Instruction No. 3 on Regulating the Information Technology Environment
Based on the provisions of Law No. (41) of 2022 on National Payments, specifically Articles (7) and (18) thereof,
And based on what the Board of Directors of the Palestine Monetary Authority approved in its meeting No. (254) dated 2022/10/5,
And according to the powers delegated to us,
And in pursuit of the public interest,
We have issued the following Instructions:
Article (1)
Definitions
The words and phrases contained in these Instructions shall have the meanings specified below, unless the context indicates otherwise:
- The Company: A licensed payment services company authorized to operate in Palestine.
- Cloud Computing: A remote service delivered over the internet by a service provider to the user in a shared environment owned by the provider, enabling the user to consume services at any time and from any location, such as Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).
- Software as a Service (SaaS): Renting software and applications from a service provider according to a pay-per-use model.
- Platform as a Service (PaaS): Providing an integrated environment for the user including an operating system, programming language execution environment, databases, and web servers, enabling the user to develop, run, and deploy their own applications on the cloud infrastructure and control their settings.
- Infrastructure as a Service (IaaS): Providing the necessary hardware, servers, and technologies to enable the user to deploy, run, and control their own operating systems and applications.
- Co-Location Service: Renting space from a service provider to host the company's primary data center, disaster recovery site, or high-availability data center (or part thereof), so that it operates without any intervention from the provider, with the provider supplying the space, cooling systems, power, physical protection, and necessary privacy.
- Service Provider: The entity providing cloud computing or co-location services.
- User: The company using cloud computing or co-location services.
- Primary Data Center: The space occupied by devices, equipment, and systems through which data is processed and stored, including infrastructure, security, and protection systems.
- High Availability Data Center: A backup data center containing a live copy of systems and data that is exactly identical to what exists in the primary data center at all times.
- Core Payment Service Systems: Systems used to provide and manage services and transactions permitted for the company.
- Disaster Recovery Site (DRS): The backup site for the primary data center, which the company can use temporarily to restore its operations to normal in the event that the primary data center experiences any failure or natural disaster leading to a work stoppage.
- Critical Operations: Operations whose interruption cannot be tolerated for a period determined based on a business impact analysis.
- Recovery Time Objective (RTO): The acceptable period of time to restore activities, operations, and services after an event occurs.
- Recovery Point Objective (RPO): The maximum amount of data loss permitted for the purpose of resuming critical operations when restoring the service.
- Critical Systems: Systems whose failure or malfunction causes critical operations to fail.
- Data: All information, documents, and records pertaining to a natural or legal person, regardless of their form or source, including account operations, movements, statements, and transactions resulting from the use of electronic wallets and cards of all types, and any information the company has accessed or obtained from the client.
- Data Confidentiality: Maintaining all data obtained by the company, as well as financial operations and movements, and protecting them from unauthorized access and viewing.
- Data Privacy: Taking all necessary measures and precautions to ensure that no client data or information is disclosed to any parties or used for other purposes without the client's prior consent.
Article (2)
Objective and Scope of Application
- The provisions of these Instructions aim to regulate the information technology environment of payment service companies and enable them to manage their operations effectively and securely.
- The provisions of these Instructions apply to all licensed payment service companies operating in Palestine.
Article (3)
Cloud Computing Service
The Company may use cloud computing services, provided it complies with the following:
1. Obtain prior written approval from the Palestine Monetary Authority before using cloud computing services for critical systems and systems containing confidential data; for other systems, notification of the Palestine Monetary Authority is sufficient.
2. Take all necessary measures to achieve data and system confidentiality, accuracy, and availability, and apply technical controls that ensure the security, integrity, and privacy of data, including encryption and protection against unauthorized access, use, or modification on communication lines, storage devices, and databases. Implement due diligence procedures when selecting a service provider, and ensure that legislation on data confidentiality protection, anti-money laundering, and counter-terrorism financing is in force in the service provider's country.
3. Establish disaster recovery procedures, provided the following are complied with regarding critical operational processes:
a. Take all necessary measures to prevent the loss or destruction of any data pertaining to the company's operations.
b. Take all necessary measures to prevent the interruption of systems used in critical operations, provided that an availability rate of not less than 99.9% is maintained.
c. Procedures and measures must include ensuring the readiness of the disaster recovery site and conducting tests on it.
4. Take a daily backup of system data and information, verify the integrity of the backups, and keep them in a secure location that is accessible at all times.
5. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with the provisions of these Instructions and with one of the information security standards for cloud services, specifically the Cloud Controls Matrix (CCM) or any similar standard approved by the Palestine Monetary Authority.
