2022-01-01

Instruction No. 3 on Regulating the Information Technology Environment

The Palestine Monetary Authority issued Instruction No. 3 of 2022 to regulate the information technology environment for licensed payment service companies in Palestine. The regulation mandates strict governance, security, and operational standards for cloud computing, colocation, and critical payment systems, requiring prior written approval for sensitive deployments. It establishes comprehensive requirements for vendor selection, contractual obligations, disaster recovery, and annual compliance auditing to ensure data confidentiality and business continuity.


Based on the provisions of Decision-Law No. (41) of 2022 concerning National Payments, specifically Articles (7) and (18) thereof; based on what the Board of Directors of the Palestine Monetary Authority approved in its meeting No. (254) dated 2022/10/5; in accordance with the powers delegated to us; and in pursuit of the public interest, we have issued the following Instructions:

Article (1) Definitions

The words and phrases contained in these Instructions have the meanings specified below, unless the context indicates otherwise:

  • The Company: A licensed payment services company operating in Palestine.

  • Cloud Computing: A remote service provided through the web by a service provider to the user in a shared environment owned by the provider, enabling the user to benefit from various services at any time and anywhere, such as Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).

  • Software as a Service (SaaS): Renting software and applications from a service provider according to a pay-per-use model.

  • Platform as a Service (PaaS): Providing an integrated environment to the user including the operating system, programming language execution environment, databases, and web servers, enabling the user to develop, run, and deploy their own applications on the cloud infrastructure and control their settings.

  • Infrastructure as a Service (IaaS): Providing the necessary hardware, servers, and technologies to enable the user to deploy, run, and control their own operating systems and applications.

  • Co-Location Service: Renting space from a service provider to host the company's primary data center, disaster recovery site, or high-availability data center, or part of them, so that it operates without any intervention from the provider, while the provider supplies the necessary space, cooling systems, power, physical protection, and privacy.

  • Service Provider: The entity that provides cloud computing or co-location services.

  • User: The company that uses cloud computing or co-location services.

  • Primary Data Center: The space occupied by devices, equipment, and systems through which data is processed and stored, including infrastructure, security, and protection systems.

  • High Availability Data Center: A backup data center containing a live copy of systems and data that is exactly identical at all times to what exists in the primary data center.

  • Core Payment Service Systems: Systems used to provide and manage services and transactions permitted for the company.

  • Disaster Recovery Site (DRS): The backup site for the primary data center which the company can use temporarily to restore its operations to normal in the event that the primary data center experiences any failure or natural disaster that causes work to stop.

  • Critical Operations: Operations whose interruption cannot be tolerated for a period determined based on business impact analysis.

  • Recovery Time Objective (RTO): The acceptable time period to restore activities, operations, and services after an incident occurs.

  • Recovery Point Objective (RPO): The maximum amount of data loss permitted for the purpose of resuming critical operations when restoring the service.

  • Critical Systems: Systems whose failure or malfunction causes critical operations to fail.

  • Data: All information, documents, and records pertaining to a natural or legal person, regardless of their form or source, including account transactions, movements, statements, and transactions resulting from the use of electronic wallets and cards of all types, and any information the company has accessed or obtained from the client.

  • Data Confidentiality: Maintaining all data obtained by the company, as well as financial operations and movements, and protecting them from unauthorized access and viewing.

  • Data Privacy: Taking all necessary measures and precautions to ensure that no client data or information is disclosed to any parties or used for other purposes without the client's prior consent.

Article (2) Objective and Scope of Application

  1. The provisions of these Instructions aim to regulate the information technology environment of payment service companies and enable them to manage their operations effectively and securely.
  2. The provisions of these Instructions apply to all licensed payment service companies operating in Palestine.

Article (3) Cloud Computing Service

The Company may use cloud computing services, provided that it adheres to the following:

  1. Obtain prior written approval from the Palestine Monetary Authority before using cloud computing services for critical systems and systems containing confidential data, and notify the Palestine Monetary Authority only regarding other systems.
  2. Take all necessary measures to ensure data and system confidentiality, accuracy, and availability, and apply technical controls that ensure data security, integrity, privacy, encryption, and protection from unauthorized access, use, or modification on communication lines, storage devices, and databases. Implement due diligence procedures when selecting a service provider, and ensure the availability of legislation regarding data confidentiality protection, anti-money laundering, and counter-terrorism financing in the service provider's country.
  3. Establish disaster recovery procedures, provided that the following are adhered to regarding critical operational processes: a. Take all necessary measures to prevent the loss or destruction of any data pertaining to the company's operations. b. Take all necessary measures to prevent the interruption of systems used in critical operations, provided that an availability rate of no less than 99.9% is maintained. c. Procedures and measures must include ensuring the readiness of the disaster recovery site and the tests specific to it.
  4. Provide a daily backup of data and information for systems, check them to ensure integrity, and keep them in a secure and accessible location at all times.
  5. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with the provisions of these Instructions and one of the information security standards for cloud services, specifically the Cloud Controls Matrix (CCM) or any similar standard approved by the Palestine Monetary Authority.

