• Security of Communication Sessions

    • OB-2.2.11

      AISPs and PISPs must ensure that any communication session established with the customer, and other entities, including merchants, relies on each of the following:

(a) a unique identifier of the session;
(b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
(c) timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.

Added: December 2018

    • OB-2.2.12

      AISPs and PISPs must rely on qualified certificates for electronic seals for identification of the different parties for communication between parties.

      Added: December 2018

    • OB-2.2.13

      AISPs and PISPs must ensure that the risks against misdirection of communication to unauthorised parties in mobile applications and other customers' interfaces offering electronic payment services are effectively mitigated.

      Added: December 2018

    • OB-2.2.14

AISPs and PISPs must ensure that, when exchanging data via the internet, secure encryption, using strong and widely recognised encryption techniques, is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data.

      Added: December 2018

    • OB-2.2.15

AISPs and PISPs must keep the access sessions offered by the licensee maintaining customer accounts as short as possible, and they shall actively terminate the session with the relevant licensee maintaining customer accounts as soon as the requested action has been completed.

      Added: December 2018

    • OB-2.2.16

      When maintaining parallel network sessions with the bank licensees, AISPs and PISPs must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.

      Added: December 2018

    • OB-2.2.17

AISPs and PISPs, when communicating with the licensee maintaining customer accounts, must include an unambiguous reference to each of the following items:

(a) the customer or users and the corresponding communication session, in order to distinguish several requests from the same customer or users;
(b) for payment initiation services, the uniquely identified payment transaction initiated; and
(c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.

Added: December 2018

    • OB-2.2.18

      AISPs and PISPs must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time. In case of loss of confidentiality of personalised security credentials under their sphere of competence, PISPs and AISPs must inform without undue delay the customer associated with them and the issuer of the personalised security credentials.

      Added: December 2018

    • OB-2.2.19

      AISPs must have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the customer's explicit consent.

      Added: December 2018

    • OB-2.2.20

      PISPs must provide the licensees maintaining customer accounts with the same information requested from the customer when initiating the payment transaction directly, unless the collection of additional information for the purposes of the provision of the payment initiation service is agreed otherwise between PISP, payer, and the licensee maintaining customer accounts.

      Added: December 2018