A Payment Account Information Service Provider must obtain consent from the Payment Service User before providing its service.
(2)
A Payment Account Information Service Provider must delete the relevant data and information belonging to the Payment Service User when consent is withdrawn or cancelled (insofar as it does not conflict with applicable obligations under the relevant laws, regulations and instructions).
(3)
A Payment Account Information Service Provider must ensure that the Personalized Security Credentials of the Payment Service User are not, with the exception of the user and the issuer of the Personalized Security Credentials, accessible to other parties and that they are transmitted through safe and efficient channels.
(4)
A Payment Account Information Service Provider must securely communicate with the Payment Account Service Provider and identify itself for each communication session.
(5)
A Payment Account Information Service Provider shall only access information from designated Payment Accounts and associated with the relevant Payment Transactions.
(6)
A Payment Account Information Service Provider shall not request Sensitive Data linked to Payment Accounts that could be used to carry out fraudulent transactions.
(7)
A Payment Account Information Service Provider shall not use, access or store any data for purposes other than performing the service requested by the Payment Service User.