Regulation on Information Security Requirements for Payment System Operators and Payment Organizations

---

Back

Print Version

Date of creation: 2024-05-24

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic dated March 31, 2023 No. 2023-P-14/21-1-(PS)

REGULATION on Information Security Requirements for Payment System Operators and Payment Organizations

(As amended by the Resolution of the Board of the National Bank of the Kyrgyz Republic dated May 22, 2024 No. 2024-P-14/23-2-(PS))

Chapter 1. General Provisions

1. The purpose of this Regulation is to establish uniform requirements for payment system operators and payment organizations (hereinafter - PSO/PO), aimed at enhancing the level of information security in PSO/PO, as well as minimizing potential losses caused by malicious actions, emergency failures, and personnel errors.

2. For the purposes of this Regulation, definitions used in the regulatory acts of the National Bank of the Kyrgyz Republic (hereinafter - National Bank) regarding payment systems shall apply, as well as the following definitions:

Automated system - a system consisting of a hardware and software complex of automation tools, methods, and measures implementing the information technology for performing established functions.

Authorization - the process of granting a specific object/subject rights to perform certain actions in accordance with their role in the system.

Authentication - verification of the ownership by an object/subject of a presented identifier or confirmation of authenticity.

Information asset availability - an information security property of PSO/PO consisting in that information assets are provided to an authorized user, in the form and location required by the user, at the time they are needed.

Information system lifecycle - the period starting from the moment a decision is made on the need to create an information system and ending at the moment of its complete withdrawal from operation.

Identifier - a unique attribute of an access subject or object.

Identification - the process of assigning identifiers (unique names) to objects/subjects or comparing an object's/subject's identifier with a list of assigned identifiers.

Information system - a system designed for storing, searching, and processing information, along with the corresponding organizational resources that ensure its provision and distribution.

Information assets - information of value to PSO/PO in terms of achieving their objectives, presented on any physical medium in a form suitable for processing, storage, or transmission.

Information asset confidentiality - a state of PSO/PO resources consisting in that the processing, storage, and transmission of information assets are carried out such that they are accessible only to authorized users, system objects, or processes.

Object - a process running in an information system requesting permission to access information.

Password - a secret set of characters intended for confirming user authority.

User of the automated system - a subject or object registered in the automated system and using its resources (employees, payment system participants).

Authorization - an action granting a user the ability to perform (grant permission for) specific actions in the system based on their job duties. Without special authorization, no user is permitted access to any information or application.

Subject - a user requesting permission to access information.

Token ("key") - a compact device in the form of an USB key fob or a cloud-based key (a special secure server) used for user authorization, protecting electronic correspondence, providing secure remote access to information resources, and reliably storing any personal data.

Information asset integrity - an information security property of PSO/PO to maintain unaltered state or detect changes in its information assets.

3. The information security management system is part of the overall management system, based on the use of business risk assessment methods for developing, implementing, operating, monitoring, analyzing, supporting, and improving the information security of PSO/PO.

4. The National Bank has the right to conduct inspections of PSO/PO for compliance with the requirements established by this Regulation, as well as other regulatory legal acts of the National Bank regarding information security of PSO/PO.

5. The management of PSO/PO bears full responsibility for the use and operation of its entire information system, including actions by agents and sub-agents related to its use.

6. The management of the information security assurance system in PSO/PO must continuously use processes such as planning, implementation, verification, and improvement.

7. Information security requirements must be comprehensively interconnected and continuous across all stages of the information system lifecycle.

Chapter 2. Information Security Documentation Requirements

8. To ensure information security in PSO/PO, two levels of documentation must be developed:

• information security policy (a document regulating the practice of ensuring information security);
• operational procedures for ensuring information security.

9. The information security policy regulating the practice of ensuring information security (hereinafter - IS Policy) must reflect management's support for established goals and further detail the general principles, defining detailed measures necessary to fulfill IS Policy requirements.

