Article 27 Destruction, deactivation and revocation

Payment service providers shall ensure that they have effective processes in place to apply each of the following security measures:

  1. (a)

    the secure destruction, deactivation or revocation of the personalised security credentials, authentication devices and software;

  2. (b)

    where the payment service provider distributes reusable authentication devices and software, the secure re-use of a device or software is established, documented and implemented before making it available to another payment services user;

  3. (c)

    the deactivation or revocation of information related to personalised security credentials stored in the payment service provider’s systems and databases and, where relevant, in public repositories.