Article 98
Regulatory technical standards on authentication and communication
1. EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, develop draft regulatory technical standards addressed to payment service providers as set out in Article 1(1) of this Directive in accordance with Article 10 of Regulation (EU) No 1093/2010 specifying:
(a) the requirements of the strong customer authentication referred to in Article 97(1) and (2);
(b) the exemptions from the application of Article 97(1), (2) and (3), based on the criteria established in paragraph 3 of this Article;
(c) the requirements with which security measures have to comply, in accordance with Article 97(3) in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials; and
(d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.
2. The draft regulatory technical standards referred to in paragraph 1 shall be developed by EBA in order to:
(a) ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements;
(b) ensure the safety of payment service users’ funds and personal data;
(c) secure and maintain fair competition among all payment service providers;
(d) ensure technology and business-model neutrality;
(e) allow for the development of user-friendly, accessible and innovative means of payment.
3. The exemptions referred to in point (b) of paragraph 1 shall be based on the following criteria:
(a) the level of risk involved in the service provided;
(b) the amount, the recurrence of the transaction, or both;
(c) the payment channel used for the execution of the transaction.
4. EBA shall submit the draft regulatory technical standards referred to in paragraph 1 to the Commission by 13 January 2017.
Power is delegated to the Commission to adopt those regulatory technical standards in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
5. In accordance with Article 10 of Regulation (EU) No 1093/2010, EBA shall review and, if appropriate, update the regulatory technical standards on a regular basis in order, inter alia, to take account of innovation and technological developments.
- 2018_4089 Obligatory nature of the SCA and exemption based on transaction risk analysis
- 2018_4235 Ability of static card data to be considered a possession factor?
- 2018_4237 Signature on a paper slip from a payment terminal, as a factor in a two-factor SCA
- 2018_4238 Signature performed on the screen of a digital device as a factor in a two-factor SCA
- 2018_4366 Showing a password after it has been masked
- 2019_4785 Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions
- 2018_4120 Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries
- 2018_4210 Access by AISPs when customer not present up to 4 times in a 24 hour period
- 2018_4239 Applicability of exemption from strong customer authentication (SCA) under Article 17 for card payments
- 2018_4383 Exemption of secure corporate payment processes and protocols
- 2018_4439 Fraud rate calculation for TRA exemption – country dimension
- 2019_4740 Compliance with SCA in offline mode on an aircraft without internet connection
- 2019_4783 Delayed or deferred PIN for wearable devices
- 2019_4984 "Push based" authentication and SCA requirements
- 2019_4826 Scope of contingency mechanism
- 2019_4651 Relying on vendor mechanisms processing the biometric data for strong customer authentication; Multiple fingerprint samples stored on a mobile device and used for purpose of user authentication.
- 2018_4140 ASPSP is denied the waiver to the fall-back by an NCA
- 2018_4071 Communication plans to inform payment service providers making use of the dedicated interface
- 2021_6246 Change of TPP access rights for AIS consent by the PSU prior to authorisation
- 2021_5845 Ability of Payee’s PSP to apply exemptions from SCA in credit transfers
- 2021_6156 Arbitrating between security and obstacles
- 2018_4043 Calculation of fraud rates in relation to Exemption Threshold Values (ETVs)
- 2018_4045 Transaction Risk Analysis (TRA) exemption – Frequency of recalculation of fraud rate
- 2018_4127 Application of Transaction Risk Analysis (TRA) exemption – Real time risk analysis / monitoring
- 2018_4128 Trusted Beneficiary exemption – Management of the exemption, information flows between PSPs in the payment transaction
- 2018_4138 Testing eIDAS certificates before 14 September 2019
- 2018_4163 Fall back exemption
- 2018_4338 Trusted Beneficiaries
- 2018_4360 Application of the exemption related to a trusted beneficiary
- 2018_4342 Chip and Signature cards and their inclusion in the remit of RTS Article 11
- 2018_4375 Certification in relation to a Technical Service Provider (TSP)
- 2019_4630 Applicability of Article 34 (eIDAS certificates) prior to application date of Regulation (EU) 2018/389
- 2019_4609 Identification and access for testing purposes of entities that are not authorised third party providers (TPPs)
- 2019_4532 Strong Customer Authentication (SCA) possession element requirement for cryptographic validation
- 2019_4507 Content of eIDAS certificates if agents or outsource providers are involved