10. Information security assurance requirements reflected in the PSO/PO information security policy must be defined for the following most important areas:

• personnel requirements;
• assignment, distribution of roles, and registration in the information system;
• information security risk management process;
• business continuity assurance;
• information security assurance during the lifecycle stages of automated systems;
• registration of all actions in automated systems;
• antivirus protection;
• use of internet resources;
• backup and recovery;
• information security incident management, etc.

11. Operational procedure documents for ensuring security must contain descriptions of practical technical-level measures that ensure the implementation of necessary practices. Procedures must comply with PSO/PO policies.

12. PSO/PO must ensure the existence and preservation of documents containing evidence of completed activities and actions for ensuring information security (reports, acts, logs), reflecting achieved results (intermediate and final) when implementing requirements of documents related to information security assurance in PSO/PO.

Chapter 3. PSO/PO Personnel Requirements

13. PSO/PO must have personnel in accordance with the requirements established in the "Regulation on the Regulation of Payment Organization and Payment System Operator Activities", approved by the Resolution of the Board of the National Bank dated September 30, 2019 No. 2019-P-14/50-2-(PS) (hereinafter - Regulation on Regulation).

14. PSO/PO must develop hiring procedures, including:

• verification of the authenticity of presented documents, stated qualifications, accuracy, and completeness of biographical facts;
• verification of professional skills and assessment of professional suitability.

15. All PSO/PO employees must be informed in writing of the information security assurance requirements.

16. The department or authorized person responsible for ensuring information security shall organize and bear responsibility for information security in PSO/PO, must systematically update threat information in the field of information security, timely inform management and employees about threats, and conduct measures aimed at raising the overall level of personnel awareness to counter these threats.

17. The functions of the department or authorized person responsible for ensuring information security must not include combining work with IT department functions. At the same time, PSO/PO that are not significant payment systems/systemically important payment systems/critical service providers may assign information security assurance responsibilities in PSO/PO to another official, subject to mandatory completion of corresponding training.

18. The job duties of the department or authorized person responsible for ensuring information security must include:

1. monitoring compliance by PSO/PO with internal regulatory documents and regulatory legal acts in the field of information security;
2. analysis of the degree of information security protection;
3. development of internal regulatory documents on information security.

19. Personnel duties and responsibilities for fulfilling information security assurance requirements must be included in their job descriptions.

20. Failure or improper fulfillment by PSO/PO employees of information security assurance requirements is equated to non-fulfillment of job duties.

Chapter 4. Assignment, Role Distribution, and Registration in the Automated System

21. PSO/PO must develop and adopt a document containing employee roles, including information security assurance roles.

22. Roles must be defined in the automated system to ensure clear separation of employee authorities.

23. When granting employees access to the automated system, authorization, identification, authentication, and authorization procedures must be performed. Before issuing an identifier to a user, verification of identity confirmation must be carried out. The system must record the issuer who issued the identifier to the user.

24. All automated system users must operate under unique accounts.

25. When distributing access rights of employees and payment system participants to PSO/PO information assets, the following principles must be followed:

• "Know your Employee" - a principle demonstrating PSO/PO's concern regarding employees' attitude to their duties and possible issues such as asset abuse, financial difficulties that may lead to security problems;
• "Need to Know" - a security principle limiting access to information and processing resources to those who need to perform specific duties;
• "Least Privileges" - a principle meaning that for performing a specific operation, a user must receive or be granted the minimum necessary privileges.

26. PSO/PO must document the list of information assets (automated systems and their types) and employee/participant access rights to these assets.

27. Role formation must be based on existing PSO/PO business processes and conducted to exclude concentration of authorities and reduce the risk of information security incidents related to loss of availability, integrity, or confidentiality properties of information assets.

28. PSO/PO must monitor "privileged access", namely: accounts with elevated rights to automated systems (administrator accounts) to minimize risks and ensure the security of critical automated systems.

