(1) An Authorised Firm must, except as provided in PIB Rule 6.13.4, apply strong customer authentication where a User:
(a) accesses a Payment Account online, either directly or through an Account Information Service;
(b) initiates an electronic Payment Transaction; or
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
(2) If a payer initiates a Payment Transaction directly or through a Payment Initiation Service, the Authorised Firm must apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.
(3) If a multipurpose device is used in the SCA process, the Authorised Firm must adopt adequate security measures that mitigate the risk of the device being compromised.
(4) The Authorised Firm must maintain adequate security measures to protect the confidentiality and integrity of Users’ personal security credentials.
Derived from DFSA RMI270/2020 (Made 26th February 2020). [VER36/04-20]