Payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.
For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:
the association of the payment service user’s identity with personalised security credentials, authentication devices and software is carried out in secure environments under the payment service provider’s responsibility comprising at least the payment service provider’s premises, the internet environment provided by the payment service provider or other similar secure websites used by the payment service provider and its automated teller machine services, and taking into account risks associated with devices and underlying components used during the association process that are not under the responsibility of the payment service provider;
the association by means of a remote channel of the payment service user’s identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.
Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.