Central Bank of Kuwait enhances security for e-wallet transactions
The Central Bank urges banks to boost electronic wallet security by monitoring transactions, preventing coded-card transactions without prior activation, and blocking Apple Pay or Samsung Pay activation from outside Kuwait unless confirmed by the customer.
• The Central Bank of Kuwait mandates banks to use advanced monitoring, add authentication for Apple Pay and Samsung Pay through the bank’s app, and allow customers to manually activate e-wallets.
• The Central Bank requires banks to let customers manually activate the addition of cards to e-wallets like Apple Pay and Samsung Pay, with no automatic activation and no OTP sent without prior activation.
• The Central Bank emphasized the importance of adding a feature to the bank’s application that allows customers to view their cards and identify any electronic wallets, such as Apple Pay or Samsung Pay, linked to them.
The Central Bank of Kuwait has urged local banks to establish robust mechanisms for monitoring financial transactions conducted through coded cards in electronic wallets like Apple Pay and Samsung Pay.
According to Al-Anba newspaper, this initiative involves leveraging card coding technologies and advanced data analytics to enhance banking security. The approach focuses on tracking user behavior, location patterns, and transaction frequency to proactively detect and address potential fraud.
The Central Bank of Kuwait, in an official letter on security controls related to card coding seen by Al-Anba newspaper, has called on banks to implement effective security requirements in their monitoring systems. These requirements include analyzing customer behavior, the geographical location of transactions, and the frequency of operations.
The card coding process (tokenization) enhances the security of electronic payment transactions by replacing sensitive card information, such as the full card number (PAN), with a ‘Token’ code. This code is used to complete transactions instead of the original card data, significantly reducing the risk of data breaches or misuse.
The Central Bank’s requirements emphasize the need for banks to adopt advanced monitoring and analysis techniques to enhance the security of financial operations, prevent fraud, and ensure transactions are conducted safely and legitimately. This involves focusing on analyzing patterns and evaluating transactions based on various security criteria to identify suspicious activities and stop illegal operations before they occur.
The security mechanisms mandated by the Central Bank are based on three key monitoring and analysis elements. The first element focuses on customer behavior by analyzing usual spending patterns, such as transaction amounts, types of operations, and timing.
If a transaction significantly deviates from the established pattern—such as a large purchase or a transaction with an unfamiliar merchant—the system raises an alert or halts the process for verification.
The second element considers geographical location, comparing the transaction’s execution location with the customer’s known location. Transactions from suspicious countries, regions, or locations far from the customer’s usual area may be rejected or require additional confirmation.
The third element involves monitoring the repetition of operations by tracking the number of consecutive transactions within a short time frame. An abnormal increase in activity, such as multiple repeated payment attempts within a brief period, may signal potential fraudulent activity.
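The three monitoring elements described above can be sketched as rules evaluated against a customer's prior token transactions. This is an added example, not code from the Central Bank's letter or from any bank's system; the thresholds, rule names, decision policy, and the constructed sample history (including the placeholder country code used in testing) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Txn:
    ts: datetime
    amount: float
    merchant: str
    country: str

# Assumed thresholds, chosen for illustration only.
Z_LIMIT = 3.0                   # amount deviation, in standard deviations
WINDOW = timedelta(minutes=5)   # velocity look-back window
MAX_IN_WINDOW = 3               # prior transactions tolerated inside the window

def assess(history, txn):
    """Return the monitoring rules that txn triggers against prior history."""
    reasons = []
    amounts = [t.amount for t in history]
    # Element 1: customer behaviour (amount and merchant familiarity).
    if len(amounts) >= 5:
        sigma = pstdev(amounts)
        if sigma > 0 and (txn.amount - mean(amounts)) / sigma > Z_LIMIT:
            reasons.append("behavior:amount")
    if history and txn.merchant not in {t.merchant for t in history}:
        reasons.append("behavior:new_merchant")
    # Element 2: geography, compared with countries already seen for this customer.
    if history and txn.country not in {t.country for t in history}:
        reasons.append("geo:unfamiliar_location")
    # Element 3: repetition of operations within a short time frame.
    recent = [t for t in history if timedelta(0) <= txn.ts - t.ts <= WINDOW]
    if len(recent) >= MAX_IN_WINDOW:
        reasons.append("velocity:burst")
    return reasons

def decide(reasons):
    """Assumed policy: one signal raises an alert, two or more hold the payment."""
    if not reasons:
        return "approve"
    return "alert" if len(reasons) == 1 else "hold_for_verification"

def sample_history():
    """Constructed history: six small domestic purchases, one per day."""
    base = datetime(2025, 1, 1, 12, 0)
    rows = [(10, "grocer"), (12, "cafe"), (8, "grocer"),
            (15, "cafe"), (11, "grocer"), (9, "cafe")]
    return [Txn(base + timedelta(days=i), a, m, "KW") for i, (a, m) in enumerate(rows)]
```

Returning the triggered rule names rather than a single score lets the bank record why a payment was held, which supports the fraud reporting the directive also requires.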
The Central Bank has called on banks to develop a mechanism allowing customers to choose whether to activate the service of adding bank cards to electronic wallets such as Apple Pay and Samsung Pay. The service must not be automatically activated for all customers, and no transactions related to coded cards should be processed unless the customer has explicitly activated this service in advance. For example, this includes refraining from sending the one-time verification code (OTP) required to add a bank card to an electronic wallet.
The Central Bank also emphasized in its directive that if a customer adds their bank card to an electronic wallet, such as Apple Pay or Samsung Pay, from outside the bank’s application, the following procedures must be implemented:
- Implement an additional security step requiring authentication through the bank’s application to activate the bank card, along with an explanation of the purpose of the authentication.
- Block requests to add cards from outside the bank’s application if they originate from outside Kuwait, unless the customer contacts the bank to confirm the addition of the card personally.
The Central Bank emphasized the importance of adding a feature to the bank’s application that allows customers to view their cards and identify any electronic wallets, such as Apple Pay or Samsung Pay, linked to them.
The feature should also specify the types of devices through which activation was performed, such as iPhone, Android phone, or smart watch.
Additionally, the Central Bank highlighted the need to comply with Article (32) of the instructions for regulating electronic payment of funds, issued in May 2023. This article mandates the development of policies, procedures, systems, and controls necessary to detect and address fraud.
It also requires reporting fraud cases and related incidents to the competent authorities and providing continuous updates to the Central Bank within the specified timeframe and format determined by it.
The Central Bank called for strict adherence to the directives outlined in its letter and requested a detailed timeline for implementing the required measures.
Three benefits of the new procedures
- Fraud prevention: Achieved through the early detection of suspicious activities.
- Enhanced security: By offering additional protection for customer data and the codes used.
- Increased confidence: Ensuring the safety and security of financial transactions, which strengthens customer trust in banks.