Palestine Monetary Authority
Instructions No. (3) of 2022
Regarding the Regulation of the Information Technology Environment
Based on the provisions of Law-Decree No. (41) of 2022 regarding National Payments, specifically Articles (7) and (18) thereof,
And based on what the Board of Directors of the Palestine Monetary Authority approved in its meeting No. (254) dated 2022/10/5,
And according to the powers delegated to us,
And to achieve the public interest,
We have issued the following Instructions:
Article (1)
Definitions
The words and phrases appearing in these Instructions have the meanings specified below, unless the context indicates otherwise:
- The Company: A licensed payment services company operating in Palestine.
- Cloud Computing: A remote service provided through the web by a service provider to the user in a shared environment owned by the provider, enabling the user to benefit from various services at any time and anywhere, such as Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).
- Software as a Service (SaaS): Renting software and applications from a service provider according to a pay-per-use model.
- Platform as a Service (PaaS): Providing an integrated environment to the user including an operating system, programming language execution environment, databases, and web servers, enabling the user to develop, run, and deploy their own applications on the cloud infrastructure and control their settings.
- Infrastructure as a Service (IaaS): Providing the necessary hardware, servers, and technologies to enable the user to deploy, run, and control their own operating systems and applications.
Ramallah and Al-Bireh Governorate - Palestine P.O. Box 452 | Tel: +970 2 2415251 | Fax: +970 2 2415310 | info@pma.ps
Gaza - Palestine P.O. Box 4026 | Tel: +970 8 2825713 | Fax: +970 8 2844487
- Co-Location Service: Renting space from a service provider to host the company's primary data center, disaster recovery site, or high-availability data center (or part thereof), so that it operates without any intervention from the provider, with the provider supplying the necessary space, cooling systems, power, physical protection, and privacy.
- Service Provider: The entity that provides cloud computing services or co-location services.
- User: The company that uses cloud computing services or co-location services.
- Primary Data Center: The space occupied by devices, equipment, and systems through which data is processed and stored, including infrastructure, security, and protection systems.
- High Availability Data Center: A backup data center containing a live copy of the systems and data that is an exact replica of what exists in the primary data center and is available at any time.
- Core Payment Service Systems: Systems used to provide and manage the services and business activities permitted for the company.
- Disaster Recovery Site (DRS): The backup site of the primary data center which the company can use temporarily to restore its operations to normal in the event that the primary data center suffers any failure or natural disaster that leads to a work stoppage.
- Critical Operations: Operations whose interruption cannot be tolerated beyond a period determined by a business impact analysis.
- Recovery Time Objective (RTO): The acceptable time period to restore activities, operations, and services after an event occurs.
- Recovery Point Objective (RPO): The maximum allowed amount of data loss for the purpose of resuming critical operations when restoring the service.
- Critical Systems: Systems whose failure or malfunction leads to the disruption of critical operations.
- Data: All information, documents, and records pertaining to a natural or legal person, regardless of their form or source, including account operations, movements, statements, and transactions resulting from the use of electronic wallets and cards of all types, and any information the company has accessed or obtained from the client.
- Data Confidentiality: Safeguarding all data obtained by the company, including financial operations and movements, and protecting it from unauthorized access and viewing.
- Data Privacy: Taking all necessary measures and precautions to ensure that no client-specific data or information is disclosed to any parties or used for other purposes without the client's prior consent.
Article (2)
Objective and Scope of Application
1. The provisions of these Instructions aim to regulate the information technology environment of payment service companies and enable them to manage their operations effectively and securely.
2. The provisions of these Instructions apply to all licensed payment service companies operating in Palestine.
Article (3)
Cloud Computing Service
The Company may use cloud computing services, provided it adheres to the following:
1. Obtain prior written approval from the Palestine Monetary Authority before using cloud computing services for critical systems and for systems containing confidential data; for other systems, it is sufficient to notify the Palestine Monetary Authority.
2. Take all necessary measures to ensure the confidentiality, accuracy, and availability of data and systems, and apply technical controls that ensure data security, integrity, and privacy, including encryption and protection against unauthorized access, use, or modification over communication lines, on storage devices, and in databases. Apply due diligence procedures when selecting a service provider, and ensure that legislation on data confidentiality protection, anti-money laundering, and counter-terrorism financing is in force in the service provider's country.
3. Establish disaster recovery procedures, provided the following are adhered to regarding critical operational processes:
a. Take all necessary measures to prevent the loss or destruction of any data pertaining to the company's operations.
b. Take all necessary measures to prevent the interruption of systems used in critical operations, provided that an availability rate of not less than 99.9% is maintained.
c. The procedures and measures must include ensuring the readiness of the disaster recovery site and its specific tests.
