2021-01-01

Instruction No. 6 of 2021 Regarding the Regulation of Payment Service Companies' Business

The Palestine Monetary Authority issued Instruction No. 6 of 2021 to securely and transparently regulate the business operations of licensed payment service companies in Palestine. The directive explicitly prohibits providers from dealing in virtual currencies, offering credit facilities, engaging in forex or securities trading, and owning real estate, while mandating a 5% cash collateral deposit and strict interoperability with national payment systems. Furthermore, it enforces comprehensive cybersecurity, governance, access control, monitoring, and business continuity standards, requiring providers to maintain robust encryption, multi-factor authentication, audit trails, and disaster recovery protocols to safeguard user data and ensure operational resilience.


PALESTINE MONETARY AUTHORITY

Instruction No. (6) of 2021

Regarding the Regulation of Payment Service Companies' Business

Based on the provisions of Legislative Decree No. (17) of 2012 regarding the National Payment Settlement Law, particularly Articles (5) and (9) thereof, and based on what was approved by the Board of Directors of the Palestine Monetary Authority in its meeting No. (236) dated 2021/06/23, and in pursuit of the public interest, we have issued the following instructions:


Chapter One

Definitions and Scope of Application

Article (1)

Definitions

The words and phrases mentioned in these instructions shall have the meanings specified below unless the context indicates otherwise:

  • Authority: Palestine Monetary Authority.
  • Payment Services: All services related to sending, receiving, and executing payment orders in any currency.
  • Service Provider: The company licensed by the Authority to provide payment services.
  • Person: Natural or legal person.
  • User: The person who uses payment services as a payer or beneficiary.

Article (2)

Objective and Scope of Application

  1. These instructions aim to regulate the business of payment service providers in Palestine in a secure and transparent manner.
  2. The provisions of these instructions shall apply to all companies licensed by the Authority to provide payment services.

Article (3)

Prohibited Services and Activities

The Service Provider is prohibited from engaging in any of the following:

  1. Using or dealing with virtual currencies and/or virtual assets.
  2. Providing direct or indirect credit facilities/financing.
  3. Engaging in foreign exchange buying and selling activities.
  4. Providing any service without obtaining prior written approval from the Authority.
  5. Trading on margin in global markets (Forex) and trading in securities.
  6. Owning or trading real estate, except for owning a property with prior written approval from the Authority for use as the Service Provider's headquarters.

Article (4)

Obtaining Credit Facilities

The Service Provider is prohibited from borrowing or incurring debt directly or indirectly without obtaining prior written approval from the Authority.

Article (5)

Cash Collateral

The Service Provider must deposit cash collateral with the Authority amounting to 5% of the paid-up minimum capital requirements.

Article (6)

Interoperability with Payment Operating Systems Managed by the Authority

The payment service must be interoperable and compatible with payment operating systems managed by the Authority or licensed by it for this purpose.


Article (7)

Anti-Monopoly

The Service Provider is prohibited from undermining, restricting, or preventing competition through special agreements and practices that ultimately lead to monopolizing the provision of any payment services.

Article (8)

Request to Suspend Payment Service

The provision of a payment service may be suspended upon the Service Provider's request according to the following procedures:

  1. Submit a written request.
  2. Provide the Authority with all documents and justifications for the request.
  3. Submit documents and evidence proving the Service Provider's commitment to fulfilling its obligations towards its users.
  4. The Authority shall make a decision on the request within 30 days from the date of request completion and shall notify the Service Provider of its response in writing.

Article (9)

Basic Requirements for Payment Service Systems Security

The Service Provider must comply with the basic security requirements for payment service systems set forth in Annex No. (1) to these instructions (Annex on Basic Requirements for Payment Service Systems Security).

Article (10)

Repeal

  1. Instruction No. (6) of 2020 regarding the regulation of payment service companies' business is hereby repealed.
  2. Any provision conflicting with the provisions of these instructions is hereby repealed.

Article (11)

Implementation and Execution

All competent authorities shall, each within their respective jurisdiction, implement the provisions of these instructions, effective from the date of their issuance.

Issued in Ramallah on 2021/06/30

Dr. Firas Malham
Governor


Annex No. (1)

Basic Requirements for Payment Service Systems Security

First: Governance and Risk Management

  1. Establish effective supervisory controls over risks associated with payment service-related activities, including accountability and the formulation of policies and controls to manage these risks.
  2. Exercise comprehensive and continuous due diligence and oversight over outsourcing arrangements and reliance on third parties that support electronic payment services, once those arrangements have been approved by the Authority.

Second: Information Security

  1. The Company is responsible for maintaining the integrity of payment service systems and applications and for ensuring the confidentiality of information, using appropriate technology and audit means to protect all services provided by the Company against risks, and taking measures commensurate with the sensitivity of the stored information, including the following:

    أ. Using appropriate technology to encrypt information, prevent breaches, and continuously monitor the systems used within the Company.

    ب. Using the latest devices and systems necessary to monitor and protect the network and IT environment, such as firewalls, WAF, IDS, IPS and SIEM.

    ت. Adopting procedures and controls that ensure secure remote access to the Company's network and systems.

    ث. Conducting vulnerability assessments periodically and upon any fundamental change in the operational environment of the systems.

    ج. Conducting external penetration testing at least once annually by a qualified team, and before commencing any new service; the Authority may request such a test at any time.

    ح. Complying with the international payment card data security standard PCI-DSS when activating any card-based payment service.

