
  • Strong customer authentication and User security measures

    • PIB 6.13.3

      (1) An Authorised Firm must, except as provided in PIB Rule 6.13.4, apply strong customer authentication where a User:
      (a) accesses a Payment Account online, either directly or through an Account Information Service;
      (b) initiates an electronic Payment Transaction; or
      (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
      (2) If a payer initiates a Payment Transaction directly or through a Payment Initiation Service, the Authorised Firm must apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.
      (3) If a multipurpose device is used in the SCA process, the Authorised Firm must adopt adequate security measures that mitigate the risk of the device being compromised.
      (4) The Authorised Firm must maintain adequate security measures to protect the confidentiality and integrity of Users’ personal security credentials.
      Derived from DFSA RMI270/2020 (Made 26th February 2020). [VER36/04-20]

      • PIB 6.13.3 Guidance

         
        1. An Authorised Firm should, as best practice in maintaining the integrity of strong customer authentication, try to ensure that:
        (a) no element of ‘knowledge’, ‘possession’ or ‘inherence’ (as defined in PIB Rule 6.13.2) can be derived from the disclosure of the authentication code;
        (b) it is not possible to generate a new authentication code based on an old one;
        (c) the authentication code cannot be forged;
        (d) where the authentication through a remote channel has failed to generate an authentication code, it is not possible to identify which of the SCA elements was incorrect;
        (e) a maximum of 5 failed consecutive authentication attempts within a given period result in the account being temporarily or permanently blocked;
        (f) the duration and number of retries for a temporary block should be linked to the service offered and trigger a fraud risk alert; and
        (g) the User is alerted before the block becomes permanent and a secure procedure is established to regain the use of the blocked payment instrument.
        2. An Authorised Firm should, as best practice in maintaining the integrity of User security credentials (USC), endeavour:
        (a) not to allow the USC to be fully readable when entered by the User or by its own staff;
        (b) to ensure that the USC always remain encrypted and no information relating to the USC is stored in plain text;
        (c) to protect secret cryptographic material from unauthorised disclosure;
        (d) to document the process used to encrypt or otherwise render the USCs unreadable;
        (e) to adopt measures to mitigate the risk of unauthorised use of compromised USCs;
        (f) to ensure secure delivery of the USC to the User, secure association of the USC with the User and the secure disposal of the USC once it is obsolete; and
        (g) to immediately inform the User and the issuer of the USC (if another firm) in the event a USC is compromised under the firm's sphere of control.
        3. Dynamic linking referred to in PIB Rule 6.13.3(2) may include:
        (a) the User being made aware of the payment amount and the beneficiary;
        (b) the authentication code generated using SCA being specific to the transaction amount and the beneficiary; and
        (c) any change to the amount or the beneficiary resulting in the authentication code becoming invalid.
        4. The security measures referred to in PIB Rule 6.13.3(4) may include:
        (a) the use of separated secure execution environments through the software installed on the device;
        (b) mechanisms to ensure that the software or device has not been, and cannot be, altered by the User or a third party; and
        (c) where alterations have taken place, mechanisms to mitigate the consequences.
        Derived from DFSA RMI270/2020 (Made 26th February 2020). [VER36/04-20]
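The following is an added illustration, not part of the DFSA Rulebook text and not a description of any particular firm's system, of how the guidance in paragraphs 1, 2 and 3 above fits together in code. It assumes design choices the Rulebook does not prescribe: the possession element is a key shared with the User's registered device, the authentication code is an HMAC-SHA256 over a per-transaction nonce, the amount and the payee (dynamic linking, Guidance 3(b) and 3(c)), the knowledge element (a PIN) is stored only as a salted PBKDF2 hash (Guidance 2(b)), a failed attempt returns one generic message whichever element was wrong (Guidance 1(d)), and five consecutive failures block the account (Guidance 1(e)). The alert to the User and the recovery procedure in Guidance 1(g) are outside the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5                      # Guidance 1(e)
GENERIC_FAILURE = "authentication failed"    # Guidance 1(d): never say which element failed


@dataclass
class Account:
    pin_salt: bytes
    pin_hash: bytes        # knowledge element kept hashed, never in plain text (Guidance 2(b))
    device_key: bytes      # possession element: key provisioned to the User's registered device
    failed_attempts: int = 0
    blocked: bool = False


@dataclass
class Challenge:
    nonce: bytes           # fresh per transaction, so an old code cannot be replayed
    amount: str            # what the User is shown and approves (Guidance 3(a))
    payee: str
    consumed: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumed parameters; PBKDF2 keeps the stored value non-reversible (Guidance 2(b)).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enrol(pin: str) -> tuple[Account, bytes]:
    """Create an account record and the device key delivered to the User (Guidance 2(f))."""
    salt = secrets.token_bytes(16)
    device_key = secrets.token_bytes(32)
    return Account(salt, hash_pin(pin, salt), device_key), device_key


def new_challenge(amount: str, payee: str) -> Challenge:
    return Challenge(secrets.token_bytes(16), amount, payee)


def device_auth_code(device_key: bytes, challenge: Challenge) -> str:
    """Code the User's device produces after displaying amount and payee.

    Dynamic linking (Guidance 3(b)): the MAC covers nonce, amount and payee, so
    the code is valid only for that exact transaction. Because the key never
    leaves the device and the MAC is one-way, the code discloses nothing about
    the possession element (Guidance 1(a)) and cannot be turned into a code
    for another transaction (Guidance 1(b)).
    """
    msg = b"\x1f".join([challenge.nonce, challenge.amount.encode(), challenge.payee.encode()])
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify(account: Account, challenge: Challenge, amount: str, payee: str,
           pin: str, code: str) -> tuple[bool, str]:
    """Check the payment order as submitted against what the User approved.

    `amount`/`payee` are the values received in the payment order; if anything
    altered them after the device displayed the challenge, the recomputed MAC
    differs and the code is invalid (Guidance 3(c)).
    """
    if account.blocked or challenge.consumed:
        return False, GENERIC_FAILURE
    # Evaluate both elements before deciding, so timing and the message reveal
    # nothing about which one was wrong (Guidance 1(d)).
    pin_ok = hmac.compare_digest(hash_pin(pin, account.pin_salt), account.pin_hash)
    expected = device_auth_code(account.device_key, Challenge(challenge.nonce, amount, payee))
    code_ok = hmac.compare_digest(expected, code)
    if pin_ok and code_ok:
        account.failed_attempts = 0
        challenge.consumed = True
        return True, "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.blocked = True   # Guidance 1(e); alerting and recovery per 1(g) not shown
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    # Constructed sample flow: the User approves 250.00 to PAYEE-0001 on the device.
    acct, dev = enrol("4821")
    ch = new_challenge("250.00", "PAYEE-0001")
    code = device_auth_code(dev, ch)
    print(verify(acct, ch, "2500.00", "PAYEE-0001", "4821", code))  # tampered amount
    print(verify(acct, ch, "250.00", "PAYEE-0001", "4821", code))   # as approved
```

Note that the server holds `device_key` in clear in this illustration; in practice it would sit in an HSM or be wrapped under a key that does, per Guidance 2(c), and the per-transaction `Challenge` would be persisted with a short expiry so that the code also has a bounded lifetime.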