4. Provide a daily backup of data and information for systems, check them to ensure integrity, and store them in a secure and accessible location at all times.
5. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with the provisions of these Instructions and one of the information security standards for cloud services, namely the Cloud Controls Matrix (CCM) or any similar standard approved by the Palestine Monetary Authority.
Article (4)
Co-Location
1. The Company may rent a site to host the primary data center, the disaster recovery site, or part of either of them, provided it adheres to the following:
a. Obtain prior written approval from the Palestine Monetary Authority.
b. Take all necessary measures when renting the site to ensure the confidentiality, privacy, accuracy, and availability of data and systems, by providing all tools and implementing technical controls that ensure data and information security, integrity, and encryption over communication lines and on storage devices. Apply due diligence procedures when selecting a service provider, and ensure that legislation on data confidentiality protection, anti-money laundering, and counter-terrorism financing is in force in the service provider's country.
c. Establish disaster recovery procedures, provided the following are adhered to regarding critical operational processes:
- Take all necessary measures to prevent the loss or destruction of any data pertaining to the company's operations.
- Take all necessary measures to prevent the interruption of systems used in critical operations, provided that an availability rate of not less than 99.9% is maintained.
- The procedures and measures must include ensuring the readiness of the disaster recovery site and its specific tests.
d. Establish mechanisms for effective monitoring of critical logs and alerts from network devices, security devices, and storage units, ensuring they are retained for at least one year in the live version of the systems.
e. The rented site for the primary data center and the disaster recovery site must differ in terms of the likelihood of exposure to the same threats.
2. Subject to what is stated in paragraphs (1/b and 1/c) of this Article, the Company may rent a site to host a high-availability data center, migrate to it, and operate from it, provided it obtains prior written approval from the Palestine Monetary Authority and has procedures that ensure no data loss during automatic migration (failover). Data transfer between the primary data center site and the high-availability site must be instantaneous, and the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) values must be achieved in accordance with the provisions of paragraph (1/c) of this Article.
3. The service provider is prohibited from performing any work on behalf of the Company on the Company's devices and servers hosted with it, except in emergency cases.
4. Provide the Palestine Monetary Authority with a report from a specialized company regarding compliance with one of the information security standards for hosted services, specifically PCI DSS, ISO 27001, or the CCM (Cloud Controls Matrix) controls for physical security, or any similar standard approved by the Palestine Monetary Authority.
5. The Company must obtain prior written approval from the Palestine Monetary Authority before transferring the primary data center, the disaster recovery site, the high-availability data center, or any part of any of them to a service provider, even where that service provider has previously been approved by the Palestine Monetary Authority.
Article (5)
Primary Data Center and Disaster Recovery Site
When creating a primary data center or disaster recovery site for its own use, the Company must adhere to the following:
1. Obtain prior written approval from the Palestine Monetary Authority for the site.
2. Provide the Palestine Monetary Authority with a compliance certificate from an independent entity regarding the site's equipment according to one of the international standards approved by the Palestine Monetary Authority.
3. Equip the site with the necessary systems, applications, and technological solutions to protect information systems and infrastructure.
4. The primary data center site and the disaster recovery site must differ in terms of the likelihood of exposure to the same threats.
Article (6)
Core Payment Service Systems
The Company must provide core payment service systems that meet the following conditions:
1. They must meet all business needs for recording operations and all types of payment service operations for clients and the Company.
2. They must be updated and developed with the latest versions from the vendor, and the Palestine Monetary Authority must be provided, every two years, with a report on the differences between the version in the Company's possession and the latest version from the vendor.
3. They must maintain the confidentiality, accuracy, and availability of data and services, support the principle of dual control, and be able to link and integrate with other systems.
4. All operating systems, databases, and applications used must be properly licensed.
5. They must be capable of providing information and reports to clients and to the various regulatory authorities.
Article (7)
Service Provider Conditions
When selecting a service provider, the Company must ensure the following conditions are met:
1. It must be licensed by the competent authorities.
2. It must be capable of adhering to the performance standards defined by the Company.
3. It must have internal controls and an approved cybersecurity policy.
4. It must have emergency and business continuity plans for the services outsourced to it, and these plans must comply with all valid instructions issued by the Palestine Monetary Authority.
5. It must be financially sound and capable of adhering to all contract terms with the Company.
6. It must have sufficient and appropriate physical and human resources to manage and monitor the outsourced service, and its employees must hold specialized professional certifications.
7. There must be no political, economic, or social factors in the country where the service provider operates that could affect the provision of cloud computing or co-location services.
Article (8)
Contracting with a Service Provider
Before contracting with a service provider, the Company must adhere to the following:
1. The contract concluded with the service provider must specify the data storage locations and the data deletion procedures upon contract termination.