Article (4) Co-Location Service

  1. The Company may rent a site to host the primary data center, disaster recovery site, or part of any of them, provided that the following are adhered to: a. Obtain prior written approval from the Palestine Monetary Authority. b. Take all necessary measures when renting the site to ensure data and system confidentiality, privacy, accuracy, and availability, by providing all tools and implementing technical controls that ensure data and information security, integrity, and encryption on communication lines and storage devices. Implement due diligence procedures when selecting a service provider, and ensure the availability of legislation regarding data confidentiality protection, anti-money laundering, and counter-terrorism financing in the service provider's country. c. Establish disaster recovery procedures, provided that the following are adhered to regarding critical operational processes:


     1) Take all necessary measures to prevent the loss or destruction of any data pertaining to the company's operations.
     2) Take all necessary measures to prevent the interruption of systems used in critical operations, provided that an availability rate of no less than 99.9% is maintained.
     3) Procedures and measures must include ensuring the readiness of the disaster recovery site and the tests specific to it.
     d. Establish mechanisms for effective monitoring of network devices, protection systems, and storage units regarding critical logs and warnings, keeping them for a period of no less than one year in the live version of the systems.
     e. The rented site for the primary data center and the disaster recovery site must differ in terms of the likelihood of exposure to the same threats.
  2. Subject to what is stated in paragraphs (1/b and 1/d) of this Article, the Company may rent a site to host a high-availability data center and migrate to it and operate from it, provided that prior written approval is obtained from the Palestine Monetary Authority and procedures are in place to ensure no data loss during automatic migration. Data transfer between the primary data center site and the high-availability site must be instantaneous, and the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) values must be achieved in accordance with the provisions of paragraph (1/c) of this Article.
  3. The service provider is prohibited from performing any work on behalf of the Company regarding the Company's devices and servers hosted with them, except in emergency cases.
  4. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with one of the information security standards for hosted services, specifically PCI DSS, ISO 27001, or CCM (Cloud Controls Matrix) regarding physical security, or any similar standard approved by the Palestine Monetary Authority.
  5. The Company must obtain prior written approval from the Palestine Monetary Authority before transferring the primary data center, disaster recovery site, or high-availability data center, or any part of any of them, to a service provider previously approved by the Palestine Monetary Authority.

Article (5) Primary Data Center and Disaster Recovery Site

When creating its own primary data center or disaster recovery site, the Company must adhere to the following:

  1. Obtain prior written approval from the Palestine Monetary Authority for the site.
  2. Provide the Palestine Monetary Authority with a compliance certificate from an independent body regarding site equipment according to one of the international standards approved by the Palestine Monetary Authority.
  3. Equip the site with the necessary systems, applications, and technological solutions to protect information systems and infrastructure.
  4. The primary data center site and the disaster recovery site must differ in terms of the likelihood of exposure to the same threats.

Article (6) Core Payment Service Systems

The Company must provide core payment service systems that meet the following conditions:

  1. Meet all business needs for recording transactions and all types of payment services for customers and the company.
  2. Be updated and developed with the latest versions from the vendor, and provide the Palestine Monetary Authority with a report every two years regarding the differences between the current version and the latest version available from the vendor.
  3. Maintain data and service confidentiality, accuracy, privacy, and availability, and enhance the principle of dual control and the ability to link and integrate with other different systems.
  4. All operating systems, databases, and applications used must be properly licensed.
  5. Be capable of providing information and reports to customers and various regulatory authorities.

Article (7) Service Provider Conditions

When selecting a service provider, the Company must ensure the following conditions are met:

  1. Be licensed by competent authorities.
  2. Be capable of adhering to the performance standards defined by the Company.
  3. Have internal controls and an approved cybersecurity policy.
  4. Have emergency and business continuity plans regarding the services outsourced to them, and these plans must be compatible with all effective instructions issued by the Palestine Monetary Authority.
  5. Be financially sound and capable of adhering to all contract terms with the Company.
  6. Have sufficient physical and human resources to manage and monitor the outsourced service, and its employees must hold specialized professional certifications.
  7. There must be no political, economic, or social factors in the country where the service provider operates that could affect the provision of cloud computing or co-location services.

