- Y Diweddaraf sydd Ar Gael (Diwygiedig)
- Gwreiddiol (Fel y’i mabwysiadwyd gan yr UE)
Commission Delegated Regulation (EU) 2018/389Dangos y teitl llawn
Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (Text with EEA relevance)
You are here:
- Rheoliadau yn deillio o’r UE
- 2018 No. 389
- CHAPTER IV
Pa Fersiwn
Nodweddion Uwch
- Dangos Graddfa Ddaearyddol(e.e. Lloegr, Cymru, Yr Alban aca Gogledd Iwerddon)
- Dangos Llinell Amser Newidiadau
Rhagor o Adnoddau
Deddfwriaeth yn deillio o’r UE
Pan adawodd y DU yr UE, cyhoeddodd legislation.gov.uk ddeddfwriaeth yr UE a gyhoeddwyd gan yr UE hyd at ddiwrnod cwblhau’r cyfnod gweithredu (31 Rhagfyr 2020 11.00 p.m.). Ar legislation.gov.uk, mae'r eitemau hyn o ddeddfwriaeth yn cael eu diweddaru'n gyson ag unrhyw ddiwygiadau a wnaed gan y DU ers hynny.
Mae'r eitem hon o ddeddfwriaeth yn tarddu o'r UE
Mae legislation.gov.uk yn cyhoeddi fersiwn y DU. Mae EUR-Lex yn cyhoeddi fersiwn yr UE. Mae Archif Gwe Ymadael â’r UE yn rhoi cipolwg ar fersiwn EUR-Lex o ddiwrnod cwblhau’r cyfnod gweithredu (31 Rhagfyr 2020 11.00 p.m.).
Changes over time for: CHAPTER IV
Changes to legislation:
Commission Delegated Regulation (EU) 2018/389, CHAPTER IV is up to date with all changes known to be in force on or before 28 May 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
EUR 2018 No. 389 may be subject to amendment by EU Exit Instruments made by the Financial Conduct Authority under powers set out in The Financial Regulators' Powers (Technical Standards etc.) (Amendment etc.) (EU Exit) Regulations 2018 (S.I. 2018/1115), regs. 2, 3, Sch. Pt. 1. These amendments are not currently available on legislation.gov.uk. Details of relevant amending instruments can be found on their website/s.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Changes and effects yet to be applied to Chapter IV:
- Regulation revoked by 2023 c. 29 Sch. 1 Pt. 3
CHAPTER IVU.K. CONFIDENTIALITY AND INTEGRITY OF THE PAYMENT SERVICE USERS' PERSONALISED SECURITY CREDENTIALS
Article 22U.K.General requirements
1.Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication.
2.For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:
(a)personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication;
(b)personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plain text;
(c)secret cryptographic material is protected from unauthorised disclosure.
3.Payment service providers shall fully document the process related to the management of cryptographic material used to encrypt or otherwise render unreadable the personalised security credentials.
4.Payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards.
Article 23U.K.Creation and transmission of credentials
Payment service providers shall ensure that the creation of personalised security credentials is performed in a secure environment.
They shall mitigate the risks of unauthorised use of the personalised security credentials and of the authentication devices and software following their loss, theft or copying before their delivery to the payer.
Article 24U.K.Association with the payment service user
1.Payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.
2.For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:
(a)the association of the payment service user's identity with personalised security credentials, authentication devices and software is carried out in secure environments under the payment service provider's responsibility comprising at least the payment service provider's premises, the internet environment provided by the payment service provider or other similar secure websites used by the payment service provider and its automated teller machine services, and taking into account risks associated with devices and underlying components used during the association process that are not under the responsibility of the payment service provider;
(b)the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.
Article 25U.K.Delivery of credentials, authentication devices and software
1.Payment service providers shall ensure that the delivery of personalised security credentials, authentication devices and software to the payment service user is carried out in a secure manner designed to address the risks related to their unauthorised use due to their loss, theft or copying.
2.For the purpose of paragraph 1, payment service providers shall at least apply each of the following measures:
(a)effective and secure delivery mechanisms ensuring that the personalised security credentials, authentication devices and software are delivered to the legitimate payment service user;
(b)mechanisms that allow the payment service provider to verify the authenticity of the authentication software delivered to the payment services user by means of the internet;
(c)arrangements ensuring that, where the delivery of personalised security credentials is executed outside the premises of the payment service provider or through a remote channel:
(i)
no unauthorised party can obtain more than one feature of the personalised security credentials, the authentication devices or software when delivered through the same channel;
(ii)
the delivered personalised security credentials, authentication devices or software require activation before usage;
(d)arrangements ensuring that, in cases where the personalised security credentials, the authentication devices or software have to be activated before their first use, the activation shall take place in a secure environment in accordance with the association procedures referred to in Article 24.
