GR-6.3 Security of Communication Sessions and Authentication
GR-6.3.1
Islamic retail bank licensees must ensure that communication sessions with PISPs and AISPs, including merchants, rely on each of the following:
(a) a unique identifier of the session;
(b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;
(c) timestamps which must be based on a unified time-reference system and which must be synchronised according to an official time signal.
Added: April 2019

GR-6.3.2
Islamic retail bank licensees must ensure secured identification when communicating with AISPs and PISPs.
Added: April 2019

GR-6.3.3
Islamic retail bank licensees must ensure that, when exchanging data via the internet with PISPs and AISPs, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.
Added: April 2019

GR-6.3.4
PISPs and AISPs must keep the access sessions offered by Islamic retail bank licensees as short as possible and they must actively terminate the session as soon as the requested action has been completed.
Added: April 2019

GR-6.3.5
When maintaining parallel network sessions with the PISPs and AISPs, Islamic retail bank licensees must ensure that those sessions are securely linked to relevant sessions established in order to prevent the possibility that any message or information communicated between them could be misrouted.
Added: April 2019

GR-6.3.6
Islamic retail bank licensees' sessions with PISPs and AISPs must contain unambiguous reference to each of the following items:
(a) the customer and the corresponding communication session, in order to distinguish several requests from the same customer;
(b) for payment initiation services, the uniquely identified payment transaction initiated;
(c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.
Added: April 2019

GR-6.3.7
Islamic retail bank licensees must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time.
Added: April 2019

GR-6.3.8
[This Paragraph was moved to GR-6.1.7].
Amended: July 2021
Added: April 2019

GR-6.3.9
In case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements, Islamic retail bank licensees must send a notification message to the relevant PISP or AISP which explains the reason for the unexpected event or error.
Added: April 2019

GR-6.3.10
Where the Islamic retail bank licensee offers a dedicated interface, it must ensure that the interface provides for notification messages concerning unexpected events or errors to be communicated by any PISP or AISP that detects the event or error to the other licensees participating in the communication session.
Added: April 2019

GR-6.3.11
Islamic retail bank licensees must provide access to information from customer accounts to AISPs whenever the customer requests such information.
Added: April 2019

Secure authentication
GR-6.3.12
Islamic retail bank licensees must have in place a strong customer authentication process and ensure the following:
(a) no information on any of the elements of the strong customer authentication can be derived from the disclosure of the authentication code;
(b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and
(c) the authentication code cannot be forged.
Amended: July 2021
Added: April 2019

GR-6.3.13
Islamic retail bank licensees must adopt security measures that meet the following requirements for payment transactions:
(a) the authentication code generated must be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
(b) the authentication code accepted by the licensee maintaining the customer account corresponds to the original specific amount of the payment transaction and to the payee agreed to by the payer;
(c) an SMS message must be sent to the customer (or through alternative means of communication for legal persons) upon accessing the online portal or application and when a transaction is initiated; and
(d) any change to the amount or the payee must result in the invalidation of the authentication code generated.
Amended: September 2024
Amended: July 2021
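The dynamic linking that GR-6.3.12 and GR-6.3.13 require, as an added Python illustration that is not part of the Rulebook and not any licensee's implementation: the authentication code is an HMAC, keyed with a secret held only by the licensee's authentication server, over the session, the payment, the amount and the payee, so a change to amount or payee invalidates it, a consumed code cannot be replayed, and an earlier code gives no way to produce a new one. The identifiers, key and IBAN placeholders are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PaymentRequest:
    session_id: str  # unique session identifier (GR-6.3.1(a))
    payment_id: str  # uniquely identified payment transaction (GR-6.3.6(b))
    amount: str      # decimal string such as "150.00", never a float
    currency: str
    payee: str       # payee agreed to by the payer

def _canonical(req: PaymentRequest, nonce: str) -> bytes:
    # Length-prefix each field so values cannot be shifted between fields without detection.
    fields = [req.session_id, req.payment_id, req.amount, req.currency, req.payee, nonce]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)

def issue_auth_code(key: bytes, req: PaymentRequest) -> tuple[str, str]:
    """Return (nonce, code). The code is an HMAC over amount and payee, so it is
    specific to them (GR-6.3.13(a)); the fresh nonce makes it one-time, and without
    the key a previous code gives no way to compute another (GR-6.3.12(b))."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, _canonical(req, nonce), hashlib.sha256).digest()
    return nonce, mac[:16].hex()  # 128-bit code; a short human-typed form would need attempt limiting

def verify_auth_code(key: bytes, req: PaymentRequest, nonce: str, code: str, used_nonces: set[str]) -> bool:
    """Accept only if the code matches the original amount and payee (GR-6.3.13(b)) and the
    nonce is unused; any change to amount or payee fails the comparison (GR-6.3.13(d))."""
    if nonce in used_nonces:
        return False  # replay of a code that was already consumed
    expected = hmac.new(key, _canonical(req, nonce), hashlib.sha256).digest()[:16].hex()
    if not hmac.compare_digest(expected, code):
        return False  # amount, payee, session, payment or key differs from what was authorised
    used_nonces.add(nonce)
    return True

def demo() -> dict[str, bool]:
    # Constructed sample data, not real customer, key or account values.
    key = secrets.token_bytes(32)  # per-customer secret held only by the licensee's authentication server
    req = PaymentRequest("sess-7f3a", "pay-0001", "150.00", "BHD", "IBAN-PLACEHOLDER-PAYEE")
    nonce, code = issue_auth_code(key, req)
    used: set[str] = set()
    return {
        "original_accepted": verify_auth_code(key, req, nonce, code, used),
        "replay_rejected": not verify_auth_code(key, req, nonce, code, used),
        "amount_change_rejected": not verify_auth_code(key, replace(req, amount="1500.00"), nonce, code, set()),
        "payee_change_rejected": not verify_auth_code(key, replace(req, payee="IBAN-PLACEHOLDER-OTHER"), nonce, code, set()),
    }
```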
Added: April 2019

Independence of elements of strong authentication
GR-6.3.14
Islamic retail bank licensees must establish adequate security features for customer authentication, including the use of the following three elements:
(a) an element categorised as knowledge (something only the user knows), such as length or complexity of the PIN or password;
(b) an element categorised as possession (something only the user possesses), such as algorithm specifications, key length and information entropy; and
(c) for the devices and software that read elements categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features.
Amended: July 2021
Added: April 2019

GR-6.3.15
Islamic retail bank licensees must ensure that the elements referred to in Paragraph GR-6.3.14 are independent, so that the breach of one does not compromise the reliability of the others, in particular when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone which can be used both for giving the instruction to make the payment and in the authentication process. The CBB will consider exempting from 3-factor authentication on a case-by-case basis, provided that the licensee is able to demonstrate to the CBB that it has established robust controls to mitigate the relevant key risks.
Amended: July 2021
Added: April 2019