• GR-5B.1 Physical Security Measures for Payment Service Providers Owning or Operating Cash Dispensing Machines (CDMs) or Kiosks

    • General Requirement

      • GR-5B.1.1

        Where CDMs/Kiosks are installed at an outdoor location, the Payment Service Providers (PSPs) must provide adequate shade covering the area above the customers and the machine.

        Added: April 2019

    • Record Keeping

      • GR-5B.1.2

        PSPs must record the details of the site risk assessments and retain such records for a period of five years from the date of the CDMs/Kiosks installation, or for any other period required by the Ministry of the Interior or the CBB from time to time, whichever is the longer.

        Added: April 2019

    • CDM/Kiosk Alarms

      • GR-5B.1.3

        In addition to alarming the premises, PSPs must alarm the CDM/Kiosk itself, in a way which activates audibly when the CDM/Kiosk is under attack. The system must be monitored by remote signaling to an appropriate local police response designated by the Ministry of Interior. PSPs must consider the following:

        (a) The design of the system must ensure that the CDMs/Kiosks have a panic alarm installed;
        (b) The design of the system must give an immediate, system-controlled warning of an attack on the CDMs/Kiosks, and all CDMs/Kiosks must be fitted with fully operational fraud detection and inhibiting devices;
        (c) A maintenance record must be kept for the alarm detection system and routine maintenance must be conducted in accordance with at least the manufacturer's recommendations. The minimum must be two planned maintenance visits and tests every 6 months; and
        (d) The alarm system must be monitored by the PSP's head office 24 hours daily. It must automatically generate an alarm signal if the telephone/internet line fails or is cut.
        Added: April 2019

    • Closed-circuit Television (CCTV)

      • GR-5B.1.4

        PSPs must ensure that the Cash Dispensing Machines (CDMs) and Kiosks owned and operated by them are equipped with closed-circuit television (CCTV). The location of camera installation must be carefully chosen to ensure that images of the CDM/Kiosk are recorded; however, keypad entry or the screen of the CDM/Kiosk must not be captured by the CCTV recording. The camera must support the detection of the attachment of alien devices to the fascia (external body) and possess the ability to generate an alarm for remote monitoring if the camera is blocked or otherwise disabled.

        Added: April 2019

      • GR-5B.1.5

        As a minimum, the CCTV activity must be recorded (preferably in digital format) and, where risk dictates, remotely monitored by the PSP's head office.

        Added: April 2019

      • GR-5B.1.6

        When a CDM or Kiosk is located in an area where a public CCTV system operates, the PSP must liaise with the authority responsible for the CCTV system to include the CDM/Kiosk site in any preset automatic camera settings and request regular sweeps of the site. The CCTV system must not be able to view the CDM/Kiosk keypad or screen, thereby preventing observation of PIN entry.

        Added: April 2019

      • GR-5B.1.7

        PSPs must ensure that the specifications of CCTV cameras meet the following minimum requirements:

        (a) Analogue Cameras:
        Resolution — Minimum 700 TVL
        Lens — Vari-focal lenses from 2.8 to 12mm
        Sensitivity — Minimum 0.5 Luminance (Lux) without Infrared (IR), 0 Lux with IR
        IR — At least 10 to 20 meters (Camera that detects motion); and
        (b) IP Cameras:
        Resolution — 2 MP — 1080p
        Lens — Vari-focal lenses from 2.8 to 12mm
        Sensitivity — Minimum 0.5 Lux without IR, 0 Lux with IR
        IR — At least 10 to 20 meters.
        Added: April 2019

    • CCTV Network Systems

      • GR-5B.1.8

        Notices of CCTV cameras in operation must be put up for the attention of the public. CCTV records must be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) must be high enough to make for effective monitoring. The CCTV system must be operational 24 hours per day.

        Added: April 2019

    • CDMs/Kiosks Lighting

      • GR-5B.1.9

        Banks must ensure that adequate and effective lighting is operational at all times within the CDMs/Kiosks environment. The standard of the proposed lighting must be agreed with the Ministry of the Interior and other relevant authorities, and tested at least once every three months to ensure that the lighting is in good working order.

        Added: April 2019

    • Fire Alarm

      • GR-5B.1.10

        PSPs must ensure that effective fire alarm and fire defense measures, such as a sprinkler, are installed and functioning for all CDMs/Kiosks. These alarms must be linked to the main offices of the PSP.

        Added: April 2019

    • Cash Replenishment

      • GR-5B.1.11

        All physical cash movements between PSP offices and offsite CDMs/Kiosks must be performed by specialized service providers.

        Added: April 2019

    • CDMs/Kiosks Service and Maintenance

      • GR-5B.1.12

        PSPs must maintain a list of all details on maintenance, replenishment and inspection visits by staff or other authorized parties.

        Added: April 2019

    • Europay, MasterCard and Visa (EMV) Compliance

      • GR-5B.1.13

        Prepaid cards issued by PSPs in the Kingdom of Bahrain must be EMV compliant. Moreover, all POSs, CDMs and Kiosks must be EMV compliant for accepting cards issued in the Kingdom of Bahrain. In this context, EMV compliant means using chip and online PIN authentication. However, contactless card payment transactions, where no PIN verification is required, are permitted for small amounts, i.e. up to BD 20 per transaction, provided that licensees bear full responsibility in case of fraud occurrence.

        Added: July 2019

      • GR-5B.1.13A

        Where contactless payments use Consumer Device Cardholder Verification Method (CDCVM) for payment authentication and approval, the authentication required for transactions above the BD 20 limit mentioned in Paragraph GR-5B.1.13 is not applicable, given that the customer has already been authenticated by his device using PIN, biometric or other authentication methods. This is only applicable where the debit/credit card of the customer has already been tokenized in the payment application.

        Added: July 2020

      • GR-5B.1.14

        Licensees must ensure, with effect from 1st October 2019, that any new POS terminals or devices support contactless payment using Near Field Communication "NFC" technology.

        Added: October 2019

      • GR-5B.1.15

        Licensees must ensure that any payment card issued or reissued on or after 12th October 2019 supports contactless payment using Near Field Communications "NFC" technology.

        Added: October 2019