Updated 18/09/2024
In force

Version from: 12/09/2023

Article 5 - Dynamic linking

1. Where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4 of this Regulation, they shall also adopt security measures that meet each of the following requirements:

(a) the payer is made aware of the amount of the payment transaction and of the payee;

(b) the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;

(c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;

(d) any change to the amount or the payee results in the invalidation of the authentication code generated.

2. For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:

(a) the amount of the transaction and the payee throughout all of the phases of the authentication;

(b) the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code.

3. For the purpose of paragraph 1(b) and where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366 the following requirements for the authentication code shall apply:

(a) in relation to a card-based payment transaction for which the payer has given consent to the exact amount of the funds to be blocked pursuant to Article 75(1) of that Directive, the authentication code shall be specific to the amount that the payer has given consent to be blocked and agreed to by the payer when initiating the transaction;

(b) in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees.