Payment service providers shall ensure that they have effective processes in place to apply each of the following security measures:

1. (a)

   the secure destruction, deactivation or revocation of the personalised security credentials, authentication devices and software;

2. (b)

   where the payment service provider distributes reusable authentication devices and software, the secure re-use of a device or software is established, documented and implemented before making it available to another payment services user;

3. (c)

   the deactivation or revocation of information related to personalised security credentials stored in the payment service provider's systems and databases and, where relevant, in public repositories.