Article 26U.K.Renewal of personalised security credentials
Payment service providers shall ensure that the renewal or re-activation of personalised security credentials adhere to the procedures for the creation, association and delivery of the credentials and of the authentication devices in accordance with Articles 23, 24 and 25.
Article 27U.K.Destruction, deactivation and revocation
Payment service providers shall ensure that they have effective processes in place to apply each of the following security measures:
(a)
the secure destruction, deactivation or revocation of the personalised security credentials, authentication devices and software;
(b)
where the payment service provider distributes reusable authentication devices and software, the secure re-use of a device or software is established, documented and implemented before making it available to another payment services user;
(c)
the deactivation or revocation of information related to personalised security credentials stored in the payment service provider's systems and databases and, where relevant, in public repositories.
Options/Cymorth
Print Options
PrintThe Whole Regulation
PrintThis Chapter only
Mae deddfwriaeth ar gael mewn fersiynau gwahanol:
Y Diweddaraf sydd Ar Gael (diwygiedig):Y fersiwn ddiweddaraf sydd ar gael o’r ddeddfwriaeth yn cynnwys newidiadau a wnaed gan ddeddfwriaeth ddilynol ac wedi eu gweithredu gan ein tîm golygyddol. Gellir gweld y newidiadau nad ydym wedi eu gweithredu i’r testun eto yn yr ardal ‘Newidiadau i Ddeddfwriaeth’.
Gwreiddiol (Fel y’i mabwysiadwyd gan yr UE): Mae'r wreiddiol version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
Gweler y wybodaeth ychwanegol ochr yn ochr â’r cynnwys
Rhychwant ddaearyddol: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Dangos Llinell Amser Newidiadau: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Dewisiadau Agor
Dewisiadau gwahanol i agor deddfwriaeth er mwyn gweld rhagor o gynnwys ar y sgrin ar yr un pryd
Rhagor o Adnoddau
Gallwch wneud defnydd o ddogfennau atodol hanfodol a gwybodaeth ar gyfer yr eitem ddeddfwriaeth o’r tab hwn. Yn ddibynnol ar yr eitem ddeddfwriaeth sydd i’w gweld, gallai hyn gynnwys:
- y PDF print gwreiddiol y fel adopted version that was used for the EU Official Journal
- rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
- pob fformat o’r holl ddogfennau cysylltiedig
- slipiau cywiro
- dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Llinell Amser Newidiadau
Mae’r llinell amser yma yn dangos y fersiynau gwahanol a gymerwyd o EUR-Lex yn ogystal ag unrhyw fersiynau dilynol a grëwyd ar ôl y diwrnod ymadael o ganlyniad i newidiadau a wnaed gan ddeddfwriaeth y Deyrnas Unedig.
Cymerir dyddiadau fersiynau’r UE o ddyddiadau’r dogfennau ar EUR-Lex ac efallai na fyddant yn cyfateb â’r adeg pan ddaeth y newidiadau i rym ar gyfer y ddogfen.
Ar gyfer unrhyw fersiynau a grëwyd ar ôl y diwrnod ymadael o ganlyniad i newidiadau a wnaed gan ddeddfwriaeth y Deyrnas Unedig, bydd y dyddiad yn cyd-fynd â’r dyddiad cynharaf y daeth y newid (e.e. ychwanegiad, diddymiad neu gyfnewidiad) a weithredwyd i rym. Am ragor o wybodaeth gweler ein canllaw i ddeddfwriaeth ddiwygiedig ar Ddeall Deddfwriaeth.
Rhagor o Adnoddau
Defnyddiwch y ddewislen hon i agor dogfennau hanfodol sy’n cyd-fynd â’r ddeddfwriaeth a gwybodaeth am yr eitem hon o ddeddfwriaeth. Gan ddibynnu ar yr eitem o ddeddfwriaeth sy’n cael ei gweld gall hyn gynnwys:
- y PDF print gwreiddiol y fel adopted fersiwn a ddefnyddiwyd am y copi print
- slipiau cywiro
liciwch ‘Gweld Mwy’ neu ddewis ‘Rhagor o Adnoddau’ am wybodaeth ychwanegol gan gynnwys
- rhestr o newidiadau a wnaed gan a/neu yn effeithio ar yr eitem hon o ddeddfwriaeth
- manylion rhoi grym a newid cyffredinol
- pob fformat o’r holl ddogfennau cysylltiedig
- dolenni i ddeddfwriaeth gysylltiedig ac adnoddau gwybodaeth eraill
Mae’r holl gynnwys ar gael dan Drwydded Llywodraeth Agored v3.0 ac eithrio ble nodir yn wahanol. Yn ychwanegol mae’r safle hwn â chynnwys sy’n deillio o EUR-Lex, a ailddefnyddiwyd dan delerau Penderfyniad y Comisiwn 2011/833/EU ar ailddefnyddio dogfennau o sefydliadau’r UE. Am ragor o wybodaeth gweler ddatganiad cyhoeddus Swyddfa Gyhoeddiadau’r UE ar ailddefnyddio.