29. Persons responsible for performing each role must be assigned. Employee responsibilities must be recorded in their job descriptions.

30. User authentication in the automated system must correspond to the criticality of the received information and be carried out based on one or more authentication mechanisms:

• by knowledge "something to know" (password, PIN-code);
• by possession "something to have" (smart card, token);
• by physical characteristics of the user "someone to be" (fingerprints or other biometric data). Two-factor authentication includes any two of these three mechanisms: a person "knows something" and "has something" or "is someone".

31. Events for registration and modification of user access rights must be recorded in the automated system event log.

32. PSO/PO must apply protective measures aimed at ensuring protection against unauthorized access, unauthorized actions, and information integrity violations necessary for registration, identification, authentication, and/or authorization of payment system participants and PSO/PO employees. All attempts at unauthorized actions and unauthorized access to such information must be recorded in the event log.

33. When providing employees with remote access to the automated system and corporate services, PSO/PO must implement multi-factor authentication technology.

34. Upon employee dismissal or change of job duties, employees of PSO/PO with access to automated system information must have their access rights blocked or modified.

35. PSO/PO must develop and implement a password policy. The password policy must include at least the following main rules and components:

• requirements for password complexity and length;
• requirements prohibiting recording and storing passwords on physical media;
• user responsibility for policy violations.

36. PSO/PO employees must be familiar with the password policy and strictly comply with its requirements during work.

37. PSO/PO must develop recommendations for complying with information security policy requirements for:

• payment system participants (agents, sub-agents) having access to the payment system;
• electronic wallet holders (if an electronic money settlement system exists);
• mobile application users, including agent mobile applications (if mobile applications exist); and conduct information work regarding user compliance with these requirements during their interaction.

Chapter 5. Information Security Risk Management Process Requirements

38. PSO/PO must develop an information security risk management policy integrated with the overall risk management policy in the payment system.

39. PSO/PO must determine asset value, identify vulnerabilities, threats, and risks. Identified risks must be quantitatively or qualitatively assessed. PSO/PO must determine appropriate measures and control means for risk treatment.

40. The organization of the risk assessment process may be based on the international information security standard ISO 27005 or similar standards.

Chapter 5-1. Payment Card Service Process Requirements

(As amended by the Resolution of the Board of the National Bank of the Kyrgyz Republic dated May 22, 2024 No. 2024-P-14/23-2-(PS))

40-1. When servicing payment cards, PSO/PO must ensure compliance with the requirements of this Regulation.

40-2. When servicing payment cards, PSO/PO or their processing center must have a valid certificate of compliance with PCI DSS security standards, and accordingly fulfill PCI DSS security requirements.

Chapter 6. PSO/PO Business Continuity

41. To ensure business continuity, PSO/PO must develop:

• a business continuity policy containing necessary guidelines for ensuring business continuity and necessary role authorities to perform assigned tasks;
• a business recovery plan describing procedures ensuring the rapid restoration of critical systems and functions. The plan must be tested periodically at least once a year.

Chapter 7. Automated System Lifecycle Security of PSO/PO

42. PSO/PO must ensure comprehensive protection of automated systems at all stages of the automated system lifecycle (design, implementation, testing, acceptance, operation, maintenance, modernization, decommissioning must be documented and approved by management). Testing must be conducted in a test environment identical to the production environment.

43. PSO/PO must use only licensed software; open-source or proprietary software is permitted if accompanied by a complete set of documentation approved by the head (technical specification, test program and methodology, act and test log, commissioning act).

Chapter 8. Event Registration Log Management

44. PSO/PO must maintain an event registration log (logging) of activities performed in the automated system, personal computers, server and network equipment, databases as a means for conducting information security audits, restoring the course of events, and maintaining accountability. The event log must include actions of all users, including highly privileged accounts (root, administrator, sysdba, dba).

45. Monitoring and analysis of event log information must be conducted daily by automated system administrators (technical support personnel), including the use of automated systems, and all non-standard situations related to security must be investigated.

