Please enable JavaScript.

Coggle requires JavaScript to display documents.

User (Mobile (Personalized Security Credentials (Creation and Transmission…

- - - - Implementation of control mechanisms for operations
      - Authentication Elements
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Make impossible the identification of which authentication element was incorrect in case of failed authentication
        
        Authentification elements (knowledge, possession, inherence) must be protected from disclosure
        
        The breach of one of an authentication element does not compromise the reliability of the other elements
        
        Authentication shall be based on two or more elements categorised as knowledge, possession and inherence
      - Authentication Code
        
        Not-forgeable authentication code
        
        Number of consecutive failed authentication attempts limited to 5
        
        Communication sessions must be protected against the capture and manipulation of authentication data during the authentication
        
        Maximum inactivity time set to 5 min
        
        A secure procedure must be established in case of a block on user account
        
        Unique authentication code
      - Devices
        
        Alteration prevention mechanisms and mitigation measures
        
        Multi-purposes devices must use separated secure execution environments
      - Strong Authentication
        
        SCA application when first access to payment accounts informations
        
        SCA application when more than 90 since last SCA
        
        SCA application when more than 90 days since last SCA application
        
        SCA application when creating or amending a list of trusted beneficiaries
        
        SCA application for recurring ttransactions
    - - Authentication code must be specific to the amount of the payment transaction
      - Authentication code must corresponds to the original amount of the payment transaction (or blocked funds) and payee identity
      - Invalidation of the authentication code in case of any change
      - Confidentiality, authenticity and integrity of the amount of transaction and informations displayed during authenticaiton
    - - Secure identification when communicating between the payer’s device and the payee’s acceptance devices
      - Mitigate the risks of misdirection of communication to unauthorised parties in mobile applications
    - - Security mechanisms for the detailed logging of the transaction,
  - - - Secure environment
      - Mitigation of the risks of unauthorised use
      - Credentials delivery partitionning
      - Activation before first use, in a secure environment
    - - Unique association
      - Secure environments
      - Strong authentication
    - - Secure delivery mechanisms
      - Authenticity verication mechanisms for the software
    - - Secure destruction, deactivation or revocation of the credentials, authentication devices and software
      - Secure re-use of a device or software is established, documented and implemented
      - deactivation or revocation of credentials stored in the PSP’s systems and databases shall be acted
    - - Same as "Creation", "Delivery" and "Association"
    - - Security credentials masked or not fully-readable
      - No plaintext storing
      - Protected from unauthorized diclosure
      - Secure environments for the processing and routing of personalised security credentials
- - - - Authentication
        
        Implementation of control mechanisms for operations
        
        Authentication Elements
        
        Authentification elements (knowledge, possession, inherence) must be protected from disclosure
        
        The breach of one of an authentication element does not compromise the reliability of the other elements
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Authentication shall be based on two or more elements categorised as knowledge, possession and inherence
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Make impossible the identification of which authentication element was incorrect in case of failed authentication
        
        Authentication Code
        
        Unique authentication code
        
        Not-forgeable authentication code
        
        Number of consecutive failed authentication attempts limited to 5
        
        Maximum inactivity time set to 5 min
        
        A secure procedure must be established in case of a block on user account
        
        Communication sessions must be protected against the capture and manipulation of authentication data during the authentication
        
        Devices
        
        Multi-purposes devices must use separated secure execution environments
        
        Alteration prevention mechanisms and mitigation measures
        
        Strong Authentication
        
        SCA application when first access to payment accounts informations
        
        SCA application when more than 90 since last SCA
        
        SCA application when more than 90 days since last SCA application
        
        SCA application when creating or amending a list of trusted beneficiaries
        
        SCA application for recurring ttransactions
      - Dynamic Linking
        
        Authentication code must be specific to the amount of the payment transaction
        
        Authentication code must corresponds to the original amount of the payment transaction (or blocked funds) and payee identity
        
