• OM-6.3 ATM Security Measures: Hardware/Software for Retail Banks

    • Implementation

      • OM-6.3.1

        The requirements in this Section must be complied with in full by 30th April 2017, or as specified otherwise. Failure to comply with these requirements will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

        Amended: July 2017
        Added: April 2016

    • Europay, MasterCard and Visa (EMV) Compliance

      • OM-6.3.1A

All cards (debit, credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all ATMs, CDMs, POS, etc. must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts, i.e., up to BD 20 per transaction, provided that conventional bank licensees bear full responsibility in case of fraud occurrence.

        Added: April 2018

    • Provision of Cash Withdrawal and Payment Services through Various Channels

      • OM-6.3.1B

Conventional bank licensees are allowed to provide cash withdrawal and payment services using various channels, including but not limited to, contactless, cardless, QR code, e-wallets, biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to enrolling customers through a registration process wherein customers' acceptance of products/services terms and conditions is documented and customers are properly authenticated.

        Added: April 2018

    • Near Field Communication ("NFC")

      • OM-6.3.1C

        Conventional retail bank licensees must ensure that all currently installed ATMs support contactless payment using Near Field Communication "NFC" technology. The changes necessary to the software/hardware to meet this requirement must be completed no later than 1st April 2020.

        Added: October 2019

      • OM-6.3.1D

Conventional retail bank licensees must ensure, with effect from 18th August 2019, that all new installations of ATM machines support contactless payment using Near Field Communication "NFC" technology.

        Added: October 2019

      • OM-6.3.1E

Conventional retail bank licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Field Communication "NFC" technology.

        Added: October 2019

      • OM-6.3.1F

Conventional retail bank licensees must ensure that any payment card issued or reissued (credit, debit, prepaid and charge cards) on or after 12th October 2019 supports contactless payment using Near Field Communication "NFC" technology.

        Added: October 2019

    • Geolocation Limitations

      • OM-6.3.2

All conventional bank licensees issuing debit, prepaid and/or credit cards must ensure that all Bahrain issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their card must not be accepted, as well as countries or merchant categories in which a card transaction would require a further level of authorisation (for example, 2-way SMS).

        Amended: April 2018
        Added: April 2016
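The following is an added illustration, not code from the CBB rulebook or any licensee, of how an issuer's authorisation host could apply the two customer-facing controls above in one policy check: the BD 20 no-PIN contactless ceiling of OM-6.3.1A and the customer-maintained approved-country / step-up list of OM-6.3.2. The request and profile field names, the channel labels, the decision labels and the sample country and merchant-category codes are all assumptions made for the example.

```python
"""Issuer-side authorisation policy check (added example; assumed data model)."""
from __future__ import annotations
from dataclasses import dataclass, field

# OM-6.3.1A: contactless without PIN verification is permitted up to BD 20 per transaction.
CONTACTLESS_NO_PIN_LIMIT_BD = 20.0


@dataclass
class CustomerCardProfile:
    """Customer-maintained geolocation preferences (OM-6.3.2). Field names are assumed."""
    approved_countries: set[str] = field(default_factory=set)           # ISO 3166 alpha-2 (constructed)
    step_up_countries: set[str] = field(default_factory=set)            # extra authorisation, e.g. 2-way SMS
    step_up_merchant_categories: set[str] = field(default_factory=set)  # MCC codes (constructed)


@dataclass
class AuthRequest:
    """Minimal view of an ATM/POS authorisation request (assumed fields)."""
    country: str
    mcc: str
    amount_bd: float
    channel: str        # "chip_online_pin", "contactless_no_pin" or "magstripe" (assumed labels)
    pin_verified: bool  # whether online PIN verification succeeded for this request


def decide(profile: CustomerCardProfile, req: AuthRequest) -> str:
    """Return one of APPROVE, STEP_UP, PIN_REQUIRED or DECLINE (labels are assumed)."""
    # OM-6.3.2: the card must not be accepted outside the customer's approved countries.
    if req.country not in profile.approved_countries:
        return "DECLINE"
    # OM-6.3.1A: EMV compliance means chip and online PIN; a magnetic-stripe read is not EMV.
    if req.channel == "magstripe":
        return "DECLINE"
    if req.channel == "contactless_no_pin":
        # Above the BD 20 ceiling the terminal must obtain PIN verification instead.
        if req.amount_bd > CONTACTLESS_NO_PIN_LIMIT_BD:
            return "PIN_REQUIRED"
    elif not req.pin_verified:
        return "DECLINE"
    # OM-6.3.2: countries or merchant categories the customer flagged for extra authorisation.
    if req.country in profile.step_up_countries or req.mcc in profile.step_up_merchant_categories:
        return "STEP_UP"
    return "APPROVE"
```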

    • Prohibition of Double Swiping

      • OM-6.3.2A

        All card acquirer licensees must communicate to the concerned merchants that the CBB has directed to stop the practice of double swiping of payment cards by some merchants at the merchant's POS terminals/ECR, with effect from 15th June, 2017.

        Added: July 2017

      • OM-6.3.2B

        For the purpose of Paragraph OM-6.3.2A, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

        Added: July 2017

      • OM-6.3.2C

        For the purpose of Paragraph OM-6.3.2A, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

        Added: July 2017

      • OM-6.3.2D

        All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants and bring into force the said clause on or before 15th June, 2017: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

        Added: July 2017

      • OM-6.3.2E

        All card acquirer licensees must:

(i) Educate the concerned merchants on the regulatory requirement and continue to follow up the progress of the implementation to comply within the period stipulated in Paragraph OM-6.3.2A; and
        (ii) Educate and facilitate, where necessary, any merchant that has a valid business need to have cardholder data or non-sensitive information, to transmit such data/information through an integration option.

        Added: July 2017

    • Integration of Hardware Components

      • OM-6.3.3

        If the Automated Teller Machines (ATM) environment permits access to internal areas where account data is processed and/or stored (e.g., for service or maintenance), these areas must be effectively protected from access by unauthorised persons to mitigate the risk associated with attaching/inserting malicious additional components, especially those which may be designed to capture sensitive data. Banks must encrypt account data or secure access to such data by effective physical barriers such as strong walls, doors, and mechanical locks.

        Added: April 2016

      • OM-6.3.4

        All entry to sensitive areas must be recorded, including the name of the persons accessing the area; the date; and the time of access to and exit from the area. CCTV cameras must be installed, and used to record all activities within the ATM environment.

        Added: April 2016

      • OM-6.3.5

        Banks are required to implement best industry practice in respect of hardware and software development and integration, including but not limited to formal specification, test plans, and documentation. Hardware and software should only be introduced to the environment following a successful programme of testing.

        Added: April 2016

      • OM-6.3.6

        All test plans and the outcomes of these plans must be retained by the bank for a minimum of five years from the date of testing and be available on request to the CBB or their authorised representatives. Examples of instances in which a detailed testing process must be undertaken prior to installation and integration of components include, but are not limited to, secure card readers or EPPs. In all instances the applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must be fully complied with.

        Added: April 2016

      • OM-6.3.7

Banks must ensure that the integration of Secure Card Readers (SCRs) and, if applicable, any mechanism protecting the SCRs are properly implemented and fully comply with the guidelines provided by the device vendor. SCRs must be approved by and fully comply with all Payment Card Industry standards at all times.

        Added: April 2016

      • OM-6.3.8

        Banks must ensure that all ATMs, including offsite ATMs, are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

        Added: April 2016

    • ATM Software

      • OM-6.3.9

        Banks must ensure that their ATM software security measures comply with the following:

        (a) Access to sensitive services is controlled by requiring authentication. Entering or exiting sensitive services must not reveal or otherwise compromise the security of sensitive information;
        (b) ATM software must include controls which are designed to prevent unauthorised modification of the software configuration, including the operating system, drivers, libraries, and individual applications. Software configuration includes the software platform, configuration data, applications loaded to and executed by the platform, and the associated data. The mechanisms must also ensure the integrity of third-party applications, using a controlled process to install such controls;
        (c) Access to all elements of the ATM environment must be strictly controlled to ensure an effective segregation of functions and an effective segregation of responsibilities exists for all personnel; and
(d) The logging data must be stored in a way that it cannot be changed under any circumstances, and deleted only after authorisation by a member of bank staff who has specific responsibility delegated by the CEO.

        Added: April 2016

      • OM-6.3.10

        ATMs should incorporate dedicated tampering protection capabilities.

        Added: April 2016

    • Device Management/Operation

      • OM-6.3.11

        Banks must ensure that their device management/operation controls comply with the following:

        (a) Software is protected and stored in a manner which precludes unauthorised modification; and
(b) Loading of software into ATMs is performed by a person who has the requisite knowledge and skills, and who has been nominated and authorised by a senior manager in the bank to undertake these tasks.

        Added: April 2016

    • ATM Application Management

      • OM-6.3.12

        Banks must ensure that their ATM application management complies with the following:

        (a) The display of a cardholder PIN on the ATM display must not be in 'clear' mode;
        (b) Sensitive information must not be present any longer or used more often than strictly necessary. The ATM must automatically clear its internal buffers when either the transaction is completed, or the ATM has timed out whilst awaiting a response from the cardholder or host; and
(c) The display or disclosure of cardholder account information on the ATM screen, on printed receipts, or in audio transcripts for visually impaired cardholders must be prevented.

        Added: April 2016