Single Rulebook Q&A

Question ID: 2018_4366
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: a
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: 22, (2)(a)
Name of institution / submitter: VBB AS
Country of incorporation / residence: Norway
Type of submitter: Other
Subject matter: Showing a password after it has been masked
Question:

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it OK to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?


Background on the question:

In the Bank “N” ID web client, users enter their security credentials in three different windows when authenticating. First you enter your SSN, then in the next window you enter your one-time password, and finally you enter the personal password. Our question is related to the latter: if the security credential is masked when displayed, can the user be offered a "show password" button, so the entered password can be controlled by the end user in plain text before submitting it?


Date of submission: 09/11/2018
Published as Final Q&A: 08/02/2019
EBA answer:

Article 22(1) of the Commission Delegated Regulation (EU) 2018/389 states that payment service providers (PSPs) shall ensure “the confidentiality and integrity of the personalised security credentials of the payment service user […] during all phases of authentication”. Article 22(2) continues by stating that for that purpose they should ensure that “personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication”; “personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plain text”; and “secret cryptographic material is protected from unauthorised disclosure”. In other words, personalised security credentials (PSC) cannot be stored in plain text, PSCs shall be protected from unauthorised disclosure and they should be masked when displayed and not readable in their full extent. It follows that the PSP should not display the password if readable in its full extent. However, it could display one character of the password as and when the payment service user inputs it, while masking the other characters of the password.
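
One way to implement the display rule the answer describes, as an added example that is neither EBA text nor the bank's code: the controller below keeps the credential in a closure, renders every character masked except the one just typed, re-masks it after a short delay, and offers no "show all" operation. The names `renderMasked`, `revealsInFullExtent`, `createMaskedField`, `onRender` and the 800 ms hold time are assumptions made for this example.

```javascript
// Added example (not EBA or submitter code): credential entry that follows the
// EBA answer: all characters masked, only the character just typed shown briefly,
// and no reveal-all operation at all.
const MASK = '\u2022'; // bullet used for masked positions

// What the UI may render for a credential: every position masked, optionally
// with the most recently entered character left readable.
function renderMasked(credential, { revealLast = false } = {}) {
  const chars = Array.from(credential); // split by code point, not UTF-16 unit
  return chars
    .map((ch, i) => (revealLast && i === chars.length - 1 ? ch : MASK))
    .join('');
}

// True when a rendering exposes the credential "in its full extent", which is
// what a conventional "show password" toggle produces.
function revealsInFullExtent(rendered, credential) {
  return credential.length > 0 && rendered === credential;
}

// Field controller: keeps the secret in a closure and only ever hands the
// masked rendering to onRender. schedule/cancel default to the browser timers
// and are injectable so the re-masking delay can be driven in tests.
function createMaskedField(onRender, opts = {}) {
  const { holdMs = 800, schedule = setTimeout, cancel = clearTimeout } = opts;
  let secret = '';
  let timer = null;
  const show = (revealLast) => onRender(renderMasked(secret, { revealLast }));
  return {
    type(ch) {          // one character entered: show it, then re-mask
      secret += ch;
      cancel(timer);
      show(true);
      timer = schedule(() => show(false), holdMs);
    },
    backspace() {       // delete the last character; never reveal the new tail
      secret = Array.from(secret).slice(0, -1).join('');
      cancel(timer);
      show(false);
    },
    submit() {          // hand the credential to the authentication step
      const value = secret;
      secret = '';
      cancel(timer);
      show(false);
      return value;
    },
  };
}
```

In a browser the controller is driven from the field's key events and `onRender` writes to the visible element, so the credential is never placed in a readable DOM attribute.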

Status: Final Q&A