1. Payment service providers shall not apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.
2. By way of derogation from paragraph 1, payment service providers shall apply strong customer authentication where one of the following conditions is met:
(a) the payment service user is accessing online the information specified in paragraph 1 for the first time through the account information service provider;
(b) more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 through the account information service provider and strong customer a
…