Cybersecurity Statement of Guidance for Regulated Entities
Weekly insights from CIMA’s Cybersecurity Guidance
Insight #7 | Section 9: IT System Controls and Use of the Internet
We continue to discuss other requirements for regulated entities’ cybersecurity program.
The following key requirements should be considered:
Payment Cards & Systems
Regulated entities that accept, store, process, and/or transmit cardholder data should:
Ensure they are in compliance with Payment Card Industry Data Security Standard (PCI DSS);
Implement secure measures that apply to payment systems such as point of sale (PoS) terminals, online services and payments (mobile platforms, etc.); and
Conduct a risk assessment to identify possible fraud scenarios.
Use of the Internet
Regulated entities should:
Establish policies and controls to guard against attacks, and to minimise the impact of attacks, on internet systems through which they provide financial services and clients transact;
Ensure that transactions performed over the internet, as well as credentials, personal data and sensitive personal data, are protected, authenticated and secured against exploits such as account takeovers;
Evaluate security requirements associated with Internet systems and adopt industry standard encryption algorithms;
Consider the deployment of two-factor authentication (2FA) for all types of online financial systems, and transaction signing for authorising transactions;
Maintain high resiliency and availability of online and supporting systems;
Put in place measures to plan and track capacity utilisation and guard against attacks such as denial of service (DoS) attacks;
Take appropriate measures to minimise exposure to other forms of cyber attack, such as Business E-mail Compromise (BEC) attacks; and
Ensure that adequate information about the regulated entity, including its physical address and head office, is provided on its website.