State Bank of Pakistan has finally issued “Regulations for The Security of Internet Banking”, which will be implemented across the banking industry from 1st April next year. They apply to financial and non-financial transactions carried out over the internet, irrespective of the software tools used by banks and the access devices used by customers.
Internet Banking has become an important delivery channel for banking services, enabling banks to offer traditional services such as access to one or multiple accounts, fund transfers, bill payments and card payments over the internet using devices like smartphones, tablets and laptops.
There are nearly two million Internet Banking users in Pakistan, a number that has been growing as commercial banks launch and promote their mobile apps following the introduction of 3G/4G services in Pakistan.
However, the security of Internet Banking has become a major concern for the regulatory authorities because of increasing IT security risks, which may translate into serious financial risk in case of a major security breach.
Reporting of Security Breach
Banks are directed to report in detail all established security breaches, along with analysis reports, to the designated Payment Systems Department on a quarterly basis, explaining the impact of each security breach on the institution’s business, systems, applications and customers.
Banks should submit to the central bank details of the source of the security breach discovery, the nature of the security breach, the reasons for its occurrence (e.g. breach of controls, procedures not followed, weaknesses in implemented security controls, etc.) and the action(s) taken to rectify the security breach.
Internet Banking Security Framework
Banks shall develop, implement and regularly review an Internet Banking Security Framework based on key security objectives, including the security and integrity of data and systems, to ensure that customers’ information has not been modified and that systems are free from unauthorized access.
Banks shall maintain the confidentiality of customers’ data in storage, during processing and in transit. Banks must also provide registered users with reliable access to systems.
Security Controls Implementation
The banks shall ensure that appropriate security arrangements and security controls are in place to protect IT assets (such as systems, applications, networks, data, and information and communication systems). Banks shall develop a set of controls, based on the Security Risk Assessment document and commensurate with the risk levels, to meet the control objectives.
Each bank shall define its set of minimum baseline Security Controls, which include Access Controls (Access Rights Management, Electronic Authentication, etc.), Network Access Controls, Operating System Access Controls, Application Access Controls and Remote Access Controls.
Registration/enrolment of Internet Banking customers should be completed, after due verification through appropriate means, before Internet Banking products and services are offered.
To authenticate customers who use Internet Banking products and services, the bank shall implement Two Factor Authentication (2FA), such as passwords (1st factor) combined with one-time tokens, dongles, etc. (2nd factor).
Banks shall implement additional layered security programs for high value transactions processed through Internet Banking.
Authentication controls should also take into account failed log-in attempts, the frequency of password changes, session time-outs and re-authentication of customers based on predefined criteria.
Banks shall conduct periodic risk assessments of authentication controls to identify threats and vulnerabilities arising from changes in applications’ functionality, changes in the internal and external threat environment, changes in customers’ preferences and actual security breaches.
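The authentication controls listed above (failed log-in attempts, password age, session time-outs and re-authentication for high-value transactions) are stated as requirements without saying how a bank's application would enforce them. The following Python policy engine is an added illustration, not code from the regulations or from any bank; the threshold values (five attempts, a 15-minute lock, a 90-day password age, a 10-minute idle time-out and the high-value amount) are constructed sample figures, and the function and class names are the author's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthPolicy:
    """Predefined criteria for the authentication controls. All thresholds are
    constructed sample values, not figures taken from the SBP regulations."""
    max_failed_attempts: int = 5              # lock the account on the 5th consecutive failure
    lockout_seconds: int = 15 * 60            # how long the lock lasts
    password_max_age_seconds: int = 90 * 24 * 3600
    session_timeout_seconds: int = 10 * 60    # idle time after which the session expires
    high_value_threshold: float = 100_000.0   # transactions at or above this need re-authentication
    reauth_max_age_seconds: int = 5 * 60      # unless a full authentication happened this recently


@dataclass
class AccountState:
    """Per-customer state the controls act on. Timestamps are seconds (e.g. time.time())."""
    password_changed_at: float
    failed_attempts: int = 0
    locked_until: Optional[float] = None
    last_full_auth_at: Optional[float] = None
    last_activity_at: Optional[float] = None


def is_locked(state: AccountState, now: float) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_login_attempt(state: AccountState, policy: AuthPolicy, success: bool, now: float) -> str:
    """Apply the failed-attempt control. Returns 'locked', 'ok' or 'failed'.

    'success' means the credentials verified correctly. A correct password presented
    during the lockout window is still refused, so the response does not reveal
    whether the credentials were right."""
    if is_locked(state, now):
        return "locked"
    if success:
        state.failed_attempts = 0
        state.locked_until = None
        state.last_full_auth_at = now
        state.last_activity_at = now
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        state.locked_until = now + policy.lockout_seconds
        state.failed_attempts = 0  # counting restarts once the lock expires
        return "locked"
    return "failed"


def password_change_required(state: AccountState, policy: AuthPolicy, now: float) -> bool:
    """Password-age control: force a change once the password is older than the maximum age."""
    return now - state.password_changed_at >= policy.password_max_age_seconds


def session_active(state: AccountState, policy: AuthPolicy, now: float) -> bool:
    """Idle time-out: a session is live only if activity was seen within the time-out window."""
    if state.last_activity_at is None:
        return False
    return now - state.last_activity_at < policy.session_timeout_seconds


def touch_session(state: AccountState, policy: AuthPolicy, now: float) -> bool:
    """Extend the session on activity; returns False (and clears it) if it had already timed out."""
    if not session_active(state, policy, now):
        state.last_activity_at = None
        return False
    state.last_activity_at = now
    return True


def requires_reauth(state: AccountState, policy: AuthPolicy, amount: float, now: float) -> bool:
    """Re-authentication control for high-value transactions: require a fresh full
    authentication unless one happened within reauth_max_age_seconds."""
    if amount < policy.high_value_threshold:
        return False
    if state.last_full_auth_at is None:
        return True
    return now - state.last_full_auth_at > policy.reauth_max_age_seconds


if __name__ == "__main__":
    policy = AuthPolicy()
    acct = AccountState(password_changed_at=0.0)
    for t in range(5):
        print(t, record_login_attempt(acct, policy, success=False, now=float(t)))
    print("correct password while locked:", record_login_attempt(acct, policy, True, 5.0))
    print("after lock expiry:", record_login_attempt(acct, policy, True, 4.0 + policy.lockout_seconds))
    print("re-auth for 150000:", requires_reauth(acct, policy, 150_000.0, 4.0 + policy.lockout_seconds + 400))
```

The state is deliberately kept separate from the policy so that a bank can tune the thresholds per risk tier (the "additional layered security" for high-value transactions) without touching the enforcement logic, and every check takes an explicit `now` so the behaviour is testable without real clocks.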
Security Controls Monitoring
Banks shall develop and implement a formally approved mechanism for the monitoring of Security Controls. An analysis of the effectiveness of existing or proposed Security Controls Monitoring methods shall be part of this monitoring mechanism.
Banks shall monitor network activity by collecting and analyzing host and network data related to security events. Examples of security events include privileged access to sensitive operating systems, configuration changes and access to critical applications.
Readers can read the complete regulations here.
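The three example security events named above (privileged access to sensitive operating systems, configuration changes, access to critical applications) map naturally onto detection rules run over collected host and network logs. The Python below is an added example and not part of the regulations or any bank's tooling; the log lines, hostnames, users, addresses and the list of critical application names are all constructed for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample host and network log lines (syslog-like). Hostnames, users
# and IP addresses are invented for this example.
SAMPLE_LOGS = """\
2024-03-01T09:12:01 corebank-db01 sshd[2201]: Accepted publickey for root from 10.20.5.17 port 51122
2024-03-01T09:12:40 corebank-db01 sudo: opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/bin/systemctl restart postgresql
2024-03-01T09:15:03 ibank-app02 app: user=customer123 action=login result=success src=203.0.113.9
2024-03-01T09:16:10 ibank-app02 auditd: CONFIG_CHANGE path=/etc/ibank/app.conf uid=1002
2024-03-01T09:20:44 fw-edge01 firewall: config-change rule=ALLOW_ANY admin_src=10.20.5.17
2024-03-01T09:25:00 ibank-app02 app: user=admin42 action=open app=core-banking-admin result=success src=10.20.5.44
"""

# Applications whose access the bank treats as a security event (constructed names).
CRITICAL_APPS = {"core-banking-admin", "payments-gateway"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
APP_RE = re.compile(r"\bapp=(?P<app>\S+)")

# Ordered detection rules: the first matching category wins.
RULES = [
    ("privileged_access", re.compile(r"Accepted \S+ for root\b|\bsudo:|\bsu\[")),
    ("configuration_change", re.compile(r"\bCONFIG_CHANGE\b|\bconfig-change\b")),
]


@dataclass(frozen=True)
class SecurityEvent:
    timestamp: str
    host: str
    category: str
    raw: str


def classify(message: str) -> Optional[str]:
    """Map one log message to a security event category, or None if it is routine
    (an ordinary customer login, for instance, is not a security event)."""
    for category, pattern in RULES:
        if pattern.search(message):
            return category
    m = APP_RE.search(message)
    if m and m.group("app") in CRITICAL_APPS:
        return "critical_application_access"
    return None


def collect_events(log_text: str) -> List[SecurityEvent]:
    """Parse raw log text and keep only the lines that are security events."""
    events: List[SecurityEvent] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count these separately
        category = classify(m.group("msg"))
        if category:
            events.append(SecurityEvent(m.group("ts"), m.group("host"), category, line))
    return events


def summarize(events: List[SecurityEvent]) -> Dict[str, int]:
    """Count events per category, the figure a monitoring dashboard or quarterly report would carry."""
    return dict(Counter(e.category for e in events))


if __name__ == "__main__":
    found = collect_events(SAMPLE_LOGS)
    for e in found:
        print(f"{e.timestamp} {e.host:14} {e.category:28} {e.raw[:60]}")
    print(summarize(found))
```

Each rule is a plain regular expression so an analyst can review what it matches; the critical-application check is driven by an allow-list of application names rather than a pattern, which keeps the "which applications are critical" decision with the risk assessment rather than inside the detection code.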