PIB 6.13 Management of Operational Risk in Money Services
This section applies to an Authorised Firm that provides:
(a) Money Services;
(b) Account Information Services; or
(c) Payment Initiation Services.
Definition of strong customer authentication
PIB 6.13.2
(1) In this section, “strong customer authentication” or “SCA” means authentication that is based on the use of two or more elements that are:
(a) independent, in that breach of one element does not compromise the reliability of any other element; and
(b) designed in such a way as to protect the confidentiality of the authentication data.
(2) The elements in (1)(a) must consist of two or more of the following:
(a) something known only by the User (“knowledge”);
(b) something held only by the User (“possession”); or
(c) something inherent to the User (“inherence”).
Strong customer authentication and User security measures
PIB 6.13.3
(1) An Authorised Firm must, except as provided in PIB Rule 6.13.4, apply strong customer authentication where a User:
(a) accesses a Payment Account online, either directly or through an Account Information Service;
(b) initiates an electronic Payment Transaction; or
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
(2) If a payer initiates a Payment Transaction directly or through a Payment Initiation Service, the Authorised Firm must apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.
(3) If a multipurpose device is used in the SCA process, the Authorised Firm must adopt adequate security measures that mitigate the risk of the device being compromised.
(4) The Authorised Firm must maintain adequate security measures to protect the confidentiality and integrity of Users’ personal security credentials.
PIB 6.13.3 Guidance
1. An Authorised Firm should, as best practice in maintaining the integrity of strong customer authentication, try to ensure that:
(a) no element of ‘knowledge’, ‘possession’ or ‘inherence’ (as defined in PIB Rule 6.13.2) can be derived from the disclosure of the authentication code;
(b) it is not possible to generate a new authentication code based on an old one;
(c) the authentication code cannot be forged;
(d) where the authentication through a remote channel has failed to generate an authentication code, it is not possible to identify which of the SCA elements was incorrect;
(e) a maximum of 5 failed consecutive authentication attempts within a given period result in the account being temporarily or permanently blocked;
(f) the duration and number of retries for a temporary block should be linked to the service offered and trigger a fraud risk ; and
(g) the User is alerted before the block becomes permanent and a secure procedure is established to regain the use of the blocked payment instrument.
2. An Authorised Firm should, as best practice in maintaining the integrity of User security credentials (USC), endeavour:
(a) not to allow the USC to be fully readable when inputted by the User or by its own staff;
(b) to ensure that the USC always remain encrypted and no information relating to the USC is stored in plain text;
(c) to protect secret cryptographic material from unauthorised disclosure;
(d) to document the process used to encrypt or otherwise render the USCs unreadable;
(e) to adopt measures to mitigate the risk of unauthorised use of compromised USCs;
(f) to ensure secure delivery of the USC to the User, secure association of the USC with the User and the secure disposal of the USC once it is obsolete; and
(g) to immediately inform the User and the issuer of the USC (if another firm) in the event a USC is compromised under the firm's sphere of control.
3. Dynamic linking referred to in PIB Rule 6.13.3(2) may include:
(a) the User being made aware of the payment amount and the beneficiary;
(b) the authentication code generated using SCA being specific to the transaction amount and the beneficiary; and
(c) any change to the amount or the beneficiary resulting in the authentication code becoming invalid.
4. The security measures referred to in PIB Rule 6.13.3(3) (multipurpose devices) may include:
(a) the use of separated secure execution environments through the software installed on the device;
(b) mechanisms to ensure that the software or device has not been, and cannot be, altered by the User or a third party; and
(c) where alterations have taken place, mechanisms to mitigate the consequences.
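Rule 6.13.3(2) and Guidance items 1(b), 1(d), 1(e), 2(b) and 3 translate into a handful of concrete mechanisms: a code bound to the exact amount and payee, one-time use, a stored credential that is never in clear, a failure response that does not say which element was wrong, and a lockout after five consecutive failures. The following is an added example written for this page; it is not DFSA text and not any firm's implementation. It assumes a PIN as the knowledge element and a key held by an enrolled device as the possession element, an 8-digit code, a 300-second challenge lifetime and PBKDF2 for the stored PIN; all of those are illustrative choices, and the class and function names are invented for the example.

```python
# Added example: two-element SCA verifier with dynamic linking, replay protection,
# uniform failure and a 5-strike lockout. Not DFSA text; names and parameters are
# assumptions made for the illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 5        # PIB 6.13.3 Guidance 1(e)
CHALLENGE_TTL_SECONDS = 300    # assumed validity window for an issued challenge
PBKDF2_ROUNDS = 200_000        # assumed work factor for the stored PIN hash


@dataclass(frozen=True)
class Challenge:
    challenge_id: str
    amount_minor: int     # amount in minor units (cents) so there is no float ambiguity
    payee: str
    issued_at: float


def derive_code(device_key: bytes, challenge_id: str, amount_minor: int, payee: str) -> str:
    """Device side (possession element). The 8-digit code is an HMAC over the
    exact amount and payee the device displays to the User, so it is valid for
    that transaction only (Guidance 3(b)) and a new code cannot be derived from
    an old one (Guidance 1(b))."""
    msg = f"{challenge_id}|{amount_minor}|{payee}".encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class SCAVerifier:
    """Authorised Firm side of the check."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # user -> (salt, pin_hash, device_key)
        self._challenges: Dict[str, Challenge] = {}
        self._failures: Dict[str, int] = {}
        self._blocked: Set[str] = set()

    def enrol(self, user_id: str, pin: str, device_key: bytes) -> None:
        # The PIN is stored only as a salted PBKDF2 hash, never in clear (Guidance 2(b)).
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = (salt, pin_hash, device_key)
        self._failures[user_id] = 0

    def issue_challenge(self, amount_minor: int, payee: str, now: Optional[float] = None) -> Challenge:
        # Guidance 3(a): the User is shown the amount and beneficiary being authorised.
        issued_at = time.time() if now is None else now
        ch = Challenge(secrets.token_hex(16), amount_minor, payee, issued_at)
        self._challenges[ch.challenge_id] = ch
        return ch

    def is_blocked(self, user_id: str) -> bool:
        return user_id in self._blocked

    def verify(self, user_id: str, pin: str, challenge_id: str, code: str,
               amount_minor: int, payee: str, now: Optional[float] = None) -> bool:
        """True only if BOTH elements check out for THIS amount and payee. On
        failure the caller learns nothing about which element was wrong (Guidance 1(d))."""
        now = time.time() if now is None else now
        if user_id in self._blocked or user_id not in self._users:
            return False
        salt, pin_hash, device_key = self._users[user_id]

        # Knowledge element: constant-time comparison of the salted hash.
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        knowledge_ok = hmac.compare_digest(candidate, pin_hash)

        # Possession element: the expected code is recomputed over the transaction
        # the firm is about to execute, not over what the client claims the device
        # saw, so a tampered amount or payee produces a mismatch (Guidance 3(c)).
        ch = self._challenges.get(challenge_id)
        possession_ok = False
        if ch is not None and now - ch.issued_at <= CHALLENGE_TTL_SECONDS:
            expected = derive_code(device_key, challenge_id, amount_minor, payee)
            possession_ok = hmac.compare_digest(expected.encode(), code.encode())

        # Both elements are always evaluated; there is no short-circuit that would
        # let response timing reveal which one failed.
        if knowledge_ok and possession_ok:
            del self._challenges[challenge_id]   # one-time use: the same code cannot be replayed
            self._failures[user_id] = 0
            return True

        self._failures[user_id] += 1
        if self._failures[user_id] >= MAX_FAILED_ATTEMPTS:
            self._blocked.add(user_id)           # Guidance 1(e): block after 5 consecutive failures
        return False
```

The point to notice is that the firm recomputes the expected code over the amount and payee it is about to execute, so a code captured for one transaction is useless for another, and `verify` returns the same plain False whether the PIN, the code, an expired challenge or a block was the cause. A production system would also alert the User before the block becomes permanent (Guidance 1(g)), which is outside this example.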
PIB 6.13.4
An Authorised Firm is not required to apply strong customer authentication under PIB Rule 6.13.3 when:
(a) the User accesses its own payment account information unless:
(i) it is the first time the account is accessed; or
(ii) the account has not been accessed for 90 days or more;
(b) the User makes a payment of a small amount;
(c) the User makes a payment to a specified beneficiary on a list created by the User, or under a standing order, where strong customer authentication was applied when the list or standing order was created; or
(d) a transfer is made between accounts held by the same User.
PIB 6.13.4 Guidance
In PIB Rule 6.13.4(b), an example of a small amount may be a transaction not exceeding a certain value (e.g. $50), or five payments not exceeding an aggregated amount of $150 over a specified period.
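Rule 6.13.4 and its Guidance are in effect a decision table, and Rule 6.13.5(b) asks for documented procedures for applying it. The following is an added example of such a procedure in code; it is not DFSA text and not a firm's implementation. It uses the rule's own 90-day figure and the Guidance's illustrative $50 per payment and five payments / $150 aggregate, treats "over a specified period" as "since SCA was last applied" (an assumption), and invents the `Account`, `Payment` and function names for the illustration.

```python
# Added example: applying the SCA exclusions in PIB Rule 6.13.4.
# Not DFSA text; thresholds are the Guidance's examples, names are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Tuple

SMALL_AMOUNT_LIMIT = 5_000     # $50.00 in cents (Guidance example)
CUMULATIVE_LIMIT = 15_000      # $150.00 in cents (Guidance example)
CUMULATIVE_COUNT = 5           # five payments (Guidance example)
INACTIVITY_DAYS = 90           # PIB Rule 6.13.4(a)(ii)


@dataclass
class Account:
    holder: str                                         # the User who holds the account
    last_access: Optional[date] = None                  # None = never accessed online
    trusted_payees: set = field(default_factory=set)    # list created by the User under SCA
    standing_orders: set = field(default_factory=set)   # standing-order refs created under SCA
    exempt_count: int = 0       # small payments made since SCA was last applied
    exempt_value: int = 0       # their aggregated value in cents


@dataclass(frozen=True)
class Payment:
    amount_minor: int
    payee: str
    payee_holder: str                  # User who holds the destination account
    standing_order_ref: Optional[str] = None


def access_decision(acct: Account, today: date) -> Tuple[bool, str]:
    """Rule 6.13.4(a): account information access. Returns (sca_required, basis)."""
    if acct.last_access is None:
        return True, "6.13.4(a)(i) first access"
    if today - acct.last_access >= timedelta(days=INACTIVITY_DAYS):
        return True, "6.13.4(a)(ii) inactive 90 days or more"
    return False, "6.13.4(a) own account information"


def record_access(acct: Account, today: date) -> None:
    acct.last_access = today


def payment_decision(acct: Account, p: Payment) -> Tuple[bool, str]:
    """Rules 6.13.4(b)-(d) for a payment initiated from acct. Exclusions that do
    not depend on amount are checked first so they never consume the small-amount budget."""
    if p.payee_holder == acct.holder:
        return False, "6.13.4(d) transfer between own accounts"
    if p.standing_order_ref is not None and p.standing_order_ref in acct.standing_orders:
        return False, "6.13.4(c) standing order created under SCA"
    if p.payee in acct.trusted_payees:
        return False, "6.13.4(c) beneficiary on User's trusted list"
    # Small amount: a per-payment cap AND a cumulative cap on count and value
    # since the last SCA (assumed reading of "over a specified period").
    if (p.amount_minor <= SMALL_AMOUNT_LIMIT
            and acct.exempt_count < CUMULATIVE_COUNT
            and acct.exempt_value + p.amount_minor <= CUMULATIVE_LIMIT):
        return False, "6.13.4(b) small amount"
    return True, "6.13.3 no exclusion applies"


def record_payment(acct: Account, p: Payment, sca_required: bool, basis: str) -> None:
    """Update the budget after execution. Applying SCA resets it; an exempt small
    payment consumes it; the other exclusions leave it untouched. Assumes that a
    payment flagged as requiring SCA was in fact authenticated before execution."""
    if sca_required:
        acct.exempt_count = 0
        acct.exempt_value = 0
    elif basis.startswith("6.13.4(b)"):
        acct.exempt_count += 1
        acct.exempt_value += p.amount_minor


def authorise(acct: Account, p: Payment) -> Tuple[bool, str]:
    """Decide, then record. The returned basis is what a firm would log per
    transaction to produce its SCA-versus-exclusion breakdown."""
    sca_required, basis = payment_decision(acct, p)
    record_payment(acct, p, sca_required, basis)
    return sca_required, basis
```

The ordering of the checks matters: a $40 payment to a trusted payee is exempt under 6.13.4(c) and must not eat into the five-payment small-amount budget, otherwise the User is pushed into SCA earlier than the rule requires, and conversely a $40 payment to an unknown payee after five exempt ones must trigger SCA even though it is individually small.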
PIB 6.13.5
An Authorised Firm must adopt and implement technical standards relating to:
(a) the implementation of the requirements for strong customer authentication referred to in PIB Rule 6.13.3;
(b) procedures for applying the exclusions in PIB Rule 6.13.4;
(c) common and secure standards of communication for the purpose of identification, authentication, notification, and sharing information with Users and other service providers; and
(d) if applicable, procedures, systems and controls that ensure the reliability and continuity of the interface made available by a Payment Account Provider.
PIB 6.13.5 Guidance
1. In developing technical standards referred to in PIB Rule 6.13.5(c) (common and secure standards of communication) an Authorised Firm should, as best practice and where applicable:
(a) apply secure identification when communicating between devices used for electronic payments;
(b) address the risk of a communication being misdirected to unauthorised parties;
(c) trace all payment transactions and interactions with all relevant parties to the Payment Service;
(d) use strong and widely recognised encryption techniques when exchanging data;
(e) keep the access sessions with the Payment Account Provider (PAP) as short as possible and terminate any session after the requested action is completed;
(f) ensure, when maintaining parallel network sessions, that the sessions are securely linked to relevant sessions established with the User to prevent the possibility that information communicated between them could be misrouted;
(g) include unambiguous unique references to the User, communication session, payment transaction and requested amount; and
(h) have systems and controls to ensure that User information is not accessed from the Payment Account Provider beyond what is needed to provide the relevant service; the frequency of access should also be agreed with the User.
2. In developing technical standards referred to in PIB Rule 6.13.5(d) (procedures, systems and controls to ensure the reliability and continuity of the interface with the PAP) an Authorised Firm should:
(a) contractually ensure that the interface applies best practice standards of communication issued by the Security Standards Council;
(b) understand and document the interface technical specification, such as the routines, protocols and tools needed to interoperate with the systems of the PAP;
(c) contractually require the PAP to provide the firm with at least 3 months' notice ahead of any change to the interface, except in an emergency;
(d) adequately test the interface to ensure reliability and performance;
(e) establish key performance indicators and service level standards with the PAP; and
(f) request the PAP to provide adequate contingency measures in the event the interface is not available, and test the measures for reliability.
Systems and Controls to Detect Fraud
PIB 6.13.6
(1) An Authorised Firm must have in place transaction monitoring systems and controls to detect and prevent unauthorised or fraudulent Payment Transactions.
(2) The systems referred to in (1) must be designed to take into account the following fraud risk factors:
(a) compromised or stolen authentication elements;
(b) the amount of each payment transaction;
(c) known fraud scenarios in the provision of the particular Payment Service;
(d) analysis of Payment Transactions typical of the type of Users;
(e) signs of malware infection in any sessions of the authentication procedure; and
(f) if the firm provides the access device or software (the Payment Instrument), a log of the use of the access device or software and abnormal use.
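Rule 6.13.6(2) lists the inputs a monitoring system must weigh but not how to combine them. The following is an added example of a rule-based scorer that maps each factor (a) to (f) to a signal and runs over a constructed batch of transactions; it is not DFSA text and not any firm's engine. The weights, the 70/30 block and step-up thresholds, the ten-minute velocity window, the "amount more than three standard deviations above the User's history" test and the `malware_indicators` field (imagined as populated by the firm's own app) are all assumptions for the illustration, as are the sample profiles and transactions.

```python
# Added example: rule-based transaction monitoring over the PIB 6.13.6(2) factors.
# Not DFSA text; weights, thresholds, field names and sample data are assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BLOCK_AT = 70            # assumed: refuse the payment and escalate
STEP_UP_AT = 30          # assumed: force SCA / manual review before execution
VELOCITY_WINDOW = 600    # seconds
VELOCITY_MAX = 3         # prior payments tolerated inside the window


@dataclass(frozen=True)
class Session:
    device_id: str
    malware_indicators: Tuple[str, ...] = ()   # assumed: reported by the app's runtime checks


@dataclass(frozen=True)
class Txn:
    user: str
    ts: int               # epoch seconds
    amount_minor: int
    payee: str
    session: Session


@dataclass
class Profile:
    amounts: List[int]    # recent legitimate payment amounts for this User / User type
    payees: set
    devices: set          # devices the firm issued or registered (Rule 6.13.6(2)(f))
    credential_compromised: bool = False   # set from a USC compromise notice (Rule 6.13.6(2)(a))


def risk_factors(txn: Txn, profile: Profile, prior: List[Txn]) -> List[Tuple[str, int]]:
    """Evaluate the Rule 6.13.6(2) factors for one payment. Weights are assumptions."""
    hits: List[Tuple[str, int]] = []
    if profile.credential_compromised:
        hits.append(("(a) compromised or stolen authentication element", 70))
    if profile.amounts:
        ceiling = mean(profile.amounts) + 3 * pstdev(profile.amounts)
        if txn.amount_minor > ceiling:
            hits.append(("(b)/(d) amount far outside the User's pattern", 30))
    new_payee = txn.payee not in profile.payees
    new_device = txn.session.device_id not in profile.devices
    if new_payee:
        hits.append(("(d) first payment to this payee", 10))
    if new_device:
        hits.append(("(f) unrecognised access device", 15))
    if new_payee and new_device:
        hits.append(("(c) known scenario: new payee from new device", 25))
    recent = [p for p in prior if p.user == txn.user and 0 <= txn.ts - p.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        hits.append(("(c) known scenario: payment velocity", 30))
    if txn.session.malware_indicators:
        hits.append(("(e) malware indicator in the session", 70))
    return hits


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def monitor(txns: List[Txn], profiles: Dict[str, Profile]) -> List[dict]:
    """Score payments in arrival order; earlier ones feed the velocity check."""
    seen: List[Txn] = []
    results = []
    for txn in txns:
        hits = risk_factors(txn, profiles[txn.user], seen)
        score = sum(w for _, w in hits)
        results.append({"user": txn.user, "ts": txn.ts, "score": score,
                        "decision": decide(score), "factors": [name for name, _ in hits]})
        seen.append(txn)
    return results


# Constructed sample data (not real transactions).
SAMPLE_PROFILES = {
    "u1": Profile(amounts=[2000, 2500, 1800, 3000, 2200], payees={"GROCER", "LANDLORD"}, devices={"dev-A"}),
    "u2": Profile(amounts=[400, 600, 500], payees={"GROCER"}, devices={"dev-B"}, credential_compromised=True),
}
CLEAN_A = Session("dev-A")
SAMPLE_TXNS = [
    Txn("u1", 0, 2100, "GROCER", CLEAN_A),                                     # routine
    Txn("u1", 60, 9500, "LANDLORD", CLEAN_A),                                  # unusually large
    Txn("u1", 120, 95000, "NEWPAYEE", Session("dev-Z")),                       # new payee from new device
    Txn("u1", 150, 2000, "GROCER", Session("dev-A", ("overlay_detected",))),   # malware signal in session
    Txn("u2", 200, 500, "GROCER", Session("dev-B")),                           # credentials known compromised
    Txn("u1", 240, 2000, "GROCER", CLEAN_A),                                   # fifth payment in four minutes
]


def run_sample() -> List[str]:
    return [r["decision"] for r in monitor(SAMPLE_TXNS, SAMPLE_PROFILES)]


if __name__ == "__main__":
    for r in monitor(SAMPLE_TXNS, SAMPLE_PROFILES):
        print(r)
```

Two design points carry over to a real system: the compromised-credential and malware signals are each sufficient on their own to block, because a correct SCA result means nothing once the element or the session is untrusted, and the velocity check reads the firm's own log of prior use rather than anything the client sends, which is what 6.13.6(2)(f) is asking for.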
Reporting of Information About Transactions And Rates of Fraud
An Authorised Firm must provide the following information to the DFSA at least quarterly:
(a) rates of fraud or suspected fraud;
(b) the total value of fraudulent transactions and the total value of all payment transactions;
(c) the number of payment transactions and the average transaction value; and
(d) a breakdown by percentage of transactions initiated through SCA and transactions initiated through each exception to the SCA requirements.
Reporting of Information about Money Transmission
An Authorised Firm that provides Money Transmission must send the following information to the DFSA at least quarterly relating to transactions:
(a) details of senders and recipients of transfers;
(b) the amounts transferred;
(c) dates of transfers; and
(d) any other firms involved in transfers.