Chapter 1 General provisions

Article 1 Subject matter

These Standards establish the requirements to be complied with by payment service providers for the purpose of implementing security measures which enable them to do the following:

(a) apply the procedure of strong customer authentication in accordance with Regulation 100 of the Payment Services Regulations 2017 (SI 2017/752);

(b) exempt the application of the security requirements of strong customer authentication, subject to specified and limited conditions based on the level of risk, the amount and the recurrence of the payment transaction and of the payment channel used for its execution;

(c) protect the confidentiality and the integrity of the payment service user’s personalised security credentials;

(d) establish common and secure open standards for the communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers in relation to the provision and use of payment services in application of Part 7 of the Payment Services Regulations 2017 (SI 2017/752).

Article 2 General authentication requirements

(1) Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions for the purpose of the implementation of the security measures referred to in points (a) and (b) of Article 1.

Those mechanisms shall be based on the analysis of payment transactions taking into account elements which are typical of the payment service user in the circumstances of a normal use of the personalised security credentials.

(2) Payment service providers shall ensure that the transaction monitoring mechanisms take into account, at a minimum, each of the following risk-based factors:

  (a) lists of compromised or stolen authentication elements;

  (b) the amount of each payment transaction;

  (c) known fraud scenarios in the provision of payment services;

  (d) signs of malware infection in any sessions of the authentication procedure;

  (e) where the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and of any abnormal use of that access device or software.

Article 3 Review of the security measures

(1) The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the payment service provider by auditors with expertise in IT security and payments who are operationally independent within or from the payment service provider.

(2) The period between the audits referred to in paragraph 1 shall be determined taking into account the relevant accounting and statutory audit framework applicable to the payment service provider.

However, payment service providers that make use of the exemption referred to in Article 18 shall be subject to an audit of the methodology, the model and the reported fraud rates at a minimum on a yearly basis. The auditor performing this audit shall have expertise in IT security and payments and be operationally independent within or from the payment service provider. During the first year of making use of the exemption under Article 18 and at least every three years thereafter, or more frequently at the FCA’s request, this audit shall be carried out by an independent and qualified external auditor.

(3) This audit shall present an evaluation of, and report on, the compliance of the payment service provider’s security measures with the requirements set out in these Standards.

The entire report shall be made available to the FCA upon its request.