Content Options:

Content Options

View Options:


You are viewing the version of the document as on 2021-01-01.

Chapter 5 Common and secure open standards of communication

Section 1 General requirements for communication

Article 28 Requirements for identification

  1. (1)

    Payment service providers shall ensure secure identification when communicating between the payer’s device and the payee’s acceptance devices for electronic payments, including but not limited to payment terminals.

  2. (2)

    Payment service providers shall ensure that the risks of misdirection of communication to unauthorised parties in mobile applications and other payment services users’ interfaces offering electronic payment services are effectively mitigated.

Chapter 5 Common and secure open standards of communication

Section 1 General requirements for communication

Article 28 Requirements for identification

  1. (1)

    Payment service providers shall ensure secure identification when communicating between the payer’s device and the payee’s acceptance devices for electronic payments, including but not limited to payment terminals.

  2. (2)

    Payment service providers shall ensure that the risks of misdirection of communication to unauthorised parties in mobile applications and other payment services users’ interfaces offering electronic payment services are effectively mitigated.

Article 29 Traceability

  1. (1)

    Payment service providers shall have processes in place which ensure that all payment transactions and other interactions with the payment services user, with other payment service providers and with other entities, including merchants, in the context of the provision of the payment service are traceable, ensuring knowledge ex-post of all events relevant to the electronic transaction in all the various stages.

  2. (2)

    For the purpose of paragraph 1, payment service providers shall ensure that any communication session established with the payment services user, other payment service providers and other entities, including merchants, relies on each of the following:

    1. (a)

      a unique identifier of the session;

    2. (b)

      security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;

    3. (c)

      timestamps which shall be based on a unified time-reference system and which shall be synchronised according to an official time signal.

Section 2 Specific requirements for the common and secure open standards of communication

Article 30 General obligations for access interfaces

  1. (1)

    Account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements:

    1. (a)

      account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments are able to identify themselves towards the account servicing payment service provider;

    2. (b)

      account information service providers are able to communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions;

    3. (c)

      payment initiation service providers are able to communicate securely to initiate a payment order from the payer’s payment account and receive all information on the initiation of the payment transaction and all information accessible to the account servicing payment service providers regarding the execution of the payment transaction.

  2. (2)

    For the purposes of authentication of the payment service user, the interface referred to in paragraph 1 shall allow account information service providers and payment initiation service providers to rely on all the authentication procedures provided by the account servicing payment service provider to the payment service user.

    The interface shall at least meet all of the following requirements:

    1. (a)

      a payment initiation service provider or an account information service provider shall be able to instruct the account servicing payment service provider to start the authentication based on the consent of the payment service user;

    2. (b)

      communication sessions between the account servicing payment service provider, the account information service provider, the payment initiation service provider and any payment service user concerned shall be established and maintained throughout the authentication;

    3. (c)

      the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the payment initiation service provider or the account information service provider shall be ensured.

  3. (3)

    Account servicing payment service providers shall ensure that their interfaces follow standards of communication which are issued by international standardisation organisations.

    Account servicing payment service providers shall also ensure that the technical specification of any of the interfaces is documented specifying a set of routines, protocols, and tools needed by payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments for allowing their software and applications to interoperate with the systems of the account servicing payment service providers.

    Account servicing payment service providers shall at a minimum, and no less than six months before the target date for the market launch of the access interface, make the documentation available, at no charge, upon request by authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments or payment service providers that have applied to the FCA or the Gibraltar Financial Services Commission for the relevant authorisation, and shall make a summary of the documentation publicly available on their website.

  4. (4)

    In addition to paragraph 3, account servicing payment service providers shall ensure that, except for emergency situations, any change to the technical specification of their interface is made available to authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments, or payment service providers that have applied to the FCA or the Gibraltar Financial Services Commission for the relevant authorisation, in advance as soon as possible and not less than three months before the change is implemented.

    Payment service providers shall document emergency situations where changes were implemented and make the documentation available to the FCA on request.

  5. (5)

    Account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers, payment service providers issuing card-based payment instruments and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. This testing facility should be made available no later than six months before the target date for the market launch of the access interface.

    However, no sensitive information shall be shared through the testing facility.

  6. (6)

    The FCA shall ensure that account servicing payment service providers comply at all times with the obligations included in these Standards in relation to the interface(s) that they put in place. In the event that an account servicing payment services provider fails to comply with the requirements for interfaces laid down in these Standards, the FCA shall ensure that the provision of payment initiation services and account information services is not prevented or disrupted to the extent that the respective providers of such services comply with the conditions defined under Article 33(5).

