1. The payment service provider issuing a payment instrument shall:
(a) make sure that the personalised security credentials are not accessible to parties other than the payment service user that is entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 69;
(b) refrain from sending an unsolicited payment instrument, except where a payment instrument already given to the payment service user is to be replaced;
(c) ensure that appropriate means are available at all times to enable the payment service user to make a notification pursuant to point (b) of Article 69(1) or to request unblocking of the payment instrument pursuant to Article 68(4); on request, the payment service provider shall provide the payment service user with the means to prove, for 18 months after notification, that the payment service user made such a notification;
(d) provide the payment service user with an option to make a notification pursuant to point (b) of Article 69(1) free of charge and to charge, if at all, only replacement costs directly attributed to the payment instrument;
(e) prevent all use of the payment instrument once notification pursuant to point (b) of Article 69(1) has been made.
2. The payment service provider shall bear the risk of sending a payment instrument or any personalised security credentials relating to it to the payment service user.