    خ. Continuously enhancing the security features of payment applications as required, subjecting them to multiple tests before they go into operation, and making them available to users exclusively through the Service Provider's official addresses and website.

  2. Taking appropriate measures to protect users' payment instruments, including the following:

    أ. Password complexity and length.

    ب. Password rotation/change.

    ت. Password validity period and limiting reuse.

    ث. Using appropriate automated technologies for password generation.

    ج. Maximum limit for unsuccessful password entry attempts.

    ح. Constraints on password creation and modification, and controls for delivering them to users.

  1. The Service Provider must protect its data of all types when stored or transmitted, through encryption and secure storage of encryption keys.

  2. Encrypting any personal data, financial transaction data, or user data stored with a third party.

  3. The Service Provider must configure the operational environment settings, including operating systems, databases, servers, and security systems, in accordance with one of the international information security standards such as ISO27001.

  4. The Service Provider must take appropriate measures to authenticate the identity of users managing their operations within the payment service.

  5. The Service Provider must use transaction authentication methods that enhance non-repudiation and ensure accountability and auditability regarding electronic payment service transactions.

  6. Immediately changing default passwords for all components of the IT and communications environment upon initiation and before transitioning to the actual work environment.

  7. The Service Provider must update operating systems and software installed on IT and communications environment devices and servers with the latest updates recommended by the vendor, ensuring necessary checks are conducted before implementing these updates.

  8. Using customized versions of software, systems, and databases.

  9. Using connection lines with appropriate speeds to accommodate the volume of transmitted data to ensure no delay, disconnection, or data loss.

Third: Awareness, Security, and User Protection

  1. Security awareness should cover, at a minimum, the following:

    أ. Awareness and techniques to avoid potential online fraud attempts, including:

    • Phishing attacks and the misuse of the payment service provider's identity through fake websites.
    • Advising users not to trust any online website merely because it bears the payment service provider's identity.

    ب. Confidential use of usernames and passwords:

    • Users must not share their passwords.
    • The customer must not, under any circumstances, disclose their Personal Identification Number (PIN) or password to any employee of the payment service provider.
    • The necessity of changing passwords periodically.
    • Carefully selecting passwords to avoid guessing.

    ث. Providing advice and guidance to customers on how to select or create strong passwords or PINs that cannot be easily guessed or predicted.

    ج. Proper storage of passwords.

  2. Adopting and using strong access controls through Two-Factor Authentication (2FA).

  3. Not disclosing personal information to unauthorized persons, suspicious websites, or emails.

  4. Warning users against using electronic payment tools through public or shared computers and free wireless networks.

  5. Advising customers on how to identify payment service provider employees in case of receiving a call from someone claiming to be from the provider.

  6. Using the latest versions of personal Firewalls and Anti-Virus systems.

Fourth: Access Controls

  1. Implementing a policy of segregation of duties and permissions in operational, technical, and functional roles related to the service.
  2. The payment service provider must ensure the existence of effective controls and appropriate access authorization privileges to prevent unauthorized persons from accessing electronic payment service systems, databases, and applications.
  3. Granting permissions on a need-to-know basis, and reviewing them periodically.
  4. Preparing and adopting an Authority Matrix encompassing all functional and financial permissions for all systems within the Company.
  5. Evaluating the implemented access management and user identity program in the provided services.
  6. Establishing appropriate controls for remote access to the work environment by technical support companies through secure programs.

Fifth: Effective Monitoring

  1. The payment service provider must ensure the activation of the audit trail feature to retain all transactions and modifications occurring on payment system data and ensure traceability.
  2. Reviewing, auditing, and retaining login records to ensure that only authorized users access data and that authorized persons modify any settings or data related to the electronic payment system.
  3. Ensuring the existence of security event logs for all systems.
  4. Immediately notifying the Authority, without undue delay, of any fraud incident, system failure, unauthorized access, information security breach or data leak of which it becomes aware that affects or is likely to affect payment service data or electronic services, whether it occurs at the Service Provider or at any contracted third party.
  5. Providing mechanisms and systems specifically for analyzing and monitoring various logs on a continuous basis.
  6. Effectively monitoring servers, network devices, security appliances, and storage units regarding Critical and Warning Logs.

Sixth: Business Continuity

  1. Maintaining permanent backups within approved procedures to ensure the recovery of all data and information related to activities associated with service provision.
  2. Providing an appropriate level of physical and non-physical protection for backups.
  3. Providing the necessary technologies and controls for rapid and efficient data storage and retrieval, ensuring the availability, integrity, and reliability of that data.
  4. Testing backup recovery according to approved backup procedures and documenting recovery procedures and results.
  5. Developing and implementing periodic plans to test systems and their associated security environments.
  6. Adding the service to the payment service provider's disaster recovery site to ensure immediate management and operation of the provided service in the event of any failure or emergency preventing the continuation of services through the headquarters.
  7. Updating the payment service business continuity plan to include this service.
  8. Preparing and adopting a business continuity management plan that specifies the procedures, processes, and systems required to maintain operational continuity within the Company during downtime, with the plan to be reviewed and updated periodically.
  9. The payment service provider shall bear full responsibility for all services provided in the event of system failure, breach, information leakage, or account mismanagement, including bearing all material losses that may result therefrom.
  10. The payment service provider must ensure the existence of adequate controls to guarantee High Availability for the components of the IT and communications environment, servers, and systems related to the service, to minimize failure points that could lead to operational disruption.
  11. Preparing and adopting detailed procedures through which the IT environment can be operated and transitioned to the alternate site.