Article (8) Contracting with Service Provider

Before contracting with a service provider, the Company must adhere to the following:

  1. The contract concluded with the service provider must include data storage locations and deletion procedures upon contract termination.
  2. The service provider must commit to the following: a. Protect the Company's data from unauthorized, accidental, or illegal access, disclosure, alteration, loss, or destruction. b. Not use the Company's data for any other purposes. c. Not transfer, store, or process the Company's data outside the agreed location, permanently or temporarily, without obtaining the Company's prior consent. d. Ensure free and easy access to systems at all times. e. Provide 24/7 technical support. f. Notify the Company immediately of any operational events that may affect its data or electronic services. g. Obtain the Company's consent before the service provider subcontracts with another party regarding cloud computing and co-location services.
  3. Maintain an updated log containing documents and information related to cloud computing and co-location services.

Article (9) Application Submission Conditions

Before contracting for cloud computing services or renting a site to host the primary data center, disaster recovery site, high-availability data center, or part of any of them, the Company must submit an application for prior written approval from the Palestine Monetary Authority, accompanied by the following documents and records:

  1. All documents and records in accordance with the provisions of the effective Outsourcing Instructions issued by the Palestine Monetary Authority.
  2. A report regarding the service risk assessment and risk management procedures.
  3. A compliance certificate from an independent body proving that the service provider complies with one of the standards specified in Article (3) paragraph (5) and Article (4) paragraph (4), as applicable.
  4. A legal opinion from a legal advisor in the service provider's country regarding effective laws and legislation for data protection, confidentiality, and disclosure, if the service provider is outside Palestine.
  5. The Company's procedures and technical controls regarding data and information protection, security, integrity, and privacy, as stipulated in Article (3) paragraph (2) and Article (4) paragraph (1/b), as applicable.
  6. The Company's disaster recovery procedures, as stipulated in Article (3) paragraph (3) and Article (4) paragraph (1/c), as applicable.
  7. Effective monitoring and auditing procedures for the outsourced service at the provider, as stipulated in Article (4) paragraph (1/d).
  8. The nature and classification of data and information held by the service provider and their storage locations.
  9. A work plan for service termination procedures related to the contract.
  10. Provide the Palestine Monetary Authority with supporting documents and records for what is stated in Article (7) of these Instructions.

Article (10) Governance

The Company must adhere to the following:

  1. Adopt and continuously update policies and work procedures for cloud computing and co-location services, especially upon any fundamental change, provided that they include the following: a. The main objectives of usage. b. Systems and data to be outsourced to the service provider, classified by importance, risk level, and sensitivity, specifically regarding cloud computing services and their types. c. Cloud models regarding infrastructure, software, and platform services. d. Security and technical controls and standards. e. Data retention mechanisms, storage locations, and disposal mechanisms. f. Control and auditing mechanisms.
  2. Assess and manage risks associated with cloud computing and co-location services, and review them continuously and upon any fundamental change.
  3. Monitor the service provider's compliance with contract terms.
  4. Ensure the service provider is capable of keeping pace with technological development and continuously updating the service.
  5. Update business continuity and disaster recovery plans, and crisis management for cloud computing and co-location services, in accordance with the Business Continuity Instructions issued by the Palestine Monetary Authority.

Article (11) Information Security

The Company must adhere to the following:

  1. Store encryption and authentication keys in a secure location under dual control, inaccessible to the service provider.
  2. Store the Company's data independently and isolated from other users' data in the cloud computing service.
  3. Apply specific access control and user identity controls on systems and data at the service provider, and review them periodically.
  4. Conduct penetration testing for outsourced service infrastructure at least once a year and upon any fundamental change.
  5. Conduct periodic vulnerability assessments for cloud computing and co-location service infrastructure.
  6. Enable the audit trail feature and retain all changes and modifications to the Company's data and systems related to cloud computing and co-location services.
  7. Review and audit login logs and security events, retain them, and ensure that only authorized users access data and servers. Periodically review user permissions on systems.
  8. Provide primary and alternative communication lines from different internet service providers to ensure service continuity.
  9. Notify the Palestine Monetary Authority of operational events in accordance with effective instructions.

Article (12) Compliance

The Company must provide the Palestine Monetary Authority annually with the following:

  1. A PCI-DSS compliance certificate for any applications related to payment cards.
  2. A compliance certificate for one of the international information security standards approved by the Palestine Monetary Authority.
  3. A report on penetration test results at least once a year or upon any fundamental modifications.
  4. Internal and external audit reports on the technological environment and management's response, along with a correction timeline, provided that the audit scope includes general controls and IT application controls (IT & ITGC).

Article (13) Repeal

All provisions conflicting with these Instructions are repealed.

Article (14) Implementation and Enforcement

All competent authorities must implement the provisions of these Instructions, each within its jurisdiction, and they apply from the date of their issuance.

Issued in Ramallah, on 2022/10/13

Dr. Firas Malham, Governor