
Annex II: Guidance on the Best Practices for Technology Risk and Information Security

C 15/2021 Effective from 6/6/2021

The following best practices will enable Payment Service Providers to operate adaptive and responsive cyber resilience processes. Payment Service Providers are encouraged to discuss and consider their application to improve their technology risk, information security and cyber resilience preparedness.

Technology Risk

An incident management framework with sufficient management oversight to ensure effective incident response and management capability to deal with significant incidents properly should include:

(i) timely reporting to the Central Bank of any confirmed technology-related fraud cases or major security breaches, including cyberattacks, cases of prolonged disruption of service and systemic incidents where Retail Payment Service Users suffer from monetary loss or Retail Payment Service Users’ interests are being affected (e.g. data leakage); and

(ii) a communication strategy to address the concerns any stakeholders may have arising from the incidents and restore the reputational damage that the incidents may cause.

Change Management

Payment Service Providers whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above are encouraged to:

(i) develop a formal change management process to ensure the integrity and reliability of the production environment and that the changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems and other IT facilities and equipment are proper and do not have any undesirable impact on the production environment. Formal procedures for managing emergency changes (including the record keeping and endorsement arrangement) should also be established to enable unforeseen problems to be addressed in a timely and controlled manner; and

(ii) adequately and accurately document control procedures and baseline security requirements, including all configurations and settings of operating systems, system software, databases, servers and network devices. They are also expected to perform periodic reviews of the compliance of the security settings with the baseline standards.

Project Life Cycle

A full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems should be established.

Where a software package is acquired from vendors, a formal software package acquisition process should be established to manage risks associated with acquisitions, such as breach of software license agreement or patent infringement.

Quality assurance reviews of major technology-related projects should be conducted by an independent party, with the assistance of the legal and compliance functions.

IT Governance

A set of IT control policies that fits the business model and technology applications should be implemented. The IT control policies, which establish the ground rules for IT controls, should be formally approved by Management and properly implemented among IT functions and business units. The processes used to verify compliance with IT control policies, and the process for seeking appropriate approval by Management for dispensation from IT control policies, should also be clearly specified, and the consequences associated with any failure to adhere to these processes should be enforced.

Security Requirements

Guidelines and standards for software development should be adopted with reference to industry generally accepted practices on secure development. Source code reviews (e.g. peer review and automated analysis review), which could be risk-based, should be conducted as part of a software quality assurance process.

Formal testing and acceptance processes should be conducted to ensure that only properly tested and approved systems are promoted to the production environment. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.

Segregated environments for development, testing and production purposes should be maintained. System testing and user acceptance testing (UAT) should be properly carried out in the testing environment. Production data should not be used in development or acceptance testing unless the data has been desensitized and prior approval from the information owner has been obtained.

A segregation of duties among IT teams should be introduced. Developers should not be permitted to access production libraries or to promote programming code into the production environment. If automated tools are used for the promotion of programming code, adequate monitoring, reviews and checks by independent teams should be done. Vendor access to the UAT environment, if necessary, should be closely monitored.

An inventory of end-user developed applications should be established and, where necessary, control practices and responsibilities with respect to end-user computing, covering areas such as ownership, development standards, data security, documentation, data/file storage and backup, system recovery, audit responsibilities and training.

A problem management process to identify, classify, prioritize and address all IT problems in a timely manner should be established. It should perform a trend analysis of past incidents regularly to facilitate the identification and prevention of similar problems.

Network and Infrastructure Management

Network security devices such as firewalls should be installed at critical junctures of the Payment Service Provider’s IT infrastructure to secure the connection to untrusted external networks, such as the Internet, and connections with third parties.

Where mobile devices are provided to employees, policies and procedures covering, among others, requisition, authentication, hardening, encryption, data backup and retention should be established.

Adequate measures to maintain appropriate segregation of databases for different purposes, to prevent unauthorized or unintended access or retrieval, and robust access controls should be enforced to ensure the confidentiality and integrity of the databases. In respect of any Personal Data of Retail Payment Service Users, including Merchants, compliance with the relevant data protection laws, as well as any relevant codes of practice, guidelines or best practice issued by the Central Bank or any other relevant authorities, should be assessed from time to time.

Access to the information and application systems should be restricted by an adequate authentication mechanism associated with access control rules. A role-based access control framework should be adopted and access rights should be granted on a need-to-have basis.

Cyber Security Risk

The trends in cyber threats should be considered, including by subscribing to quality cyber threat intelligence services relevant to the provision of Retail Payment Services, to enhance the ability to respond precisely and in a timely manner to new types of threat. The Payment Service Provider may also seek opportunities to collaborate with other organizations to share and gather cyber threat intelligence, with the aim of helping the Retail Payment Services industry to better prepare for and manage cyber security risks.

Monitoring or surveillance systems should be operated to ensure that the Payment Service Provider is alerted to any suspicious or malicious system activities, such as multiple sessions of the same account from different geographic locations. Real-time monitoring of cyber events for critical systems should be performed to facilitate the prompt detection of anomalous activities.
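The detection rule in the paragraph above, worked through as an added example (not part of the circular): it assumes a simple CSV session log of timestamp, account, session id and country, and treats two sessions of the same account as concurrent when they start within one hour of each other.

```python
"""Alert on the same account opening sessions from different geographic
locations within a short window (assumed log shape and window, not the
circular's)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session log: timestamp,account,session_id,country.
SAMPLE_LOG = """\
2021-06-06T09:00:00,acct-1001,s1,AE
2021-06-06T09:02:00,acct-1001,s2,AE
2021-06-06T09:05:00,acct-2002,s3,AE
2021-06-06T09:06:30,acct-2002,s4,GB
2021-06-06T12:00:00,acct-3003,s5,AE
2021-06-06T18:00:00,acct-3003,s6,US
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, account, session_id, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, session_id, country = line.split(",")
        events.append((datetime.fromisoformat(ts), account, session_id, country))
    return events


def find_geo_conflicts(events, window=timedelta(hours=1)):
    """Return (account, earlier_session, later_session, geo_a, geo_b) for every
    pair of sessions of one account that start within `window` from
    different countries. Sessions are processed in time order per account."""
    by_account = defaultdict(list)
    for ts, account, session_id, country in sorted(events):
        by_account[account].append((ts, session_id, country))
    alerts = []
    for account, sessions in by_account.items():
        for i, (ts_a, sid_a, geo_a) in enumerate(sessions):
            for ts_b, sid_b, geo_b in sessions[i + 1:]:
                if ts_b - ts_a > window:
                    break  # sorted, so later sessions are further away still
                if geo_a != geo_b:
                    alerts.append((account, sid_a, sid_b, geo_a, geo_b))
    return alerts


def alerts_for_sample():
    """Run the rule over the constructed log; only acct-2002 should fire."""
    return find_geo_conflicts(parse_log(SAMPLE_LOG))
```

acct-3003 also changes country, but six hours apart, so it falls outside the window; a production rule would add a travel-time plausibility check and look at open sessions, not just session starts.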

Close attention should be paid to evolving risks related to accessing critical IT infrastructure, and appropriate measures should be taken accordingly.

Payment Acceptance Devices

Retail Payment Service User devices should be assumed to be exposed to security vulnerabilities, and appropriate measures should be taken when designing, developing and maintaining Retail Payment Services. Security measures should be taken to guard against different compromising situations, including unauthorized device access, malware or virus attack, a compromised or unsecure state of the mobile device, and unauthorized mobile applications.

Where Merchants use mobile devices to accept a Payment Service Provider’s Retail Payment Services, additional security measures should be implemented to safeguard the mobile payment acceptance solution, including the detection of abnormal activities and logging them in reports, and the provision of Merchant identification for Retail Payment Service Users to validate identity.

Retail Payment Service User Authentication

Retail Payment Service User authentication should be based on multi-factor authentication combining any two or more of the following three factors:

(i) verification information a Retail Payment Service User knows (e.g. user IDs and passwords);

(ii) verification information a Retail Payment Service User has been provided with or possesses (e.g. one-time passwords generated by a security token or a Payment Service Provider’s security systems); and

(iii) physical verification information belonging to a Retail Payment Service User (e.g. retina, fingerprint or voice recognition).

If a password (including a personal identification number) is used as one factor of authentication, adequate controls related to the strength of the password (e.g. minimum password length) should be put in place.
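An added example (not the circular's own code) of the authentication decision described above: a password with a minimum-length control as the knowledge factor, an RFC 6238 time-based one-time password from a security token as the possession factor, and a final check that factors from at least two distinct categories verified. The policy values and demo credentials are assumptions; the OTP secret is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import struct

# Assumed policy values and constructed demo credentials (not from the circular).
MIN_PASSWORD_LENGTH = 12
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}  # factors (i), (ii), (iii)
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "correct horse battery"
DEMO_HASH = hashlib.pbkdf2_hmac("sha256", DEMO_PASSWORD.encode(), DEMO_SALT, 200_000)
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """RFC 6238 TOTP check tolerating +/- `skew` time steps, constant-time compare."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def verify_password(stored_hash: bytes, salt: bytes, password: str) -> bool:
    """Knowledge factor: enforce the minimum length, then compare a PBKDF2 hash."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(derived, stored_hash)


def authenticate(results: dict) -> bool:
    """Grant access only when factors from at least two DISTINCT categories
    verified; `results` maps a category name to that factor's check outcome."""
    passed = {cat for cat, ok in results.items() if ok and cat in FACTOR_CATEGORIES}
    return len(passed) >= 2


def demo_login(password: str, otp: str, now: int) -> bool:
    """Password (knowledge) plus token OTP (possession) against the demo credentials."""
    return authenticate({
        "knowledge": verify_password(DEMO_HASH, DEMO_SALT, password),
        "possession": verify_totp(DEMO_TOTP_SECRET, otp, now),
    })
```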

Login attempts and session management

Robust log files allowing retrieval of historical data, including a full audit trail of additions, modifications or deletions of transactions, should be provided. Access to such tools, including privileged responsibilities, should only be available to authorized personnel and should be appropriately logged.

Retail Payment Service Users should be provided with channels to check their Past Payment Transactions.

Fraud Detection Systems

Payment Transaction monitoring mechanisms designed to prevent, detect and block fraudulent Payment Transactions should be operated by Payment Service Providers providing Payment Token Services and by Payment Service Providers whose monthly average value of Payment Transactions amounts to ten (10) million Dirhams or above. Suspicious or high-risk transactions should be subject to a specific screening, filtration and evaluation procedure.