Section 2 Specific requirements for the common and secure open standards of communication

Article 30 General obligations for access interfaces

  1. (1)

    Account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements:

    1. (a)

      account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments are able to identify themselves towards the account servicing payment service provider;

    2. (b)

      account information service providers are able to communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions;

    3. (c)

      payment initiation service providers are able to communicate securely to initiate a payment order from the payer’s payment account and receive all information on the initiation of the payment transaction and all information accessible to the account servicing payment service providers regarding the execution of the payment transaction.

  2. (2)

    For the purposes of authentication of the payment service user, the interface referred to in paragraph 1 shall allow account information service providers and payment initiation service providers to rely on all the authentication procedures provided by the account servicing payment service provider to the payment service user.

    The interface shall at least meet all of the following requirements:

    1. (a)

      a payment initiation service provider or an account information service provider shall be able to instruct the account servicing payment service provider to start the authentication based on the consent of the payment service user;

    2. (b)

      communication sessions between the account servicing payment service provider, the account information service provider, the payment initiation service provider and any payment service user concerned shall be established and maintained throughout the authentication;

    3. (c)

      the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the payment initiation service provider or the account information service provider shall be ensured.

  3. (3)

    Account servicing payment service providers shall ensure that their interfaces follow standards of communication which are issued by international standardisation organisations.

    Account servicing payment service providers shall also ensure that the technical specification of any of the interfaces is documented specifying a set of routines, protocols, and tools needed by payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments for allowing their software and applications to interoperate with the systems of the account servicing payment service providers.

    Account servicing payment service providers shall at a minimum, and no less than six months before the target date for the market launch of the access interface, make the documentation available, at no charge, upon request by authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments or payment service providers that have applied to the FCA or the Gibraltar Financial Services Commission for the relevant authorisation, and shall make a summary of the documentation publicly available on their website.

  4. (4)

    In addition to paragraph 3, account servicing payment service providers shall ensure that, except for emergency situations, any change to the technical specification of their interface is made available to authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments, or payment service providers that have applied to the FCA or the Gibraltar Financial Services Commission for the relevant authorisation, in advance as soon as possible and not less than three months before the change is implemented.

    Payment service providers shall document emergency situations where changes were implemented and make the documentation available to the FCA on request.

  5. (5)

    Account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers, payment service providers issuing card-based payment instruments and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. This testing facility should be made available no later than six months before the target date for the market launch of the access interface.

    However, no sensitive information shall be shared through the testing facility.

  6. (6)

    The FCA shall ensure that account servicing payment service providers comply at all times with the obligations included in these Standards in relation to the interface(s) that they put in place. In the event that an account servicing payment services provider fails to comply with the requirements for interfaces laid down in these Standards, the FCA shall ensure that the provision of payment initiation services and account information services is not prevented or disrupted to the extent that the respective providers of such services comply with the conditions defined under Article 33(5).

Article 31 Access interface options

Account servicing payment service providers shall establish the interface(s) referred to in Article 30 by means of a dedicated interface or by allowing the use by the payment service providers referred to in Article 30(1) of the interfaces used for authentication and communication with the account servicing payment service provider’s payment services users.

Article 32 Obligations for a dedicated interface

  1. (1)

    Subject to compliance with Article 30 and 31, account servicing payment service providers that have put in place a dedicated interface shall ensure that the dedicated interface offers at all times the same level of availability and performance, including support, as the interfaces made available to the payment service user for directly accessing its payment account online.

  2. (2)

    Account servicing payment service providers that have put in place a dedicated interface shall define transparent key performance indicators and service level targets, at least as stringent as those set for the interface used by their payment service users both in terms of availability and of data provided in accordance with Article 36. Those interfaces, indicators and targets shall be monitored by the FCA and stress-tested.

  3. (3)

    Account servicing payment service providers that have put in place a dedicated interface shall ensure that this interface does not create obstacles to the provision of payment initiation and account information services. Such obstacles may include, among others, preventing the use by payment service providers referred to in Article 30(1) of the credentials issued by account servicing payment service providers to their customers, imposing redirection to the account servicing payment service provider's authentication or other functions, requiring additional authorisations and registrations in addition to those provided for in Regulations 4 and 6 of the Payment Services Regulations 2017 (SI 2017/752) or Articles 11, 14 and 15 of Directive (EU) 2015/2366 as they are implemented in Gibraltar, or requiring additional checks of the consent given by payment service users to providers of payment initiation and account information services.

  4. (4)

    For the purpose of paragraphs 1 and 2, account servicing payment service providers shall monitor the availability and performance of the dedicated interface. Account servicing payment service providers shall publish on their website quarterly statistics on the availability and performance of the dedicated interface and of the interface used by its payment service users.

