1. European
  2. Legislation (EU)
  3. EU Regulations
  4. 2018
Date-stamp loading
  1. Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) (Text with EEA relevance)
  2. Chapter IV Confidentiality and integrity of the payment service users' personalised security credentials (arts. 22-27)
  3. Article 22 General requirements
Previous Next
Version status: Applicable | Document consolidation status: Updated to reflect all known changes
Version date: 14 September 2019 - onwards
  Version 3 of 3    

Article 22 General requirements

1. Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication.

2. For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:

(a) personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication;

(b) personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plain text;

(c) secret cryptographic material is protected from unauthorised disclosure.

3. Payment service providers shall fully document the process related to the management of cryptographic material used to encrypt or otherwise render unreadable the personalised security credentials.

4. Payment service provi

Comparing proposed amendment...
Previous Next