CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
This Regulation establishes the requirements to be complied with by payment service providers for the purpose of implementing security measures which enable them to do the following:
- (a) apply the procedure of strong customer authentication in accordance with Article 97 of Directive (EU) 2015/2366;
- (b) exempt the application of the security requirements of strong customer authentication, subject to specified and limited conditions based on the level of risk, the amount and the recurrence of the payment transaction and of the payment channel used for its execution;
- (c) protect the confidentiality and the integrity of the payment service user's personalised security credentials;
- (d) establish common and secure open standards for the communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers in relation to the provision and use of payment services in application of Title IV of Directive (EU) 2015/2366.
Article 2
General authentication requirements
1. Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions for the purpose of the implementation of the security measures referred to in points (a) and (b) of Article 1.
Those mechanisms shall be based on the analysis of payment transactions taking into account elements which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials.
2. Payment service providers shall ensure that the transaction monitoring mechanisms take into account, at a minimum, each of the following risk-based factors:
(a) lists of compromised or stolen authentication elements;
(b) the amount of each payment transaction;
(c) known fraud scenarios in the provision of payment services;
(d) signs of malware infection in any sessions of the authentication procedure;
(e) in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.
Article 3
Review of the security measures
1. The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the payment service provider by auditors with expertise in IT security and payments and operationally independent within or from the payment service provider.
2. The period between the audits referred to in paragraph 1 shall be determined taking into account the relevant accounting and statutory audit framework applicable to the payment service provider.
However, payment service providers that make use of the exemption referred to in Article 18 shall be subject to an audit of the methodology, the model and the reported fraud rates at a minimum on a yearly basis. The auditor performing this audit shall have expertise in IT security and payments and be operationally independent within or from the payment service provider. During the first year of making use of the exemption under Article 18 and at least every 3 years thereafter, or more frequently at the competent authority's request, this audit shall be carried out by an independent and qualified external auditor.
3. This audit shall present an evaluation and report on the compliance of the payment service provider's security measures with the requirements set out in this Regulation.
The entire report shall be made available to competent authorities upon their request.