Confidentiality and Integrity of Personalised Security Credentials
OB-2.2.7
AISPs and PISPs must ensure that the creation of personalised security credentials is performed in a secure environment. AISPs and PISPs must mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software due to their loss, theft or copying before their delivery to the payer.
Added: December 2018
OB-2.2.8
AISPs and PISPs must ensure the confidentiality and integrity of the personalised security credentials of the customer, including authentication codes, during all phases of authentication including display and transmission.
Added: December 2018
OB-2.2.9
For the purpose of Paragraph OB-2.2.8, AISPs and PISPs must ensure that each of the following requirements is met:
(a) personalised security credentials are masked when displayed and not readable in their full extent when input by the customer during the authentication;
(b) personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials, are not stored in plaintext;
(c) secret cryptographic material is protected from unauthorised disclosure.
Added: December 2018
OB-2.2.10
PISPs and AISPs must ensure that only the customer is associated with the personalised security credentials, with the authentication devices and the software in a secure manner.
Added: December 2018