E-Wallet Security Controls 1.0

1. The document outlines security controls for e-wallet technology as defined by SAMA, covering registration and general controls.
2. Registration should link each wallet to a single national ID/Iqama and phone number, and use secure validation/authentication as well as one-time passwords. Users should be notified via SMS after registration.
3. General controls include using official app stores, encryption, session timeouts, password policies, multi-factor authentication, activity monitoring and more. The goal is to safeguard privacy, data security, and properly manage accounts.

E-Wallet Security Controls

P.O. Box 2992 Riyadh 11169, Kingdom of Saudi Arabia
Tel.: +966 11 4633 000
www.sama.gov.sa

Table of Contents

Section                                   Page No.
Introduction                              3
Registration Control considerations       3
General Control considerations            3

1- Introduction

Digital innovation and the growth of technologies introduce many opportunities and associated risks. SAMA has been assessing the associated risk, initiating the required controls, and monitoring the maturity of cyber security. Therefore, this document covers the required controls for the innovation of E-Wallet technology.

2- Registration Control considerations:

1- E-Wallet registration should be for one National ID/Iqama and linked to one phone number only.
2- The “Service Provider” should establish a secure process to validate and authenticate users. Validation and authentication should be performed through a trusted party.
3- The E-Wallet registration process should include a one-time password (OTP) mechanism as a form of authentication.
4- The “Service Provider” should notify users through SMS once registration is completed.
5- An E-Wallet should be assigned to one device only.
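As an added illustration (not part of the SAMA document), the following Python model enforces registration controls 1, 3, 4 and 5: one wallet per National ID/Iqama, phone number and device, an OTP step before the wallet is activated, and an SMS notification on completion. Control 2 (validation through a trusted party) is left out; the OTP attempt limit, the wallet-ID format and the in-memory SMS outbox are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

OTP_MAX_ATTEMPTS = 3  # constructed limit; the document does not specify one


@dataclass
class WalletRegistry:
    """Tracks which National ID, phone number and device are already bound to a wallet."""
    by_national_id: dict = field(default_factory=dict)
    by_phone: dict = field(default_factory=dict)
    by_device: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)     # phone -> [national_id, device_id, otp, attempts]
    sms_outbox: list = field(default_factory=list)  # stands in for the SMS gateway

    def start_registration(self, national_id, phone, device_id):
        # Control 1: one National ID/Iqama and one phone number per wallet.
        if national_id in self.by_national_id or phone in self.by_phone:
            raise ValueError("National ID or phone number already linked to a wallet")
        # Control 5: a wallet is assigned to one device only.
        if device_id in self.by_device:
            raise ValueError("device already bound to another wallet")
        # Control 3: a one-time password is required to finish registration.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = [national_id, device_id, otp, 0]
        self.sms_outbox.append((phone, f"Your registration code is {otp}"))
        return otp  # returned only so a caller can simulate the SMS channel

    def complete_registration(self, phone, otp_entered):
        entry = self.pending.get(phone)
        if entry is None:
            raise ValueError("no pending registration for this phone")
        national_id, device_id, otp, attempts = entry
        if attempts >= OTP_MAX_ATTEMPTS:
            del self.pending[phone]
            raise ValueError("too many OTP attempts; restart registration")
        if not hmac.compare_digest(otp.encode(), str(otp_entered).encode()):  # constant-time
            entry[3] += 1
            return False
        wallet_id = f"W-{national_id}"  # constructed ID format
        self.by_national_id[national_id] = wallet_id
        self.by_phone[phone] = wallet_id
        self.by_device[device_id] = wallet_id
        del self.pending[phone]
        # Control 4: notify the user by SMS once registration is completed.
        self.sms_outbox.append((phone, "Your e-wallet registration is complete"))
        return True
```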

3- General Control considerations:

1- The “Service Provider” should use official application stores, and implement detection measures and takedown of malicious apps and websites.
2- The “Service Provider” should develop an installation restriction mechanism for devices with privilege escalation, such as “Jailbreak” on iOS and “Root” on Android.
3- Application and server communications should be encrypted using secure protocols.
4- The “Service Provider” should use non-caching techniques.
5- The “Service Provider” should record logs for all activities, with sufficient detail.
6- The “Service Provider” should implement session timeout configuration.
7- Terms & Conditions should cover “Security Threats, wallet availability, and the fraud reporting process”.
8- The “Service Provider” should conduct an awareness program for all users on a regular basis, covering the terms & conditions and general security awareness such as password sharing.
9- Develop a password policy for registration and operation. The “Service Provider” is required to assess the password policy against best practices. The password policy should include as a minimum:
   a. Length.
   b. Complexity requirements.
   c. Number of incorrect logon attempts.
10- The E-Wallet should be password protected for each log-in.
11- Multi-factor authentication should be implemented for the following processes:
   a) Sign-on;
   b) Transfer from wallet to wallet (for the first time as a minimum);
   c) Payment of utility and government services (for the first time as a minimum);
   d) Password reset;
   e) Wallet reactivation.
12- Multi-factor authentication using a different delivery channel than the one used for sign-on (e.g. a call to customer service, or a callback) should be implemented for transfers of money out of the wallet (e.g. to an IBAN) (for the first time as a minimum).
13- The “Service Provider” should not allow transfers of money from an organization wallet to another organization wallet.
14- The “Service Provider” should conduct continuous monitoring of all activities.
15- The “Service Provider” should develop an inactive accounts policy.
16- The “Service Provider” should develop a process for account deactivation/reactivation.
17- Sensitive information should be protected. The “Service Provider” should develop a process to safeguard the “Privacy” and “Data Security” of these accounts. Such information includes “Displaying name of account owner”.
18- The “Service Provider” should develop a proper process for moving the E-Wallet to a new device.
19- The “Service Provider” should establish a procedure to deactivate accounts if fraud/cyber-attacks occur.
20- The “Service Provider” should maintain the application and release patches and updates when necessary.
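Added example, not from the SAMA document: a policy function that maps wallet operations to the authentication that controls 10 to 13 above demand (MFA on every sign-on, reset and reactivation; first-time MFA for wallet-to-wallet transfers and utility/government payments; out-of-band MFA for the first transfer out of the wallet; organization-to-organization transfers refused), plus a length/complexity check for control 9. The wallet records, the OTP and callback factors, the session-only floor for repeat operations and the password thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed wallet records; "type" distinguishes individual from organization wallets.
WALLETS = {
    "W-1": {"type": "individual"},
    "W-2": {"type": "individual"},
    "ORG-A": {"type": "organization"},
    "ORG-B": {"type": "organization"},
}

MFA = ("password", "otp")  # assumed second factor: OTP delivered over the sign-on channel


@dataclass(frozen=True)
class AuthDecision:
    allowed: bool
    factors: tuple          # factors the user must present before the operation proceeds
    separate_channel: bool  # second factor must arrive via a channel other than sign-on
    reason: str


def required_auth(op, src, dst=None, first_time=False):
    """Map an operation to the minimum authentication the controls demand."""
    # Control 13: money must not move from one organization wallet to another.
    if op == "wallet_transfer" and dst is not None \
            and WALLETS[src]["type"] == WALLETS[dst]["type"] == "organization":
        return AuthDecision(False, (), False, "control 13: org-to-org transfer not allowed")
    # Control 11 a/d/e: MFA every time for sign-on, password reset and reactivation.
    if op in ("sign_on", "password_reset", "reactivation"):
        return AuthDecision(True, MFA, False, "control 11: MFA required")
    # Control 11 b/c: MFA at least on the first wallet transfer or utility/government payment.
    if op in ("wallet_transfer", "utility_payment"):
        if first_time:
            return AuthDecision(True, MFA, False, "control 11: first-time MFA")
        return AuthDecision(True, ("session",), False, "repeat operation: authenticated session")
    # Control 12: the first transfer out of the wallet (e.g. to an IBAN) needs MFA on a
    # different delivery channel than sign-on, such as a callback from customer service.
    if op == "external_transfer":
        if first_time:
            return AuthDecision(True, ("password", "callback"), True, "control 12: out-of-band MFA")
        return AuthDecision(True, ("session",), False, "repeat operation: authenticated session")
    raise ValueError(f"unknown operation: {op}")


def password_policy_ok(pw, min_len=10, min_classes=3):
    """Control 9a/9b: length and complexity; the thresholds here are constructed."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and sum(classes) >= min_classes
```

Control 9c (lockout after a number of incorrect attempts) belongs in the login handler that counts failures per account, not in this stateless check.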
