2021-01-01

Instructions No. 6 of 2021 Regarding the Regulation of Operations of Payment Service Companies (1)

The Palestine Monetary Authority issued Instructions No. 6 of 2021 to securely and transparently regulate the operations of licensed payment service companies in Palestine. The directives prohibit providers from engaging in virtual currency trading, credit extension, forex speculation, and real estate activities, while mandating a 5% cash collateral deposit and strict interoperability with national payment systems. Furthermore, the regulations enforce comprehensive cybersecurity governance, including mandatory encryption, multi-factor authentication, segregation of duties, continuous monitoring, and robust business continuity and disaster recovery protocols.

PALESTINE MONETARY AUTHORITY

Instructions No. (6) of 2021

Regarding the Regulation of Operations of Payment Service Companies

Based on the provisions of Decision-Law No. (17) of 2012 regarding the National Payment Settlement Law, and specifically Articles (5) and (9) thereof,
and based on what was approved by the Board of Directors of the Palestine Monetary Authority in its meeting No. (236) dated 2021/06/23,
and in pursuit of the public interest,
we have issued the following Instructions:


Chapter One

Definitions and Scope of Application

Article (1)

Definitions

The words and phrases contained in these Instructions shall have the meanings specified below unless the context indicates otherwise:

  • Authority: The Palestine Monetary Authority.
  • Payment Services: All services related to sending, receiving, and executing payment orders in any currency.
  • Service Provider: The company licensed by the Authority to provide payment services.
  • Person: Natural or legal person.
  • User: The person who uses payment services as a payer or beneficiary.

Article (2)

Objective and Scope of Application

  1. These Instructions aim to regulate the operations of payment service providers in Palestine in a secure and transparent manner.
  2. The provisions of these Instructions shall apply to all companies licensed by the Authority to provide payment services.

Article (3)

Prohibited Services and Activities

The Service Provider is prohibited from engaging in any of the following:

  1. Using or dealing with virtual currencies and/or virtual assets.
  2. Providing credit facilities / direct and indirect financing.
  3. Engaging in foreign exchange buying and selling activities.
  4. Providing any service without obtaining prior written approval from the Authority.
  5. Margin trading in global markets (Forex) and trading in securities.
  6. Owning or trading real estate, except owning a property with prior written approval from the Authority for the purpose of using it as the Service Provider's headquarters.

Article (4)

Obtaining Credit Facilities

The Service Provider is prohibited from borrowing or taking loans directly or indirectly without obtaining prior written approval from the Authority.

Article (5)

Cash Collateral

The Service Provider must deposit cash collateral with the Authority amounting to 5% of the paid-up minimum capital requirements.

Article (6)

Interoperability with Payment Operating Systems Managed by the Authority

The payment service must be interoperable and compliant with payment operating systems managed by the Authority or licensed by it for this purpose.


Article (7)

Anti-Monopoly

The Service Provider is prohibited from undermining, restricting, or preventing competition through special agreements and practices that ultimately lead to monopolizing the provision of any payment services.

Article (8)

Request to Suspend Payment Service

The provision of a payment service may be suspended upon the Service Provider's request according to the following procedures:

  1. Submit a written request.
  2. Provide the Authority with all documents and justifications for the request.
  3. Submit documents and evidence proving the Service Provider's commitment to fulfilling its obligations towards its users.
  4. The Authority shall decide on the request within 30 days from the date of completion and shall notify the Service Provider of its response in writing.

Article (9)

Basic Requirements for Payment Service Systems Security

The Service Provider must comply with the basic security requirements for payment service systems set forth in Annex No. (1) to these Instructions (Annex on Basic Requirements for Payment Service Systems Security).

Article (10)

Repeal

  1. Instructions No. (6) of 2020 regarding the regulation of operations of payment service companies are hereby repealed.
  2. Any provision conflicting with the provisions of these Instructions is hereby repealed.

Article (11)

Implementation and Execution

All competent authorities shall, each within their respective jurisdiction, implement the provisions of these Instructions, effective from the date of their issuance.

Issued in Ramallah on 2021/06/30 AD

Dr. Firas Malham
Governor


Annex No. (1)

Basic Requirements for Payment Service Systems Security

First: Governance and Risk Management

  1. Establish effective supervisory controls over risks associated with payment service-related activities, including accountability and the formulation of policies and controls to manage these risks.
  2. Conduct comprehensive and continuous due diligence and oversight of outsourcing arrangements and reliance on third parties supporting electronic payment services, after such arrangements have been approved by the Authority.

Second: Information Security

  1. The Company bears the responsibility of maintaining the integrity of payment service systems and applications and preserving the confidentiality of information. It shall use appropriate technology and audit means to protect all services it provides and shall take measures commensurate with the sensitivity of the stored information, including the following:

    a. Using appropriate technology to encrypt information, prevent breaches, and implement continuous monitoring of systems used within the Company.

    b. Using up-to-date hardware and systems to monitor and protect the network and IT environment, such as firewalls, WAF, IDS, IPS, and SIEM systems.

    c. Adopting procedures and controls that ensure secure remote access to the Company's network and systems.

    d. Conducting vulnerability assessments periodically and upon any fundamental change in the operational environment of the systems.

    e. Conducting external penetration testing by a qualified team at least once annually and before launching any new service; the Authority may request such a test at any time.

    f. Complying with international standards for payment card data security known as PCI-DSS when activating any card-based payment services.

    g. Continuously enhancing the security features of payment applications as required, subjecting them to multiple tests before deployment, and making them available to users exclusively through the Service Provider's official addresses and website.