Article (4)
Co-Location Service
1. The Company may rent a site to host the primary data center, disaster recovery site, or part of any of them, provided it complies with the following:
a. Obtain prior written approval from the Palestine Monetary Authority.
b. Take all necessary measures when renting the site to achieve data and system confidentiality, privacy, accuracy, and availability, by providing all tools and implementing technical controls that ensure data and information security and integrity, including encryption on communication lines and storage devices. Implement due diligence procedures when selecting a service provider, and ensure that legislation on data confidentiality protection, anti-money laundering, and counter-terrorism financing is in force in the service provider's country.
c. Establish disaster recovery procedures, provided the following are complied with regarding critical operational processes:
1. Take all necessary measures to prevent the loss or destruction of any data pertaining to the company's operations.
2. Take all necessary measures to prevent the interruption of systems used in critical operations, provided that an availability rate of not less than 99.9% is maintained.
3. Procedures and measures must include ensuring the readiness of the disaster recovery site and conducting tests on it.
d. Establish mechanisms for effective monitoring of network devices, protection systems, and storage units with respect to critical logs and alerts, and retain those logs online in the live systems for a period of not less than one year.
e. The rented site for the primary data center and the disaster recovery site must differ in terms of the likelihood of exposure to the same threats.
2. Subject to what is stated in paragraphs (1/b and 1/c) of this Article, the Company may rent a site to host a high-availability data center and migrate to it and operate from it, provided it obtains prior written approval from the Palestine Monetary Authority and has procedures that ensure no data loss during the automatic migration. The data transfer process between the primary data center site and the high-availability site must be instantaneous, and the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) values must be achieved in accordance with the provisions of paragraph (1/c) of this Article.
3. The service provider is prohibited from performing any work on behalf of the Company regarding the Company's hosted devices and servers, except in emergency cases.
4. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with one of the information security standards for hosted services, specifically PCI DSS, ISO 27001, or Cloud Controls Matrix (CCM) regarding physical security, or any similar standard approved by the Palestine Monetary Authority.
5. The Company must obtain prior written approval from the Palestine Monetary Authority before transferring the primary data center, disaster recovery site, high-availability data center, or any part of any of them to a service provider that has been previously approved by the Palestine Monetary Authority.
Article (5)
Primary Data Center and Disaster Recovery Site
When creating its own primary data center or disaster recovery site, the Company must comply with the following:
- Obtain prior written approval from the Palestine Monetary Authority for the site.
- Provide the Palestine Monetary Authority with a compliance certificate from an independent entity regarding the site's equipment according to one of the international standards approved by the Palestine Monetary Authority.
- Equip the site with the necessary systems, applications, and technological solutions to protect information systems and infrastructure.
- The primary data center site and the disaster recovery site must differ in terms of the likelihood of exposure to the same threats.
Article (6)
Core Payment Service Systems
The Company must provide core payment service systems that meet the following conditions:
- They must meet all business needs for recording transactions and all types of payment services for clients and the company.
- They must be kept current with the latest versions released by the vendor, and the Palestine Monetary Authority must be provided with a report every two years on the differences between the version currently in use and the vendor's latest version.
- They must maintain data and service confidentiality, accuracy, and availability, support the principle of dual control, and be capable of linking and integrating with other systems.
- All operating systems, databases, and applications used must be properly licensed.
- They must be capable of providing information and reports to clients and various regulatory authorities.
Article (7)
Service Provider Conditions
When selecting a service provider, the Company must ensure the following conditions are met:
- It must be licensed by the competent authorities.
- It must be capable of complying with the performance standards defined by the Company.
- It must have internal controls and an approved cybersecurity policy.
- It must have emergency and business continuity plans regarding the services outsourced to it, and these plans must be compatible with all valid instructions issued by the Palestine Monetary Authority.
- It must be financially sound and capable of complying with all contract terms with the Company.
- It must have sufficient and appropriate physical and human resources to manage and monitor the outsourced service, and its employees must hold specialized professional certifications.
- There must be no political, economic, or social factors in the country where the service provider operates that could affect the provision of cloud computing or co-location services.
Article (8)
Contracting with the Service Provider
Before contracting with a service provider, the Company must comply with the following:
- The contract concluded with the service provider must include data storage locations and deletion procedures upon contract termination.