        Invalidation of the authentication code in case of any change
        
        Confidentiality, authenticity and integrity of the amount of transaction and informations displayed during authenticaiton :
      - Identification
        
        Secure identification when communicating between the payer’s device and the payee’s acceptance devices
        
        Mitigate the risks of misdirection of communication to unauthorised parties in mobile applications
      - Traceability
  - - - Creation and Transmission of Credentials
        
        Secure environment
        
        Mitigation of the risks of unauthorised use
        
        Credentials delivery partitionning
        
        Activation before first use, in a secure environment
      - Association with the Payment Service User
        
        Unique association
        
        Secure environments
        
        Strong authentication
      - Delivery of Credentials, Devices and Softwares
        
        Secure delivery mechanisms
        
        Authenticity verication mechanisms for the software
      - Destruction, Deactivation and Renewal
        
        Secure destruction, deactivation or revocation of the credentials, authentication devices and software
        
        Secure re-use of a device or software is established, documented and implemented
        
        deactivation or revocation of credentials stored in the PSP’s systems and databases shall be acted
      - Renewal of Personal Security Credentials
        
        Same as "Creation", "Delivery" and "Association"
      - General Requirements
        
        Security credentials masked or not fully-readable
        
        No plaintext storing
        
        Protected from unauthorized diclosure
        
        Secure environments for the processing and routing of personalised security credentials
- - - - Implementation of control mechanisms for operations
      - Authentication Elements
        
        Authentification elements (knowledge, possession, inherence) must be protected from disclosure
        
        The breach of one of an authentication element does not compromise the reliability of the other elements
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Authentication shall be based on two or more elements categorised as knowledge, possession and inherence
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Make impossible the identification of which authentication element was incorrect in case of failed authentication
      - Devices
        
        Multi-purposes devices must use separated secure execution environments
        
        Alteration prevention mechanisms and mitigation measures
      - Authentication Code
        
        Unique authentication code
        
        Not-forgeable authentication code
        
        Number of consecutive failed authentication attempts limited to 5
        
        Maximum inactivity time set to 5 min
        
        A secure procedure must be established in case of a block on user account
        
        Communication sessions must be protected against the capture and manipulation of authentication data during the authentication
    - - Authentication code must be specific to the amount of the payment transaction
      - Authentication code must corresponds to the original amount of the payment transaction (or blocked funds) and payee identity
      - Confidentiality, authenticity and integrity of the amount of transaction and informations displayed during authenticaiton
    - - Secure identification when communicating between the payer’s device and the payee’s acceptance devices
      - Mitigate the risks of misdirection of communication to unauthorised parties in mobile applications
  - - - Dynamic Linking
        
        Authentication code must be specific to the amount of the payment transaction
        
        Authentication code must corresponds to the original amount of the payment transaction (or blocked funds) and payee identity
        
        Confidentiality, authenticity and integrity of the amount of transaction and informations displayed during authenticaiton
      - Authentication
        
        Implementation of control mechanisms for operations
        
        Authentication Elements
        
        Authentification elements (knowledge, possession, inherence) must be protected from disclosure
        
        The breach of one of an authentication element does not compromise the reliability of the other elements
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Authentication shall be based on two or more elements categorised as knowledge, possession and inherence
        
        No information on authentication elements can be derived from the disclosure of the authentication code
        
        Make impossible the identification of which authentication element was incorrect in case of failed authentication
        
        Devices
        
        Multi-purposes devices must use separated secure execution environments
        
        Alteration prevention mechanisms and mitigation measures
        
        Authentication Code
        
        Unique authentication code
        
        Not-forgeable authentication code
        
        Number of consecutive failed authentication attempts limited to 5
        
        Maximum inactivity time set to 5 min
        
        A secure procedure must be established in case of a block on user account
        
        Communication sessions must be protected against the capture and manipulation of authentication data during the authentication
  - - - Authentication
        
        Implementation of control mechanisms for operations