- Question ID:
- 2020_5477
- Legal Act:
- Directive 2015/2366/EU (PSD2)
- Topic:
- Strong customer authentication and common and secure communication (incl. access)
- Article:
- Article 66
- Paragraph:
- 3
- Subparagraph:
- (f),(g)
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph:
- Article 35, paragraph 1
- Disclose name of institution / entity:
- Yes
- Name of institution / submitter:
- Multi-Stakeholder Group Mobile initiated SEPA (instant) credit transfers
- Country of incorporation / residence:
- Belgium
- Type of submitter:
- Industry association
- Subject Matter:
- Clarification on level of protection required for the processing of the IBAN outside the inter-PSP environment
- Question:
Can the IBAN of the payer or payee be handled in cleartext outside the inter-Payment Service Provider (PSP) environment? For instance, could a payer’s IBAN be contained in cleartext in a payer-presented QR code provided by the payer’s device to the merchant’s point of interaction for the initiation of an (instant) credit transfer? Or could a merchant’s IBAN be contained in cleartext in a merchant-presented QR code at the merchant’s point of interaction to be read by the payer’s device for the initiation of an (instant) credit transfer?
- Background on the question:
Article 4 (32), PSD2, provides that for the activities of Payment Initiation Service Providers (PISPs), i) the name of the account owner and ii) the account number (the IBAN) do not constitute sensitive payment data.
In line with the clarifications given under the EBA Q&A 2018_4081, if the transaction is initiated in accordance with the rules of Article 36 (1), RTS, and provided that the PISP complies with Article 66 (3), PSD2, it seems possible that the IBAN could be used/displayed in cleartext in an Application Programming Interface (API) environment. It is however unclear whether the same would apply in case of presentation of the IBAN in cleartext as part of the payer-presented QR code provided by the payer’s device to the merchant at the point of interaction (POI) (or vice versa) for the initiation of an (instant) credit transfer. In particular, from a security perspective, it is unclear whether in a POI context the IBAN could be shown to all parties without tokenisation and still comply with Article 35 (1), RTS, on security of communication.
- Date of submission:
- 04/09/2020
- Published as Final Q&A:
- 24/09/2021
- Final Answer:
Article 4(31) of Directive 2015/2366/EU (PSD2) defines personalised security credentials (PSC) as ‘personalised features provided by the payment service provider to a payment service user for the purposes of authentication’.
Accordingly, since the IBAN is not an element used for the purpose of authentication, it cannot be considered as a PSC.
Article 4(32) of PSD2 defines sensitive payment data as ‘data, including personalised security credentials which can be used to carry out fraud’. The article further clarifies that ‘for the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data’.
Accordingly, the IBAN of the payer does not constitute sensitive payment data for the activities of payment initiation service providers.
In relation to the above, in a transaction initiated at the point-of-interaction (POI) by using a QR code presented by either the payer or the payee (merchant), the IBAN can be included in free text.
However, since its disclosure may be used to carry out fraud, it will be for payment service providers to assess the risks arising from transmitting the IBAN in free text between the device of the payer and the POI and from storing it, if applicable. Subsequently, PSPs should decide whether it is necessary to implement corresponding security measures to mitigate these risks.
- Status:
- Final Q&A
- Answer prepared by:
- Answer prepared by the EBA.
- Note to Q&A:
The topic of this Q&A was changed from “Security measures for operational and security risks” to “Strong customer authentication and common and secure communication (incl. access)” on 15.12.2022.
2020_5477 Clarification on level of protection required for the processing of the IBAN outside the inter-PSP environment - European Banking Authority (2024)