• OM-5.1 Physical Security Measures

    • External Measures

      • OM-5.1.1

        Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

        January 2014

      • OM-5.1.2

        Other external entrances must have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances should have the following security measures:

        (a) Magic eye;
        (b) Locking device (key externally and handle internally);
        (c) Door closing mechanism;
        (d) Contact sensor with alarm for prolonged opening time; and
        (e) Combination access control system (e.g. access card and key slot or swipe card and password).

        January 2014

      • OM-5.1.3

        If additional security measures to those mentioned in Paragraph OM-5.1.2 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

        January 2014

      • OM-5.1.4

External windows must have security measures such as anti-blast films and movement detectors. For ground-floor windows, licensees may also wish to add steel grilles fastened into the wall.

        January 2014

      • OM-5.1.5

        Alarm systems should have the following features:

        (a) PIR motion detectors;
        (b) Door sensors;
(c) Anti-vibration/movement sensors on vaults;
        (d) External siren; and
        (e) The intrusion detection system must be linked to the licensee's (i.e. head office) monitoring unit.

        January 2014

    • Internal Measures

      • OM-5.1.6

        All areas where cash is handled must be screened off from customers and other staff areas.

        January 2014

      • OM-5.1.7

        Access to areas where cash is handled must be restricted to authorised staff only. The design of the teller area should not allow customers to pass through it.

        January 2014

      • OM-5.1.8

        Panic alarm systems for staff handling cash may be installed. The choice between silent or audible panic alarms is left to individual licensees. Kick bars and/or hold up buttons may be spread throughout the teller and customer service areas and the branch manager's office.

        January 2014

    • Cash Safety

      • OM-5.1.9

        Cash and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes should be located in strong rooms.

        January 2014

      • OM-5.1.10

        Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices must be installed in strong room doors. Strong room doors must be located out of the sight of customers.

        January 2014

      • OM-5.1.11

Strong rooms must not contain any other openings except the entry door and, where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grille.

        January 2014

      • OM-5.1.12

        Licensees must maintain a list of all maintenance, replenishment and inspection visits by staff or other authorised parties.

        January 2014

    • CCTV Network Systems

      • OM-5.1.13

        All head offices and branches must have a CCTV network which is connected to a central monitoring unit located in the head office.

        January 2014

      • OM-5.1.14

        The location and type of CCTV cameras is left to the discretion of the licensee. At a minimum, CCTV cameras must cover the following areas:

        (a) Main entrance;
        (b) Other external doors;
        (c) Any other access points (e.g. ground floor windows); and
(d) The service hall.

        January 2014

      • OM-5.1.15

        Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) should be high enough to make for effective monitoring. Delayed transmission of pictures to the central monitoring unit is not acceptable. The CCTV system must be operational 24 hours per day.

        January 2014

    • Training and Other Measures

      • OM-5.1.16

        Licensees must establish the formal position of security manager. This person will be responsible for ensuring all licensee staff are given annual, comprehensive security training. Licensees must produce a security manual or procedures for staff, especially those dealing directly with customers. For licensees with three or more branches, this position must be a formally identified position. For licensees with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

        January 2014

      • OM-5.1.17

        The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

        January 2014

      • OM-5.1.18

Licensees must consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All licensees are required to hold an insurance blanket bond (which includes theft of cash in its cover).

        January 2014

    • General Requirement

      • OM-5.1.19

Licensees must maintain up-to-date Payment Card Industry Data Security Standard (PCI-DSS) certification. The initial certification must be obtained by 31st December 2017. Failure to comply with this requirement will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).

        Added: January 2017

      • OM-5.1.19A

In order to maintain up-to-date PCI-DSS certification, licensees will be periodically audited by PCI authorised companies for compliance. Licensees are asked to make certified copies of such documents available if requested by the CBB.

        Added: January 2017

    • Geolocation Limitations

      • OM-5.1.20

All financing companies issuing prepaid and/or credit cards must ensure that all Bahrain-issued cards enable each customer to maintain a list of 'approved' countries for card ATM/Point of Sale (POS) transactions. Customers must be allowed to determine those countries in which their card must not be accepted, as well as countries or merchant categories in which a card transaction would require a further level of authorisation (for example, 2-way SMS). This requirement must be complied with by 28th February 2018.

        Added: April 2017

    • Europay, MasterCard and Visa (EMV) Compliance

      • OM-5.1.20AA

All cards (credit, charge, prepaid, etc.) issued by licensees in the Kingdom of Bahrain must be EMV compliant. Moreover, all POS must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts (i.e. up to BD 20 per transaction), provided that licensees bear full responsibility in case of fraud occurrence.

        Added: April 2018

      • OM-5.1.20AAA

Where contactless payments use Consumer Device Cardholder Verification Method (CDCVM) for payment authentication and approval, the authentication required for transactions above the BD 20 limit mentioned in Paragraph OM-5.1.20AA is not applicable, given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenised in the payment application.

        Added: July 2020
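The rules in OM-5.1.20, OM-5.1.20AA and OM-5.1.20AAA together describe an issuer-side authorisation decision: a customer-maintained country blocklist, step-up authentication for chosen countries or merchant categories, online PIN for chip, and a BD 20 no-PIN contactless ceiling that is lifted only for CDCVM on a tokenised card. The following is an added example of that decision logic, not code from the CBB or any licensee; the data model, field names, the `CustomerProfile` sample and the fils-based amounts are assumptions.

```python
from dataclasses import dataclass

# BD 20 per transaction (OM-5.1.20AA); amounts kept in fils (1 BD = 1000 fils)
CONTACTLESS_NO_PIN_LIMIT_FILS = 20_000


@dataclass
class CustomerProfile:
    """Per-customer card controls the issuer must offer under OM-5.1.20 (assumed model)."""
    blocked_countries: frozenset      # card must not be accepted here
    step_up_countries: frozenset      # further authorisation (e.g. 2-way SMS) required
    step_up_mccs: frozenset           # merchant categories needing further authorisation
    tokenised: bool = False           # card provisioned in a payment app (OM-5.1.20AAA)


@dataclass
class Transaction:
    country: str        # country of the ATM/POS
    mcc: str            # merchant category code
    amount_fils: int
    entry_mode: str     # "chip", "contactless" or "magstripe"
    cvm: str            # "online_pin", "cdcvm" or "none"


def authorise(profile: CustomerProfile, txn: Transaction) -> tuple:
    """Return (decision, reason); decision is 'approve', 'decline' or 'step_up'."""
    # OM-5.1.20: countries the customer has excluded are hard declines.
    if txn.country in profile.blocked_countries:
        return "decline", "country not approved by cardholder"
    # OM-5.1.20AA: EMV compliant means chip plus online PIN ...
    if txn.entry_mode == "chip" and txn.cvm != "online_pin":
        return "decline", "online PIN required for chip transactions"
    if txn.entry_mode == "contactless" and txn.cvm != "online_pin":
        # ... except contactless up to BD 20 with no PIN, or any amount with
        # CDCVM on a tokenised card (OM-5.1.20AAA).
        if txn.amount_fils > CONTACTLESS_NO_PIN_LIMIT_FILS and not (
            txn.cvm == "cdcvm" and profile.tokenised
        ):
            return "decline", "PIN required above BD 20 for contactless"
    if txn.entry_mode not in ("chip", "contactless"):
        return "decline", "non-EMV entry mode"
    # OM-5.1.20: customer-selected countries / merchant categories need step-up.
    if txn.country in profile.step_up_countries or txn.mcc in profile.step_up_mccs:
        return "step_up", "further authorisation (e.g. 2-way SMS) required"
    return "approve", "ok"
```

The country blocklist is checked first so that a customer's exclusion cannot be bypassed by a CDCVM or small-value contactless path.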

    • Provision of Cash Withdrawal and Payment Services through Various Channels

      • OM-5.1.20BB

Licensees are allowed to provide payment services using various channels, including but not limited to contactless, cardless, QR code, e-wallets and biometrics (iris recognition, facial recognition, fingerprint, voiceprint, etc.), subject to enrolling customers through a registration process in which customers' acceptance of product/service terms and conditions is documented and customers are properly authenticated.

        Added: April 2018

    • Prohibition of Double Swiping

      • OM-5.1.20A

All card acquirer licensees must communicate to the concerned merchants that the CBB has directed that the practice of double swiping of payment cards by merchants at the merchant's POS terminals/ECR be stopped, with effect from 15th June 2017.

        Added: July 2017

      • OM-5.1.20B

        For the purpose of Paragraph OM-5.1.20A, card acquirer licensee means a CBB licensee that enters into a contractual relationship with a merchant and the payment card issuer, under a card payment scheme, for accepting and processing payment card transactions. Card acquirers include three-party payment card network operators, who have outsourced their acquiring services to third party service providers.

        Added: July 2017

      • OM-5.1.20C

        For the purpose of Paragraph OM-5.1.20A, double swiping means swiping of a payment card by a merchant at the POS terminal/ECR for the second time, resulting in capturing and storing of payment cardholder data and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response.

        Added: July 2017

      • OM-5.1.20D

        All card acquirer licensees must include the following clause into the merchant agreements entered into with all their merchants and bring into force the said clause on or before 15th June, 2017: "Pursuant to the CBB directions and instructions, the merchant shall stop double swiping of a payment card at a merchant's point-of-sale (POS) terminal/electronic cash register (ECR) to capture or store cardholder and sensitive authentication data encoded on the magnetic stripe of a customer's payment card, after the merchant received the required card payment authorisation response. The merchant asserts its full compliance with the obligation contained in this clause and understands that any breach of this clause will expose the merchant to mandatory contractual and/or legal disciplinary actions by the relevant regulator and/or concerned Ministry."

        Added: July 2017

      • OM-5.1.20E

        All card acquirer licensees must:

        (i) Educate the concerned merchants on the regulatory requirement and continue to follow up the progress of the implementation to comply within the period stipulated in Paragraph OM-5.1.20A; and
        (ii) Educate and facilitate, where necessary, any merchant that has a valid business need to have cardholder data or non-sensitive information, to transmit such data/information through an integration option.

        Added: July 2017
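OM-5.1.20C defines double swiping precisely: a magnetic-stripe read at the POS/ECR after the authorisation response for that transaction has already been received. An acquirer monitoring terminal event feeds can detect exactly that pattern. The following is an added example of such a check, not CBB or any acquirer's code; the event-log format, event names and the sample lines are constructed for illustration and will differ from real terminal or ECR logs.

```python
# Detect double swiping (OM-5.1.20C) in a constructed POS/ECR event log.
# Line format (assumed): <ISO timestamp> <terminal id> <transaction id> <event> [detail]

SAMPLE_LOG = """\
2017-06-15T09:01:02Z T001 tx-100 chip_read
2017-06-15T09:01:05Z T001 tx-100 auth_response approved
2017-06-15T09:01:09Z T001 tx-100 magstripe_read
2017-06-15T09:03:10Z T002 tx-200 magstripe_read
2017-06-15T09:03:14Z T002 tx-200 auth_response approved
2017-06-15T09:05:00Z T001 tx-101 chip_read
2017-06-15T09:05:03Z T001 tx-101 auth_response declined
"""


def parse_log(text):
    """Parse the constructed log into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, terminal, txn, event = parts[:4]
        events.append({"ts": ts, "terminal": terminal, "txn": txn, "event": event})
    return events


def find_double_swipes(events):
    """Return (terminal, txn, ts) for every magstripe read that follows the
    authorisation response of the same transaction on the same terminal.

    A magstripe read *before* the response (tx-200 above, a fallback swipe)
    is legitimate and is not flagged; only the post-authorisation read is.
    """
    authorised = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        key = (ev["terminal"], ev["txn"])
        if ev["event"] == "auth_response":
            authorised.add(key)
        elif ev["event"] == "magstripe_read" and key in authorised:
            findings.append((ev["terminal"], ev["txn"], ev["ts"]))
    return findings
```

Each finding identifies the terminal and transaction to raise with the merchant under the clause required by OM-5.1.20D.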

      • OM-5.1.21

Licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Field Communication (NFC) technology.

        Added: October 2019

      • OM-5.1.22

Licensees must ensure that any payment card issued or reissued (credit, debit, prepaid and charge cards) on or after 12th October 2019 supports contactless payment using Near Field Communication (NFC) technology.

        Added: October 2019