Conventional retail bank licensees must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time.