Section 2 Specific requirements for the common and secure open standards of communication
Article 30 General obligations for access interfaces
- (1)
Account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements:
- (a)
account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments are able to identify themselves towards the account servicing payment service provider;
- (b)
account information service providers are able to communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions;
- (c)
payment initiation service providers are able to communicate securely to initiate a payment order from the payer’s payment account and receive all information on the initiation of the payment transaction and all information accessible to the account servicing payment service providers regarding the execution of the payment transaction.
- (2)
For the purposes of authentication of the payment service user, the interface referred to in paragraph 1 shall allow account information service providers and payment initiation service providers to rely on all the authentication procedures provided by the account servicing payment service provider to the payment service user.
The interface shall at least meet all of the following requirements:
- (a)
a payment initiation service provider or an account information service provider shall be able to instruct the account servicing payment service provider to start the authentication based on the consent of the payment service user;
- (b)
communication sessions between the account servicing payment service provider, the account information service provider, the payment initiation service provider and any payment service user concerned shall be established and maintained throughout the authentication;
- (c)
the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the payment initiation service provider or the account information service provider shall be ensured.
- (3)
Account servicing payment service providers shall ensure that their interfaces follow standards of communication which are issued by international standardisation organisations.
Account servicing payment service providers shall also ensure that the technical specification of any of the interfaces is documented specifying a set of routines, protocols, and tools needed by payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments for allowing their software and applications to interoperate with the systems of the account servicing payment service providers.
Account servicing payment service providers shall at a minimum, and no later than the date of the market launch of the access interface, make the documentation available, at no charge, upon request by authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments or payment service providers that have applied to the FCA or the Gibraltar Financial Services Commission for the relevant authorisation, and shall make a summary of the documentation publicly available on their website.
- (4)
In addition to paragraph 3, account servicing payment service providers shall ensure that, except for emergency situations, any change to the technical specification of their interface is made available to authorised payment initiation service providers, account information service providers and payment service providers issuing card-based payment instruments, or payment service providers that have applied to the FCA or the Gibraltar Financial Services Commission for the relevant authorisation, in advance as soon as possible and not less than three months before the change is implemented.
Payment service providers shall document emergency situations where changes were implemented and make the documentation available to the FCA on request.
- (5)
Account servicing payment service providers shall make available a testing facility, including support, for connection and functional testing to enable authorised payment initiation service providers, payment service providers issuing card-based payment instruments and account information service providers, or payment service providers that have applied for the relevant authorisation, to test their software and applications used for offering a payment service to users. This testing facility should be made available no later than the date of the market launch of the access interface.
However, no sensitive information shall be shared through the testing facility.
- (6)
The FCA shall ensure that account servicing payment service providers comply at all times with the obligations included in these Standards in relation to the interface(s) that they put in place. In the event that an account servicing payment services provider fails to comply with the requirements for interfaces laid down in these Standards, the FCA shall ensure that the provision of payment initiation services and account information services is not prevented or disrupted to the extent that the respective providers of such services comply with the conditions defined under Article 33(5).