Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it OK to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?
In the Bank “N” ID Web-client, the users enter their security credentials in three different windows when authenticating. First you enter your SSN, then in the next window you enter your one-time password, and finally you enter the personal password. Our question is related to the latter: if the security credential is masked when displayed, can the user be offered a "show password" button, so the entered password can be controlled by the end user in plain text before submitting it?
Article 22(1) of the Commission Delegated Regulation (EU) 2018/389 states that payment service providers (PSPs) shall ensure “the confidentiality and integrity of the personalised security credentials of the payment service user […] during all phases of authentication”. Article 22(2) continues by stating that for that purpose they should ensure that “personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication”; “personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plain text”; and “secret cryptographic material is protected from unauthorised disclosure”. In other words, personalised security credentials (PSC) cannot be stored in plain text, PSCs shall be protected from unauthorised disclosure and they should be masked when displayed and not readable in their full extent. It follows that the PSP should not display the password if readable in its full extent. However, it could display one character of the password as and when the payment service user inputs it, while masking the other characters of the password.
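To make the distinction in the answer concrete, here is an added illustration (not code from the EBA Q&A, the regulation, or any bank's client) of a web-client credential field model that always renders the entered characters masked and reveals at most the single character just typed, which is the behaviour the answer permits, and a compliance check that rejects any rendering exposing more than one character, which is what a "show password" button would produce. The class, method names and the bullet mask character are assumptions for illustration; a real client would drive `type`/`backspace`/`settle` from keystroke and timer events and write `render()` into the DOM.

```javascript
// Added example: credential field model that masks all but the most recently
// typed character (RTS Art. 22(2)(a) behaviour). Names are illustrative only.
const MASK_CHAR = '\u2022'; // bullet used in place of each hidden character

class MaskedCredentialField {
  constructor() {
    this.value = '';              // the real credential, kept only in memory
    this.lastTypedVisible = false; // whether the newest character is revealed
  }

  // Payment service user types one character: only that character is shown.
  type(ch) {
    this.value += ch;
    this.lastTypedVisible = true;
    return this.render();
  }

  // Deleting a character never reveals the one that becomes last.
  backspace() {
    this.value = this.value.slice(0, -1);
    this.lastTypedVisible = false;
    return this.render();
  }

  // Called when the short reveal window ends (timer or focus change):
  // the field returns to fully masked display.
  settle() {
    this.lastTypedVisible = false;
    return this.render();
  }

  // What the screen shows: every character masked except, optionally, the last.
  render() {
    if (this.value.length === 0) return '';
    const hiddenPrefix = MASK_CHAR.repeat(this.value.length - 1);
    const tail = this.lastTypedVisible ? this.value.slice(-1) : MASK_CHAR;
    return hiddenPrefix + tail;
  }

  // A "show password" toggle would hand the whole credential to the display
  // layer; modelled here only so the check below can reject it.
  revealAll() {
    return this.value;
  }

  // Compliance check for a rendering: no more than one plain character may be
  // visible, so the credential is never "readable in its full extent".
  static isCompliantRendering(rendered) {
    const visibleCount = [...rendered].filter(c => c !== MASK_CHAR).length;
    return visibleCount <= 1;
  }
}

// Constructed walk-through of a user entering a four-character credential.
function demo() {
  const field = new MaskedCredentialField();
  const frames = [];
  for (const ch of 'p4ss') frames.push(field.type(ch));
  frames.push(field.settle());
  const perKeystrokeOk = frames.every(MaskedCredentialField.isCompliantRendering);
  const showPasswordOk = MaskedCredentialField.isCompliantRendering(field.revealAll());
  return { frames, perKeystrokeOk, showPasswordOk };
}
```

Running `demo()` shows each keystroke frame with only the newest character visible, then a fully masked frame after `settle()`; the per-keystroke renderings pass the check while the `revealAll()` output (the "show password" case) fails it.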