- Question ID: 2023_6946
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Other topics
- Article: 67
- Paragraph: 3
- Subparagraph: b
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 32
- Type of submitter: Other
- Subject matter: Card data (PAN) to be returned in AISP calls
- Question:
Does the ASPSP have to return the card number (PAN) attached to a fetched payment account in case the user can access this data during a standard session with its ASPSP in the direct internet banking interface? In case of "YES", does the TPP that is fetching this data have to be PCI DSS certified, since this data has to be encrypted based on the PCI DSS requirements? Moreover, could the "card number (PAN)" be considered sensitive, since it could potentially be used for fraud?
- Background on the question:
The PSD2, art. 67.3.(b), states that "In relation to payment accounts, an ASPSP shall treat data requests transmitted through the services of an account information service provider without any discrimination for other than objective reasons." Stating this, there are many ASPSP direct banking interfaces where the PSU can have access to credit/debit card data like card number (PAN), date of expiration, CVV, by accessing it directly or through an additional layer of security. In this case, as stated in the RTS on SCA, art. 32.1, the ASPSP that has put in place a dedicated interface shall ensure that the dedicated interface offers at all times the same level of availability and performance, including support, as the interfaces made available to the PSU for directly accessing its payment account online. It means that the TPPs need to have access to the specified data in case it's available in the direct interface. On the other hand, this data has to be managed under the PCI DSS protocols and thus all actors that have access to it need to be certified. It would require additional certification burdens for the TPPs since they will have to manage the data received from the ASPSP. For ASPSPs, instead, a new challenge is generated of monitoring the level of compliance of the connected TPPs with the PCI DSS, which currently is impossible, because the eIDAS certificates don't carry this information.
However, there is another situation in how the card number can be treated. As stated in art. 4.(32) of the PSD2, sensitive data means data, including personalized security credentials which can be used to carry out fraud. We can assume that the card number can be used for fraud intentions, even without having the other parts of the data set like expiry date and CVV. Moreover, art. 67.2.(e) of the PSD2 states that an AISP shall not request sensitive payment data linked to the payment accounts. We would like to understand how the EBA treats this data.
- Submission date:
- Final publishing date:
- Final answer:
Under Article 4(12) of Directive (EU) 2015/2366, of 25 November 2015, on payment services in the internal market (PSD2), ‘payment account’ means an account held in the name of one or more payment service users (PSUs) which is used for the execution of payment transactions.
‘Payment instrument’ is, in turn, defined as a personalised device(s) and/or set of procedures agreed between the PSU and the payment service provider and used to initiate a payment order (Article 4(14) of the PSD2).
Even though there are account servicing payment service providers (ASPSPs) that allow PSUs to have access via the online banking interfaces to credit/debit card data like the card number, the date of expiration, the card verification value (CVV), by accessing that data directly online or through an additional layer of security, that does not constitute payment account information.
Rather, it constitutes information regarding a specific payment instrument that has been assigned to the holder of the payment account. It is clear from the two definitions cited above that the concepts of ‘payment account’ and ‘payment instrument’ are not to be used interchangeably, even if ‘transaction data’ that is accessible to PSUs may include a limited set of data on the payment instrument that has been used to initiate a given transaction.
It follows from the above that ASPSPs do not have to offer Account Information Service Providers (AISPs) the possibility to view the card number linked to a payment account in case the PSU can access that data during a standard session with its ASPSP in the online banking interface.
Disclaimer:
The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.
- Status: Final Q&A
- Answer prepared by: the European Commission, because it is a matter of interpretation of Union law.
Disclaimer:
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.