1. The payment service provider issuing a payment instrument shall:
(a) make sure that the personalised
security credentials are not accessible to parties other than the
payment service user that is entitled to use the payment instrument,
without prejudice to the obligations on the payment service user set out
in Article 69;
(b) refrain from sending an unsolicited
payment instrument, except where a payment instrument already given to
the payment service user is to be replaced;
(c) ensure that appropriate means are
available at all times to enable the payment service user to make a
notification pursuant to point (b) of Article 69(1) or to request
unblocking of the payment instrument pursuant to Article 68(4); on
request, the payment service provider shall provide the payment service
user with the means to prove, for 18 months after notification, that the
payment service user made such a notification;
(d) provide the payment service user with
an option to make a notification pursuant to point (b) of Article 69(1)
free of charge and to charge, if at all, only replacement costs directly
attributed to the payment instrument;
(e) prevent all use of the payment instrument once notification pursuant to point (b) of Article 69(1) has been made.
2. The payment service provider shall bear the
risk of sending a payment instrument or any personalised security
credentials relating to it to the payment service user.