Central Bank of Kuwait sets deadline for bank card encryption

The Central Bank of Kuwait has mandated that all local and foreign bank branches operating in Kuwait complete the implementation of enhanced security measures for bank card encryption by the end of 2025.
This directive, according to Al-Rai daily, aims to bolster the protection of customer accounts against cyber threats and fraud, aligning with global standards such as the Payment Card Industry Data Security Standard (PCI-DSS).
The timeline set by the Central Bank is shorter than some banks had anticipated, as they had expected the deadline to extend into 2026.
The Central Bank’s initiative focuses on several key areas to strengthen card security:
- Transaction Monitoring — Banks are required to develop mechanisms that monitor financial transactions, considering factors like customer behavior, geographical location, and transaction frequency.
- Customer Control Over Wallet Integration — Customers must have the ability to opt into adding their bank cards to digital wallets such as Apple Pay and Samsung Pay. No transactions related to encrypted cards will occur unless the customer has activated this service.
- Enhanced Authentication for External Wallet Additions — When customers add their bank cards to digital wallets outside the bank’s application, an additional authentication step via the bank’s app is required. Requests from outside Kuwait must be verified by the customer contacting the bank directly.
- Visibility of Card Information — Banks should provide a feature within their applications that allows customers to view their cards registered in digital wallets, specifying the devices used for activation.
This move aligns with Article 32 of the Central Bank’s Instructions for Regulating Electronic Money Payments, issued in May 2023. The article emphasizes the development of policies and controls to detect and combat fraud, requiring banks to inform the Central Bank of any fraud cases within specified timelines and formats.
Tokenization, the process of replacing sensitive card information with a unique identifier or token, offers several advantages:
- Enhanced Security — By using tokens instead of actual card details, the risk of data breaches and fraud is significantly reduced.
- Seamless Integration — Tokenization can be easily integrated into existing payment systems, enhancing security without overhauling infrastructure.
- Compliance with PCI-DSS — Implementing tokenization helps banks comply with PCI-DSS requirements, which are designed to protect cardholder data.
Understanding Card Tokenization
Card tokenization involves replacing sensitive card information, such as the card number, expiration date, and CVV, with a unique token. This token has no exploitable value and can be used in place of the actual card details during transactions. Even if intercepted, the token cannot be used to access the original card information, thereby enhancing transaction security.
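As an added illustration (not part of the original report, and not any bank's or the Central Bank's actual system), the Python sketch below shows vault-based tokenization as described above, together with the customer opt-in and wallet visibility controls listed earlier. The `TokenVault` class, its method names, the device labels, the binding of each token to a single device, and the sample card number are all assumptions constructed for the example.

```python
import secrets

class TokenVault:
    """Constructed in-memory token vault (hypothetical design, not a real API)."""
    def __init__(self):
        self._by_token = {}  # token -> {"pan", "device", "active"}

    def tokenize(self, pan: str, device: str) -> str:
        """Issue a random surrogate for `pan`, bound to one wallet device."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random digits: the token is not derived from the PAN, so it
            # cannot be reversed without a lookup inside the vault.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # last four kept for display only
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = {"pan": pan, "device": device, "active": False}
        return token

    def activate(self, token: str) -> None:
        """Customer opt-in step; a token is unusable until this is called."""
        self._by_token[token]["active"] = True

    def detokenize(self, token: str, device: str) -> str:
        """Resolve a token to its PAN; only the vault holds this mapping."""
        entry = self._by_token.get(token)
        if entry is None:
            raise KeyError("unknown token")
        if not entry["active"]:
            raise PermissionError("token not activated by customer")
        if entry["device"] != device:  # assumed device binding
            raise PermissionError("token presented from a different device")
        return entry["pan"]

    def wallet_view(self, pan: str) -> list:
        """(device, active) pairs for a card: the in-app visibility list."""
        return sorted((e["device"], e["active"])
                      for e in self._by_token.values() if e["pan"] == pan)

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", "phone-A")  # constructed test number
    vault.activate(tok)
    print(tok, vault.wallet_view("4111111111111111"))
```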
The Central Bank’s directive underscores its commitment to strengthening the cybersecurity framework of Kuwait’s banking sector, ensuring that both banks and customers are better protected against evolving digital threats.