Chapter 3 Exemptions from strong customer authentication
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and, where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data:
the balance of one or more designated payment accounts;
the payment transactions executed in the last 90 days through one or more designated payment accounts.
For the purpose of paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where either of the following conditions are met:
the payment service user is accessing online the information specified in paragraph 1 for the first time;
more than 90 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b) and strong customer authentication was applied.