Regulations on the Security of Information Systems of Financial and Capital Market Participants

Original Language Title: Finanšu un kapitāla tirgus dalībnieku informācijas sistēmu drošības normatīvie noteikumi


Financial and capital market Commission, the provisions of regulations No 112 in 2015 on July 7 (financial and capital market komisijaspadom meetings of Protocol No 25 p. 2) Financial and capital market information system security rules, regulations Issued pursuant to the financial and capital market Commission of the law article 7, first paragraph, point 1, of the law of credit institutions article 34.1, second paragraph, the third subparagraph of article 50, and payment services, electronic money, article 45 of the law on the financial instruments market law 123.5 the second paragraph of article 124 article 1.1, part of the law "on private pension funds ' in article 28 of the sixth part i. General questions 1." financial and capital market information system security regulations "(hereinafter-the the rules are binding on Latvia) registered in the financial and capital market participants (hereinafter operator): credit institutions, credit unions, payment institutions, electronic money institutions, insurance companies, insurance intermediaries, private pension funds, regulated market organizers, Latvian Central Depositary, brokerage firms, investment management firms and alternative investment fund managers. 2. the aim is to limit the market participants and customers for the provision of services of information systems to be used (hereinafter also – IR) risks generally striving for care information system risk management (risk appetite), as well as to provide uniform structured requirements for market participants IS the security risk management. 3. minimum requirements. The operator may introduce additional safeguards, depending on the classification levels of information resources and the risk analysis carried out in the light of the services of the company, number of employees, and information technology (hereinafter IT) the level of use. II. Terms 4. 
Audit trail-records available for analysis, which tracked data for specific events IS (access, input, change, delete, output, etc.). 5. Outsourcing provider, third party after market operator's request, IT IS the operators and management, development, security, audit, or other market participant provided a necessary service that is associated with this. 6. security measures-technical or organisational measures, which are certainly risk management and reduce the risk to acceptable ISO level. 7. Vulnerability – IS not entirely, allowing some particular risks materialise and affect the IS security. 8. information system-data input, storage and processing system that provides specific functions and provides lietotājpieej to the data stored in it or information. 9. Confidentiality of the information-providing access to information only to authorized persons. 10. Information integrity, information and its processing methods, the accuracy, correctness and completeness. 11. Access to information – opportunity to persons authorized to use the information at a specific time and place. 12. Information resource-information unit containing a data file containing the IS stored, processed and IS available to users, as well as all the information IS input and output documents, regardless of the media type. 13. Information resource holder – a person who is responsible for information resources and work with them on behalf of the operator. 14. Authentication factors (elements)-remote user authentication used for authentication features that are known only to the user (such as your password, PIN), which is in use, or belong only to the user (for example, code card, code, calculator, mobile phone), or what is the user's unique characteristics (such as fingerprints). 15. IS security – IS confidentiality, integrity and availability requirements. 16. 
IS security incident — adverse event or offence as a result of which are endangered or may be compromised IS the safety ( Or the computer network attacks, operational equipment, which result or may result in unauthorized access to the IR, denial of service). 17. IS the user – the person within the limits of the powers conferred on the IS used. 18. Risk – IS associated with the functioning of the Organization's alleged inability fully and quality to perform some of his obligations or functions as the likelihood of unwanted event and its consequences. 19. Technological resources – IS a component that includes the sistēmprogramm, applications, utilities, sistēmfail, computer, network, hardware, and other equipment which will ensure the IR activities. 20. The technological resource holder – a person who is responsible for the technological resources and work with them on behalf of the operator. 21. Definitions relating to internet payment services, see annex I of these rules under point 8. III. Organization of the security of information systems of management accountability and 22 support 22.1. market participants shall be responsible for the management of the IS security policy and IT strategy and implementation, staff duties and responsibilities, as well as the organisation of control adequate allocation of resources IS security and audit functions to make the ISO. 22.2. The IS security policy objective is to define market position and control of the aid IS in line with the security market and customer needs. 23. the regulations 23.1. The market operator shall confirm the hierarchically structured set of documents that define the ISA Management, Is security management. Defining security management, ISO sets the ISO security objectives, roles, responsibilities, and IS the application of the security measures. 23.2. The market operator shall document at least the ISA management processes that can lead to failure of the IS a security risk. 23.3. 
The market operator shall ensure the availability and accessibility of regulations updating the employees. 23.4. The market operator shall determine the employees ' liability for non-compliance with the regulations. 14.6. The market operator shall establish and maintain up-to-date information and data flow diagram. 24. IS security or the IR risk management function (hereinafter IR security function) 24.1. The market operator shall ensure the IS a security feature, to the realization of the risk control and IR security measures. 24.2. IS security functions within a market participant shall ensure at least: 24.2.1. IS security, regulatory development and updating; 24.2.2. IS the classification and risk management and coordination hazards identification; 24.2.3. management information on compliance with the safety requirements and relevant IR security incident; 24.2.4. monitoring the security measures laid down; 24.2.5. employee training and information IS security; 24.2.6. IS security incident management; 24.2.7. membership IS restored and continuity planning. 24.3. The market operator shall ensure IS security functions independent of the IS development and maintenance functions and responsibilities directly to inform market participants IS essential for the management of security events. If on IS security officer their duties performed in combination, then followed the principle of separation of duties – the performer may not be his to control. 25. The IS audit function 25.1. The market operator shall ensure the IS audit function to ensure the implementation of security measures IS independent examination. 25.2. The Audit function can also provide outsourcing provider. 25.3. A market until March 1 of each year shall be transmitted to the financial and capital market Commission, for the previous year, performed with the IR security audit list, specifying the subject of the audit objectives and audit, the analyst. 26. 
the Outsourcing of the management of the market participant can 26.1. use third party provider-outsourcing-services. Make all market participants used outsourcing. 26.2. Outsourcing arrival does not release the operator from the law or the contract with its clients determine responsibility – it is responsible for the outsourcing of work to the same extent as on your own. ISA security level, if the IS develops or maintains an outsourced provider, must not be lower than the market's. 26.3. before taking a decision on the acquisition of the outsourcing market assess suppliers and, taking into account the requirements of quality and safety of services, including accessibility, assess the risks, as well as the termination of the service strategy. 16.4. A market contract with the external service provider shall include the requirements for the control of outsourcing, for example, a clear description of the service, security requirements, confidentiality obligations, a right to service the information necessary for the supervision of outsourcing provider immediately to report the incidents, the right to terminate the contract. 26.5. Outsourcing, cloud computing, a market participant is obliged to maintain the necessary control over information resources that contains information about the operator's customers. The operators classified IS a safe way is physically or logically distinct from outsourcing provider's other clients IS. To prepare and regularly update the service interruption plan, providing data, software and technical resources of the return and deletion of customer information to the service provider. 16.5. The market operator shall carry out the monitoring of the quality of the outsourcing and security control, receive reports on quality of service and incidents. 16.6. The operator, if it provides outsourcing to third parties, using their own IR, including authentication, it is the duty of the outsourcing solution for controlling the third-party company. 
Market participants shall inform partners about the risks associated with the use of such services. Security requirements in the event of non-compliance to the operator is obliged to cease cooperation. IV. System of information resources management 27. Resource ownership 27.1. The market operator shall designate in writing the IS resources (information and technological resources) the holder for all the information and technological resources. 27.2. the obligations of the holder of information resources are as follows: 27.2.1. classify his holdings in existing information resources; 27.2.2. participate in his holdings of existing information resources and related risk analysis and ISO to approve it; 27.2.3. confirm access rights IS; 27.2.4. approve the changes to ISA and implementation; 27.2.5. determine the requirements for creating an audit trail; 27.2.6. collaborate with the technological resources of the holder of the IR functionality and security. 27.3. the participant of the market of information holders training in their duties. 27.4. The technological resource holder is responsible for the following: 27.4.1. technological resources to ensure the physical and logical protection; 27.4.2. collaborate with the holders of information to enforce his claim on information resources and access to them; 27.4.3. participate in risk analysis, identify the resources associated with the process IS to assess the risks and likelihood of these risks; 27.4.4. ensuring ISO restore procedures, if technological resources have been damaged and disrupted the functioning of ISA or impossible; 27.4.5. collaborate with the holder of the IR information resources IS the functionality and security. 27.5. Resource holder obligations can be instructed to perform resource guardians – who ordered the holders and everyday are responsible for the relevant ISA resources or part of it. 28. classification classification IS 28.1. 
the objective is to assess the importance of ICTS and ensure its protection according to the level of classification. Make all market participants IS determining the classification, IS privacy, values and level of availability, and documented. 28.2. the level of privacy IS granted by the operator depending on the damage that could be caused to the employer of the information or if the operator is allowed to access that IS not authorized. 28.3. the level of Value IS assigned by the operator depending on the damage that could be caused to the employer of the information or if the operator does not ensure the integrity of the ISO. 28.4. the level of resources available IS determined by the operator depending on the operator's operating needs (business requirements), in view of the harm which might be caused to the employer of the information or if the operator does not ensure the availability of resources, and the ISO determines the allowable time IS may not be available (Recovery time objective), and the allowable time period for which data can be lost (Recovery point objective). 28.5. Operator applied IS the classification that matches these terms and with at least two levels of each classification category. 28.6. market participants according to the level of classification of information to determine use of classified information and protection requirements. V. Risk analysis and management of Risk analysis and 29 management objectives are: to determine the permissible or 29.1. acceptable risk (risk limit or appetite); 29.2. to assess the likelihood of the hazard of the ISA, which IS the risk is intentionally (intentionally) or negligently made, action or inaction or possible events that may cause ISA security incident; 29.3. to assess the potential harm to the employer information, market participant or any other person, without the IS security; 29.4. to determine the appropriate and necessary security measures if the risk is not acceptable; 29.5. 
accept after security measures the residual risk (compliance with specified risk limits). 30. Risk analysis is a regular process. Market participant is performed throughout the life cycle of the ISA,, starting IS important when a project IS changes, becoming the new significant threats, the occurrence of significant incidents or increasing their total number. 31. Market risk analysis is conducted using the approved methodology. Market participant using a risk analysis methodology that allows you to effectively realize these rules laid down in paragraph 29. 32. A market plan and implement security measures if the risk analysis, the estimated risk is not acceptable, and planned security measures determine the marketing priorities, deadlines and responsible. 33. the security measures are designed to reduce the residual risk to an acceptable level. Operator safety measures shall be based on the costs and the possible loss of samērojamīb. Vi. Staff role in the security of information systems 34. Market risk management carried out in the framework of the measures of employee resulting from an act or an omission IS the security risks, as well as the role of employees IS safety measures and promote the awareness of the staff IS ready and the need for protection. 35. The market operator shall ensure that the IS user level of knowledge is an appropriate use of ICT needs. 36. market participants before the present employees with the governing documents. 37. The market operator shall determine the IS user: 37.1. the responsibility for the operation of regulatory documents IS not complied with; 37.2. the responsibility for all activities that are carried out with the ISA his user name; 37.3. the obligation to respect the obligation of confidentiality in relation to the data that comes into the person's possession, carrying out job responsibilities; 23.2. the obligation to inform the appropriate person (for example, ISA security principal) for IT security incidents and threats. 
38. security awareness promotion 38.1. The market operator shall at regular intervals carry out systematic measures to promote the awareness of each employee IS the protection and promote employee awareness of common IR security (security awareness). 38.2. The market operator shall determine how and how often employees are informed and trained on IS security issues. 38.3. The market operator shall carry out training in the protection of classified information. VII. Physical and environmental security management 39. Market risk management IS carried out in the framework of the measures of physical protection, which protects from unwanted ambient (fires, floods, temperature, etc.), technical (inadequate electricity supply, the electromagnetic field exposure, etc.) and human factors (intentionally or unintentionally damage, theft, etc.). 40. The IS infrastructure (technological resources,, disk array servers, network equipment and cable etc., except for the end user of technological resources) physical protection of 24.9. Market IS infrastructure operates limited access spaces, physical protection, which provides the only access to the authorised person. If it is determined by the technological necessity, then, operating outside the restricted access to the premises IS technological resources physically restrained. ISA infrastructure facilities deployed in buildings where there is less risk, the likelihood of implementation. 40.2. The market operator shall determine which persons may enter this provision in paragraph 24.9 spaces and their access to the register. This list includes only those persons who work duties require physical access to ICT infrastructure. 40.3. The IS infrastructure third party premises may stay only in the presence of the persons who have the right of access to the IS infrastructure. 25.1. The market operator shall ensure the IS infrastructure indoor climate (humidity, temperature URu.tml.) 
IS used for the operation of the infrastructure hardware manufacturer. 25.2. The market operator shall be equipped with IR room infrastructure security alarm and detectors. 40.6. Market technological resources administering staff jobs separate limited access spaces. 41. Media physical protection of market participants made 41.1. the necessary security measures for the physical medium of protection depending on the IS classification, but in whatever form ( dismantled drive equipment, paper, Flash memory card, URu.tml.). 41.2. The market operator shall determine the order in which used stored and safely destroy the media. 41.3. Market media under the protection of the output data apparatus of physical protection, preventing unauthorized acquisition of information resources (such as printers equipment protection, limiting the use of interfaces). 25.7. If media containing sensitive ICT resources, is designed to destroy, then players will do it in a way that would not be possible to restore data. 42. The market operator shall take additional measures of physical protection depending on the ISO classification level. If necessary, physical protection measures may be offset by logical Defense (software and processes). VIII. Information System access rights management 43. new IS user registration, assignment of cancellation and blocking the market operator shall be carried out in accordance with documented request which confirms the information resource. Documentation for the method must be able to carry out effective current right of access control. 44. Each operator IS the user and the administrator is assigned a unique user code. 45. user authentication 45.1. authenticating the User aims to make sure that an IS classified using the authorized user code owner. 45.2. 
The market operator shall determine the means of authentication (for example, passwords, codes calculator, private key, biometric features, etc.), use password (password length, complexity, term of validity, the repeatability limit). 45.3. the password IS stored in encrypted form. Enter your password, it may not be legible on the screen. Password change immediately if it could be or is unauthorised become known to another person. 28.2. Creating, delivering and enabling authentication feature, the operator shall ensure that it is available only to the owner of the user code ( secure personalization and user password creation process). 45.5. If market participants used technology permits, in addition to the built-in administrator account operator creates an individual account for each administrator who is used in the daily maintenance of the ISO. ISA administrator code and copies of passwords stored in a secure location with limited access outside network connected to engineering resources. 46. The right of access IS a market participant shall be determined in accordance with the approved documented roles or user profiles. Is a user access only to the information and functions that are necessary for the performance of his duties. This requirement must be respected in determining technological ICT users also (account) rights. 47. IS the user's or administrator's job responsibilities change or termination in the event of a market participant shall immediately change or block IS the user and administrator rights. 48. The market operator shall at regular intervals carry out current permissions check to control this rule 46 and 47. compliance with the requirements. IX. Communications and operations management 49. Employees, performing the IS maintenance, the operator determines the duties and responsibilities and ensure interchangeability and qualifications. Process control to ensure separation of duties. 50. the configuration management and control 50.1. 
The market operator shall take technological resources and their current configuration. 50.2. The market operator shall determine any request, authorize, tested and technological resources. 50.3. Market risk control framework and controls the configuration of ISA maintained, taking into account the recommendations of security practices (hardening standards) and the known system vulnerabilities. 50.4. Market risk control framework and make the necessary technological changes in technological resources and reduce the standard configuration functionality to the required amount. 50.5. The market operator shall promptly take the necessary IS the standard software update works ( Security fix installation). 51. the protection of computer networks 51.1. The market operator internal computer networks separate from the external network. The data flow between internal and external computer networks allow only those services that are necessary for the function of the market participants. 51.2. The market operator shall establish and maintain an up-to-date computer network and connection scheme. 51.3. The market operator shall conduct regular checks on the existence of any external connections and make sure that there are only those connections that meet the market's operational needs. 51.4. Market risk control framework exercises necessary and possible additional data flow restrictions ( application, site containment) between the internal and external networks. 51.5. Market operator carries out monitoring of computer networks and vulnerabilities ( of malware). 51.6. If ISA Administration is performed from a remote location, the operator uses the cryptography features (such as a virtual private network (VPN)) and safe (at least two factor) user authentication. 32.1. The use of wireless data transmission technology, a market risk management framework provides the additional protection to ensure only authorized the use of ICTS. 52. the PC and device protection 52.1. 
The market operator shall determine what information resources may be stored and how to protect personal data processing equipment, desktop and portable computer (hereinafter PC), Smartphone, Tablet PC URu.tml. 52.2. the PC is installed and used only in the software and in a configuration set operators, which also lays down the procedure and take measures for protection against harmful programs via, for example, antivirus software, the software restriction policy. 52.3. Pc functionality in a market limited to job needs the function level, control the computer's port and the connection of equipment, controls access to the public network information (blacklisting, whitelisting) and logically separated access to the public network (internet) information from the internal organisation IS using, such as virtualization. 52.4. Pc is connected only to certain network operators. 52.5. The market operator shall ensure that when a user leaves your PC unattended, to resume use of the ISA, or connect to the network operators may only when user authentication has been performed. 52.6. with PCs that have enhanced physical security, portable devices used outside the premises of operators, classified information is transmitted and stored in encrypted form. 52.7. The market operator shall make all the existing personal computer for use outside the premises of operators, records to determine which person uses the equipment. 52.8. If the market allows employees to work using their own PCs, it determines the order of use. This procedure must not reduce the level of protection IS established. 52.9. In the event of a remote access market IS through a Smartphone or Tablet PC, the security must be protected in the event of an incident, to prevent customer or market sensitive data from falling into the possession of a third party (for example, protected access to the device, the data is not stored on the device or after sessions are automatically deleted). 53. Data Backup copying 53.1. 
To limit the risks to the integrity and availability of market data, backup copying. 33.1. The market operator shall develop documented data backup creation, determining what technology and operations are defined in the data backup and restoration of production information, as well as how often and to what extent you create backup copies of the data, taking into account the allowable time IS may not be available (Recovery time objective), and the time period for which data may be lost (Recovery point objective), as well as how often you perform the copy and restore procedures. 53.3. The market operator shall ensure that at least the IR, which provide the market participant or its customers essential services, data backup copying is carried out with the method that minimizes the risks (of the IS physically or logically separate data carriers). The data from the backup stored in the IS geographically separate location. 53.4. The market operator shall protect backup data against unauthorized use or damage. 54. The IS monitoring the market operator IS 54.1. monitoring for at least the following objectives – take preventive action IS a security maintenance and timely identification of the incident. Monitoring measures are applied according to the ISO classification. 54.2. The market operator shall carry out regular monitoring of ISA: 54.2.1. timely identification of both internal and external threats; 54.2.2. identifying system vulnerabilities, and fix them; 54.2.3. monitoring unauthorized use of equipment and software, and its prevention; 54.2.4. controlling an IR and equipment configuration changes; 54.2.5. monitoring IS the process, equipment and availability. 55. the audit trail management 55.1. to identify the user actions and the IS operator error, sort, store and analyze the audit trail. 55.2. Audit trail logging operators shall include at least all successful and unsuccessful connection to the appropriate time and user codes. 
Additional audit trail shall be made on the ISA parameter change, for working with user accounts, as far as it can be used to provide technological solutions. 55.3. market participants use methods and tools, which allow you to effectively analyze the audit trail. These tools are available only to authorized personnel. 55.4. The market operator shall ensure the integrity of the audit trail. 55.5. market participants synchronizes all it IS time tracking, which are interconnected to Exchange data, or transaction processing. 56. Cryptography use 56.1. Market participants, depending on the level of confidentiality of information resource uses the cryptography features. 56.2. The market operator shall determine the cryptographic products, as well as their protection. X. remote security management services 57. Market, customers, offering remote services provide services security management to minimize customer risks. 58. the requirement for security internet payment determined in the annex to these provisions. 59. The market operator shall perform customer identification, and other necessary measures to remote authentication feature of the services receive only its owner. Client authentication (Tools, software) are required, delivered and activated in a safe way. 60. Transferring customer data, protected by cryptographic means. Transferring customer data, it may not be encrypted if the information does not contain the other data of the customer and the customer accepts possible risks. 61. The operator uses at least one factor client authentication if: 61.1. service allows you to view only the information about the customer's account, which does not include third-party data, account balance, transaction history, account number; 61.2. service includes the use of financial instruments (purchase/sale). 62. The client user access is blocked by up to five auth attempts. 63. An inactive session is locked, no more than fifteen minutes. 
Client user access again will activate the safe way. 64. The operator client security awareness program provides customers with a full frame information on remoting services risks and information on how to safely and effectively use IS. Market participant before the client gives you access to remote services and continue cooperation regularly inform the customer of the market participant and client rights and responsibilities, the use of the service, the security measures required on the client side ( client workstation, mobile equipment), the authentication features for safe use and operation in the event of loss, as well as measures to identify potential fraudulent activity, money mule. 65. Market, communicate with clients, assess the information content and, if necessary, use a secure form of communication. 66. before remote service deployment, becoming new threats or making significant changes to the ISA, the operator carries out security checks or tests. 67. The market operator shall keep, for at least 18 months, the audit trail of the Remoting service and refuse connections using ( the source IP address, time) and user transactions and other transaction information necessary for identification. XI. the development of information systems and change management 68. The market operator manages the IS development and change management processes to minimize security risks and to develop ICT for IR and other related IS. 69. The market operator shall determine IS the development, acquisition, testing, implementation, and change management processes. 70. The IS development started a market determined 70.1. for IS the person responsible for the project, in accordance with these provisions is determined to develop the IR resource holders. 70.2. The persons responsible for carrying out the project and it IS ISA, which can affect the new IR, risk analysis, as well as setting the IR security requirements and risk control measures. 70.3. 
holders of the IS drawn up in cooperation with the employee responsible for security, make ISA ISA security requirements. 71. The IS development operator IS 71.1. development environment separated from the environment of use. 71.2. The market operator shall document each IS. The documentation shall contain the necessary information to be able to make use of the ISO quality, maintenance and management of change (for example, ISA, ISA administrator description and user instructions, etc.). 71.3. The operator must keep and use the appropriate level of classification in this dossier. 72. IS testing Before introduction of 72.1. ISA market participant under the plan IS carried out tests. The test plan IS also included in the functional requirements, not The is a security test. 72.2. Market IS distinguished a test environment from the use of the environment. 72.3. Test and development environment does not use use environmental data, however, if the IS security risk mitigation purposes, a test or development environment you need to use use environmental data, then use it and apply the the same security measures as the use of the environment ( the award, authentication, audit trail procedures). 73. the introduction of the ISA IS established IS 73.1. holders of the authorization, certifying that the testing has been completed and IS ready for implementation. 73.2. before commissioning use ISA market employee training. 73.3. The market operator shall ensure that the IS version control. 74. the change management 74.1. changes take place only under the ISO related ISA holders permission. 74.2. The market operator shall analyse how the changes will affect existing security measures and IS granted access to the available information and or changes do not diminish the IS security level. 46.2. The market operator shall take ISA documentation additions. 74.4. 
The market participant shall draw up guidance on the handling of emergency (unplanned) changes and shall determine who is entitled to decide on an emergency change. The market participant shall determine what measures are planned to reduce the need for emergency changes and shall take measures to prevent unauthorised changes.

75. Decommissioning an IS. When the use of an IS is discontinued, when it is disposed of or transferred to another person, or when the market participant ceases to perform certain functions with the IS, the market participant shall take the necessary security measures based on a risk analysis.

XII. Incident management

76. The objective of incident management is to minimise the impact of IS security incidents on the market participant's clients and operations and to reduce the risk of their recurrence.

77. The market participant shall establish and implement in practice an IS security incident management process that includes at least: 77.1. identification of IS security incidents; 77.2. containment and mitigation of incidents; 77.3. tracking of incidents in an incident register; 77.4. analysis of IS security incidents (causes and risk mitigation measures) and informing management; 77.5. preservation of the necessary evidence.

78. By 1 March of each year, the market participant shall submit to the Financial and Capital Market Commission a list of the IS security incidents recorded in the previous year, including information on the groups or categories of incidents, together with an assessment of the impact of each incident and the total number of incidents at each impact level.

79. IS recovery. 79.1. The market participant shall ensure the timely restoration of IS operation and data in the event of IS downtime. 79.2. The market participant shall draw up an IS operational recovery plan consistent with the market participant's business continuity plan. 79.3. The IS operational recovery plan shall include the order of priority in which IS services are restored, the resources used, the list of actions to be taken and the responsible employees.
79.4.
In accordance with the procedure laid down above, the market participant shall regularly train the employees involved in the IS recovery processes, test the plan in a documented manner and amend it as needed so that the plan remains up to date.

XIII. Concluding provisions

80. Point 10 of Section II of the Annex to these provisions shall enter into force on 1 January 2016.

81. Until 1 April 2017, for the services set out in the Annex to these provisions, at least two-factor authentication may be used in place of secure client authentication.

82. The Financial and Capital Market Commission Regulations No 49 of 26 March 2014, "Financial and capital market participants' information system security regulations", are repealed.

Financial and Capital Market Commission, Acting Chairman, Director of the Licensing and Legal Department G. Romeik

Annex 1 to the Financial and Capital Market Commission Regulatory Provisions No 112 of 07.07.2015

Security rules for internet payments

I. Scope and definitions

1. These requirements for the security of internet payments are based on Article 11, first paragraph, point 5 of the Payment Services and Electronic Money Law, which requires payment institutions to put in place sound governance arrangements and adequate internal control mechanisms.

2. The requirements apply to payment services offered via the internet by payment service providers as defined in Article 2, second paragraph of the Payment Services and Electronic Money Law.

3. The requirements are without prejudice to the responsibility of payment service providers for monitoring and assessing the risks of payment transactions. Payment service providers develop their own security policies and implement appropriate security, contingency, incident management and business continuity measures commensurate with the risks inherent in the payment services provided.
4.
The purpose of these requirements is to define common minimum requirements for the following internet payment services, regardless of the access device used: 4.1. card payments on the internet, including payments with virtual cards, as well as the registration of card payment data for use in "virtual wallet" solutions (card payments); 4.2. credit transfers; 4.3. the issuance and amendment of electronic direct debit mandates (e-mandates); 4.4. transfers of electronic money between two e-money accounts via the internet (e-money).

5. Payment integrators[1] offering payment initiation services are regarded either as payees (and thus as payment service providers) in the internet payment scheme concerned, or as external technical service providers of the scheme concerned or of payment service providers. In the latter case, the contract shall stipulate that the payment integrator complies with the requirements set out in this Annex.

6. The scope of these requirements does not include: 6.1. other internet services provided by the payment service provider via its payment website (for example, e-brokerage, online contracts); 6.2. payments where the instruction is given by post, telephone, voice mail or SMS technology; 6.3. mobile payments other than browser-based payments; 6.4. credit transfers where a third party accesses the customer's payment account; 6.5. payment transactions made by an undertaking via dedicated networks; 6.6. card payments using anonymous, non-reloadable physical or virtual prepaid cards, where there is no ongoing relationship between the issuer and the cardholder; 6.7. the clearing and settlement of payment transactions.

7. In addition, the following definitions apply in this Annex: 7.1. Authentication: a procedure that allows the payment service provider to verify the identity of the customer.
7.2.
Secure client authentication: a procedure based on two or more of the following elements, categorised as knowledge, possession and inherence: (i) something only the user knows, for example a static password, code or personal identification number; (ii) something only the user possesses, for example a token (code calculator), smart card or mobile phone; (iii) something the user is, for example a biometric characteristic such as a fingerprint. In addition, the elements selected shall be mutually independent, that is, the compromise of one element does not compromise the other element(s). At least one of the elements shall be non-reusable and non-replicable (except for inherence) and shall not be capable of being surreptitiously stolen via the internet. A secure authentication procedure is one that protects the confidentiality of the authentication data.

7.3. Authorisation: a procedure that verifies whether the customer has the right to perform a specific action, for example the right to transfer funds or to access protected data.

7.4. Authentication data: information that is generally confidential and is used by the customer for authentication purposes. Authentication data also includes the device used for authentication (for example, a token or smart card) and the user's biometric data.

7.5. Protected data: in the context of this Annex, and depending on the method of use and the protection mechanisms in place, protected data means authentication data and other data used to make a payment, to access the authentication data, or to manage authentication data.

7.6. Transaction risk analysis: a risk assessment related to a specific transaction that takes into account criteria such as the customer's payment behaviour (pattern), the value of the transaction concerned, the type of product and the payee's profile.
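The two-element authentication defined in point 7.2, as an added illustration that is not part of the regulation or of any market participant's system: a knowledge element (a password stored as a PBKDF2 hash) is combined with a possession element (a time-based one-time code generated on the customer's device according to RFC 6238). The two secrets are independent, so a breach of the password store yields no valid codes, and each time step is accepted once so that a captured code cannot be replayed. The iteration count, step length, user record and the sample secret are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed parameters for the example (the regulation does not fix them).
PBKDF2_ITERATIONS = 600_000   # knowledge element: slow hash for the stored password
TOTP_STEP = 30                # possession element: one code per 30-second step
TOTP_DIGITS = 6
DRIFT_STEPS = 1               # tolerate one step of clock drift either side


def hash_password(password, salt=None):
    """Return (salt, digest) for the knowledge element."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for the given time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class User:
    """Constructed user record. The password hash and the TOTP secret are
    independent secrets: compromise of one does not compromise the other."""

    def __init__(self, password, totp_secret):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret     # provisioned only to the customer's device
        self.last_totp_counter = -1        # highest time step already accepted


def authenticate(user, password, code, now=None):
    """Evaluate both elements; accept each time step once (no replay)."""
    now = int(time.time()) if now is None else now
    knowledge_ok = verify_password(password, user.salt, user.pw_hash)

    matched_counter = None
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        t = now + delta * TOTP_STEP
        counter = t // TOTP_STEP
        if counter <= user.last_totp_counter:
            continue  # this step (or an earlier one) has already been consumed
        if hmac.compare_digest(totp(user.totp_secret, t), code):
            matched_counter = counter
            break

    if knowledge_ok and matched_counter is not None:
        user.last_totp_counter = matched_counter
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret, used here only as a constructed sample.
    user = User("correct horse battery", b"12345678901234567890")
    print(authenticate(user, "correct horse battery", totp(user.totp_secret, 59), now=59))
```

The secret passed to `totp` is the RFC 6238 reference key, so the codes can be checked against the published test vectors; a real deployment would generate a random per-user secret and deliver it to the device in the secure manner required by point 8.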
7.7. Virtual card: a card-based payment solution in which an alternative, temporary card number with a reduced validity period, limited use and a predefined spending limit is generated for use in internet purchases.

7.8. Virtual wallet: a solution that allows a customer to register data relating to one or more payment instruments in order to make payments to several e-merchants.

7.9. E-mandate: an optional solution built on top of the SEPA direct debit scheme that allows the customer to issue, amend and revoke direct debit mandates electronically.

II. Requirements for the security of internet payments

General control and security environment

1. Payment service providers shall implement and regularly review their security policy for internet payment services. 1.1. The security policy shall be properly documented and regularly reviewed (in accordance with Section II, point 2.4 of this Annex). The policy shall be approved by management. It shall define the security objectives and the acceptable level of risk. 1.2. The security policy shall define roles and responsibilities, including an information security risk control function with a direct reporting line to senior management, and the obligation to perform regular security reviews of internet payment services, including the management of protected data, taking into account risk assessment, control and mitigation.

Risk assessment

2. Payment service providers shall perform and document a risk assessment of the security of internet payments and related services, both before the service(s) are introduced and regularly thereafter. 2.1. Payment service providers, through their risk control function, shall perform and document a detailed risk assessment of internet payments and related services.
Payment service providers shall consider the results of ongoing monitoring of the security risks associated with the internet payment services they offer or plan to offer, taking into account: (i) the technological solutions used; (ii) services received from external service providers; (iii) the customer's technical environment. Payment service providers shall consider the risks associated with the chosen technology platforms, their architecture, programming techniques and procedures, both on their own side[2] and on the customer's side[3], as well as the results of the security incident monitoring process (see Section II, point 3 of this Annex). 2.2. On the basis of the risk assessment, payment service providers shall determine whether and to what extent changes to the existing security measures, the technologies used and the services or procedures offered are required. Payment service providers shall take into account the time required to implement the changes (including on the customer side) and the interim measures necessary to reduce security incidents and fraud. 2.3. The risk assessment shall also address the security of the protected data. 2.4. Payment service providers shall review the risk scenarios and existing security measures after major incidents affecting their services, before a major change to the infrastructure or procedures, and when new risks are identified. In addition, a general review of the risk assessment shall be carried out at least once a year. The results of the risk assessment and its reviews shall be approved by management.

Incident monitoring and reporting

3. Payment service providers shall ensure the consistent and integrated monitoring, handling and follow-up of security incidents, including security-related customer complaints. Payment service providers shall establish procedures for reporting such incidents to management. Major payment security incidents shall be reported to the Financial and Capital Market Commission.
3.1.
Payment service providers shall have procedures in place for the monitoring, handling and follow-up of security incidents and security-related customer complaints, and shall report such incidents to the company's management. 3.2. Payment service providers shall have procedures in place for immediately notifying the Financial and Capital Market Commission of major payment security incidents relating to the payment services provided. 3.3. Payment service providers shall have procedures in place for cooperating with the relevant law enforcement authorities on major payment security incidents, including data breaches. 3.4. Payment service providers shall contractually require e-merchants that store, process or transmit protected data to cooperate on major payment security incidents, including data breaches, both with the payment service provider and with the relevant supervisory authorities. If a payment service provider becomes aware that an e-merchant is not cooperating as required by the contract, it shall take steps to enforce this contractual obligation or terminate the contract.

Risk control and mitigation

4. Payment service providers shall implement security measures in line with their security policy to mitigate the identified risks. These measures shall incorporate multiple layers of security so that, if one line of defence is breached, the next line of defence takes effect ("defence in depth"). 4.1. In designing, developing and maintaining internet payment services, payment service providers shall pay special attention to the adequate segregation of duties in the IT environment (for example, development, test and production environments) and to the proper implementation of the "least privilege" principle as the basis for access rights management[4]. 4.2. Payment service providers shall have appropriate security solutions in place to protect networks, websites, servers and communication links against abuse or attacks.
Payment service providers shall strip servers of all superfluous functions in order to protect (harden) them and to eliminate or reduce vulnerabilities in applications at risk. Access by the various applications to the data shall be kept to the minimum necessary in accordance with the "least privilege" principle. To limit the use of counterfeit websites imitating a legitimate payment service provider's site, the transactional websites offering internet payment services shall be protected by trusted certificates issued in the payment service provider's name or by other similar authentication methods. 4.3. Payment service providers shall have procedures in place to monitor, track and restrict access to: (i) protected data; (ii) logical and physical critical resources such as networks, systems, databases, security modules, etc. Payment service providers shall create, store and analyse appropriate audit trails. 4.4. In designing[5], developing and maintaining internet payment services, payment service providers shall ensure that data minimisation[6] is an essential component of the core functionality: the collection, processing, archiving and display of protected data shall be kept to the minimum necessary. 4.5. The security measures for internet payment services shall be tested under the supervision of the risk control function to ensure their robustness and effectiveness. All changes shall be subject to a formal change management process ensuring that changes are properly planned, tested, documented and authorised. Based on the changes made and the security threats observed, the tests shall be repeated regularly and shall include scenarios of relevant and known potential attacks. 4.6. The payment service provider's security measures shall be periodically audited to ensure their robustness and effectiveness. The audit shall also cover internet payment services. The frequency and focus of such audits shall take into account the related security risks. The audits shall be carried out by competent and independent (internal or external) experts who are not involved in the development, implementation or maintenance of the internet payment services provided.
4.7.
If a payment service provider outsources security functions of its internet payment services, the contract with the external service provider shall include provisions requiring compliance with the principles and guidelines set out in this Annex. 4.8. Payment service providers that contract with e-merchants which handle (that is, store, process or transmit) protected data shall require them to implement appropriate security measures in their IT infrastructure, in line with Section II, points 4.1 to 4.7 of this Annex, in order to avoid the theft of protected data through e-merchant systems. If a payment service provider becomes aware that an e-merchant has not implemented the required security measures, it shall take steps to enforce this contractual obligation or terminate the contract.

Traceability

5. Payment service providers shall have processes in place ensuring that all transactions, as well as the e-mandate process flow, are appropriately traced. 5.1. Payment service providers shall ensure that their service incorporates security mechanisms for the detailed logging of transaction and e-mandate data, including the transaction sequential number, timestamps for transaction data, parameter changes, and access to transaction and e-mandate data. 5.2. Payment service providers shall ensure that the audit trail allows the processing of, and any additions, changes or deletions to, transaction or e-mandate data to be traced. 5.3. Payment service providers shall regularly review and analyse the transaction audit trail, using methods and tools that allow this to be done effectively. Only authorised personnel shall perform these procedures.
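One way to implement the audit trail of points 5.1 to 5.3 (and the retained remote-service trail of point 67 of the main provisions), added here as an illustration that is not part of the regulation: every entry records the actor, source IP, timestamp, action and object, and commits to the hash of the preceding entry, so that additions, changes and deletions of transaction or e-mandate data can be traced per object and any later alteration of an entry, or removal of an entry from the middle of the log, breaks the chain. The field names and the sample events are constructed for the example; truncation of the newest entries is only detectable if the latest hash is also anchored outside the log.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


class AuditTrail:
    """Append-only, hash-chained audit log for transaction and e-mandate data.

    Each entry commits to the hash of the previous one, so the same structure
    serves tracing (who did what to which object, from where, when) and
    tamper detection (an edited or removed entry breaks the chain)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, actor, source_ip, action, object_type, object_id, details, when):
        """Append one entry. `action` is CREATE, UPDATE, DELETE or READ."""
        entry = {
            "seq": len(self.entries) + 1,
            "ts": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "source_ip": source_ip,
            "action": action,
            "object_type": object_type,   # "transaction" or "e-mandate"
            "object_id": object_id,
            "details": details,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            if (e["seq"] != expected_seq or e["prev_hash"] != prev
                    or self._digest(e) != e["hash"]):
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def history(self, object_type, object_id):
        """Trace every addition, change, deletion and read of one object."""
        return [e for e in self.entries
                if e["object_type"] == object_type and e["object_id"] == object_id]


def build_sample_trail():
    """Constructed sample events (not real customer or transaction data)."""
    t0 = datetime(2015, 7, 7, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("cust-1042", "198.51.100.7", "CREATE", "transaction", "TX-1001",
                 {"amount": "120.00", "currency": "EUR", "payee": "LV80BANK0000435195001"}, t0)
    trail.record("ops-jdoe", "10.0.5.21", "UPDATE", "transaction", "TX-1001",
                 {"field": "status", "from": "pending", "to": "executed"}, t0.replace(minute=2))
    trail.record("cust-1042", "198.51.100.7", "CREATE", "e-mandate", "MND-77",
                 {"creditor": "LV12ZZZ12345678901", "amount_limit": "50.00"}, t0.replace(minute=5))
    trail.record("cust-1042", "198.51.100.7", "DELETE", "e-mandate", "MND-77", {},
                 t0.replace(minute=9))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print(trail.verify())
    for e in trail.history("e-mandate", "MND-77"):
        print(e["seq"], e["ts"], e["actor"], e["source_ip"], e["action"])
```

The review required by point 5.3 would run `verify()` on a schedule and query `history()` for the objects under investigation; because the log is append-only, a correction to a transaction is itself a new UPDATE entry rather than an edit of the original.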
Special control and security measures for internet payments

Initial customer identification and information

6. Customers shall be properly identified in accordance with the laws of the Republic of Latvia[7] and the relevant European legislation on the prevention of money laundering[8], and shall confirm their willingness to make internet payments before being granted access to such services. The payment service provider shall provide the customer with adequate initial, regular or, where applicable, ad hoc information on the requirements (for example, equipment, procedures) needed to make secure internet payments with this service. 6.1. The payment service provider shall carry out customer due diligence and ensure that the customer has provided the necessary identity documents[9] and other relevant information before being granted access to internet payment services[10]. 6.2. The payment service provider shall ensure that the initial information[11] given to the customer contains all the necessary details about the internet payment service. Where relevant, it shall include:
6.2.1. clear information on the requirements for the customer's computer equipment, software or other necessary tools (for example, antivirus software, firewalls);
6.2.2. guidelines on the proper and secure use of the authentication data;
6.2.3. a step-by-step description of the procedure for the customer to submit and authorise a payment transaction and/or obtain information, including the consequences of each action;
6.2.4. guidelines on the proper and secure use of the customer's equipment and software;
6.2.5. the action to be taken in the event of the loss or theft of the authentication data or of the customer's equipment or software used for access or transactions;
6.2.6. the action to be taken if abuse of the account is detected or suspected;
6.2.7. a description of the respective obligations and liabilities of the payment service provider and the customer with regard to the use of the specific internet payment service.
6.3.
Payment service providers shall ensure that the contract with the customer stipulates that the payment service provider may block a specific transaction or payment instrument[12] on security grounds. The contract shall set out the methods and conditions for notifying the customer and the ways in which the customer can contact the payment service provider to have the internet payment transaction or service unblocked, in accordance with the Payment Services and Electronic Money Law.

Secure client authentication

7. Internet payments, as well as access to protected data, shall be protected by secure client authentication. The payment service provider shall implement a secure client authentication procedure in accordance with the conditions laid down in this Annex. 7.1. Payment service providers shall use secure client authentication for the customer's authorisation of internet payment transactions (including batch credit transfers and e-money transactions) and for the issuance or amendment of electronic direct debit mandates (e-mandates). However, the payment service provider may apply alternative client authentication measures for: 7.1.1. payments to trusted beneficiaries included in a previously established white list of approved payees; 7.1.2. transactions between two accounts of the same customer held at the same payment service provider; 7.1.3. transfers within the same payment service provider, where justified by the payment service provider's transaction risk analysis; 7.1.4. low-value payments as referred to in the Payment Services and Electronic Money Law[13]. 7.2. Access to or changes to protected data (including the creation and modification of white lists) require secure client authentication. Where a payment service provider offers purely informational services that do not involve protected customer or payment data, such as card data, that could be misused for fraud, the payment service provider may adjust its authentication requirements on the basis of its risk assessment.
7.3.
For card transactions, all card-issuing payment service providers shall support secure authentication of the cardholder. All cards issued shall be technically ready (enrolled) for use with secure authentication. 7.4. Payment service providers offering acquiring services shall support technologies that allow the issuer to perform secure cardholder authentication. 7.5. Payment service providers offering acquiring services shall require their e-merchants to support solutions that allow the issuer to perform secure cardholder authentication for card transactions on the internet. Alternative authentication methods may be used for predefined categories of low-risk transactions, for example on the basis of a transaction risk analysis, or for low-value payments as referred to in the Payment Services and Electronic Money Law. 7.6. Providers of virtual wallet services shall require secure authentication when the legitimate holder first registers card data. 7.7. Providers of virtual wallets shall support secure client authentication when the customer logs in to the virtual wallet payment service or carries out card transactions on the internet. Alternative authentication methods may be used for predefined categories of low-risk transactions, for example on the basis of a transaction risk analysis, or for low-value payments as referred to in the Payment Services and Electronic Money Law. 7.8. The initial registration for a virtual card shall take place in a secure and trusted environment[14]. Secure client authentication is required for the virtual card data generation process where the card is issued in the internet environment. 7.9. Payment service providers shall ensure mutual ("two-way") authentication when communicating with e-merchants for the purpose of initiating internet payments or accessing protected data.

Provision of authentication tools and/or software to the customer

8.
Payment service providers shall ensure that the customer is provided with the authentication tools needed to use their internet payment services, and that the delivery is carried out in a secure manner. 8.1. The provision of authentication tools and their delivery shall meet the following requirements: 8.1.1. the related procedures shall be carried out in a secure and trusted environment, taking into account the possible risks stemming from devices that are not under the payment service provider's control; 8.1.2. effective and secure procedures shall be in place for the delivery of authentication data, payment software and all personalised devices associated with internet payments. Software delivered via the internet shall be digitally signed by the payment service provider so that the customer can verify its authenticity and that it has not been tampered with; 8.1.3. for card transactions, the customer shall have the option of registering for secure authentication independently of a specific internet purchase. Where activation is offered during online shopping, it shall be done by redirecting the customer to a secure and trusted environment. 8.2. Card-issuing payment service providers shall actively encourage cardholders to enrol for secure authentication and shall allow cardholders to bypass enrolment only exceptionally and in a limited number of cases, where justified by the risks associated with the specific card transaction.

Authentication attempts, session time-out, validity of authentication

9. The payment service provider shall limit the number of authentication attempts, define rules for the time-out of internet payment service sessions, and set time limits for the validity of authentication. 9.1. When using one-time passwords/codes for authentication, payment service providers shall ensure that the validity period of such passwords/codes is limited to the strict minimum necessary. 9.2. The payment service provider shall set the maximum number of failed authentication attempts after which access to the internet payment service is blocked (temporarily or permanently).
Payment service providers shall ensure a secure process for reactivating a blocked internet payment service. 9.3. Payment service providers shall set a time period after which an inactive internet payment service session is automatically terminated.

Transaction monitoring

10. Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions shall operate before the payment service provider's final authorisation. Suspicious or high-risk transactions shall be subject to a specific screening and evaluation procedure. Equivalent security monitoring and authorisation mechanisms shall also be in place for the issuance of e-mandates. 10.1. Payment service providers shall use fraud detection and prevention systems or solutions to identify suspicious transactions before they authorise them. Such systems shall be based on parameterised rules (such as black lists of compromised or stolen card data) and shall monitor abnormal behaviour patterns of the customer or the customer's access device (for example, a change[15] of IP address or IP range during an internet payment service session, sometimes identified by geo-location IP checks[16], atypical e-merchant categories for a specific customer, or abnormal transaction data, etc.), and shall be able to identify known fraud scenarios (for example, to detect signs of malware infection during a session). The extent, complexity and adaptability of the monitoring solutions shall comply with the applicable data protection legislation and shall be proportionate to the outcome of the risk assessment. 10.2. The payment service provider shall use fraud detection and prevention systems or solutions to monitor e-merchant activity. 10.3. The payment service provider shall carry out the screening and evaluation of transactions within an appropriately short period of time so as not to unduly delay the execution of the payment.
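The controls of points 9.1 to 9.3, as an added example that is not part of the regulation or of any provider's system: a one-time code store whose codes expire after a short validity period and are consumed on first successful use, a failed-attempt counter that blocks the account and allows reactivation only through a separate verified step, and an idle time-out that terminates inactive sessions. The limits, the account model and the in-memory stores are assumptions for the example; in production the code would be delivered out of band and the state kept in a shared store.

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed limits for the example (point 9 leaves the values to the provider).
MAX_FAILED_ATTEMPTS = 5     # 9.2: block after this many consecutive failures
CODE_TTL_SECONDS = 120      # 9.1: one-time code validity kept to the minimum necessary
SESSION_IDLE_SECONDS = 300  # 9.3: inactive session terminated automatically


@dataclass
class Account:
    failed_attempts: int = 0
    blocked: bool = False
    pending_code: str = None
    code_expires_at: int = 0


@dataclass
class Session:
    account_id: str
    last_activity: int
    active: bool = True


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    def issue_code(self, account_id, now):
        """Generate a fresh 6-digit one-time code; any earlier code is superseded."""
        acct = self.accounts[account_id]
        acct.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
        acct.code_expires_at = now + CODE_TTL_SECONDS
        return acct.pending_code   # delivered out of band (SMS, app) in practice

    def verify_code(self, account_id, code, now):
        """Return 'ok', 'invalid', 'expired' or 'blocked'."""
        acct = self.accounts[account_id]
        if acct.blocked:
            return "blocked"
        if acct.pending_code is None or now >= acct.code_expires_at:
            acct.pending_code = None
            return "expired"
        if hmac.compare_digest(acct.pending_code.encode(), code.encode()):
            acct.pending_code = None        # single use: a correct code is consumed
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.blocked = True
            acct.pending_code = None
            return "blocked"
        return "invalid"

    def reactivate(self, account_id, identity_verified_out_of_band):
        """Blocked access is re-enabled only through a separate, verified step."""
        if not identity_verified_out_of_band:
            return False
        acct = self.accounts[account_id]
        acct.blocked = False
        acct.failed_attempts = 0
        return True

    def open_session(self, account_id, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(account_id, now)
        return sid

    def touch(self, session_id, now):
        """Refresh the idle timer; terminate the session if it has been idle too long."""
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return False
        if now - sess.last_activity > SESSION_IDLE_SECONDS:
            sess.active = False
            return False
        sess.last_activity = now
        return True


if __name__ == "__main__":
    svc = AuthService()
    svc.accounts["c1"] = Account()
    code = svc.issue_code("c1", now=1000)
    print(svc.verify_code("c1", code, now=1010), svc.verify_code("c1", code, now=1011))
```

An expired or consumed code is reported separately from a wrong guess so that the attempt counter only grows on guesses, while a wrong guess does not invalidate the pending code; the counter, not code invalidation, is what stops brute forcing.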
10.4. If the payment service provider, in accordance with its risk policy, decides to block a payment transaction identified as potentially fraudulent, the payment service provider shall keep the block in place for the shortest time possible until the security issues related to the execution of the payment are resolved.

Protection of protected data

11. Protected data shall be secured when stored, processed or transmitted. 11.1. All data used to identify and authenticate the customer (for example, when logging in, initiating an internet payment, or issuing, amending or cancelling e-mandates) shall be secured against theft, unauthorised access and modification. 11.2. Payment service providers shall ensure that, when protected data is exchanged via the internet, secure end-to-end encryption[17] is applied between the communicating parties throughout the communication session, using secure and widely recognised encryption techniques to safeguard the confidentiality and integrity of the data. 11.3. Payment service providers offering acquiring services shall require e-merchants not to store any protected data. If an e-merchant handles, that is, stores, processes or transmits, protected data, the payment service provider shall contractually require the e-merchant to implement the measures necessary to protect this data. The payment service provider shall carry out regular checks and, if it becomes aware that an e-merchant handling protected data has not implemented the required security measures, it shall take steps to enforce this contractual obligation or terminate the contract.

Customer education, awareness and communication with the customer

12. Payment service providers shall, where necessary, provide assistance and guidance to customers on the secure use of the internet payment service. Payment service providers shall communicate with their customers in a way that gives customers assurance of the authenticity of the messages received.
12.1. The payment service provider shall provide at least one secure channel[18] for ongoing communication with customers regarding the proper and secure use of the internet payment service. The payment service provider shall inform customers of this channel and shall explain that any message sent in the payment service provider's name by other means, such as e-mail, concerning the proper and secure use of the internet payment service is not reliable. The payment service provider shall explain to customers: 12.1.1. the procedure by which customers must notify the payment service provider of (suspected) fraudulent payments, incidents or anomalies in the internet payment service, and/or possible social engineering[19] attempts during a session; 12.1.2. the next steps, that is, how the payment service provider will respond to the customer; 12.1.3. how the payment service provider will notify the customer of (potentially) fraudulent transactions or alert the customer to attacks (for example, phishing e-mails). 12.2. The payment service provider shall inform customers, via the secure channel, of changes to the security procedures for internet payment services. All warnings about significant emerging risks (for example, warnings about social engineering) shall be delivered by the payment service provider via the secure channel. 12.3. The payment service provider shall provide customer assistance on all questions, complaints, requests for support and notifications of incidents concerning internet payments and related services, and shall inform customers of how such assistance can be obtained. 12.4. Payment service providers shall develop customer education and awareness programmes to ensure that customers understand the need to: 12.4.1. protect their passwords, token devices and other confidential data; 12.4.2. properly manage the security of their personal device (for example, computer) by installing and updating security components (antivirus software, firewalls, security patches);
12.4.3.
assess the significant threats and risks associated with downloading software via the internet, so that the customer can be reasonably sure that the software is genuine and has not been tampered with; 12.4.4. verify that the payment service provider's internet payment website is genuine. 12.5. Payment service providers shall require e-merchants to clearly separate payment-related processes from the online shop, so that customers can easily identify when they are communicating with the payment service provider and not with the payee (for example, by redirecting the customer and opening a separate window so that the payment process is not displayed within the e-merchant's frame).

Notifications, setting of limits

13. Payment service providers shall set limits for internet payment services and give their customers the option to further restrict risk. They shall also provide alert and customer profile management services. Before providing the internet payment service to a customer, payment service providers shall set limits[20] applying to the service (for example, a maximum amount for each individual payment or a cumulative amount over a given period) and shall inform their customers accordingly. Payment service providers shall allow customers to disable the internet payment functionality.

Customer access to information on the status of payments

14. Payment service providers shall provide their customers with payment information and shall promptly give them the information needed to check that a payment transaction has been correctly initiated and/or executed. 14.1. The payment service provider shall provide customers with a secure and trusted environment in which they can, at any time[21] and in near real time, check the status of transactions (credit transfers or e-mandates) and their account balance.
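The rule-based screening of point 10.1 together with the per-payment and per-period limits of point 13, as an added example that is not part of the regulation or of any provider's system: each transaction is assessed before final authorisation against a black list of stolen card data, a change of IP network during the session, the customer's usual merchant categories and amount pattern, and the configured limits. Black-list hits and limit breaches are blocked outright; other anomalies are routed to additional screening as point 10 requires, and only authorised amounts count towards the daily total. Profiles, limits, addresses and card numbers are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed parameters for the example (the regulation leaves the values to the provider).
STOLEN_CARD_BLACKLIST = {"4111111111111111"}   # constructed entry; a real list would hold hashes
PER_PAYMENT_LIMIT = 2000.00                    # point 13: maximum for one payment
DAILY_LIMIT = 5000.00                          # point 13: cumulative maximum per day
SESSION_IP_PREFIX = 24                         # a move outside the login /24 counts as an IP change
AMOUNT_PATTERN_FACTOR = 3                      # above 3x the customer's usual maximum is abnormal

HARD_FLAGS = {"blacklisted_card", "per_payment_limit", "daily_limit"}


@dataclass
class CustomerProfile:
    usual_merchant_categories: set
    usual_max_amount: float


@dataclass
class Transaction:
    tx_id: str
    customer_id: str
    session_id: str
    amount: float
    merchant_category: str
    card_number: str
    source_ip: str
    day: str


class FraudMonitor:
    def __init__(self, profiles):
        self.profiles = profiles
        self.session_login_ip = {}
        self.daily_total = defaultdict(float)

    def register_login(self, session_id, ip):
        self.session_login_ip[session_id] = ipaddress.ip_address(ip)

    def assess(self, tx):
        """Return the rule hits for a transaction (empty list = nothing unusual)."""
        flags = []
        if tx.card_number in STOLEN_CARD_BLACKLIST:
            flags.append("blacklisted_card")
        login_ip = self.session_login_ip.get(tx.session_id)
        if login_ip is not None:
            login_net = ipaddress.ip_network(f"{login_ip}/{SESSION_IP_PREFIX}", strict=False)
            if ipaddress.ip_address(tx.source_ip) not in login_net:
                flags.append("ip_changed_in_session")
        profile = self.profiles.get(tx.customer_id)
        if profile is not None:
            if tx.merchant_category not in profile.usual_merchant_categories:
                flags.append("atypical_merchant_category")
            if tx.amount > AMOUNT_PATTERN_FACTOR * profile.usual_max_amount:
                flags.append("amount_out_of_pattern")
        if tx.amount > PER_PAYMENT_LIMIT:
            flags.append("per_payment_limit")
        if self.daily_total[(tx.customer_id, tx.day)] + tx.amount > DAILY_LIMIT:
            flags.append("daily_limit")
        return flags

    def decide(self, tx):
        """Screen before final authorisation: 'authorize', 'review' or 'block'."""
        flags = self.assess(tx)
        if HARD_FLAGS & set(flags):
            decision = "block"
        elif flags:
            decision = "review"      # step-up authentication or manual screening
        else:
            decision = "authorize"
            self.daily_total[(tx.customer_id, tx.day)] += tx.amount
        return decision, flags


def sample_monitor():
    """Constructed customer profile and session login (not real data)."""
    monitor = FraudMonitor({"c1": CustomerProfile({"groceries", "fuel"}, 1000.00)})
    monitor.register_login("s1", "198.51.100.7")
    return monitor


if __name__ == "__main__":
    m = sample_monitor()
    print(m.decide(Transaction("TX-1", "c1", "s1", 900.00, "electronics",
                               "5555555555554444", "203.0.113.5", "2015-07-07")))
```

A geo-location lookup would replace the /24 comparison where the provider licenses an IP database; the rule shape stays the same, and the point 10.3 timing requirement is met because every rule is an in-memory check against state the provider already holds.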
If the payment service provider shall inform the client of the availability of electronic communication (for example, through periodic e-statement service, or acknowledgement of the notification after the transaction execution) using alternative channels such as SMS, email, or letter, then the following statements must not be included in the protected data. If such data are included in the relevant notification, however, they must be masked.
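As an added illustration of points 13 and 14.2 (example code, not part of the regulation or of any provider's implementation): a minimal check of per-payment and period limits with a customer-requested block, and masking of protected data in a notification sent over an alternative channel. The limit values, timestamps and account number are constructed.

```python
"""Added example, not from the regulation: limit checks (point 13) and
masking of protected data in alternative-channel notices (point 14.2).
All names, amounts and the account number are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass
class CustomerLimits:
    per_payment: Decimal                    # cap on a single payment
    per_period: Decimal                     # cap on the total within `window`
    window: timedelta = timedelta(days=1)   # rolling period for per_period
    internet_blocked: bool = False          # customer asked to block internet payments
    history: list = field(default_factory=list)  # (timestamp, amount) of executed payments


def check_payment(limits: CustomerLimits, amount: Decimal, when: datetime):
    """Return (allowed, reason) for a proposed internet payment; does not record it."""
    if limits.internet_blocked:
        return False, "internet payments blocked by customer"
    if amount > limits.per_payment:
        return False, "exceeds single-payment limit"
    since = when - limits.window
    spent = sum((a for t, a in limits.history if t > since), Decimal(0))
    if spent + amount > limits.per_period:
        return False, "exceeds period limit"
    return True, "ok"


def record_payment(limits: CustomerLimits, amount: Decimal, when: datetime) -> None:
    """Append an executed payment so later checks count it toward the period total."""
    limits.history.append((when, amount))


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def notification_text(account: str, amount: Decimal, channel: str) -> str:
    """Build a payment-executed notice. Only the secure channel may carry the
    full account number; SMS, e-mail or letter get the masked form."""
    shown = account if channel == "secure" else mask(account)
    return f"Payment of EUR {amount} from account {shown} executed"
```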
[1] The payment integrator provides the payee (i.e. the e-merchant) with a standardised interface to the payment services provided by the payment service provider.
[2] For example, the system's exposure to session hijacking, SQL injection, cross-site scripting, buffer overflow, etc.
[3] For example, the risks associated with the use of media applications, browser plug-ins, frames, external links, etc.
[4] "Every program and every user of the system should operate using the least set of privileges necessary to complete the job." See Saltzer, J. H., "Protection and the control of information sharing in Multics", Communications of the ACM (1974), volume 17, no. 7, p. 388.
[5] Privacy protection.
[6] Data minimisation applies to personal data: only the minimum necessary to carry out the specified functions is collected.
[7] The Law on the Prevention of Money Laundering and Terrorism Financing and related regulations.
[8] For example, Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (OJ L 309, 25.11.2005, p. 15-36). See also Commission Directive 2006/70/EC of 1 August 2006 laying down implementing measures for Directive 2005/60/EC of the European Parliament and of the Council as regards the definition of "politically exposed person" and the technical criteria for simplified customer due diligence procedures and for exemption on grounds of a financial activity conducted on an occasional or very limited basis (OJ L 214, 04.08.2006, p. 29-34).
[9] For example, a passport, identity card or secure electronic signature.
[10] The customer identification procedure is without prejudice to any exceptions provided for in the existing legislation on money laundering. The payment service provider need not carry out a separate customer identification procedure for internet payment services provided that such customer identification has already been carried out, for example, in connection with other existing payment services or with the opening of the account.
[11] This information complements Article 64 of the Law on Payment Services and Electronic Money, which specifies the information that the payment service provider shall provide to the payment service user before concluding a contract for the provision of payment services.
[12] See Article 81 of the Law on Payment Services and Electronic Money on restrictions on the use of a payment instrument.
[13] See the description of low-value payment instruments in Article 62 and the first paragraph of Article 78 of the Law on Payment Services and Electronic Money.
[14] The payment service provider's area of responsibility, depending on the customer and on the service the payment service provider offers, in which authentication and confidential/protected information are also supported: i) the payment service provider's premises; ii) the internet bank or other secure websites; iii) ATM services. (ATMs require secure customer authentication. Such authentication is typically provided by chip and PIN or chip and biometric standards.)
[15] An IP address is a unique numeric code that identifies each computer connected to the internet.
[16] A "GEO-IP" check verifies whether the issuing country matches the IP address from which the user initiates a transaction.
[17] Secure or end-to-end encryption refers to encryption at the source system with the corresponding decryption at the final destination (ETSI EN 302 109 V1.1.1 (2003-06)).
[18] For example, a dedicated mailbox on the payment service provider's secure website.
[19] In this context, social engineering means techniques for manipulating people into disclosing information, for example by e-mail or telephone, or obtaining information from social networks, for the purpose of fraud or of gaining unauthorised access to a computer or network.
[20] Payment limits may be applied generally (i.e. to all payment instruments that allow internet payments) or individually.
[21] Except in emergency situations, for technical reasons, or during a major incident.