OB-2.2 Standards for Authentication and Communication
Secure authentication
OB-2.2.1
AISPs and PISPs must have in place a 2-factor authentication process to prevent unauthorised access.
(a) [This sub-paragraph was deleted in July 2021];
(b) [This sub-paragraph was deleted in July 2021];
(c) [This sub-paragraph was deleted in July 2021].
Amended: July 2021
Added: December 2018
OB-2.2.2
[This Paragraph was deleted in July 2021].
Deleted: July 2021
Added: December 2018
OB-2.2.3
[This Paragraph was deleted in July 2021].
(a) [This sub-paragraph was deleted in July 2021];
(b) [This sub-paragraph was deleted in July 2021];
(c) [This sub-paragraph was deleted in July 2021];
(d) [This sub-paragraph was deleted in July 2021].
Deleted: July 2021
Added: December 2018
Independence of elements of strong authentication
OB-2.2.4
[This Paragraph was deleted in July 2021].
(a) [This sub-paragraph was deleted in July 2021];
(b) [This sub-paragraph was deleted in July 2021];
(c) [This sub-paragraph was deleted in July 2021].
Deleted: July 2021
Added: December 2018
OB-2.2.5
[This Paragraph was deleted in July 2021].
Deleted: July 2021
Added: December 2018
OB-2.2.6
[This Paragraph was deleted in July 2021].
(a) [This sub-paragraph was deleted in July 2021];
(b) [This sub-paragraph was deleted in July 2021].
Deleted: July 2021
Added: December 2018
Confidentiality and Integrity of Personalised Security Credentials
OB-2.2.7
AISPs and PISPs must ensure that the creation of personalised security credentials is performed in a secure environment. AISPs and PISPs must mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.
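As an added illustration, not part of the Rulebook text, the following Python shows one way a provider can handle a personalised security credential so that it is generated from the operating system's CSPRNG, is never held in plaintext at rest and is never displayed in full, which is the practical content of OB-2.2.7 and of OB-2.2.9(a) and (b) below. The credential length and alphabet, the scrypt work factor, the mask format and the function names are assumptions chosen for the example, not values the Rulebook prescribes.

```python
"""Personalised security credentials handled without ever storing or showing
them in plaintext (illustrates OB-2.2.7 and OB-2.2.9(a) and (b)).
Example code, not Rulebook text; parameters below are assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
# Assumed scrypt work factor; tune to the authentication server's hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_MAXMEM = 2 ** 14, 8, 1, 64 * 1024 * 1024


def issue_credential(length: int = 12) -> str:
    """OB-2.2.7: generate the credential from the OS CSPRNG, never from
    predictable data such as account numbers or timestamps."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass(frozen=True)
class StoredCredential:
    """What the provider keeps at rest: salt and scrypt output only, so the
    record satisfies OB-2.2.9(b) by construction."""
    salt: bytes
    digest: bytes


def _derive(credential: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, which slows offline guessing if the record leaks.
    return hashlib.scrypt(credential.encode("utf-8"), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)


def store_credential(credential: str) -> StoredCredential:
    """Hash with a fresh random salt so equal credentials yield different records."""
    salt = secrets.token_bytes(16)
    return StoredCredential(salt=salt, digest=_derive(credential, salt))


def verify_credential(stored: StoredCredential, candidate: str) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(_derive(candidate, stored.salt), stored.digest)


def mask_for_display(credential: str, visible: int = 2) -> str:
    """OB-2.2.9(a): never render the credential in full; at most the last
    `visible` characters are shown, and values that short are fully masked."""
    if len(credential) <= visible:
        return "*" * len(credential)
    return "*" * (len(credential) - visible) + credential[-visible:]


def enrolment_record(credential: str) -> dict:
    """Record kept by the provider before delivery to the payer (OB-2.2.7):
    only the masked form and the hashed record, so a copied database or log
    does not expose a usable credential."""
    stored = store_credential(credential)
    return {"display": mask_for_display(credential),
            "salt_hex": stored.salt.hex(), "digest_hex": stored.digest.hex()}
```

The plaintext credential exists only transiently, between generation and delivery; every persistent artefact (database row, log line, screen) carries the hash or the masked form. Anything that must decrypt the credential rather than verify it (for instance a one-time delivery channel) falls under OB-2.2.9(c) and needs the encryption key kept in a hardware or key-management boundary, which this example does not cover.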
Added: December 2018
OB-2.2.8
AISPs and PISPs must ensure the confidentiality and integrity of the personalised security credentials of the customer, including authentication codes, during all phases of authentication, including display and transmission.
Added: December 2018
OB-2.2.9
For the purpose of Paragraph OB-2.2.8, AISPs and PISPs must ensure that each of the following requirements is met:
(a) personalised security credentials are masked when displayed and are not readable in their full extent when input by the customer during authentication;
(b) personalised security credentials in data format, as well as the cryptographic material related to the encryption of the personalised security credentials, are not stored in plaintext;
(c) secret cryptographic material is protected from unauthorised disclosure.
Added: December 2018
OB-2.2.10
PISPs and AISPs must ensure that only the customer is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.
Added: December 2018
Security of Communication Sessions
OB-2.2.11
AISPs and PISPs must ensure that any communication session established with the customer and other entities, including merchants, relies on each of the following:
(a) a unique identifier of the session;
(b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
(c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.
Added: December 2018
OB-2.2.12
AISPs and PISPs must rely on qualified certificates for electronic seals to identify the parties to a communication.
Added: December 2018
OB-2.2.13
AISPs and PISPs must ensure that the risks of misdirection of communication to unauthorised parties in mobile applications and other customer interfaces offering electronic payment services are effectively mitigated.
Added: December 2018
OB-2.2.14
AISPs and PISPs must ensure that, when exchanging data via the internet, secure encryption using strong and widely recognised encryption techniques is applied between the communicating parties throughout the respective communication session, in order to safeguard the confidentiality and integrity of the data.
Added: December 2018
OB-2.2.15
AISPs and PISPs must keep the access sessions offered by the licensee maintaining the customer account as short as possible, and must actively terminate the session with the relevant licensee maintaining the customer account as soon as the requested action has been completed.
Added: December 2018
OB-2.2.16
When maintaining parallel network sessions with bank licensees, AISPs and PISPs must ensure that those sessions are securely linked to the relevant sessions established with the customer, in order to prevent the possibility that any message or information communicated between them could be misrouted.
Added: December 2018
OB-2.2.17
Communication between AISPs or PISPs and the licensee maintaining customer accounts must include an unambiguous reference to each of the following items:
(a) the customer or users and the corresponding communication session, in order to distinguish several requests from the same customer or users;
(b) for payment initiation services, the uniquely identified payment transaction initiated;
(c) for confirmation of the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.
Added: December 2018
OB-2.2.18
AISPs and PISPs must ensure that, where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time. In case of loss of confidentiality of personalised security credentials under their sphere of competence, PISPs and AISPs must inform, without undue delay, the customer associated with them and the issuer of the personalised security credentials.
Added: December 2018
OB-2.2.19
AISPs must have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and the associated payment transactions, in accordance with the customer's explicit consent.
Added: December 2018
OB-2.2.20
PISPs must provide the licensees maintaining customer accounts with the same information as is requested from the customer when initiating the payment transaction directly, unless the collection of additional information for the purposes of providing the payment initiation service is agreed otherwise between the PISP, the payer and the licensee maintaining customer accounts.
Added: December 2018