46. Event log information must be stored electronically for a period equal to the retention period of processed data by the corresponding automated system, but not less than 2 (two) years.

47. Event log information must be protected against accidental or intentional deletion, modification, or falsification. Disabling logging, deleting, modifying, or falsifying log information must be treated as an incident.

Chapter 9. Antivirus Protection

48. PSO/PO must use only officially acquired (licensed) antivirus protection tools. Installation and regular updating of antivirus protection tools on automated workstations and servers must be carried out by responsible administrators.

49. When providing antivirus protection in PSO/PO, instructions for antivirus protection must be developed and implemented, taking into account the features of information processes. Responsibility for fulfilling antivirus procedure requirements must be assigned to each PSO/PO employee having access to a personal computer and/or automated system.

50. Installed or modified software must be pre-checked for the absence of viruses. Upon detection of a computer virus, measures must be taken to neutralize it and restore workstation functionality.

51. Disabling or failing to update antivirus tools is not permitted. Installation and updating of antivirus protection must be controlled by responsible employees.

Chapter 10. Use of Internet Resources

52. PSO/PO must apply measures for segmentation and firewalling of internal computer networks, as well as protecting internal computer networks when interacting with the internet.

53. PSO/PO are obliged to apply measures for registering changes in the parameters of information protection tools and systems, firewalls, and computer network protection of PSO/PO.

54. PSO/PO must define and approve by management the objectives for using the internet. Use of the internet for unestablished purposes must be prohibited.

55. PSO/PO must determine the procedure for connecting and using internet resources, including control by the department responsible for ensuring information security.

56. PSO/PO providing remote client services via mobile applications due to increased risks of information security violations when interacting with the internet must apply information protection tools ensuring receipt and transmission of information only in the established format and exclusively for the specific technology.

57. When providing remote services, protective measures must be applied to prevent the possibility of an authorized client being replaced by a malicious party during the work session.

58. All client operations during the entire session with mobile applications must be performed only after completing identification, authentication, and authorization procedures. In case of session time expiration (disruption or connection break), the repeated performance of these procedures must be ensured.

59. Email exchange via the internet must be carried out using protective measures and spam prevention.

60. When interacting with the internet, protective measures against malicious attacks must be used.

Chapter 11. Backup and Recovery

61. PSO/PO must create backups for processed and completed payments.

62. External information media must be used as data carriers: hard drives, magnetic tapes, recordable optical digital disks, etc.

63. All backups must be marked with the stored information, account number, and date of copy creation.

64. Backups (or their duplicates) must be stored in remote facilities providing protection against unauthorized access, electromagnetic radiation, thermal impacts, mechanical impacts, as well as maintaining internal air temperature and humidity at a specified level.

65. PSO/PO must conduct periodic testing and recovery procedures for backup archive data according to internal documents at least once a year.

Chapter 12. Information Security Incident and Vulnerability Management Process Requirements

66. Information security incident and vulnerability management is carried out based on developed and clearly used processes, taking into account requirements for payment system operators and participants established in the "Regulation on Emergencies in the Payment System", approved by the Resolution of the Board of the National Bank dated September 2, 2019 No. 2019-P-14/46-2-(PS), as well as other regulatory acts of the National Bank.

67. PSO/PO must identify incidents and vulnerabilities, they must be assessed, and preventive measures against the occurrence of similar information security incidents must be taken. Vulnerabilities must be eliminated.

68. Results of information security incident analysis, as well as recommendations for minimizing the probability of information security incidents and their potential damage, must be further used to assess information security risks.

Contacts

Public Reception +996 (312) 61-04-86, +996 (312) 66-90-15 ext. 1257, 1256

Consumer Rights Protection Department +996 (312) 66-90-15 ext. 1671, 1666

Report Corruption +996 (312) 66-90-15 ext. 2120, +996 (312) 61-04-00

Auto-informer