3.3.13 Electronic Banking Services
| No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 |
Effective from May 24 2017 - May 23 2017
To view other versions open the versions tab on the right
Principle
The Member Organization should define, approve, implement and monitor a cyber security standard for electronic banking services. The effectiveness of this standard should be measured and periodically evaluated.
Objective
To ensure the Member Organization safeguards the confidentiality and integrity of the customer information and transactions.
Control Considerations
| 1. | The cyber security standards for electronic banking services should be defined, approved and implemented. | |||||||
| 2. | The compliance with cyber security standards for electronic banking services should be monitored. | |||||||
| 3. | The effectiveness of the cyber security standard for electronic banking services should be measured and periodically evaluated. | |||||||
| 4. | Electronic banking services security standard should cover: | |||||||
| a. | use of brand protection measures to protect online services including social media. | |||||||
| b. | online, mobile and phone banking: | |||||||
| 1. | use of official application stores and websites (applicable for online and mobile banking); | |||||||
| 2. | use of detection measures and take-down of malicious apps and websites (applicable for online and mobile banking); | |||||||
| 3. | use of sandboxing (applicable for online and mobile banking); | |||||||
| 4. | use of non-caching techniques (applicable for online and mobile banking); | |||||||
| 5. | use of communication techniques to avoid ‘man-in-the-middle'-attacks (applicable for online and mobile banking); | |||||||
| 6. | use of multi-factor authentication mechanisms: | |||||||
| a. | multi-factor authentication should be used during the registration process for the customer in order to use of electronic banking services; | |||||||
| b. | multi-factor authentication should be implemented for all electronic banking services available to customers; | |||||||
| c. | the use of hard and soft tokens should be password protected; | |||||||
| d. | revoking the access of customers after 3 successive incorrect passwords or invalid PINs; | |||||||
| e. | the process for changing the customer mobile number should only be done from either a branch or ATM; | |||||||
| f. | the processes for requesting and activating of the multi-factor authentication should be done through different delivery channels; | |||||||
| g. | multi-factor authentication should be implemented for the following processes: | |||||||
| 1. | sign-on; | |||||||
| 2. | adding or modifying beneficiaries; | |||||||
| 3. | adding utility and government payment services; | |||||||
| 4. | high-risk transactions (when it exceeds predefined limits); | |||||||
| 5. | password reset; | |||||||
| 7. | the processes for adding and activating beneficiaries should be done through different delivery channels (applicable for mobile and online banking); | |||||||
| 8. | high availability of the electronic banking services should be ensured; | |||||||
| 9. | scheduled downtime of the electronic banking services should be timely communicated to Saudi Central Bank and customers; | |||||||
| 10. | contractual agreements between the Member Organization and the customer addressing the roles, responsibilities and liabilities for both the Member Organization and the customers; | |||||||
| 11. | obtaining approval of Saudi Central Bank before launching a new electronic banking service. | |||||||
| c. | ATMs and POSs: | |||||||
| 1. | prevention and detection of exploiting the ATM/POS application and infrastructure vulnerabilities (e.g., cables, (USB)-ports, rebooting); | |||||||
| 2. | cyber security measures, such as hardening of operating systems, malware protection, privacy screens, masking of passwords or account numbers (e.g., screen and receipt), geo-blocking (e.g., disable cards per default for outside GCC countries, disable magnetic strip transactions), video monitoring (CCTV), revoking cards after 3 successive invalid PINs, anti-skimming solutions (hardware/software), and PIN-pad protection; | |||||||
| 3. | remote stopping of ATMs in case of malicious activities. | |||||||
| d. | SMS instant notification services: | |||||||
| 1. | SMS messages should not contain sensitive data (e.g., account balance - except for credit cards); | |||||||
| 2. | SMS alert should be sent to both mobile numbers (old and new) when the customer’s mobile number has been changed; | |||||||
| 3. | SMS notification should be sent to the customer’s mobile number when requesting a new multi-factor authentication mechanism. | |||||||
| 4. | SMS notification should be sent to the customer’s mobile number for all retail and personal financial transactions. | |||||||
| 5. | SMS notification should be sent to the customer’s mobile number when beneficiaries are added, modified and activated. | |||||||