CBB Volume 5: Contents

Central Bank of Bahrain Volume 5—Specialised Licensees
Specific Modules (By Type of Licensee)
Type 7: Ancillary Service Providers
Part A
High Level Standards
AU Ancillary Service Providers Authorisation Module
AU-4 Information Requirements and Processes
Skip to Content
Whole SectionText only Print Print Manager Link


The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:

(a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
(b) the procedures in place to authorise access to sensitive payment data;
(c) a description of the monitoring tool;
(d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
(e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
(f) the expected internal and/or external use of the collected data;
(g) the IT system and technical security measures that have been implemented including encryption and/or tokenisation;
(h) confirmation that access to sensitive customer data is not available to the applicant;
(i) an explanation of how breaches will be detected and addressed; and
(j) an annual internal control programme in relation to the safety of the IT systems.
Added: December 2018
(1 Version)
Dec 1 2018 onwards
Back to top