Rules of the payment organization activity of SredaPay LLP (SredaPay)

Contents:

1. General Provisions;

2. Terms and definitions used in these regulations;

3. Description of payment services provided by the Payment Organization;

4. Procedure and terms of provision of payment services to clients by the Payment Organization;

5. Description of conducting operations in the System;

6. Cost of payment services (tariffs) rendered by the Payment Organization of services;

7. Procedure for interaction with third parties providing technological support of payment services rendered by the Payment Organization;

8. Information on the risk management system used by the Payment Organization;

9. Procedure of dispute settlement and dispute resolution with clients (payers);

10. Procedure for compliance with information security measures, requirements to software and hardware and equipment necessary for provision of payment services;

11. Measures taken against a participant of the payment system for violation of the payment system rules;

12. Procedure for changing the terms and conditions and amending these rules.

1. General Provisions.

1.1 These Rules of the payment organization "SredaPay (SredaPay)" LLP (hereinafter referred to as the "SredaPay Rules" or "these SredaPay Rules") determine the order, procedure and conditions ensuring the execution of payment transactions in the "SredaPay (SredaPay)" system (hereinafter referred to as "the System") and establish general requirements for the procedure of rendering the following payment services:

- services for processing payments initiated by the customer in electronic form and transferring the necessary information to a bank or an organization performing certain types of banking operations, for making a payment and (or) transfer or accepting money on these payments.

The SredaPay Rules are developed in accordance with the Law of the Republic of Kazakhstan "On Payments and Payment Systems" dated July 26, 2016 (hereinafter - the Law on Payments), the Rules of organization of activities of payment organizations approved by the Resolution of the Board of the National Bank of the Republic of Kazakhstan No. 215 dated August 31, 2016, and the Charter of "SredaPay (SredaPay)" LLP, and determine the procedure for organization of the activities of "SredaPay (SredaPay)" LLP as a Payment Organization.

1.2 These SredaPay Rules are developed and approved by the supreme governing body of the payment organization "SredaPay (SredaPay)" and are binding for all Participants making payments in the SredaPay System. Each Participant confirms and guarantees that it has all rights and powers necessary and sufficient for joining these Rules and fulfilling obligations in accordance with all their terms and conditions.

1.3 Contracts with individuals for the provision of payment services are concluded in strict accordance with part 5 of article 395 of the Civil Code of the Republic of Kazakhstan and shall be deemed concluded from the moment of performance of the actions stipulated in the public offer on the use of the System placed on the official website of the payment organization "SredaPay (SredaPay)" LLP: www.sredapay.kz.

2. Terms and definitions used in these regulations.

2.1. Operator - SredaPay LLP (SredaPay), which manages the Payment Organization and ensures its functioning, including the collection, processing and transmission of information generated during transactions in the System.

2.2. Payment Accounting System (the System) - a hardware and software complex, as well as related tools and resources used by the System Operator to provide the Services.

2.3 System Participants/Participants - the System Operator, Merchant, Sender, Bank.

2.4. Merchant - a legal entity or a natural person operating without establishing a legal entity (individual entrepreneur), in accordance with the governing legislation, which ensures execution and performance of the Customers' Order and in favor of which the Customer makes a payment in payment for the supplied Goods, performed Works, rendered Services and which has entered into a separate agreement with a payment organization.

2.5. Sender/Customer - an individual or legal entity who has placed an Order to receive Goods, Works or Services from the Merchant using the Payment Acceptance Service of the System.

2.6. Bank - a bank accepting and disbursing funds to Merchants when Cardholders purchase goods or services on the Merchant's website with the use of Payment Cards (their details) under the terms of the Internet Acquiring Agreement.

2.7. Offer - an agreement with individuals, legal entities for provision of payment services placed on the official website of the payment organization and considered concluded upon approval of the Client in performance of payment services by the payment organization.

2.8. Security / security procedures - a set of necessary measures and software and hardware information protection means designed to certify the rights of holders (clients of the payment organization) of payment cards to use payment cards and to detect errors and/or changes in the content of transmitted and received electronic messages when using payment cards.

2.9 Authorization - permission by the Operator for the holder of payment cards to conduct transactions with the use of these payment cards in the payment organization, including granting access to his/her personal account. The procedure of authorization shall be established by the Operator.

2.10. Authentication - procedures and complex of measures established by the Operator and communicated to the Clients/Participants of the Payment Organization to confirm the authenticity and correctness of electronic messages, as well as to establish the fact of transmission of an electronic message directly by the Member of the Payment Organization indicated as the sender.

2.11. Continuity of functioning of the Payment Organization is a complex property of the Payment Organization, denoting its ability to prevent violations of proper functioning and ability to restore proper functioning in case of its violation.

