Authentication (U.K.)
100.—(1) A payment service provider must apply strong customer authentication where a payment service user—
(a) accesses its payment account online, whether directly or through an account information service provider;
(b) initiates an electronic payment transaction; or
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
(2) Where a payer initiates an electronic remote payment transaction directly or through a payment initiation service provider, the payment service provider must apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.
(3) A payment service provider must maintain adequate security measures to protect the confidentiality and integrity of payment service users' personalised security credentials.
(4) An account servicing payment service provider must allow a payment initiation service provider or account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to a payment service user in accordance with the preceding paragraphs of this regulation.
(5) Paragraphs (1), (2) and (3) are subject to any exemptions from the requirements in those paragraphs provided for in [F1 technical standards made under regulation 106A].
Textual Amendments
F1 Words in reg. 100(5) substituted (31.12.2020) by The Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (S.I. 2018/1201), reg. 1(3), Sch. 2 para. 48 (with reg. 4, Sch. 3 Pt. 2) (as amended by S.I. 2020/56, regs. 1, 8); 2020 c. 1, Sch. 5 para. 1(1)