PSD2 Regulatory Technical Standards (RTS)
Table of Contents
Chapter I – GENERAL PROVISIONS
Chapter II – SECURITY MEASURES FOR THE APPLICATION OF STRONG CUSTOMER AUTHENTICATION
Chapter III – EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION
Chapter IV – CONFIDENTIALITY AND INTEGRITY OF THE PAYMENT SERVICE USERS' PERSONALISED SECURITY CREDENTIALS
Chapter V – COMMON AND SECURE OPEN STANDARDS OF COMMUNICATION
Chapter VI – FINAL PROVISIONS
Recitals (30)
Annexes
Chapter III – EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION
Article 10
Access to the payment account information directly with the account servicing payment service provider
1. Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where a payment service user is accessing its payment account online directly, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.
2. By way of derogation from paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where one of the following conditions is met:
(a) the payment service user is accessing online the information specified in paragraph 1 for the first time;
(b) more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 and strong customer authentication was applied.