Article 5 Dynamic linking

  (1) Where payment service providers apply strong customer authentication in accordance with Regulation 100(2) of the Payment Services Regulations 2017 (SI 2017/752), in addition to the requirements of Article 4 of these Standards, they shall also adopt security measures that meet each of the following requirements:

    (a) the payer is made aware of the amount of the payment transaction and of the payee;

    (b) the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;

    (c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;

    (d) any change to the amount or the payee results in the invalidation of the authentication code generated.

  (2) For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:

    (a) the amount of the transaction and the payee throughout all of the phases of the authentication;

    (b) the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code.

  (3) For the purpose of paragraph 1(b) and where payment service providers apply strong customer authentication in accordance with Regulation 100(2) of the Payment Services Regulations 2017 (SI 2017/752) the following requirements for the authentication code shall apply:

    (a) in relation to a card-based payment transaction for which the payer has given consent to the exact amount of the funds to be blocked pursuant to Regulation 78 of the Payment Services Regulations 2017 (SI 2017/752), the authentication code shall be specific to the amount that the payer has given consent to be blocked and agreed to by the payer when initiating the transaction;

    (b) in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees.
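
An illustration of the binding described in paragraphs (1)(b) to (d) and (3)(b), added here and not part of the Standards: one possible construction, assumed for this example, derives the authentication code as an HMAC-SHA256 over the amount, currency and payee(s). The key, nonce, payee identifiers and all function names are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions for this example only).
KEY = b"constructed-per-payer-secret-key"
NONCE = b"constructed-txn-nonce-0001"


def _canonical(amount_minor, currency, payees, nonce):
    """Encode the transaction unambiguously: every field is length-prefixed,
    so "AB"+"C" and "A"+"BC" can never produce the same byte string."""
    fields = [str(amount_minor).encode(), currency.encode(), nonce]
    fields += [p.encode() for p in sorted(payees)]  # payee order is irrelevant
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def make_auth_code(key, amount_minor, currency, payees, nonce):
    """Code bound to the amount (total amount for a batch) and the payee(s)."""
    msg = _canonical(amount_minor, currency, payees, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(key, code, amount_minor, currency, payees, nonce):
    """Recompute over the transaction actually submitted for execution; any
    change to amount or payee gives a different code, so the check fails."""
    expected = make_auth_code(key, amount_minor, currency, payees, nonce)
    return hmac.compare_digest(expected, code)


def demo():
    payee = "GB00CONSTRUCTED0000000001"  # constructed payee identifier
    code = make_auth_code(KEY, 12_50, "GBP", [payee], NONCE)
    return {
        "original": verify_auth_code(KEY, code, 12_50, "GBP", [payee], NONCE),
        "amount_changed": verify_auth_code(KEY, code, 1250_00, "GBP", [payee], NONCE),
        "payee_changed": verify_auth_code(
            KEY, code, 12_50, "GBP", ["GB00CONSTRUCTED0000000002"], NONCE),
    }


if __name__ == "__main__":
    print(demo())
```

Amounts are passed in minor units (pence) so that no floating-point rounding can alter the value the code is bound to.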