- The service provider must commit to the following:
a. Protecting the Company's data from unauthorized, accidental, or illegal access, disclosure, alteration, loss, or destruction.
b. Not using the Company's data for any other purposes.
c. Not transferring, storing, or processing the Company's data outside the agreed permanent or temporary location without obtaining the Company's prior consent.
d. Ensuring the Company unrestricted and straightforward access to its systems at all times.
e. Providing 24/7 technical support.
f. Immediately notifying the Company of any operational events that may affect its data or electronic services.
g. Obtaining the Company's consent before the service provider subcontracts with another party regarding cloud computing and co-location services.
- The Company must maintain an up-to-date register of the documents and information related to its cloud computing and co-location services.
Article (9)
Application Submission Conditions
Before contracting for cloud computing services or renting a site to host a primary data center, disaster recovery site, high-availability data center, or part of any of them, the Company must submit an application for prior written approval from the Palestine Monetary Authority, accompanied by the following documents and records:
- All documents and records in accordance with the provisions of the valid Outsourcing Instructions issued by the Palestine Monetary Authority.
- A report regarding the service risk assessment and risk management procedures.
- A compliance certificate from an independent entity proving that the service provider complies with one of the standards specified in Article (3) paragraph (5) and Article (4) paragraph (4), as applicable.
- A legal opinion from a legal advisor in the service provider's country regarding the laws and legislation in force for data protection, confidentiality, and disclosure, if the service provider is outside Palestine.
- The Company's procedures and technical controls regarding the protection, security, integrity, and privacy of data and information, as stipulated in Article (3) paragraph (2) and Article (4) paragraph (1/b), as applicable.
- The Company's disaster recovery procedures, as stipulated in Article (3) paragraph (3) and Article (4) paragraph (1/c), as applicable.
- Effective monitoring and auditing procedures for the outsourced service with the provider, as stipulated in Article (4) paragraph (1/d).
- The nature and classification of data and information held by the service provider and their storage locations.
- A work plan for service termination procedures related to the contract.
- Providing the Palestine Monetary Authority with documents and records supporting the information in Article (7) of these Instructions.
Article (10)
Governance
The Company must comply with the following:
- Adopt and continuously update a policy and work procedures for cloud computing and co-location services, especially upon any fundamental change, provided it includes the following:
a. The main objectives of usage.
b. The systems and data to be outsourced to the service provider, classified by importance, risk level, and sensitivity, regarding cloud computing services and their types.
c. The cloud model regarding infrastructure, software, and platform services.
d. Security and technical controls and standards.
e. Data retention mechanisms, storage locations, and disposal mechanisms.
f. Control and audit mechanisms.
- Evaluate and manage risks associated with cloud computing and co-location services, and review them continuously and upon any fundamental change.
- Monitor the service provider's compliance with contract terms.
- Ensure the service provider is capable of keeping pace with technological development and continuously updating the service.
- Update business continuity and disaster recovery plans, and crisis management plans for cloud computing and co-location services, in accordance with the Business Continuity Instructions issued by the Palestine Monetary Authority.
Article (11)
Information Security
The Company must comply with the following:
- Store encryption and authentication keys in a secure location under dual control, inaccessible to the service provider.
- Store the Company's data independently and isolated from other users' data in the cloud computing service.
- Apply specific controls for user identity and access management on systems and data with the service provider, and review them periodically.
- Conduct penetration testing for the outsourced service infrastructure at least once a year and upon any fundamental change.
- Conduct periodic vulnerability assessments for the cloud computing and co-location service infrastructure.
- Enable the audit trail feature and retain all changes and modifications to the Company's data and systems related to cloud computing and co-location services.
- Review and audit login logs and security events, retain them, and ensure that only authorized users access data and servers, and periodically review user permissions on systems.
- Provide primary and alternative communication lines from different internet service providers to ensure service continuity.
- Notify the Palestine Monetary Authority of operational events in accordance with valid instructions.
Article (12)
Compliance
The Company must provide the Palestine Monetary Authority annually with the following:
- A PCI-DSS compliance certificate for any applications related to payment cards.
- A compliance certificate for one of the international information security standards approved by the Palestine Monetary Authority.
- A report on penetration test results at least once a year or upon any fundamental modifications.
- Internal and external audit reports on the technological environment, together with management's response and correction timeline, provided the audit scope covers IT general controls (ITGC) and application controls.
Article (13)
Repeal
All provisions conflicting with these Instructions are repealed.
Article (14)
Implementation and Enforcement
All competent authorities must implement the provisions of these Instructions, each within its jurisdiction, and they shall apply from the date of their issuance.
Issued in Ramallah, on 2022/10/13
Dr. Fares Malham
Governor