- Question ID
- 2023_6946
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Other topics
- Article
- 67
- Paragraph
- 3
- Subparagraph
- b
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
- 32
- Type of submitter
- Other
- Subject matter
- Card data (PAN) to be returned in AISP calls
- Question
- Does the ASPSP have to return the card number (PAN) attached to a fetched payment account in case the user can access this data during a standard session with its ASPSP in the direct internet banking interface? In case of "YES", does the TPP that is fetching this data have to be PCI DSS certified, since this data has to be encrypted based on the PCI DSS requirements? Moreover, could the "card number (PAN)" be considered sensitive, since it could potentially be used for fraud?
- Background on the question
- The PSD2, art. 67.3.(b), states that, in relation to payment accounts, an ASPSP shall treat data requests transmitted through the services of an account information service provider without any discrimination for other than objective reasons. Stating this, there are many ASPSP direct banking interfaces where the PSU can have access to credit/debit card data like card number (PAN), date of expiration, CVV, by accessing it directly or through an additional layer of security. In this case, as stated in the RTS on SCA, art. 32.1, the ASPSP that has put in place a dedicated interface shall ensure that the dedicated interface offers at all times the same level of availability and performance, including support, as the interfaces made available to the PSU for directly accessing its payment account online. It means that the TPPs need to have access to the specified data in case it's available in the direct interface. On the other hand, this data has to be managed under the PCI DSS protocols, and thus all actors that have access to it need to be certified. It would require additional certification burdens for the TPPs, since they will have to manage the data received from the ASPSP. For ASPSPs, instead, a new challenge is generated: monitoring the level of compliance of the connected TPPs with the PCI DSS, which currently is impossible, because the eIDAS certificates don't carry this information.
However, there is another situation in how the card number can be treated. As stated in art. 4.(32) of the PSD2, sensitive data means data, including personalised security credentials, which can be used to carry out fraud. We can assume that the card number can be used with fraudulent intent, even without having the other parts of the data set like expiry date and CVV. Moreover, art. 67.2.(e) of the PSD2 states that an AISP shall not request sensitive payment data linked to the payment accounts. We would like to understand how the EBA treats this data.
- Submission date
- Status
- Question under review
- Answer prepared by
- Answer prepared by the European Commission because it is a matter of interpretation of Union law.