| 4.1. | Member organization should implement regulatory SAMA cybersecurity requirements.
|
| 4.2. | Member Organization should use official application stores.
|
| 4.3. | Member Organization should develop installation restriction mechanism for privilege escalation devices such as “Jailbreak” for iOS and “Root” for Android or any open source operating system, taking into consideration that the application is installed through official stores..
|
| 4.4. | Member organization should have contingency measures in case of disaster and ensure effective back-up and recovery procedures.
|
| 4.5. | Terms & Conditions should cover data privacy taking into consideration customer consent to display name of account owner.
|
| 4.6. | Member Organization should conduct awareness program to all users on regular basis that should cover Terms & Conditions and general security awareness such as sharing confidential information (password or OTP).
|
| 4.7. | Member Organization should develop inactive accounts policy.
|
| 4.8. | Multi Factor Authentication (MFA) should be implemented to authenticate each log in.
|
| 4.9. | One-time-password mechanism (OTP) should be implemented for the following processes:
|
| | a. | Transfer between wallet to wallet (for the first time as minimum for each beneficiary) below (Defined Value)2;
|
| | b. | Making any application marketplace transaction;
|
| | c. | Payment of bills, utility and government services (for the first time as minimum for each bills);
|
| | d. | Password reset;
|
| | e. | Wallets reactivations;
|
| | f. | Risky transactions based on company assessment and use cases.
|
| 4.10. | One Time Password in one channel and using different delivery channel should be used for following transactions:
|
| | a. | Any transaction between wallets exceeding (Defined Value) as a daily limit (for first time as minimum for each beneficiary)
|
| | b. | transfer to IBAN (for first time as minimum for each beneficiary)
|
| | c. | international transfer (for first time as minimum for each beneficiary)
|
| | d. | high risk transactions based on company assessment and use cases
|
| 4.11. | SMS notification should be sent to users for all transactions and user account changes.
|
| 4.12. | Member Organization should consider the use of comprehensive use cases and scenarios tailored for their business model to combat fraud; including but not limited to:
|
| | a. | Monitoring the behavior of all users to detect any anomalies based on best practices;
|
| | b. | Managing device usage behavior;
|
| 4.13. | Member Organization should establish process to handle fraud cases taking into the consideration investigation and deactivation accounts steps.
|
| 4.14. | Member Organization should develop a process to safeguard “Data Privacy” and “Data Security” of these accounts. Such information includes “Displaying name of account owner”.
|
| 4.15. | Member Organization should ensure the content of the SMS messages is clear, direct, stating the purpose for the SMS and the name of the Member Organization
|
| 4.16. | Member Organizations should reflect all controls within this document within their board approved internal policies in their respective organizations, and should have a process in place for periodic review of the polices.
|
