• OB-2.2 Standards for Authentication and Communication

    • Secure authentication

      • OB-2.2.1

        AISPs and PISPs must have in place a 2-factor authentication process to prevent unauthorised access.

        (a) [This sub-paragraph was deleted in July 2021];
        (b) [This sub-paragraph was deleted in July 2021];
        (c) [This sub-paragraph was deleted in July 2021].
        Amended: July 2021
        Added: December 2018

      • OB-2.2.2

        [This Paragraph was deleted in July 2021].

        Deleted: July 2021
        Added: December 2018

      • OB-2.2.3

        [This Paragraph was deleted in July 2021].

        (a) [This sub-paragraph was deleted in July 2021];
        (b) [This sub-paragraph was deleted in July 2021];
        (c) [This sub-paragraph was deleted in July 2021];
        (d) [This sub-paragraph was deleted in July 2021].
        Deleted: July 2021
        Added: December 2018

    • Independence of elements of strong authentication

      • OB-2.2.4

        [This Paragraph was deleted in July 2021].

        (a) [This sub-paragraph was deleted in July 2021];
        (b) [This sub-paragraph was deleted in July 2021];
        (c) [This sub-paragraph was deleted in July 2021].
        Deleted: July 2021
        Added: December 2018

      • OB-2.2.5

        [This Paragraph was deleted in July 2021].

        Deleted: July 2021
        Added: December 2018

      • OB-2.2.6

        [This Paragraph was deleted in July 2021].

        (a) [This sub-paragraph was deleted in July 2021];
        (b) [This sub-paragraph was deleted in July 2021].
        Deleted: July 2021
        Added: December 2018

    • Confidentiality and Integrity of Personalised Security Credentials

      • OB-2.2.7

        AISPs and PISPs must ensure that the creation of personalised security credentials is performed in a secure environment. AISPs and PISPs must mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.

        Added: December 2018

      • OB-2.2.8

        AISPs and PISPs must ensure the confidentiality and integrity of the personalised security credentials of the customer, including authentication codes, during all phases of authentication including display and transmission.

        Added: December 2018

      • OB-2.2.9

        For the purpose of Paragraph OB-2.2.8, AISPs and PISPs must ensure that each of the following requirements is met:

        (a) personalised security credentials are masked when displayed and not readable in their full extent when input by the customer during the authentication;
        (b) personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plaintext;
        (c) secret cryptographic material is protected from unauthorised disclosure.
        Added: December 2018
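One way to meet the three requirements of OB-2.2.9 in code, as an added example that is not part of the rulebook and not any licensee's implementation: the credential is masked for display (a), only a salted PBKDF2 digest keyed with a server-side pepper is persisted rather than the plaintext (b), and the pepper is loaded from a protected source outside both the source code and the credential store (c). The function names, the `CREDENTIAL_PEPPER` variable name and the PBKDF2 parameters are this example's own assumptions.

```python
# Added example (not Central Bank of Bahrain rulebook code): one way to meet
# OB-2.2.9 (a) masking, (b) no plaintext credential storage and (c) protection
# of secret key material. Function names, the env-var name and the PBKDF2
# parameters are this example's own assumptions.
import hashlib
import hmac
import json
import secrets
from typing import Mapping

PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def mask_credential(value: str, visible: int = 2) -> str:
    """(a) Display form of a credential: at most the last `visible` characters
    are shown, so the value is never readable in full."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


def load_pepper(env: Mapping[str, str]) -> bytes:
    """(c) Secret key material comes from a protected source (here an environment
    variable injected by the deployment), never from source code or from the
    credential store it protects."""
    raw = env.get("CREDENTIAL_PEPPER")
    if not raw:
        raise RuntimeError("CREDENTIAL_PEPPER is not configured")
    pepper = bytes.fromhex(raw)
    if len(pepper) < 32:
        raise RuntimeError("CREDENTIAL_PEPPER must be at least 32 bytes")
    return pepper


def store_credential(secret: str, pepper: bytes, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """(b) Build the record to persist: a random salt plus a PBKDF2 digest that is
    then keyed with the pepper. The plaintext secret is not part of the record."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    tag = hmac.new(pepper, digest, "sha256").digest()
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": iterations,
            "salt": salt.hex(), "tag": tag.hex()}


def verify_credential(record: dict, candidate: str, pepper: bytes) -> bool:
    """Recompute the keyed digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    tag = hmac.new(pepper, digest, "sha256").digest()
    return hmac.compare_digest(tag, bytes.fromhex(record["tag"]))


def record_leaks_plaintext(record: dict, secret: str) -> bool:
    """Check for (b): the serialised record must not contain the secret."""
    return secret in json.dumps(record)


if __name__ == "__main__":
    # Constructed demo values; a real deployment injects the pepper out of band.
    pepper = load_pepper({"CREDENTIAL_PEPPER": secrets.token_hex(32)})
    record = store_credential("Tr0ub4dor&3", pepper)
    print(mask_credential("Tr0ub4dor&3"),
          verify_credential(record, "Tr0ub4dor&3", pepper),
          record_leaks_plaintext(record, "Tr0ub4dor&3"))
```

A database dump of these records yields salts and HMAC tags only; without the pepper held elsewhere the digests cannot even be brute-forced offline, which is the practical meaning of (b) and (c) together.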

      • OB-2.2.10

        PISPs and AISPs must ensure that only the customer is associated with the personalised security credentials, with the authentication devices and the software in a secure manner.

        Added: December 2018

    • Security of Communication Sessions

      • OB-2.2.11

        AISPs and PISPs must ensure that any communication session established with the customer, and other entities, including merchants, relies on each of the following:

        (a) a unique identifier of the session;
        (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
        (c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.
        Added: December 2018

      • OB-2.2.12

        AISPs and PISPs must rely on qualified certificates for electronic seals for the identification of the different parties in communications between them.

        Added: December 2018

      • OB-2.2.13

        AISPs and PISPs must ensure that the risks against misdirection of communication to unauthorised parties in mobile applications and other customers' interfaces offering electronic payment services are effectively mitigated.

        Added: December 2018

      • OB-2.2.14

        AISPs and PISPs must ensure that, when exchanging data via the internet, secure encryption, using strong and widely recognised encryption techniques, is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data.

        Added: December 2018

      • OB-2.2.15

        AISPs and PISPs must keep the access sessions offered by the licensee maintaining the customer account as short as possible, and must actively terminate the session with the relevant licensee maintaining the customer account as soon as the requested action has been completed.

        Added: December 2018

      • OB-2.2.16

        When maintaining parallel network sessions with bank licensees, AISPs and PISPs must ensure that those sessions are securely linked to the relevant sessions established with the customer, in order to prevent the possibility that any message or information communicated between them could be misrouted.

        Added: December 2018

      • OB-2.2.17

        AISPs and PISPs, when communicating with the licensee maintaining customer accounts, must include an unambiguous reference to each of the following items:

        (a) the customer or users and the corresponding communication session in order to distinguish several requests from the same customer or users;
        (b) for payment initiation services, the uniquely identified payment transaction initiated;
        (c) for confirmation of the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.
        Added: December 2018
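OB-2.2.11 and OB-2.2.15 to OB-2.2.17 together describe one mechanism: every session gets a unique identifier and timestamped log, a parallel session with the account-holding licensee is bound to the customer session it serves, every message carries an unambiguous customer, session and transaction reference, and the session is closed the moment the requested action completes. The ledger below is an added example, not rulebook text and not any licensee's code, that enforces all of those rules in one place for a payment initiation. Field names, the `initiate_payment` flow and the rejection messages are this example's assumptions; timestamps are taken in UTC and the host clock is assumed to be synchronised by NTP, which is how the "official time signal" of OB-2.2.11 (c) reaches an application in practice.

```python
# Added example (not rulebook code): a session ledger enforcing the OB-2.2.11
# identifier and timestamp rules, the OB-2.2.15 termination rule, the
# OB-2.2.16 linkage of a bank-side session to its customer session, and the
# OB-2.2.17 references every message must carry. Field names and the flow are
# this example's assumptions; the host clock is assumed NTP-synchronised.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# OB-2.2.17 (a) and (b): references a payment initiation message must carry.
REQUIRED_REFERENCES = ("customer_id", "session_id", "payment_id")


def utc_timestamp() -> str:
    """OB-2.2.11 (c): one time reference (UTC) for every record."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds")


@dataclass
class Session:
    session_id: str
    customer_id: str
    linked_to: Optional[str] = None        # bank-side session: the customer session it serves
    opened_at: str = field(default_factory=utc_timestamp)
    closed_at: Optional[str] = None
    log: List[dict] = field(default_factory=list)

    @property
    def is_open(self) -> bool:
        return self.closed_at is None


class SessionLedger:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def open_customer_session(self, customer_id: str) -> Session:
        """OB-2.2.11 (a): a fresh, unguessable identifier per session."""
        s = Session(session_id=secrets.token_urlsafe(24), customer_id=customer_id)
        self._sessions[s.session_id] = s
        return s

    def open_bank_session(self, customer_session_id: str) -> Session:
        """OB-2.2.16: the parallel session with the account-holding licensee is
        bound to the customer session it serves, so misrouting is detectable."""
        parent = self._sessions[customer_session_id]
        if not parent.is_open:
            raise ValueError("customer session is already closed")
        s = Session(session_id=secrets.token_urlsafe(24),
                    customer_id=parent.customer_id, linked_to=parent.session_id)
        self._sessions[s.session_id] = s
        return s

    def log_message(self, session_id: str, direction: str, message: dict) -> dict:
        """OB-2.2.11 (b) and OB-2.2.17: reject a message that lacks a reference or
        belongs to another customer or an unlinked session, then record it."""
        s = self._sessions[session_id]
        if not s.is_open:
            raise ValueError("session is closed")
        missing = [k for k in REQUIRED_REFERENCES if k not in message]
        if missing:
            raise ValueError(f"message lacks unambiguous reference(s): {missing}")
        if message["customer_id"] != s.customer_id:
            raise ValueError("message belongs to another customer: possible misrouting")
        if message["session_id"] not in (s.session_id, s.linked_to):
            raise ValueError("message references a session not linked to this one")
        entry = {"ts": utc_timestamp(), "on_session": session_id,
                 "direction": direction, **message}
        s.log.append(entry)
        return entry

    def close(self, session_id: str) -> Session:
        """OB-2.2.15: terminate as soon as the requested action completes; closing
        a customer session also closes every bank session linked to it."""
        s = self._sessions[session_id]
        s.closed_at = utc_timestamp()
        for other in self._sessions.values():
            if other.linked_to == session_id and other.is_open:
                other.closed_at = s.closed_at
        return s


def initiate_payment(ledger: SessionLedger, customer_id: str,
                     payment_id: str, amount: str) -> Session:
    """Worked flow: open the customer session and a linked bank session, send the
    initiation, and close both the moment the request is done."""
    cust = ledger.open_customer_session(customer_id)
    bank = ledger.open_bank_session(cust.session_id)
    ledger.log_message(bank.session_id, "out", {
        "customer_id": customer_id, "session_id": cust.session_id,
        "payment_id": payment_id, "amount": amount})
    ledger.close(cust.session_id)
    return bank
```

Each log entry records the UTC timestamp, the session it was seen on and the full set of references, which is the audit trail OB-2.2.11 (b) asks for; a message addressed to a different customer or referencing an unlinked session is refused before it is logged, which is the misrouting check of OB-2.2.16.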

      • OB-2.2.18

        AISPs and PISPs must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time. In case of loss of confidentiality of personalised security credentials under their sphere of competence, PISPs and AISPs must inform without undue delay the customer associated with them and the issuer of the personalised security credentials.

        Added: December 2018

      • OB-2.2.19

        AISPs must have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the customer's explicit consent.

        Added: December 2018

      • OB-2.2.20

        PISPs must provide the licensees maintaining customer accounts with the same information requested from the customer when initiating the payment transaction directly, unless the collection of additional information for the purposes of the provision of the payment initiation service is agreed otherwise between PISP, payer, and the licensee maintaining customer accounts.

        Added: December 2018