Article 33 Contingency measures for a dedicated interface

  1. (1)

    Account servicing payment service providers shall include, in the design of the dedicated interface, a strategy and plans for contingency measures for the event that the interface does not perform in compliance with Article 32, that there is unplanned unavailability of the interface and that there is a systems breakdown. Unplanned unavailability or a systems breakdown may be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services are not replied to within 30 seconds.

  2. (2)

    Contingency measures shall include communication plans to inform payment service providers making use of the dedicated interface of measures to restore the system and a description of the immediately available alternative options payment service providers may have during this time.

  3. (3)

    Both the account servicing payment service provider and the payment service providers referred to in Article 30(1) shall report problems with dedicated interfaces as described in paragraph 1 to the FCA without delay.

  4. (4)

    As part of a contingency mechanism, payment service providers referred to in Article 30(1) shall be allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment service provider, until the dedicated interface is restored to the level of availability and performance provided for in Article 32.

  5. (5)

    For this purpose, account servicing payment service providers shall ensure that the payment service providers referred to in Article 30(1) can be identified and can rely on the authentication procedures provided by the account servicing payment service provider to the payment service user. Where the payment service providers referred to in Article 30(1) make use of the interface referred to in paragraph 4 they shall:

    1. (a)

      take the necessary measures to ensure that they do not access, store or process data for purposes other than for the provision of the service as requested by the payment service user;

    2. (b)

      continue to comply with the obligations following from Regulations 69(3) and 70(3) of the Payment Services Regulations 2017 (SI 2017/752) respectively;

    3. (c)

      log the data that are accessed through the interface operated by the account servicing payment service provider for its payment service users, and provide, upon request and without undue delay, the log files to the FCA;

    4. (d)

      duly justify to the FCA, upon request and without undue delay, the use of the interface made available to the payment service users for directly accessing its payment account online;

    5. (e)

      inform the account servicing payment service provider accordingly.

  6. (6)

    The FCA will exempt account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism described under paragraph 4 where the dedicated interface meets all of the following conditions:

    1. (a)

      it complies with all the obligations for dedicated interfaces as set out in Article 32;

    2. (b)

      it has been designed and tested in accordance with Article 30(5) to the satisfaction of the payment service providers referred to therein;

    3. (c)

      it has been widely used for at least three months by payment service providers to offer account information services, payment initiation services and to provide confirmation on the availability of funds for card-based payments;

    4. (d)

      any problem related to the dedicated interface has been resolved without undue delay.

  7. (7)

    The exemption referred to in paragraph 6 will be revoked where the conditions 6(a) and 6(d) are not met by the account servicing payment service providers for more than two consecutive calendar weeks. The FCA will ensure that the account servicing payment service provider establishes, within the shortest possible time and at the latest within two months, the contingency mechanism referred to in paragraph 4.

Article 34 Certificates

  1. (1)

    For the purpose of identification, as referred to in Article 30(1)(a), account servicing payment service providers shall accept both of the following electronic means of identification:

    1. (a)

      qualified certificates for electronic seals as referred to in Article 3(30) of the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust service for electronic transactions in the internal market, as amended by the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019 as came into force on IP completion day as defined in the European Union (Withdrawal Agreement) Act 2020, or for website authentication as referred to in Article 3(39) of the same Regulations;

    2. (b)

      at least one other form of identification issued by an independent third party that is not unduly burdensome for payment service providers to obtain; and

    account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments shall rely on one of the above means of identification.

  2. (2)

    For the purpose of these Standards, referred to in paragraph 1, the registration number as referred to in the official records in accordance with Annex III(c) or Annex IV(c) to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust service for electronic transactions in the internal market as amended by the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019 as came into force on IP completion day as defined in the European Union (Withdrawal Agreement) Act 2020 and the registration number referred to in paragraph 8, shall be the authorisation or registration number of the payment service provider issuing card-based payment instruments, the account information service providers and payment initiation service providers, including account servicing payment service providers providing such services, available in the public register of the UK pursuant to regulation 4 of the Payment Services Regulations (SI 2017/752) or section 347 of the Financial Services and Markets Act 2000, or in the case of such payment service providers incorporated and registered or authorised in Gibraltar, their incorporation number available in the Regulated Entities Register of the Gibraltar Financial Services Commission.

  3. (3)

    For the purposes of these Standards qualified certificates for electronic seals or for website authentication referred to in paragraph 1(a) shall include, in a language customary in the sphere of international finance, additional specific attributes in relation to each of the following:

    1. (a)

      the role of the payment service provider, which may be one or more of the following:

      1. (i)

        account servicing;

      2. (ii)

        payment initiation;

      3. (iii)

        account information;

      4. (iv)

        issuing of card-based payment instruments;

    2. (b)

      the name of the competent authorities where the payment service provider is registered.

