Decree No. 2/2022 Coll.
Decree amending Decree No. 7/2018 Coll., on certain conditions for the performance of the activities of a payment institution, a payment account information administrator, a small-scale payment service provider, an electronic money institution and a small-scale electronic money issuer
Valid
Effective from 01.07.2022
2
DECREE
of 22 December 2021
amending Decree No 7/2018 Coll., on certain conditions for the performance of the activities of a payment institution, a payment account information administrator, a small-scale payment service provider, an electronic money institution and a small-scale electronic money issuer
The Czech National Bank stipulates, pursuant to Section 263 of Act No 370/2017 Coll., on payment systems, for the implementation of Section 16 (5), Section 17 (3), Section 20 (4), Section 46 (2), Section 48 (4), Section 59 (4), Section 65a (2), Section 74 (6), Section 75 (3), Section 78 (4) and Section 100 (4) of that Act:
Decree No 7/2018 Coll., on certain conditions for the performance of the activities of a payment institution, a payment account information administrator, a small-scale payment service provider, an electronic money institution and a small-scale electronic money issuer, is amended as follows:
1. Section 1, including the title and footnote 1, reads as follows:
"Subject matter
This Decree implements the relevant provisions of the European Union 1) and lays down
(a) the manner in which certain requirements for the management and control system of a payment institution, an electronic money institution and a payment account information administrator are met;
(b) the manner in which the requirements for the security and operational risk management system and the complaints and claims handling system of a small-scale payment service provider and a small-scale electronic money issuer are met;
(c) the rules for calculating the amount of own funds and the capital adequacy of a payment institution and an electronic money institution, including the individual approaches that may be applied in the calculation of capital adequacy;
(d) the minimum level of insurance indemnity and the minimum level of comparable collateral for a payment institution, an electronic money institution and a payment account information administrator.
1) Article 4(46), Article 8(2), Article 9, Article 9(1) / part / EU and Article 9(2) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. Article 5(2), Article 5(3), Article 5(4) and Article 5(6) of Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions."
2. Part two, including the title, reads:
METHOD OF IMPLEMENTATION OF CERTAIN REQUIREMENTS
METHOD OF IMPLEMENTATION OF CERTAIN REQUIREMENTS FOR MANAGEMENT AND CONTROL SYSTEM OF PAYMENT INSTITUTIONS
(Re Section 20 (4) of the Act)
Internal rules
(1) The payment institution shall incorporate the requirements laid down for the management and control system and the procedures for their implementation into its internal rules, by which is meant the strategies, organisational rules, plans and other internal policies and procedures of the payment institution.
(2) The payment institution shall establish and apply a procedure for the adoption and amendment of internal rules and shall ensure that internal rules are regularly evaluated and, where appropriate, adjusted.
(3) The payment institution shall ensure that its internal rules are consistent with the information provided in the application for authorisation to operate as a payment institution or its annexes, on the basis of which the authorisation was granted, as amended, where applicable, in accordance with Section 11 of the Act.
(4) The payment institution shall take into account in its internal rules the guidelines and recommendations issued by the European Banking Authority, the European Securities and Markets Authority, the European Insurance and Occupational Pensions Authority or the Joint Committee of the European Supervisory Authorities and addressed to payment service providers.
(5) The payment institution shall ensure that all staff are familiar with and comply with the relevant internal rules, and any changes thereto, to the extent necessary.
Approval and decision-making processes
The payment institution shall ensure that the authorisation for the approval and signature of documents in the context of the activity of the payment institution is clearly established and that all relevant approval and decision-making processes and control activities, including the related responsibilities and powers in the context of the activity of the payment institution and its internal rules, can be recorded, stored and traced and reconstructed. To this end, it shall also adjust its information and communication systems accordingly.
Security and operational risk management system
(1) The payment institution shall establish adequate risk mitigation measures and control mechanisms to manage the security and operational risks associated with the payment services it provides. The payment institution shall establish and maintain effective procedures for managing security and operational incidents, including for the detection and classification of serious security and operational incidents.
(2) Within the security and operational risk management system, the payment institution shall also manage risks in the field of information and communication technologies and security, which include at least:
(a) the risk of loss as a result of a breach of the confidentiality of data, of the integrity of systems and data, or of the availability of systems and data, or as a result of the inability to change information and communication systems within a reasonable time and at reasonable cost where the environment or activities change;
(b) security risks arising from inadequate or failed internal processes or from external events, including cyber attacks or inadequate physical security.
(3) The details of the management of risks in the field of information and communication technologies and security to which the payment institution is or could be exposed in connection with the payment services it provides are set out in the Annex to this Decree.
(4) The payment institution shall develop an information security policy defining the principles and rules for the protection of the confidentiality, integrity and availability of the data and information of the payment institution and of payment service users. The payment institution shall, in its internal rules, set out the security measures in accordance with the risk management details laid down in the Annex to this Decree.
Complaints and claims handling system
(1) The payment institution shall establish and apply procedures for handling complaints and claims of payment service users which:
(a) are approved by the person who actually manages the activities of the payment institution in the field of the provision of payment services, who shall also check compliance with them on an ongoing basis;
(b) are laid down in an internal regulation;
(c) enable their proper investigation and ensure the identification and mitigation of potential conflicts of interest in their handling.
(2) The payment institution shall keep an internal record of complaints and claims and of their handling, in accordance with the time limits laid down, in a manner that complies with information security requirements.
(3) The payment institution shall set up the complaints and claims handling system so as to be able to provide the Czech National Bank, on request and without undue delay, with information on complaints and claims, including the specific procedures for handling them.
(4) The payment institution shall continuously analyse data on complaints and claims and the results of their handling in order to identify and address any systemic deficiencies and potential risks; it shall at least:
(a) analyse the reasons for individual complaints and claims and identify the root causes of each type of complaint and claim;
(b) assess whether the identified root causes may affect other processes, services or products, including those not directly concerned by the complaint or claim;
(c) in the case of systemic deficiencies, always remove the identified causes of complaints and claims.
(5) The payment institution shall
(a) provide the payment service user, on request and in every case together with the confirmation of receipt of a complaint or claim, with written information on its complaints and claims handling procedure, in Czech or in another language if so agreed with the payment service user;
(b) make the information referred to in point (c) available to payment service users and to the public via the e-mail addresses of payment service users or in any other manner agreed with them, in its business premises and, where it operates websites, also on those websites, at least in Czech;
(c) provide comprehensive, accurate and up-to-date information on the complaints and claims handling procedure, including:
1. details of how to file a complaint or claim, in particular the type of information the payment service user must provide and the contact details of the person or unit of the payment institution to which the complaint or claim is to be sent;
2. information on the period within which the payment service user will be informed of the handling of the complaint or claim and the indicative time limit for handling it;
3. substantive interim information on the handling of the complaint or claim;
4. the contact details of the Czech National Bank, the Office of the Financial Arbiter and the Office of the Ombudsman.
(6) The payment institution shall
(a) make the efforts that can reasonably be required of it to obtain and verify all relevant evidence and information relating to the complaint or claim;
(b) communicate with the payment service user in a simple and understandable way;
(c) provide a response without undue delay and no later than within the time limits laid down in Section 258 of the Act; if it is unable to meet those time limits, it shall inform the payment service user of the reasons for the delay and of the date by which the handling of the complaint or claim will be completed;
(d) where its response does not fully meet the demands of the payment service user, explain the resolution of the complaint or claim in detail and inform the payment service user of the possibility of maintaining the complaint or claim and of turning to the Office of the Financial Arbiter, the Czech National Bank or, as regards the right to equal treatment and protection against discrimination, the Office of the Ombudsman, or to a court, including the contact details of that institution.
METHOD OF IMPLEMENTATION OF CERTAIN REQUIREMENTS FOR THE MANAGEMENT AND CONTROL SYSTEM OF AN ELECTRONIC MONEY INSTITUTION
(Re Section 78 (4) of the Act)
Sections 2 to 5 shall apply mutatis mutandis to an electronic money institution.
METHOD OF IMPLEMENTATION OF CERTAIN REQUIREMENTS FOR THE MANAGEMENT AND CONTROL SYSTEM OF A PAYMENT ACCOUNT INFORMATION ADMINISTRATOR
(Re Section 48 (4) of the Act)
(1) Sections 2 and 3 shall apply mutatis mutandis to a payment account information administrator.
(2) In order to meet the requirements for the security and operational risk management system, the payment account information administrator shall proceed mutatis mutandis in accordance with Section 4.
(3) In order to meet the requirements for the handling of complaints and claims, the payment account information administrator shall proceed mutatis mutandis in accordance with Section 5.
METHOD OF IMPLEMENTATION OF THE REQUIREMENTS FOR THE SECURITY AND OPERATIONAL RISK MANAGEMENT SYSTEM AND THE COMPLAINTS AND CLAIMS HANDLING SYSTEM OF A SMALL-SCALE PAYMENT SERVICE PROVIDER
(Re Section 59 (4) of the Act)
(1) A small-scale payment service provider shall incorporate the requirements laid down for the security and operational risk management system and the complaints and claims handling system into its internal rules and, in order to meet the requirements for such internal rules, shall proceed mutatis mutandis in accordance with Section 2 (2) to (5).
(2) In order to meet the requirements for approval and decision-making processes concerning the security and operational risk management system and the complaints and claims handling system, a small-scale payment service provider shall proceed mutatis mutandis in accordance with Section 3.
(3) In order to meet the requirements for the system for managing the security and operational risks associated with the provision of payment services, a small-scale payment service provider shall proceed mutatis mutandis in accordance with Section 4.
(4) In order to meet the requirements for the complaints and claims handling system, a small-scale payment service provider shall proceed mutatis mutandis in accordance with Section 5.
METHOD OF IMPLEMENTATION OF THE REQUIREMENTS FOR THE SECURITY AND OPERATIONAL RISK MANAGEMENT SYSTEM AND THE COMPLAINTS AND CLAIMS HANDLING SYSTEM OF A SMALL-SCALE ELECTRONIC MONEY ISSUER
(Re Section 100 (4) of the Act)
(1) A small-scale electronic money issuer shall incorporate the requirements laid down for the security and operational risk management system and the complaints and claims handling system into its internal rules and, in order to meet the requirements for such internal rules, shall proceed mutatis mutandis in accordance with Section 2 (2) to (5).
(2) In order to meet the requirements for approval and decision-making processes concerning the security and operational risk management system and the complaints and claims handling system, a small-scale electronic money issuer shall proceed mutatis mutandis in accordance with Section 3.
(3) In order to meet the requirements for the security and operational risk management system, a small-scale electronic money issuer shall proceed mutatis mutandis in accordance with Section 4.
(4) In order to meet the requirements for the complaints and claims handling system, a small-scale electronic money issuer shall proceed mutatis mutandis in accordance with Section 5."
Footnotes 2 to 4 are deleted.
3. Section 27 (4) reads as follows:
"(4) A payment institution which also carries out business activities other than those it is authorised to perform on the basis of an authorisation granted under the Act (hereinafter referred to as "hybrid payment institution") shall not include in the own funds determined under paragraph 1 those items or parts thereof which are used for the pursuit of activities other than those for which it is authorised under the Act."
4. In Section 34, the following paragraph 1 is inserted at the beginning:
"(1) Capital shall be calculated mutatis mutandis as own funds under Article 4(1)(118) of the Regulation."
The existing paragraphs 1 to 5 are renumbered as paragraphs 2 to 6.
5. Section 34 (4) reads as follows:
"(4) An electronic money institution which also carries out business activities other than those it is authorised to perform under an authorisation granted under the Act shall not include in the own funds determined under paragraph 1 those items or parts thereof which are used for the pursuit of activities other than those for which it is authorised under the Act."
6. The following Annex is added:
"Annex to Decree No 7/2018 Coll.
Details on risk management in ICT and security
Proportionality
1. The payment institution shall comply with the requirements for the management of risks in the field of information and communication technologies and security (hereinafter referred to as "ICT and security risks") in a manner appropriate to its size, its organisational structure and the nature, scale, complexity and riskiness of the services and products it provides or intends to provide.
Strategic and operational management, organisational arrangements
2. The person who actually manages the activities of the payment institution in the field of the provision of payment services (hereinafter referred to as "the manager") shall ensure that the payment institution has an adequate internal governance and internal control framework for ICT and security risks. The manager shall clearly define the roles and responsibilities for ICT functions, for ICT and security risk management, including information security, and for the business continuity and continued functioning of the payment institution, including the manager's own role.
3. The manager shall ensure that the number of staff of the payment institution and their skills and experience are adequate for the ongoing support of the payment institution's operations in the field of information and communication technologies, for ICT and security risk management and for the implementation of its ICT strategy, including the budget allocated to it. The payment institution shall ensure that all staff receive appropriate training at least once a year on ICT and security risks, including information security (point 49).
4. The manager shall be responsible for establishing and approving the payment institution's ICT strategy within the framework of its overall strategy, for overseeing the implementation of that strategy and for establishing an effective ICT and security risk management framework.
5. The ICT strategy shall be consistent with the overall strategy of the payment institution and shall define:
(a) how the payment institution's information and communication technologies should evolve in order to effectively support its overall strategy, including the expected organisational developments, changes to information and communication technology systems (hereinafter referred to as "ICT systems") and key third-party dependencies;
(b) the planned strategy and development of the ICT architecture, including third-party dependencies;
(c) clear objectives in the field of information security, focusing on ICT systems and services, staff and processes in the field of information and communication technologies.
6. The payment institution shall establish sets of action plans containing the measures necessary to implement the ICT strategy. Those plans shall be communicated to all relevant staff and other relevant persons, including suppliers and external providers of services or activities, meaning outsourcing providers, intra-group providers within the group of which the payment institution is a member, or other external providers (hereinafter referred to as "external providers"), where applicable and relevant. The payment institution shall regularly review the action plans to ensure their continued relevance and suitability. The payment institution shall establish processes to monitor and evaluate the effectiveness of the implementation of its ICT strategy.
7. The payment institution shall ensure that the risk mitigation measures defined under its risk management system remain effective even where any operational functions of the provision of payment services, ICT systems or services in the field of information and communication technologies (hereinafter referred to as "ICT services") are outsourced.
8. For the smooth use of ICT systems and ICT services, the payment institution shall ensure that contracts and similar service level agreements with all external providers include:
(a) the objectives and measures related to information security, including specific requirements and criteria; in this respect at least the minimum requirements for cyber security, the specifications of the payment institution's data life cycle, all requirements concerning data encryption, network security and security monitoring processes, and the location of data centres;
(b) operational procedures and procedures for handling a single event or a series of linked events not planned by the payment institution which has or is likely to have an adverse impact on the integrity, availability, confidentiality or authenticity of services (hereinafter referred to as "security and operational incident"), including escalation to a higher level of management and reporting.
9. The payment institution shall monitor and ensure that external providers meet the required level of the payment institution's security objectives, measures and operational tasks that have been outsourced.
ICT and security risk management system
10. The payment institution shall identify and manage the ICT and security risks to which it is or could be exposed in relation to the payment services it provides. In doing so, it shall apply procedures and controls ensuring that all such risks are identified, assessed, measured, monitored, reported and limited in accordance with the payment institution's approved risk appetite, and that the projects and systems implemented and the activities carried out comply with the other internal rules laid down by the payment institution and with the requirements laid down by legislation, regulations or remedial measures imposed by the Czech National Bank.
11. The payment institution shall assign the responsibility for the management and oversight of ICT and security risks to a control function. The payment institution shall ensure the independence and objectivity of this control function by appropriately segregating it from ICT operations. This control function shall report directly to the manager and shall be responsible for monitoring and controlling adherence to the ICT and security risk management system. It shall also ensure that ICT and security risks are identified, assessed, measured, monitored and reported. The payment institution shall ensure that this control function is not responsible for any internal audit.
12. In order to ensure an effective ICT and security risk management system, the payment institution shall define the key roles and responsibilities, the relevant reporting lines and the corresponding responsibilities. The payment institution shall ensure that ICT and security risk management is fully integrated into its overall risk management system, including by ensuring the effectiveness and consistency of the links within that system and consistency with the other processes of the risk management system.
13. The ICT and security risk management system shall include processes for:
(a) determining the appetite for ICT and security risks in accordance with the payment institution's overall risk appetite;
(b) identifying and assessing the ICT and security risks to which the payment institution is exposed;
(c) adopting measures to reduce the occurrence or impact of those risks;
(d) monitoring the effectiveness of those measures and the number of reported security and operational incidents in the field of payments, including those under Section 221 of the Act, that affect information and communication technology activities and, where necessary, adopting measures;
(e) reporting those risks and measures to the manager;
(f) identifying and assessing those risks arising from any significant change to ICT systems and ICT services, processes or procedures, or following any significant security and operational incident.
14. The payment institution shall ensure that the ICT and security risk management system is properly documented and continuously improved on the basis of lessons learned. The manager shall approve and review the settings of the ICT and security risk management system at least once a year.
15. The payment institution shall identify and map its business functions, roles and supporting processes in terms of their importance and their interdependencies in relation to ICT and security risks.
16. The payment institution shall also identify the information to be protected (hereinafter referred to as "information assets") that supports business functions and supporting processes, and shall establish and keep up to date a record of them. The payment institution shall at all times be able to manage the information assets that support its critical business functions and processes.
17. The payment institution shall classify the identified business functions, supporting processes and information assets referred to in points 15 and 16 in terms of their criticality.
18. In order to define the criticality of the identified business functions, supporting processes and information assets, the payment institution shall at least consider the confidentiality, integrity and availability requirements. The payment institution shall clearly define the duties and responsibilities regarding information assets.
19. The payment institution shall review the adequacy of the classification of information assets and of the relevant documentation whenever it carries out a risk assessment.
20. The payment institution shall identify the ICT and security risks that affect the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment, including its documentation, shall be carried out at least once a year and whenever there is a major change to the infrastructure, processes or procedures affecting business functions, supporting processes or information assets. On that basis, the payment institution shall update the current risk assessment.
21. The payment institution shall continuously monitor the threats and vulnerabilities relevant to business functions, supporting processes and information assets and shall regularly review the risk scenarios affecting them.
22. On the basis of the risk assessment, the payment institution shall determine the measures to reduce the identified ICT and security risks to a level consistent with its risk appetite. The payment institution shall also determine whether changes to existing business processes, control measures, ICT systems and ICT services are needed. The payment institution shall consider the time needed to implement such changes and the time needed to take appropriate interim measures so as to limit ICT and security risks to a level it is willing to accept.
23. The payment institution shall take measures to limit the identified ICT and security risks and to protect information assets in accordance with their classification.
24. The payment institution shall ensure that the results of the risk assessment are reported to the manager clearly and in a timely manner.
Internal audit of ICT and security risks
25. The internal audit function shall apply a risk-based approach and shall independently review the compliance of all the payment institution's activities related to information and communication technologies and security with the payment institution's policies and procedures and with external requirements, examine whether those policies and procedures are respected in the departments concerned, and provide objective independent assurance. The internal audit function, whether provided by the payment institution internally or externally, shall regularly provide the manager with independent assurance on the effectiveness of the ICT and security risk management system. Staff providing the internal audit function shall be competent and sufficiently experienced with regard to ICT and security risks and payments, and shall be independent within or from the payment institution. The frequency and focus of audits shall be commensurate with the severity of those risks.
26. The manager shall approve the audit plan, including any audits in the field of information and communication technologies and any substantial changes thereto. The audit plan and its implementation, including the frequency of audits, shall reflect the inherent ICT and security risks of the payment institution, shall be proportionate to those risks and shall be updated regularly.
27. The payment institution shall establish arrangements for the timely verification and remediation of critical audit findings in the field of information and communication technologies.
Information security
Information security policy
28. The payment institution shall ensure that the information security policy is consistent with the objectives of the payment institution in the field of information security and is based on the results of the risk assessment. Information security policy shall be approved by the manager.
29. Security policy shall include a description of the main roles and responsibilities in the field of information security management and the requirements for staff and external providers, processes and technologies related to information security. All personnel and external providers shall be required to ensure the security of the information of the payment institution corresponding to the activities they carry out, the tasks entrusted to them and the powers they possess. The information security policy shall ensure the confidentiality, integrity and availability of critical logical and physical assets, resources and sensitive data of the payment institution both on deposit and on transfer and use. All workers and external providers are familiar with the security policy.
30. On the basis of the information security policy, the payment institution shall take security measures to limit the risks of ICT and the security to which it is or might be exposed. The measures cover the following areas:
(a) internal governance in accordance with the requirements of points 10, 11 and 25;
(b) logical safety,
(c) physical safety,
(d) security of information and communication technology operations;
(e) security monitoring;
(f) reviews, evaluations and testing of information security;
(g) training and information in the field of information security.
Logical safety
31. The payment institution shall establish, document and apply procedures for logical access control, including checks to monitor anomalies. The payment institution shall monitor the application of these procedures and review them regularly. Such procedures shall be based at least on the following principles:
(a) the need-to-know principle, the principle of least privilege and the principle of segregation of duties; the payment institution manages access rights to information assets and their supporting systems in such a way that a user, including a system user (hereinafter referred to as the "user"), knows only what is necessary, even in the case of remote access; users have only those access rights that are strictly necessary to fulfil their duties, in order to prevent unauthorised access to large sets of data or the allocation of combinations of access rights that could be used to circumvent control measures;
(b) the principle of user accountability; the payment institution shall, as far as possible, limit the use of generic and shared user accounts and ensure that users can be identified for the actions they carry out in ICT systems;
(c) the principle of privileged access rights; the payment institution strictly controls privileged access to systems by strictly limiting administrator accounts and other accounts with elevated access rights and by closely supervising those accounts; remote administrative access to critical ICT systems is granted only on a need-to-know basis and only where strong authentication of the user is used;
(d) the principle of logging user activity; the payment institution shall ensure that audit records are kept and that at least all activities of privileged users are monitored, that access records are secured so as to prevent their unauthorised modification or deletion, and that they are retained for a period commensurate with the criticality of the identified business functions, supporting processes and information assets; the payment institution uses this information to facilitate the identification and investigation of unusual activities in the provision of services;
(e) the principle of access management; the payment institution shall ensure that access rights are granted, withdrawn or modified in a timely manner, in accordance with predetermined approval procedures involving the owner of the information asset; on termination of an employment relationship or a similar relationship, access rights are withdrawn immediately;
(f) the principle of reviewing access rights; the payment institution ensures that access rights are reviewed regularly so that users do not hold excessive privileges and that access rights are withdrawn as soon as they are no longer necessary;
(g) the principle of adequate authentication methods; the payment institution shall enforce authentication methods that are robust enough to ensure, adequately and effectively, compliance with the access control principles and procedures and that are commensurate with the criticality of the ICT systems, information or processes being accessed, including at least complex passwords, two-factor authentication or other strong authentication methods, depending on the risk involved.
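The principles in paragraph 31 are phrased as obligations, not mechanisms. The following added example (not part of the decree or of any institution's code) shows what a periodic access-rights review implementing them can look like in practice: it walks a roster of accounts and flags terminated users with live rights (e), shared accounts (b), privileged rights without strong authentication (c, g), segregation-of-duties conflicts (a) and grants that missed their recertification window (f). The rights names, the toxic-combination list, the 90-day cadence and every account in the roster are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed rights model for the illustration (not from the decree):
# combinations a single user must never hold (segregation of duties).
TOXIC_COMBINATIONS = [
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"user.admin", "audit.log.delete"}),
]
PRIVILEGED_RIGHTS = {"user.admin", "db.admin", "audit.log.delete"}
RECERT_MAX_DAYS = 90  # assumed recertification cadence


@dataclass
class Account:
    uid: str
    employed: bool              # False once the employment relationship has ended
    shared: bool = False        # generic/shared account with no single owner
    strong_auth: bool = False   # two-factor or other strong authentication enrolled
    rights: set = field(default_factory=set)
    last_review: date = date(2022, 1, 1)


def review_access(accounts, today):
    """Return (uid, principle letter, detail) findings for every account that
    breaks one of the principles (a)-(g) of paragraph 31."""
    findings = []
    for acc in accounts:
        if not acc.rights:
            continue  # nothing granted, nothing to review
        if not acc.employed:
            findings.append((acc.uid, "e", "rights still active after termination"))
        if acc.shared:
            findings.append((acc.uid, "b", "shared account holds rights; no user accountability"))
        priv = acc.rights & PRIVILEGED_RIGHTS
        if priv and not acc.strong_auth:
            findings.append((acc.uid, "c/g",
                             f"privileged rights {sorted(priv)} without strong authentication"))
        for combo in TOXIC_COMBINATIONS:
            if combo <= acc.rights:
                findings.append((acc.uid, "a",
                                 f"segregation-of-duties conflict {sorted(combo)}"))
        if (today - acc.last_review).days > RECERT_MAX_DAYS:
            findings.append((acc.uid, "f", "access rights not recertified within the review period"))
    return findings


# Constructed sample roster (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", employed=True, strong_auth=True,
            rights={"payment.create"}, last_review=date(2022, 5, 1)),
    Account("bob", employed=True, rights={"user.admin"}, last_review=date(2022, 6, 1)),
    Account("carol", employed=False, rights={"payment.create"}, last_review=date(2022, 1, 1)),
    Account("svc-batch", employed=True, shared=True,
            rights={"payment.create", "payment.approve"}, last_review=date(2022, 6, 15)),
    Account("dave", employed=True, strong_auth=True, rights=set(), last_review=date(2021, 1, 1)),
]


def run_sample():
    """Run the review against the constructed roster as of a fixed date."""
    return review_access(SAMPLE_ACCOUNTS, date(2022, 7, 1))


if __name__ == "__main__":
    for uid, principle, detail in run_sample():
        print(f"{uid:10} ({principle}) {detail}")
```

The review is deliberately data-driven: the roster would normally be exported from the identity provider and the ticketing system, and the findings fed to the information-asset owners named in principle (e), who approve the revocation. Note that an account with no rights at all generates no finding even if it was never reviewed, which is the least-privilege end state the review is steering towards.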
32. The payment institution shall ensure that remote access to applications, data and ICT systems is limited to the minimum necessary to provide the relevant service.
Physical security
33. A payment institution shall establish, document and apply measures for the physical security of a payment institution to ensure the protection of its premises, data centres and sensitive areas from unauthorised access and from environmental risks.
34. The payment institution shall ensure that physical access to ICT systems is granted only to authorised persons, that the authorisation is granted in accordance with the tasks and responsibilities of the person concerned, and that it is limited to persons who are properly trained and whose activities are monitored. The payment institution shall ensure that physical access is reviewed regularly and that access rights which are no longer needed are revoked.
35. The payment institution shall take appropriate measures to protect against environmental risks which are proportionate to the importance of the buildings and the critical nature of the operations or ICT systems located in such buildings.
Security of ICT operations
36. The payment institution shall establish, document and apply procedures to prevent and minimise the impact of security incidents in ICT systems and ICT services. Such procedures shall include:
(a) identifying potential vulnerabilities, which are evaluated and remedied by updating software and firmware, including software provided by the payment institution to users, by applying critical security patches or by introducing compensating measures;
(b) implementing requirements for a baseline configuration of all network components;
(c) introducing network segmentation, data loss prevention systems and encryption of network traffic in accordance with data classification;
(d) introducing endpoint protection, including servers, workstations and mobile devices; before such endpoints are allowed access to the business network, the payment institution shall assess whether they comply with the defined security standards;
(e) the introduction of mechanisms for verifying the integrity of software, firmware and data;
(f) encryption of stored and transmitted data in accordance with data classification.
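Point (e) requires a mechanism for verifying the integrity of software, firmware and data but leaves the mechanism open. As an added illustration (not part of the decree or of any institution's code), the following shows one common shape of such a mechanism: a manifest of SHA-256 digests protected by an HMAC, verified before a release or firmware set is trusted. The file contents, file names and the key are constructed for the example; in a real deployment the manifest would be signed with a key held off the verified host, and the verifier would read files from disk rather than from a dictionary.

```python
import hashlib
import hmac
import json


def _canonical(digests):
    """Stable byte encoding of the digest table, so the MAC covers exactly one form."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key):
    """Produce a JSON manifest: per-file SHA-256 digests plus an HMAC over them.
    `files` maps file name -> bytes (in-memory stand-in for a release directory)."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    mac = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return json.dumps({"digests": digests, "mac": mac})


def verify_manifest(manifest_json, files, key):
    """Return a sorted list of problems; an empty list means every file verified.
    The manifest MAC is checked first: if it fails, nothing else is trusted."""
    manifest = json.loads(manifest_json)
    digests, mac = manifest["digests"], manifest["mac"]
    expected = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return ["manifest MAC invalid"]
    problems = []
    for name, digest in digests.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            problems.append(f"digest mismatch: {name}")
    for name in files:
        if name not in digests:
            problems.append(f"unlisted: {name}")  # unexpected extra artefact
    return sorted(problems)


# Constructed sample release and key (not real artefacts).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_FILES = {"app.bin": b"release 1.0", "firmware.img": b"fw 2.3"}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, DEMO_KEY)
    print("clean:", verify_manifest(manifest, SAMPLE_FILES, DEMO_KEY))
    tampered = dict(SAMPLE_FILES, **{"firmware.img": b"fw 2.3 modified"})
    print("tampered:", verify_manifest(tampered and manifest, tampered, DEMO_KEY))
```

Two design points matter for the control the decree is asking for: the digest table is encoded canonically before it is authenticated, so a re-serialised manifest cannot slip a different table past the same MAC, and both the MAC and the per-file digests are compared with `hmac.compare_digest` rather than `==`.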
37. The payment institution shall continuously examine whether changes to the existing operational environment affect existing security measures or require further measures to mitigate risks. The payment institution shall ensure that such changes are properly planned, tested, documented, approved and implemented.
Security monitoring
38. The payment institution shall carry out ongoing security monitoring. To this end, it shall establish, document and apply procedures to detect and respond to unusual activities which may have an impact on the payment institution's information security. As part of ongoing security monitoring, the payment institution shall be able to detect and report physical or logical intrusions and breaches of the confidentiality, integrity and availability of information assets. The payment institution shall monitor:
(a) relevant internal and external factors, including business functions and administrative functions in the field of ICT;
(b) transactions to detect misuse of access by a third party or within a payment institution;
(c) potential internal and external threats.
39. The payment institution shall have an organisational structure which allows it to continuously identify and monitor security threats with a significant influence on its ability to provide services. The payment institution shall actively monitor technological developments in order to be aware of security risks. The payment institution shall in particular apply measures to identify possible leaks of information, malicious code and other security threats, as well as publicly known vulnerabilities in software and hardware, and to check for corresponding new security updates.
40. Security monitoring helps the payment institution understand the nature of security and operational incidents, identify trends and support its investigations.
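Paragraphs 38 and 39 require detection of unusual activity, misuse of access and threats, and paragraph 31(d) requires the audit records that make this possible. The following added example (not from the decree or any institution's tooling) runs three simple detections over constructed audit log lines: privileged-account activity outside an agreed administration window, one user reading an unusually large number of distinct customer records (misuse of access), and a burst of failed logins. The log format, the thresholds, the user names and every log line are assumptions made up for the illustration; a malformed line is reported rather than silently dropped, since a gap in the evidence is itself worth a look.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> user=<id> action=<verb> result=<ok|fail> [record=<id>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+)(?: record=(?P<record>\S+))?$"
)

PRIVILEGED_USERS = {"admin-bob"}   # constructed; would come from the IAM inventory
ADMIN_HOURS = range(7, 20)         # assumed allowed window, 07:00-19:59
BULK_READ_THRESHOLD = 3            # distinct records per user; low so the sample trips it
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_anomalies(lines):
    """Return a list of alert tuples; the first element names the rule that fired."""
    alerts = []
    reads = defaultdict(set)   # user -> distinct records read
    failures = Counter()       # user -> failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparseable", line.strip()))
            continue
        if ev["user"] in PRIVILEGED_USERS and ev["ts"].hour not in ADMIN_HOURS:
            alerts.append(("privileged_off_hours", ev["user"], ev["ts"].isoformat()))
        if ev["action"] == "read" and ev["record"]:
            reads[ev["user"]].add(ev["record"])
        if ev["action"] == "login" and ev["result"] == "fail":
            failures[ev["user"]] += 1
    for user, records in reads.items():
        if len(records) > BULK_READ_THRESHOLD:
            alerts.append(("bulk_read", user, len(records)))
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("login_failure_burst", user, n))
    return alerts


# Constructed sample audit log (not real data).
SAMPLE_LOG = [
    "2022-07-01T02:13:00 user=admin-bob action=login result=ok",
    "2022-07-01T02:14:10 user=admin-bob action=config_change result=ok",
    "2022-07-01T09:00:00 user=alice action=read result=ok record=cust-1001",
    "2022-07-01T09:00:05 user=alice action=read result=ok record=cust-1002",
    "2022-07-01T09:00:09 user=alice action=read result=ok record=cust-1003",
    "2022-07-01T09:00:12 user=alice action=read result=ok record=cust-1004",
    "2022-07-01T09:01:00 user=carol action=read result=ok record=cust-2001",
    "2022-07-01T10:00:00 user=mallory action=login result=fail",
    "2022-07-01T10:00:02 user=mallory action=login result=fail",
    "2022-07-01T10:00:04 user=mallory action=login result=fail",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

In production the thresholds would be tuned per business function and the alerts routed to the incident-handling process; the point here is that each of the decree's monitoring obligations maps onto a concrete rule over fields the audit records in paragraph 31(d) must already contain (who, what, when, which record).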
Review, evaluation and testing of information security
41. A payment institution shall apply a range of procedures and tools for reviewing, evaluating and testing information security in order to ensure effective identification of vulnerabilities in ICT systems and ICT services, by means of gap analysis against information security standards or other means, compliance reviews, information systems audits and physical security checks. The payment institution shall consider other best practices such as source-code reviews, vulnerability assessments, penetration tests and exercises simulating real penetration into ICT systems.
42. The payment institution shall establish and apply a framework for information security testing which verifies the reliability and effectiveness of its information security measures, taking into account the threats and vulnerabilities identified by its ICT and security risk monitoring and risk assessment.
Regulation Information
| Field | Value |
|---|---|
| Citation | Decree No. 2 / 2022 Coll., amending Decree No. 7 / 2018 Coll., on certain conditions for the performance of the activities of the payment institution, the administrator of payment account information, a small-scale payment service provider, an electronic money institution and a small-scale electronic money issuer |
| Regulation Type | - |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 06.01.2022 |
| Effective from | 01.07.2022 |
| Effective until | - |
| Status | Valid |
Source:
Hlídač státu
(CC BY 3.0 CZ)
The regulation text is for informational purposes only.