Version status: Applicable | Document consolidation status: Updated to reflect all known changes
Version date: 14 September 2019 - onwards
  Version 3 of 3    

Article 4 Authentication code

1. Where payment service providers apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366, the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code.

The authentication code shall be only accepted once by the payment service provider when the payer uses the authentication code to access its payment account online, to initiate an electronic payment transaction or to carry out any action through a remote channel which may imply a risk of payment fraud or other abuses.

2. For the purpose of paragraph 1, payment service providers shall adopt security measures ensuring that each of the following requirements is met:

(a) no information on any of the elements referred to in paragraph 1 can be derived from the disclosure of the authentication code;

(b) it is not possible to generate a new authentication code based on the knowledge
