Article 25 Delivery of credentials, authentication devices and software

  1. (1)

    Payment service providers shall ensure that the delivery of personalised security credentials, authentication devices and software to the payment service user is carried out in a secure manner designed to address the risks related to their unauthorised use due to their loss, theft or copying.

  2. (2)

    For the purpose of paragraph 1, payment service providers shall at least apply each of the following measures:

    1. (a)

      effective and secure delivery mechanisms ensuring that the personalised security credentials, authentication devices and software are delivered to the legitimate payment service user;

    2. (b)

      mechanisms that allow the payment service provider to verify the authenticity of the authentication software delivered to the payment services user by means of the internet;

    3. (c)

      arrangements ensuring that, where the delivery of personalised security credentials is executed outside the premises of the payment service provider or through a remote channel:

      1. (i)

        no unauthorised party can obtain more than one feature of the personalised security credentials, the authentication devices or software when delivered through the same channel;

      2. (ii)

        the delivered personalised security credentials, authentication devices or software require activation before usage;

    4. (d)

      arrangements ensuring that, in cases where the personalised security credentials, the authentication devices or software have to be activated before their first use, the activation shall take place in a secure environment in accordance with the association procedures referred to in Article 24.