  • Technical Standards

    • PIB 6.13.5

      An Authorised Firm must adopt and implement technical standards relating to:

      (a) the implementation of the requirements for strong customer authentication referred to in PIB Rule 6.13.3;
      (b) procedures for applying the exclusions in PIB Rule 6.13.4;
      (c) common and secure standards of communication for the purpose of identification, authentication, notification, and sharing information with Users and other service providers; and
      (d) if applicable, procedures, systems and controls that ensure the reliability and continuity of the interface made available by a Payment Account Provider.
      Derived from DFSA RMI270/2020 (Made 26th February 2020). [VER36/04-20]

      • PIB 6.13.5 Guidance

        1. In developing technical standards referred to in PIB 6.13.5(c) (common and secure standards of communication) an Authorised Firm should, as best practice and where applicable:
        (a) apply secure identification when communicating between devices used for electronic payments;
        (b) address the risk of a communication being misdirected to unauthorised parties;
        (c) trace all payment transactions and interactions with all relevant parties to the Payment Service;
        (d) use strong and widely recognised encryption techniques when exchanging data;
        (e) keep the access sessions with the Payment Account Provider (PAP) as short as possible and terminate any session after the requested action is completed;
        (f) ensure, when maintaining parallel network sessions, that the sessions are securely linked to relevant sessions established with the User to prevent the possibility that information communicated between them could be misrouted;
        (g) include unambiguous unique references to the User, communication session, payment transaction and requested amount; and
        (h) have systems and controls to prevent access to User information being available by the Payment Account Provider, beyond what is needed to provide the relevant service. The frequency of the access should also be agreed with the User.
        2. In developing technical standards referred to in PIB Rule 6.13.4 (d) (procedures, systems and controls to ensure the reliability and continuity of the interface with the PAP) an Authorised Firm should:
        (a) contractually ensure that the interface applies best practice standards of communication issued by the Security Standards Council;
        (b) understand and document the interface technical specification such as the routines, protocols, and tools needed to interoperate with the systems of the PAP;
        (c) contractually require the PAP to provide the firm with at least 3 months' notice ahead of any change to the interface, except in an emergency;
        (d) adequately test the interface to ensure reliability and performance;
        (e) establish key performance indicators and service level standards with the PAP; and
        (f) request the PAP to provide adequate contingency measures in the event the interface is not available and test the measures for reliability.
        Derived from DFSA RMI270/2020 (Made 26th February 2020). [VER36/04-20]
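To show how Guidance items 1(e), 1(f) and 1(g) fit together in code, here is an added example (not DFSA text and not any firm's implementation): a small session manager that links each PAP network session to the originating User session, stamps every request with unambiguous references (User, session, transaction, amount), rejects a response whose references do not match the outstanding request, and terminates the session once the requested action completes. Field names and the use of a single pending request per session are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PapSession:
    """One PAP network session, bound to exactly one User session (1(f))."""
    user_ref: str
    session_id: str
    pending: Optional[dict] = None  # the single outstanding request (assumption)
    open: bool = True


class PapSessionManager:
    def __init__(self):
        self._sessions = {}  # session_id -> PapSession

    def open_session(self, user_ref: str) -> str:
        # Unpredictable session reference; linked to the User from creation.
        sid = secrets.token_hex(16)
        self._sessions[sid] = PapSession(user_ref, sid)
        return sid

    def build_request(self, sid: str, user_ref: str, amount: str) -> dict:
        s = self._sessions.get(sid)
        # A session may only carry requests for the User it was opened for.
        if s is None or not s.open or s.user_ref != user_ref or s.pending:
            raise PermissionError("PAP session is not linked to this User session")
        # Unambiguous references to User, session, transaction and amount (1(g)).
        req = {"user_ref": user_ref, "session_id": sid,
               "txn_id": secrets.token_hex(8), "amount": amount}
        s.pending = req
        return req

    def accept_response(self, sid: str, resp: dict) -> bool:
        s = self._sessions.get(sid)
        if s is None or not s.open or s.pending is None:
            return False
        keys = ("user_ref", "session_id", "txn_id", "amount")
        # Every reference must echo the outstanding request, otherwise the
        # response was misrouted or altered in transit and is discarded.
        ok = all(resp.get(k) == s.pending[k] for k in keys)
        # Terminate as soon as the requested action is completed (1(e));
        # a mismatch also closes the session rather than leaving it usable.
        s.open = False
        s.pending = None
        return ok
```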