PIB 6.13.3 Guidance

1. An Authorised Firm should, as best practice in maintaining the integrity of strong customer authentication, try to ensure that:
(a) no element of ‘knowledge’, ‘possession’ or ‘inherence’ (as defined in PIB Rule 6.13.2) can be derived from the disclosure of the authentication code;
(b) it is not possible to generate a new authentication code based on an old one;
(c) the authentication code cannot be forged;
(d) where the authentication through a remote channel has failed to generate an authentication code, it is not possible to identify which of the SCA elements was incorrect;
(e) a maximum of 5 failed consecutive authentication attempts within a given period result in the account being temporarily or permanently blocked;
(f) the duration and number of retries for a temporary block should be linked to the service offered and trigger a fraud risk alert; and
(g) the User is alerted before the block becomes permanent and a secure procedure is established to regain the use of the blocked payment instrument.
2. An Authorised Firm should, as best practice in maintaining the integrity of User security credentials (USC), endeavour:
(a) not to allow the USC to be fully readable when inputted by the User or by its own staff;
(b) to ensure that the USC always remain encrypted and no information relating to the USC is stored in plain text;
(c) to protect secret cryptographic material from unauthorised disclosure;
(d) to document the process used to encrypt or otherwise render the USCs unreadable;
(e) to adopt measures to mitigate the risk of unauthorised use of compromised USCs;
(f) to ensure secure delivery of the USC to the User, secure association of the USC with the User and the secure disposal of the USC once it is obsolete; and
(g) to immediately inform the User and the issuer of the USC (if another firm) in the event a USC is compromised under the firm's sphere of control.
3. Dynamic linking referred to in PIB Rule 6.13.3(2) may include:
(a) the User being made aware of the payment amount and the beneficiary;
(b) the authentication code generated using SCA being specific to the transaction amount and the beneficiary; and
(c) any change to the amount or the beneficiary resulting in the authentication code becoming invalid.
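The properties in paragraph 1(b) to 1(f) and the dynamic linking in paragraph 3 can be illustrated with one construction. The following is an added example, not DFSA guidance and not any firm's implementation: the authentication code is a truncated HMAC-SHA256 over the User, the amount, the beneficiary and a fresh nonce, so that the code cannot be forged without the key, an old code gives no way to compute a new one, and any change to the amount or beneficiary makes the code invalid. Every failure path returns the same result so the caller cannot learn which element was wrong, and five consecutive failures trigger a temporary block and a fraud risk alert. The eight-digit length, the five-minute code lifetime, the ten-minute block and the in-memory state are assumptions chosen for the example; key storage (paragraph 2(c)) and the permanent-block warning procedure (paragraph 1(g)) are out of scope.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed parameters for this example; a firm would set them per service (para 1(f)).
CODE_DIGITS = 8
CODE_TTL_SECONDS = 300       # an issued code expires after 5 minutes
MAX_FAILED_ATTEMPTS = 5      # para 1(e)
BLOCK_SECONDS = 600          # temporary block once the limit is reached


@dataclass
class UserState:
    """Per-User authentication state (kept in memory here; a real deployment uses a store)."""
    failed_attempts: int = 0
    blocked_until: float = 0.0
    outstanding: dict = field(default_factory=dict)   # nonce -> time the code was issued
    alerts: list = field(default_factory=list)        # fraud risk alerts raised (para 1(f))


def canonical(user_id: str, amount: str, beneficiary: str, nonce: str) -> bytes:
    """Length-prefix every field so moving characters between fields cannot yield the same message."""
    out = b""
    for part in (user_id, amount, beneficiary, nonce):
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def derive_code(key: bytes, user_id: str, amount: str, beneficiary: str, nonce: str) -> str:
    """Authentication code = truncated HMAC over User, amount, beneficiary and a fresh nonce.

    Keyed, so it cannot be forged without the key (para 1(c)). A fresh nonce per issuance means
    an old code gives no way to compute a new one (para 1(b)). Amount and beneficiary are inputs,
    so changing either changes the code (para 3(b), 3(c)).
    """
    mac = hmac.new(key, canonical(user_id, amount, beneficiary, nonce), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


def issue(key: bytes, state: UserState, user_id: str, amount: str, beneficiary: str, now=None):
    """Create a transaction-bound code. The caller shows the amount and beneficiary to the User
    together with the code on the SCA channel (para 3(a))."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    state.outstanding[nonce] = now
    return nonce, derive_code(key, user_id, amount, beneficiary, nonce)


def verify(key: bytes, state: UserState, user_id: str, amount: str, beneficiary: str,
           nonce: str, code: str, now=None) -> str:
    """Check a submitted code against the transaction actually being executed.

    Returns exactly one of "ok", "invalid", "blocked". Every failure path returns the same
    "invalid", so the caller cannot tell which element was wrong (para 1(d)).
    """
    now = time.time() if now is None else now
    if now < state.blocked_until:
        return "blocked"
    if state.blocked_until and now >= state.blocked_until:
        # A temporary block has lapsed: start a new counting window.
        state.failed_attempts = 0
        state.blocked_until = 0.0

    issued_at = state.outstanding.get(nonce)
    fresh = issued_at is not None and (now - issued_at) <= CODE_TTL_SECONDS
    expected = derive_code(key, user_id, amount, beneficiary, nonce)
    # Always derive and compare, even for an unknown nonce, so timing does not reveal which
    # check failed; compare_digest runs in constant time for equal-length inputs.
    match = hmac.compare_digest(expected.encode("ascii"), code.encode("utf-8"))

    if fresh and match:
        state.outstanding.pop(nonce)      # one-time use: a replayed code is rejected
        state.failed_attempts = 0
        return "ok"

    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.blocked_until = now + BLOCK_SECONDS
        # Constructed alert text; a firm would route this to its fraud monitoring.
        state.alerts.append(f"{user_id}: {MAX_FAILED_ATTEMPTS} consecutive SCA failures, "
                            f"blocked until {state.blocked_until}")
    return "invalid"
```

At verification the amount and beneficiary are taken from the transaction being executed, not from what was displayed, so a payment altered in transit fails with the same "invalid" as a mistyped code.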
4. The security measures referred to in PIB Rule 6.13.3(4) may include:
(a) the use of separated secure execution environments through the software installed on the device;
(b) mechanisms to ensure that the software or device has not been, and cannot be, altered by the User or a third party; and
(c) where alterations have taken place, mechanisms to mitigate the consequences.
Derived from DFSA RMI270/2020 (Made 26th February 2020). [VER36/04-20]