  4. (4)

    The attributes referred to in paragraph 3 shall not affect the interoperability and recognition of qualified certificates for electronic seals or website authentication.

  5. (5)

    Where a form of identification under paragraph 1(b) is used, account servicing payment service providers must:

    1. (a)

      verify that the payment service provider is authorised or registered to perform the payment services relevant to its activities in a way that does not present an obstacle to the provision of payment initiation and account information services; and

    2. (b)

      satisfy itself that the independent third party issuing that form of identification is suitable and has sufficient systems and controls to verify the information contained in the digital certificate referred to in paragraph 8.

  6. (6)

    Account servicing payment service providers must make public the forms of identification they accept.

  7. (7)

    Payment service providers relying on a form of identification under paragraph 1(b) must notify the independent third party issuing that form of identification of any changes in identity information or regulatory authorisation in writing before such changes take effect or, where this is not possible, immediately after.

  8. (8)

    A form of identification accepted under paragraph 1(b) must be a digital certificate that:

    1. (a)

      is issued upon identification and verification of the payment service provider’s name, company number (if applicable) and its principal place of business;

    2. (b)

      gives appropriate assurance to account servicing payment service providers in relation to the authenticity of the data and the identity of the payment service provider;

    3. (c)

      represents the following information:

      1. (i)

        name of the issuer of the form of identification;

      2. (ii)

        the name of the payment service provider to whom the certificate is issued; and

      3. (iii)

        the registration number and competent authority of the payment service provider to whom the certificate is issued; and

    4. (d)

      is revoked where the payment service provider ceases to be authorised or registered or it would be inconsistent with its authorisation to carry on the relevant payment services.

Article 35 Security of communication session

  1. (1)

    Account servicing payment service providers, payment service providers issuing card-based payment instruments, account information service providers and payment initiation service providers shall ensure that, when exchanging data by means of the internet, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.

  2. (2)

    Payment service providers issuing card-based payment instruments, account information service providers and payment initiation service providers shall keep the access sessions offered by account servicing payment service providers as short as possible and they shall actively terminate any such session as soon as the requested action has been completed.

  3. (3)

    When maintaining parallel network sessions with the account servicing payment service provider, account information service providers and payment initiation service providers shall ensure that those sessions are securely linked to relevant sessions established with the payment service user(s) in order to prevent the possibility that any message or information communicated between them could be misrouted.

  4. (4)

    Account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments with the account servicing payment service provider shall contain unambiguous references to each of the following items:

    1. (a)

      the payment service user or users and the corresponding communication session in order to distinguish several requests from the same payment service user or users;

    2. (b)

      for payment initiation services, the uniquely identified payment transaction initiated;

    3. (c)

      for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the card-based payment transaction.

  5. (5)

    Account servicing payment service providers, account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments shall ensure that where they communicate personalised security credentials and authentication codes, these are not readable, directly or indirectly, by any staff at any time.

    In case of loss of confidentiality of personalised security credentials under their sphere of competence, those providers shall inform without undue delay the payment services user associated with them and the issuer of the personalised security credentials.

Article 36 Data exchanges

  1. (1)

    Account servicing payment service providers shall comply with each of the following requirements:

    1. (a)

      they shall provide account information service providers with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly requesting access to the account information, provided that this information does not include sensitive payment data;

    2. (b)

      they shall, immediately after receipt of the payment order, provide payment initiation service providers with the same information on the initiation and execution of the payment transaction provided or made available to the payment service user when the transaction is initiated directly by the latter;

    3. (c)

      they shall, upon request, immediately provide payment service providers with a confirmation in a simple 'yes' or 'no' format, whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer.

  2. (2)

    In case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements, the account servicing payment service provider shall send a notification message to the payment initiation service provider or the account information service provider and the payment service provider issuing card-based payment instruments which explains the reason for the unexpected event or error.

    Where the account servicing payment service provider offers a dedicated interface in accordance with Article 32, the interface shall provide for notification messages concerning unexpected events or errors to be communicated by any payment service provider that detects the event or error to the other payment service providers participating in the communication session.

  3. (3)

    Account information service providers shall have in place suitable and effective mechanisms that prevent access to information other than from designated payment accounts and associated payment transactions, in accordance with the user’s explicit consent.

  4. (4)

    Payment initiation service providers shall provide account servicing payment service providers with the same information as requested from the payment service user when initiating the payment transaction directly.

  5. (5)

    Account information service providers shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers for the purposes of performing the account information service in either of the following circumstances:

    1. (a)

      whenever the payment service user is actively requesting such information;

    2. (b)

      where the payment service user does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user’s consent.