• OM-5.2 Payment and ATM cards, Wallets and Point of Sale infrastructure

    • Europay, MasterCard and Visa (EMV) Compliance

      • OM-5.2.1

        All cards (debit, credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all ATMs, CDMs, POS, etc. must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts i.e. up to BD 20 per transaction, provided that Conventional bank licensees bear full responsibility in case of fraud occurrence.

        Added: January 2020

      • OM-5.2.1A

        Where contactless payments use the Consumer Device Cardholder Verification Method (CDCVM) for payment authentication and approval, the authentication required for transactions above the BD 20 limit mentioned in Paragraph OM-5.2.1 is not applicable, given that the customer has already been authenticated by his device using a PIN, biometric or other authentication method. This is only applicable where the debit/credit card of the customer has already been tokenised in the payment application.

        Added: July 2020

    • Provision of Cash Withdrawal and Payment Services through Various Channels

      • OM-5.2.2

        Conventional bank licensees are allowed to provide cash withdrawal and payment services using various channels, including but not limited to, contactless, cardless, QR code, e-wallets, biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to explicit consent from the customers using the established methods described in OM-3.2 and enrolling them through a registration process for each channel and service, wherein customers' acceptance of the products/services terms and conditions is documented and customers are properly authenticated. The enrolment process must allow an opt-out option if the customer no longer wants to use a channel for which he has enrolled.

        Added: January 2020

    • Geolocation Limitations

      • OM-5.2.3

        All Conventional bank licensees issuing debit, prepaid and/or credit cards must ensure that all Bahrain issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their cards must not be accepted, as well as countries or merchant categories in which a card transaction would require a further level of authorisation (for example, 2-way SMS).

        Added: January 2020
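        As an added illustration of the control in Paragraph OM-5.2.3 (this is example code, not part of the Rulebook and not any licensee's implementation), the following Python evaluates an ATM/POS authorisation request against the lists a customer maintains for one card: an allow-list of approved countries, an explicit list of countries where the card must not be accepted, and countries or merchant categories that require a further authorisation step. The profile layout, the decision names, the sample ISO 3166-1 country codes and the sample merchant category codes are assumptions made for the example.

```python
"""Per-card country / merchant-category authorisation policy (OM-5.2.3).

Added illustration; not code from the CBB or any licensee. The profile
structure, decision names, sample country codes and sample MCC values are
assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"    # authorise normally
    STEP_UP = "step_up"    # hold until a further authorisation (e.g. 2-way SMS) succeeds
    DECLINE = "decline"    # card must not be accepted for this transaction


@dataclass
class CardProfile:
    """Lists the customer maintains for one card (assumed structure)."""
    approved_countries: set                                # allow-list: where the card may be used at all
    blocked_countries: set = field(default_factory=set)    # explicit deny-list, wins over the allow-list
    step_up_countries: set = field(default_factory=set)    # approved, but needs a further authorisation
    step_up_mccs: set = field(default_factory=set)         # merchant categories needing further authorisation


@dataclass
class Transaction:
    country: str    # country of the acquiring terminal
    mcc: str        # merchant category code of the acceptor
    channel: str    # "ATM" or "POS"


def _upper(values) -> set:
    return {v.strip().upper() for v in values}


def evaluate(profile: CardProfile, txn: Transaction) -> Decision:
    """Decide fail-closed: deny-list first, then allow-list, then step-up triggers.

    A country absent from the allow-list is declined even if it was never
    explicitly blocked, so an empty allow-list blocks all use of the card.
    """
    country = txn.country.strip().upper()
    if country in _upper(profile.blocked_countries):
        return Decision.DECLINE
    if country not in _upper(profile.approved_countries):
        return Decision.DECLINE
    if country in _upper(profile.step_up_countries) or txn.mcc in profile.step_up_mccs:
        return Decision.STEP_UP
    return Decision.APPROVE


# Constructed sample profile: the card may be used in BH, AE and GB; GB and one
# merchant category require a further authorisation step; FR is listed as
# approved but was later blocked outright, and the block must win.
SAMPLE_PROFILE = CardProfile(
    approved_countries={"BH", "AE", "GB", "FR"},
    blocked_countries={"FR"},
    step_up_countries={"GB"},
    step_up_mccs={"5967"},    # sample MCC chosen for the example (assumed)
)


def demo() -> dict:
    """Run constructed transactions through the sample profile."""
    cases = {
        "home_pos": Transaction("BH", "5411", "POS"),
        "approved_atm": Transaction("AE", "6011", "ATM"),
        "step_up_country": Transaction("GB", "5411", "POS"),
        "step_up_mcc": Transaction("AE", "5967", "POS"),
        "unlisted_country": Transaction("US", "5411", "POS"),
        "blocked_despite_approved": Transaction("fr", "5411", "POS"),
    }
    return {name: evaluate(SAMPLE_PROFILE, t).value for name, t in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

        The ordering matters: the deny-list is consulted before the allow-list so that a country the customer has removed is never accepted, and the step-up triggers are only consulted for countries that are already approved, so a STEP_UP result never turns a declined location into an accepted one.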

    • Prohibition of Double Swiping

      • OM-5.2.4

        Double swiping of cards by merchants is not allowed, and all card acquirer licensees must ensure that the merchants concerned comply with this requirement.

        Added: January 2020

      • OM-5.2.5

        For the purpose of Paragraph OM-5.2.4, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

        Added: January 2020

      • OM-5.2.6

        For the purpose of Paragraph OM-5.2.4, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

        Added: January 2020

      • OM-5.2.7

        All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

        Added: January 2020

      • OM-5.2.8

        All card acquirer licensees must:

        (i) Educate the concerned merchants on the regulatory requirement and monitor the implementation of this requirement; and
        (ii) Educate and facilitate, where necessary, any merchant that has a valid business need to have cardholder data or non-sensitive information, to transmit such data/information through an integration option.

        Added: January 2020

    • Integration of Hardware Components

      • OM-5.2.9

        If the Automated Teller Machines (ATM) environment permits access to internal areas where account data is processed and/or stored (e.g., for service or maintenance), these areas must be effectively protected from access by unauthorised persons to mitigate the risk associated with attaching/inserting malicious additional components, especially those which may be designed to capture sensitive data. Banks must encrypt account data or secure access to such data by effective physical barriers such as strong walls, doors, and mechanical locks.

        Added: January 2020

      • OM-5.2.10

        All entry to sensitive areas must be recorded, including the name of the persons accessing the area; the date; and the time of access to and exit from the area. CCTV cameras must be installed, and used to record all activities within the ATM environment.

        Added: January 2020

      • OM-5.2.11

        Banks are required to implement best industry practice in respect of hardware and software development and integration, including but not limited to formal specification, test plans, and documentation. Hardware and software should only be introduced to the environment following a successful programme of testing.

        Added: January 2020

      • OM-5.2.12

        All test plans and the outcomes of these plans must be retained by the bank for a minimum of five years from the date of testing and be available on request to the CBB or their authorised representatives. Examples of instances in which a detailed testing process must be undertaken prior to installation and integration of components include, but are not limited to, secure card readers or EPPs. In all instances the applicable standards relating to Payment Card Industry (PCI), PIN Transaction Security (PTS), and Point of Interaction (POI) requirements must be fully complied with.

        Added: January 2020

      • OM-5.2.13

        Banks must ensure that the integration of Secure Card Readers (SCRs) and, if applicable, any mechanism protecting the SCRs and any anti-skimming devices is properly implemented and fully complies with the guidelines provided by the device vendor. SCRs must be PCI Security Standards Council approved and fully comply with all PCI standards at all times.

        Added: January 2020

      • OM-5.2.14

        Banks must ensure that all ATMs, including offsite ATMs, are equipped with mechanisms which prevent skimming attacks. There must be no known or demonstrable way to disable or defeat the above-mentioned mechanisms, or to install an external or internal skimming device.

        Added: January 2020

    • ATM Software

      • OM-5.2.15

        Banks must ensure that their ATM software security measures comply with the following:

        (a) Access to sensitive services is controlled by requiring authentication. Entering or exiting sensitive services must not reveal or otherwise compromise the security of sensitive information;
        (b) ATM software must include controls which are designed to prevent unauthorised modification of the software configuration, including the operating system, drivers, libraries, and individual applications. Software configuration includes the software platform, configuration data, applications loaded to and executed by the platform, and the associated data. The mechanisms must also ensure the integrity of third-party applications, using a controlled process to install such controls;
        (c) Access to all elements of the ATM environment must be strictly controlled to ensure an effective segregation of functions and an effective segregation of responsibilities exists for all personnel;
        (d) The logging data must be stored in a way that data cannot be changed under any circumstances, and deleted only after authorisation by a member of bank staff who has specific responsibility delegated by the CEO;
        (e) Software is protected and stored in a manner which precludes unauthorised modification; and
        (f) Loading of software into ATMs is performed by a person who has the requisite knowledge and skills, and who has been nominated and authorised by a senior manager in the bank to undertake these tasks.

        Added: January 2020
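        As an added illustration of item (d) of Paragraph OM-5.2.15 (example code, not part of the Rulebook and not any bank's implementation), the following Python shows one way to make ATM logging data tamper-evident: every entry carries a keyed SHA-256 MAC over its own content and the MAC of the preceding entry, so editing, reordering or deleting an entry breaks the chain from that point on, and a checkpoint (entry count plus head MAC) kept outside the ATM, for example by the staff member delegated under (d), also catches silent truncation of the tail, which a chain alone cannot detect. The record layout, the key-handling arrangement and the checkpoint format are assumptions for the example; write-once storage or a hardware-protected log underneath is assumed to provide the "cannot be changed" property, with the chain giving the bank a verifiable check on top of it.

```python
"""Tamper-evident, MAC-chained ATM audit log (illustration of OM-5.2.15(d)).

Added example; not code from the CBB or any bank. Record layout, key handling
and checkpoint format are assumptions.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64    # "previous MAC" value used for the first entry


def _canonical(prev: str, seq: int, record: dict) -> bytes:
    # Deterministic serialisation so writer and verifier MAC identical bytes
    return json.dumps({"prev": prev, "seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()


def entry_mac(key: bytes, prev: str, seq: int, record: dict) -> str:
    return hmac.new(key, _canonical(prev, seq, record), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only in memory; write-once persistence is assumed to sit underneath."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "record": record,
                 "mac": entry_mac(self._key, prev, seq, record)}
        self.entries.append(entry)
        return entry

    def checkpoint(self) -> tuple:
        """(count, head MAC) to be held outside the ATM by the delegated officer."""
        return len(self.entries), (self.entries[-1]["mac"] if self.entries else GENESIS)


def verify(key: bytes, entries: list, checkpoint: tuple = None) -> tuple:
    """Return (True, None) if intact, else (False, first bad index or 'truncated')."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i            # gap, reordering or deletion
        expected = entry_mac(key, prev, i, e["record"])
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False, i            # content edited
        prev = e["mac"]
    if checkpoint is not None:
        count, head = checkpoint
        if len(entries) < count or (count > 0 and entries[count - 1]["mac"] != head):
            return False, "truncated"  # tail removed or replaced since the checkpoint
    return True, None


def tamper_demo() -> dict:
    """Constructed scenario: three service events, then three kinds of tampering."""
    key = b"example-only-key-held-by-delegated-officer"    # placeholder, not a real key
    log = ChainedLog(key)
    log.append({"event": "service_door_open", "operator": "tech-01", "ts": "2020-01-06T09:00:00Z"})
    log.append({"event": "software_load", "package": "driver-1.2", "ts": "2020-01-06T09:05:00Z"})
    log.append({"event": "service_door_close", "operator": "tech-01", "ts": "2020-01-06T09:20:00Z"})
    cp = log.checkpoint()

    def clone() -> list:
        return json.loads(json.dumps(log.entries))

    edited = clone()
    edited[1]["record"]["package"] = "driver-1.2-patched"
    deleted = clone()
    del deleted[1]
    truncated = clone()
    del truncated[2]
    return {
        "intact": verify(key, log.entries, cp),
        "edited": verify(key, edited, cp),
        "deleted": verify(key, deleted, cp),
        "truncated_no_checkpoint": verify(key, truncated),
        "truncated_with_checkpoint": verify(key, truncated, cp),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:26s} -> {result}")
```

        The last two results are the point of the checkpoint: removing the newest entry leaves a chain that still verifies on its own, and only the externally held (count, head MAC) pair exposes it.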

      • OM-5.2.16

        ATMs must incorporate dedicated tampering protection capabilities.

        Added: January 2020

    • ATM Application Management

      • OM-5.2.17

        Banks must ensure that their ATM application management complies with the following:

        (a) The display of a cardholder PIN must be obfuscated on the ATM display and must not be in 'clear' mode;
        (b) Sensitive information must not be present any longer or used more often than strictly necessary. The ATM must automatically clear its internal buffers when either the transaction is completed, or the ATM has timed out whilst awaiting a response from the cardholder or host; and
        (c) The display or disclosure of cardholder account information, such as the account number, ID number, address and other personal details, must be prevented on the ATM screen, on printed receipts, and in audio transcripts for visually impaired cardholders.

        Added: January 2020
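        As an added illustration of Paragraph OM-5.2.17 (example code, not part of the Rulebook and not any bank's implementation), the following Python models one ATM transaction session: the screen only ever receives a masked echo of the PIN, the receipt text is built from a function that has no parameter for the name, ID number, address or full account number and prints only a masked PAN, and the sensitive buffers are overwritten both when the transaction completes and when the session times out waiting for the cardholder or host. The session API, receipt layout, sample card number and timeout value are assumptions for the example; Python cannot guarantee that memory is wiped (immutable strings may leave copies), so bytearray buffers are overwritten in place to mirror what the ATM software itself must do.

```python
"""ATM session: masked PIN echo, buffer clearing, receipt without account details.

Added illustration of OM-5.2.17; not code from the CBB or any bank. The API,
receipt layout, sample PAN and timeout are assumptions for the example.
"""
import time

MASK = "*"


def pin_echo(digits_entered: int) -> str:
    """What the screen shows during PIN entry: one mask character per digit."""
    return MASK * digits_entered


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits; reject malformed input rather than echo it."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 12:
        raise ValueError("invalid PAN")
    return MASK * (len(digits) - keep_last) + digits[-keep_last:]


def build_receipt(pan: str, amount: str, currency: str, terminal_id: str, when: str) -> str:
    """Receipt text carrying a masked PAN and transaction facts only.

    Name, ID number, address and full account number are deliberately not
    parameters, so they cannot reach paper or the audio transcript rendered
    from the same text.
    """
    return "\n".join([f"TERMINAL {terminal_id}", f"DATE     {when}",
                      f"CARD     {mask_pan(pan)}", f"AMOUNT   {currency} {amount}"])


class AtmSession:
    """Holds PAN and PIN in overwritable buffers for exactly one transaction."""

    def __init__(self, pan: str, timeout_s: float = 30.0, clock=time.monotonic):
        self._pan = bytearray(pan.replace(" ", "").encode())
        self._pin = bytearray()
        self._timeout_s = timeout_s
        self._clock = clock                  # injectable for testing (assumed design)
        self._last_activity = clock()
        self.cleared = False

    def _zeroize(self) -> None:
        for buf in (self._pan, self._pin):
            for i in range(len(buf)):
                buf[i] = 0                   # overwrite in place before releasing
            del buf[:]
        self.cleared = True

    def _check_timeout(self) -> None:
        if not self.cleared and self._clock() - self._last_activity > self._timeout_s:
            self._zeroize()
            raise TimeoutError("session timed out; buffers cleared")

    def enter_pin_digit(self, digit: str) -> str:
        self._check_timeout()
        self._pin.append(ord(digit))
        self._last_activity = self._clock()
        return pin_echo(len(self._pin))      # the caller displays this, never the digit

    def complete(self, amount: str, currency: str, terminal_id: str, when: str) -> str:
        """Finish the transaction: render the receipt, then wipe everything sensitive."""
        self._check_timeout()
        try:
            return build_receipt(self._pan.decode(), amount, currency, terminal_id, when)
        finally:
            self._zeroize()

    def abort_on_timeout(self) -> None:
        """Hook for the host-response timeout handler."""
        self._zeroize()


def demo() -> dict:
    """Constructed transaction plus a timed-out one, driven by a fake clock."""
    now = [1000.0]
    s = AtmSession("4111 1111 1111 1111", timeout_s=30.0, clock=lambda: now[0])  # constructed test PAN
    echoes = [s.enter_pin_digit(d) for d in "1234"]
    receipt = s.complete("50.000", "BHD", "ATM-EXAMPLE-01", "2020-01-06 09:30")
    t = AtmSession("4111 1111 1111 1111", timeout_s=30.0, clock=lambda: now[0])
    t.enter_pin_digit("1")
    now[0] += 31.0                           # cardholder stops responding past the timeout
    try:
        t.enter_pin_digit("2")
        timed_out = False
    except TimeoutError:
        timed_out = True
    return {"echoes": echoes, "receipt": receipt, "session_cleared": s.cleared,
            "timed_out": timed_out, "timeout_cleared": t.cleared}


if __name__ == "__main__":
    print(demo()["receipt"])
```

        Keeping personal details out of the receipt function's signature is the simplest way to satisfy item (c) for the screen, the printer and the audio transcript at once, since all three render the same text.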