2. The service provider must commit to the following:
a. Protect the Company's data from unauthorized, accidental, or illegal access, disclosure, alteration, loss, or destruction.
b. Not use the Company's data for any other purposes.
c. Not transfer, store, or process the Company's data outside the agreed permanent or temporary location without obtaining the Company's prior consent.
d. Ensure the Company's unrestricted and easy access to its systems at all times.
e. Provide 24/7 technical support.
f. Immediately notify the Company of any operational events that may affect its data or electronic services.
g. Obtain the Company's consent before subcontracting any part of the cloud computing or co-location services to another party.
3. Maintain an updated record containing the documents and information related to cloud computing and co-location services.
Article (9)
Application Submission Conditions
Before contracting for cloud computing services or renting a site to host a primary data center, disaster recovery site, high-availability data center, or part of any of them, the Company must submit an application for prior written approval from the Palestine Monetary Authority, accompanied by the following documents and records:
1. All documents and records required under the provisions of the valid Outsourcing Instructions issued by the Palestine Monetary Authority.
2. A report on the service risk assessment and the risk management procedures.
3. A compliance certificate from an independent entity proving that the service provider complies with one of the standards stipulated in Article (3) paragraph (5) and Article (4) paragraph (4), as applicable.
4. A legal opinion from a legal advisor in the service provider's country regarding the laws and legislation in force on data protection, confidentiality, and disclosure, if the service provider is outside Palestine.
5. The Company's procedures and technical controls for data and information protection, security, integrity, and privacy as stipulated in Article (3) paragraph (2) and Article (4) paragraph (1/b), as applicable.
6. The Company's disaster recovery procedures as stipulated in Article (3) paragraph (3) and Article (4) paragraph (1/c), as applicable.
7. Effective monitoring and auditing procedures for the service outsourced to the provider as stipulated in Article (4) paragraph (1/d).
8. The nature and classification of the data and information retained with the service provider and their storage locations.
9. A work plan for the service termination procedures under the contract.
10. Supporting documents and records for what is stated in Article (7) of these Instructions.
Article (10)
Governance
The Company must adhere to the following:
1. Adopt and continuously update policies and work procedures specific to cloud computing and co-location services, especially upon any fundamental change, provided they include the following:
a. The main objectives of usage.
b. The systems and data to be outsourced to the service provider, classified by importance, risk level, and sensitivity, specifically regarding cloud computing services and their types.
c. The cloud model regarding infrastructure, software, and platform services.
d. Security and technical controls and standards.
e. Data retention mechanisms, storage locations, and disposal mechanisms.
f. Control and auditing mechanisms.
2. Evaluate and manage risks associated with cloud computing and co-location services, and review them continuously and upon any fundamental change.
3. Monitor the service provider's compliance with contract terms.
4. Ensure the service provider is capable of keeping up with technological development and continuously updating the service.
5. Update business continuity and disaster recovery plans and crisis management specific to cloud computing and co-location services in accordance with the Business Continuity Instructions issued by the Palestine Monetary Authority.
Article (11)
Information Security
The Company must adhere to the following:
1. Store encryption and authentication keys in a secure location under dual control, inaccessible to the service provider.
2. Store the Company's data independently and isolated from other users' data in the cloud computing service.
3. Apply specific controls for user identity and access management on the systems and data held with the service provider, and review them periodically.
4. Conduct penetration testing of the outsourced service infrastructure at least once a year and upon any fundamental change.
5. Conduct periodic vulnerability assessments of the cloud computing and co-location service infrastructure.
6. Enable the audit trail feature and retain a record of all changes and modifications to the Company's data and systems related to cloud computing and co-location services.
7. Review and audit login records and security events (logs and events), retain them, and ensure that only authorized users access data and servers. Periodically review user permissions on systems.
8. Provide primary and alternative communication lines from different internet service providers to ensure service continuity.
9. Notify the Palestine Monetary Authority of operational events in accordance with valid instructions.
Article (12)
Compliance
The Company must provide the Palestine Monetary Authority annually with the following:
1. A PCI DSS (Payment Card Industry Data Security Standard) compliance certificate for any applications related to payment cards.
2. A compliance certificate for one of the international information security standards approved by the Palestine Monetary Authority.
3. A report on penetration test results, at least once a year or upon any fundamental modification.
4. Internal and external audit reports on the technological environment, together with management's response and correction timeline, provided that the audit scope includes IT General Controls (ITGC) and IT Application Controls.
Article (13)
Repeal
Anything inconsistent with the provisions of these Instructions is repealed.
Article (14)
Implementation and Enforcement
All competent authorities must implement the provisions of these Instructions, each within its jurisdiction, and they apply from the date of their issuance.
Issued in Ramallah, on 2022/10/13
Dr. Firas Malham
Governor