Question ID
2020_5477
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
Article 66
Paragraph
3
Subparagraph
(f),(g)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
Article 35, paragraph 1
Name of institution / submitter
Multi-Stakeholder Group Mobile initiated SEPA (instant) credit transfers
Country of incorporation / residence
Belgium
Type of submitter
Industry association
Subject matter
Clarification on level of protection required for the processing of the IBAN outside the inter-PSP environment
Question

Can the IBAN of the payer or payee be handled in cleartext outside the inter Payment Service Provider (PSP) environment? For instance could a payer’s IBAN be contained in cleartext in a payer-presented QR-code provided by the payer’s device to the merchant’s point of interaction for the initiation of an (instant) credit transfer? Or could a merchant’s IBAN be contained in cleartext in a merchant-presented QR-code at the merchant’s point of interaction to be read by the payer’s device for the initiation of an (instant) credit transfer?

Background on the question

Article 4 (32), PSD2, provides that for the activities of Payment Initiation Service Providers (PISPs), i) the name of the account owner and ii) the account number (the IBAN) do not constitute sensitive payment data.

In line with the clarifications given under the EBA Q&A 2018_4081, if the transaction is initiated in accordance with the rules of Article 36 (1), RTS and provided that the PISP complies with Article 66 (3), PSD2, it seems possible that the IBAN could be used/displayed in cleartext in an Application Programming Interface (API) environment. It is however unclear whether the same would apply in case of presentation of the IBAN in cleartext as part of the payer-presented-QR provided by the payer’s device to the merchant at point of interaction (POI) (or vice-versa) for the initiation of an (instant). In particular, from a security perspective, it is unclear whether in a POI context the IBAN could be shown to all parties without tokenisation and still comply with Article 35 (1), RTS on security of communication.

Submission date
Final publishing date
Final answer

Article 4(31) of Directive 2015/2366/EU (PSD2) defines personalised security credentials (PSC) as ‘personalised features provided by the payment service provider to a payment service user for the purposes of authentication’.

Accordingly, since the IBAN is not an element used for the purpose of authentication, it cannot be considered as a PSC.

Article 4(32) of PSD2 defines sensitive payment data as ‘data, including personalised security credentials which can be used to carry out fraud. The article further clarifies that ‘for the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data’.

Accordingly, the IBAN of the payer does not constitute sensitive payment data for the activities of payment initiation service providers.

In relation to the above, in a transaction initiated at the point-of-interaction (POI) by using a QR code presented by either the payer or the payee (merchant), the IBAN can be included in free text.

 

However, since its disclosure may be used to carry out fraud, it will be for payment service providers to assess the risks arising from transmitting the IBAN in free text between the device of the payer and the POI and from storing it, if applicable. Subsequently, PSPs should decide whether it is necessary to implement corresponding security measures to mitigate these risks.

Status
Final Q&A
Answer prepared by
Answer prepared by the EBA.
Note to Q&A

The topic of this Q&A was changed from “Security measures for operational and security risks” to “Strong customer authentication and common and secure communication (incl. access)” on 15.12.2022.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.