  2. Taking appropriate measures to protect users' payment instruments, including the following:

    a. Password complexity and length.

    b. Password rotation/change.

    c. Password validity period and limiting reuse.

    d. Using appropriate automated technologies for password generation.

    e. Maximum number of unsuccessful password entry attempts.

    f. Constraints on password creation and modification, and controls for delivering them to users.

  3. The Service Provider must protect its data of all types during storage or transmission through encryption and secure storage of encryption keys.

  4. Encrypting any personal data, financial transaction data, or user data stored with a third party.

  5. The Service Provider must configure the production environment settings, including operating systems, databases, servers, and security systems, in accordance with a global information security standard such as ISO 27001.

  6. The Service Provider must take appropriate measures to authenticate the identity of users managing their operations within the payment service.

  7. The Service Provider must use transaction authentication methods that enhance non-repudiation and ensure accountability and auditability regarding electronic payment service transactions.

  8. Immediately changing the default passwords of all components of the IT and communications environment upon commissioning and before moving them into the production environment.

  9. The Service Provider must update operating systems and software installed on IT and communications environment devices and servers with the latest recommended updates from the vendor, ensuring necessary tests are conducted before implementing these updates.

  10. Using licensed copies of software, systems, and databases.

  11. Using connection lines of appropriate speed to accommodate the volume of transmitted data to ensure no slowness, disconnection, or data loss.

Third: Awareness, Security, and User Protection

  1. Security awareness should cover, at a minimum, the following:

    a. Awareness and techniques to avoid potential online fraud attempts, including:

      • Phishing attacks and impersonation of the payment service provider through fake websites.
      • Advising users not to trust any online website merely because it bears the identity of the payment service provider.

    b. Confidential use of username and password:

      • Users must not share their passwords.
      • The customer must not, under any circumstances, disclose their PIN or password to any employee of the payment service provider.
      • The necessity of changing passwords periodically.
      • Carefully selecting passwords to avoid guessability.

    c. Providing advice and guidance to customers on how to set or create strong passwords or PINs that cannot be easily guessed or predicted.

    d. Proper storage of passwords.

  2. Relying on and using strong access controls through Two-Factor Authentication (2FA).

  3. Not disclosing personal information to unauthorized persons, suspicious websites, or emails.

  4. Warning users against using electronic payment tools via public or shared computers and free wireless networks.

  5. Advising customers on how to identify employees of the payment service provider in case of receiving a call from someone claiming to be from the provider.

  6. Using the latest versions of personal Firewalls and Anti-Virus systems.

Fourth: Access Controls

  1. Implementing a policy of segregation of duties and privileges across the operational and technical functions related to the service.
  2. The payment service provider must ensure the existence of effective controls and appropriate access authorization privileges to prevent unauthorized persons from accessing electronic payment service systems, databases, and applications.
  3. Granting privileges on a need-to-know basis, and reviewing them periodically.
  4. Preparing and adopting an Authority Matrix encompassing all functional and financial privileges for all systems within the Company.
  5. Evaluating the implemented access management and user identity program in the provided services.
  6. Establishing appropriate controls for remote access to the production environment by technical support companies through secure software.

Fifth: Effective Monitoring

  1. The payment service provider must ensure the activation of the audit trail feature to retain all transactions and changes occurring to payment system data and ensure traceability.

  2. Reviewing, auditing, and retaining login records to ensure that only authorized users access data and that only authorized persons modify any settings or data related to the electronic payment system.

  3. Ensuring the existence of security event logs for all systems.

  4. Notifying the Authority immediately and without undue delay of any fraud event, system failure, unauthorized access, information security breach, or data leak of which it becomes aware that affects or is likely to affect payment service data or its electronic services, whether the event occurs at the Service Provider or at any contracted third party.

  5. Providing mechanisms and systems specifically for analyzing and monitoring various logs on a continuous basis.

  6. Effective monitoring of critical- and warning-level logs from servers, network devices, security systems, and storage units.

Sixth: Business Continuity

  1. Maintaining ongoing backups in accordance with approved procedures to ensure the restoration of all data and information related to the systems used in service provision.
  2. Providing an appropriate level of physical and non-physical protection for backups.
  3. Providing necessary technologies and controls for rapid and efficient data storage and retrieval, ensuring the availability, integrity, and reliability of such data.
  4. Testing backup restoration according to approved backup procedures and documenting restoration procedures and results.
  5. Developing and implementing periodic plans to test systems and their associated security environments.
  6. Adding the service to the Service Provider's disaster recovery site to ensure immediate management and operation of the provided service in case of any failure or emergency preventing the continuation of its services through the headquarters.
  7. Updating the Service Provider's business continuity plan to include this service.
  8. Preparing and adopting a business continuity management plan that specifies the procedures, processes, and systems required to continue the Company's operational processes in case of downtime, with the plan to be reviewed and updated periodically.
  9. The payment service provider shall bear full responsibility for all services it provides in the event of system failure, breach, data leak, or mismanagement of accounts, including bearing all material losses that may result therefrom.
  10. The payment service provider must ensure the existence of adequate controls to guarantee High Availability for IT and communications environment components, servers, and systems related to the service, to minimize failure points that could lead to operational downtime.
  11. Preparing and adopting detailed procedures through which the IT environment can be operated and transitioned to the alternate site.