Location: Central Bank of Bahrain Volume 1—Conventional Banks > Part A > High Level Standards > GR General Requirements > GR-6 Open Banking > GR-6.3 Security of Communication Sessions and Authentication > GR-6.3.11
  • GR-6.3 Security of Communication Sessions and Authentication

    • GR-6.3.1

      Conventional retail bank licensees must ensure that communication sessions with PISPs and AISPs, including merchants, rely on each of the following:

      (a) a unique identifier of the session;
      (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data;
      (c) timestamps which must be based on a unified time-reference system and which must be synchronised according to an official time signal.

      Added: April 2019

    • GR-6.3.2

      Conventional retail bank licensees must ensure secured identification when communicating with AISPs and PISPs.

      Added: April 2019

    • GR-6.3.3

      Conventional retail bank licensees must ensure that, when exchanging data via the internet with PISPs and AISPs, secure encryption is applied between the communicating parties throughout the respective communication session, in order to safeguard the confidentiality and integrity of the data, using strong and widely recognised encryption techniques.

      Added: April 2019

    • GR-6.3.4

      PISPs and AISPs must keep the access sessions offered by conventional retail bank licensees as short as possible and must actively terminate the session as soon as the requested action has been completed.

      Added: April 2019

    • GR-6.3.5

      When maintaining parallel network sessions with PISPs and AISPs, conventional retail bank licensees must ensure that those sessions are securely linked to the relevant sessions established, in order to prevent the possibility that any message or information communicated between them could be misrouted.

      Added: April 2019

    • GR-6.3.6

      Conventional retail bank licensees' sessions with PISPs and AISPs must contain an unambiguous reference to each of the following items:

      (a) the customer and the corresponding communication session, in order to distinguish several requests from the same customer;
      (b) for payment initiation services, the uniquely identified payment transaction initiated;
      (c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.

      Added: April 2019

    • GR-6.3.7

      Conventional retail bank licensees must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time.

      Added: April 2019

    • GR-6.3.8

      Conventional retail bank licensees must comply with each of the following requirements:

      (a) they must provide access to the same information from designated customer accounts and associated payment transactions that is made available to the customer when directly requesting access to the account information, provided that this information does not include sensitive payment data (such as customer security credentials or other personalised data, the holding or use of which is not authorised by the customer; and data which may be used by the holder for unauthorised, fraudulent or illegal activity or transactions);
      (b) they must provide, immediately after receipt of the payment order, the same information on the initiation and execution of the payment transaction that is provided or made available to the customer when the transaction is initiated directly by the latter;
      (c) they must, upon request, immediately provide AISPs and PISPs with a confirmation of whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. This confirmation must consist of a simple 'yes' or 'no' answer.

      Added: April 2019

    • GR-6.3.9

      In case of an unexpected event or error occurring during the process of identification, authentication or the exchange of data elements, conventional retail bank licensees must send a notification message to the relevant PISP or AISP which explains the reason for the unexpected event or error.

      Added: April 2019

    • GR-6.3.10

      Where a conventional retail bank licensee offers a dedicated interface, it must ensure that the interface provides for notification messages concerning unexpected events or errors to be communicated by any PISP or AISP that detects the event or error to the other licensees participating in the communication session.

      Added: April 2019

    • GR-6.3.11

      Conventional retail bank licensees must provide access to information from customer accounts to AISPs whenever the customer requests such information.

      Added: April 2019

    • Secure authentication

      • GR-6.3.12

        Conventional retail bank licensees, AISPs and PISPs must have in place a strong customer authentication process and ensure the following:

        (a) no information on any of the elements of the strong customer authentication can be derived from the disclosure of the authentication code;
        (b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and
        (c) the authentication code cannot be forged.

        Added: April 2019

      • GR-6.3.13

        Conventional retail bank licensees, PISPs and AISPs must adopt security measures that meet the following requirements:

        (a) the authentication code generated must be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
        (b) the authentication code accepted by the licensee maintaining the customer account must correspond to the original specific amount of the payment transaction and to the payee agreed to by the payer;
        (c) an SMS message must be sent to the customer upon accessing the online portal or application and when a transaction is initiated; and
        (d) any change to the amount or the payee must result in the invalidation of the authentication code generated.

        Added: April 2019
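
As an added illustration that is not part of the CBB rulebook, the following Python sketch shows one way to satisfy GR-6.3.12 and GR-6.3.13 together: a keyed HMAC binds the authentication code to the session, amount and payee, so the code reveals nothing about the customer's authentication elements, earlier codes give no leverage, and any change to amount or payee invalidates it. The field layout, separator, nonce, 8-digit truncation and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Added example, not CBB rulebook text. The HMAC key stays inside the bank, so
# the code reveals nothing about the customer's authentication elements
# (GR-6.3.12 (a)); a fresh nonce per code means earlier codes give no leverage
# (GR-6.3.12 (b)); any change to amount or payee invalidates it (GR-6.3.13 (d)).
# Field names, separator, 8-digit length and sample values are assumptions.

@dataclass(frozen=True)
class PaymentOrder:
    session_id: str  # unique session identifier, as GR-6.3.1 (a) requires
    amount: str      # canonical decimal string, e.g. "250.000"
    currency: str
    payee: str       # payee account identifier

def _message(order, nonce):
    # Fixed field order and an unambiguous separator, so two distinct orders
    # can never serialise to the same bytes.
    fields = "\x1f".join([order.session_id, order.amount, order.currency, order.payee])
    return nonce + b"\x1f" + fields.encode("utf-8")

def issue_code(key, order, nonce=None):
    """Return (nonce, code). The bank keeps nonce and order with the session;
    the customer sees the code next to the amount and payee it is bound to."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    mac = hmac.new(key, _message(order, nonce), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"  # HOTP-style truncation
    return nonce, code

def verify_code(key, order, nonce, presented):
    """Recompute over the order the bank is about to execute (GR-6.3.13 (b))."""
    expected = issue_code(key, order, nonce)[1]
    return hmac.compare_digest(expected, presented)

def demo():
    """Constructed sample run: only the unmodified order verifies."""
    key = b"constructed-demo-key-not-for-production"
    order = PaymentOrder("sess-7f3a", "250.000", "BHD", "DEMO-PAYEE-0001")
    nonce, code = issue_code(key, order)
    return {
        "unchanged": verify_code(key, order, nonce, code),
        "amount_changed": verify_code(key, replace(order, amount="2500.000"), nonce, code),
        "payee_changed": verify_code(key, replace(order, payee="DEMO-PAYEE-0002"), nonce, code),
        "other_nonce": verify_code(key, order, secrets.token_bytes(16), code),
    }
```

The code alone does not make the authentication "strong": the customer still has to approve the displayed amount and payee through an independent element (GR-6.3.14), and the key must be held where staff cannot read it (GR-6.3.7).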

    • Independence of elements of strong authentication

      • GR-6.3.14

        Conventional retail bank licensees, AISPs and PISPs must establish adequate security features for customer authentication, including the use of the following three elements:

        (a) an element categorised as knowledge (something only the user knows), such as the length or complexity of the PIN or password;
        (b) an element categorised as possession (something only the user possesses), such as algorithm specifications, key length and information entropy; and
        (c) for the devices and software that read them, elements categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features.

        Added: April 2019

      • GR-6.3.15

        Conventional retail bank licensees, AISPs and PISPs must ensure that the elements referred to in Paragraph GR-6.3.14 are independent, so that the breach of one does not compromise the reliability of the others, in particular when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone which can be used both for giving the instruction to make the payment and in the authentication process. The CBB will consider exemptions from three-factor authentication on a case-by-case basis.

        Added: April 2019
