Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?
Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that where Payment Service Providers (PSPs) apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366 “the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes”. Article 10 of the Delegated Regulation states that “Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and, where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data: (a) the balance of one or more designated payment accounts; (b) the payment transactions executed in the last 90 days through one or more designated payment accounts.”
Thus, the PSP can apply the exemption from strong customer authentication under Article 10 of the Delegated Regulation where the payment service user (PSU) is limited to accessing the balance of one or more payment accounts, or payment transactions executed in the last 90 days. In such a scenario, the 5-minute inactivity requirement would not apply although, in the context of the management of security risks, PSPs may still wish to consider putting in place an automated “time out” of such a session.
However, if the PSU (i.e. the customer) accesses the payment account online for the first time or more than 90 days have elapsed since strong customer authentication was applied to access information online, the customer would need to strongly authenticate him/herself by the corresponding authentication procedure. In this case, the session must automatically expire after 5 minutes of inactivity.