Article 25 Delivery of credentials, authentication devices and software
- (1)
Payment service providers shall ensure that the delivery of personalised security credentials, authentication devices and software to the payment service user is carried out in a secure manner designed to address the risks related to their unauthorised use due to their loss, theft or copying.
- (2)
For the purpose of paragraph 1, payment service providers shall at least apply each of the following measures:
- (a)
effective and secure delivery mechanisms ensuring that the personalised security credentials, authentication devices and software are delivered to the legitimate payment service user;
- (b)
mechanisms that allow the payment service provider to verify the authenticity of the authentication software delivered to the payment services user by means of the internet;
- (c)
arrangements ensuring that, where the delivery of personalised security credentials is executed outside the premises of the payment service provider or through a remote channel:
- (i)
no unauthorised party can obtain more than one feature of the personalised security credentials, the authentication devices or software when delivered through the same channel;
- (ii)
the delivered personalised security credentials, authentication devices or software require activation before usage;
- (i)
- (d)
arrangements ensuring that, in cases where the personalised security credentials, the authentication devices or software have to be activated before their first use, the activation shall take place in a secure environment in accordance with the association procedures referred to in Article 24.
- (a)