14.5.1Where the data is shared outside of own network or when the data is related to any card transactions, the Licensed Person must use stronger encryption techniques to suitably encrypt such data;
14.5.2The customer and transaction database must be held/stored within the UAE;
14.5.3Outside parties must not be given access to the customer/transaction database which must be held completely proprietary at all times. Restricted access may be given to the IT service provider, in case the IT function is outsourced, to carry out maintenance of computer hardware, network or applications;
14.5.4Appropriate policies must be introduced for the back-up and off-site storage of back-up data of all enterprise servers, databases, network servers and system software;
14.5.5The Licensed Person must have a procedure for the back-up of systems that may include details of back-up frequency, information to be backed-up, storage media, back-up retention period, recirculation of the media and periodical testing of the back-up copies for data availability; and
14.5.6Disaster Recovery (DR) drills must be conducted at regular intervals to ensure that the DR set-up is functional.