account information directly with the account servicing payment service provider
Article 10a Access to the payment account information through an account information service provider
Article 11 Contactless payments at point of sale
Article 12 Unattended terminals for transport fares and parking fees
Article 13 Trusted beneficiaries
Article 14 Recurring transactions
Article 15 Credit transfers between accounts held by the same natural or legal person
Article 16 Low-value transactions
Article 17 Secure corporate payment processes and protocols
Article 18 Transaction risk analysis
Article 19 Calculation of fraud rates
Article 20 Cessation of exemptions based on transaction risk analysis
Article 21 Monitoring
Chapter IV Confidentiality and integrity of the payment service users' personalised security credentials (arts. 22-27)
Article 22 General requirements
Article 23 Creation and transmission of credentials
Article 24 Association with the payment service user
Article 25 Delivery of credentials, authentication devices and software
Article 26 Renewal of personalised security credentials
Article 27 Destruction, deactivation and revocation
Chapter V Common and secure open standards of communication (arts. 28-36)
Section 1 General requirements f or communication (arts. 28-29)
Article 28 Requirements for identification
Article 29 Traceability
Section 2 Specific requirements for the common and secure open standards of communication (arts. 30-36)
Article 30 General obligations for access interfaces
Article 31 Access interface options
Article 32 Obligations for a dedicated interface
Article 33 Contingency measures for a dedicated interface
Article 34 Certificates
Article 35 Security of communication session
Article 36 Data exchanges
Chapter VI Final provisions (arts. 37-38)
Article 37 Review
Article 38 Entry into force
Annex
Done at
Next