Skip to Content
Whole SectionText only Print Print Manager Link


AISPs and PISPs must maintain an up to date security policy document containing the following information:

a) A detailed documentation of the technology architecture and of the systems and the network elements providing:
i. a description of the business IT systems supporting the business activities;
ii. the type of authorised connections from outside, such as with partners, service providers, entities of the group and employees working remotely, including the rationale for such connections;
iii. for each of the connections, the logical security measures and mechanisms in place, specifying the control the licensee will have over such access as well as the nature and frequency of each control,
iv. process for the opening/closing of communication lines, and description of security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
b) the logical security measures and mechanisms that govern the internal access to IT systems;
c) the physical security measures and mechanisms of the premises and the data centre of the licensee, such as access controls and environmental security;
d) the security of the account information and payment initiation processes, which should include:
i. the customerG authentication procedures used for both consultative and transactional access, and for all underlying payment instruments;
ii. an explanation of how safe delivery of tokens to the legitimate customerG ; and
iii. a description of the integrity of authentication factors, tokens and online and mobile applications at the time of both initial enrolment and renewal.
Added: December 2018
(1 Version)
Dec 1 2018 onwards
Back to top