2.12. Login - a unique sequence of symbols denoting the Client's conditional name in the Payment Organization and used for the purposes of his/her authorization for access to the personal account in the Payment Organization.

2.13. Password - a unique sequence of symbols, known only to the Client, intended for access to the services of the Payment organization.

2.14. Personal account - a personal section of the Clients in the System on the Internet resource of the Payment organization, through which the Client has access to information on all transactions made in the System, provided by these Rules and concluded agreements. The list of services provided through the Client's personal account shall be established by the Operator.

2.15. Identification - a procedure stipulated by these Regulations, which consists in establishing the Client's identity on the basis of the identity document provided by the Client to the Operator and other documents necessary for identification required by these Regulations, and registration of the Client with the Payment Organization with entering his/her personal data to the Payment Organization.

2.16. Application for Identification - an application of a natural person for identification in the Payment Organization, drawn up according to the form established by the Bank, to be filled in by the Member of the Payment Organization - natural person for the purpose of identification in accordance with these Rules and containing a condition of conclusion of the relevant agreement between the Bank and the Member of the Payment Organization - natural person, in accordance with the terms of the Offer.

2.17. Transaction Order - an order generated by the Client to the Operator, containing necessary and sufficient information for making a payment in the Payment System.

3. Description of payment services provided by the Payment Organization.

3.1 Services for processing payments initiated by the client in electronic form and transferring the necessary information to a bank or an organization carrying out certain types of banking operations, for making a payment and (or) transfer or accepting money on these payments, shall be rendered by the Payment Organization on the basis of agreements concluded between the Payment Organization and the bank / second-tier banks, and shall ensure acceptance of payments initiated with the use of payment cards with indication of the purpose of the respective payment and its beneficiary.

4. Procedure and terms of provision of payment services to clients by the Payment Organization.

4.1 The service of processing payments initiated by the customer in electronic form and transferring the necessary information to a bank or an organization performing certain types of banking operations, for making a payment and (or) transfer or accepting money on such payments, shall be rendered as follows:

1. The Payment Organization, within the framework of agreements concluded with the Bank, shall ensure acceptance of payments initiated with the use of payment cards with indication of details of the purpose of the respective payment and beneficiary of the respective payment with subsequent provision of transfer of details of the payment for its execution in favor of the respective Bank, whose agent is the Payment Organization, and the Bank in its turn shall execute the Customer's instruction transmitted through the Payment Organization in electronic form.

2. Initiation of payment transactions/payments by the Customer shall be made through the Internet on the Merchant's website, the Merchant's mobile application and other applications that provide the Customer with the possibility to initiate, in electronic form, orders for debiting money from the Customer's bank account/bank card, with crediting of the money in favor of the Bank for the purpose of subsequent execution of the Customer's order/instruction received by the Payment Organization from the Customer and transmitted by the Payment Organization to the Bank.

3. When rendering services, the Payment Organization shall perform the following actions:

- The Client, via the Internet / cell phone, goes to the Merchant's website and, if he/she wants to purchase goods or services, proceeds to the Payment Organization's website;
- The Client gets acquainted with the tariff / amount of commission fee for the respective service provided by the Payment Organization;
- The Client gets acquainted with the terms and conditions of payment service provision and agrees with the terms and conditions of the agreement-offer placed on the website of the Payment Organization;
- The Client initiates a payment in favor of the Service Provider by means of the payment system;
- The Client enters in the payment system the details required for execution of the payment by the Bank;
- To pay, the Customer enters the details of the bank card or bank account;
- The Payment Organization initiates the Customer's order received in electronic form by means of a request to the Bank;
- The Bank, having received confirmation from the Payment Organization and the Customer, debits from the bank account/bank card the amount of the transaction initiated by the Customer, taking into account the commission fee of the Payment Organization;
- The Payment Organization receives from the Bank the confirmation of execution of the transaction;
- The Payment Organization issues an electronic check to the Customer, confirming the Customer's transaction and the debiting of the Payment Organization's commission.

4.2 Terms of payment service provision: within 1 (one) business day following the day of payment acceptance.

[Figure: Scheme of cash flow and information flows when rendering the payment service. Panel label: Withdrawal and transfer of funds.]

5. Description of conducting operations in the System.

5.1 Procedure for making payments under civil law transactions:

5.1.1 The Operator shall provide information support to the Customer when the Customer transfers payments in favor of Merchants as payment for provided goods, works, services.

5.1.2 The Operator determines the list of Merchants for the Client and has the right to limit it depending on the restrictions given on the System Website.

5.1.3 The Client sends to the Operator an order to make a payment in favor of the Merchant using payment cards. The payment transaction shall be deemed completed at the moment of receipt by the Merchant of a notification on crediting of the money and by the Client of a notification on successful completion of the payment. Execution of the order to make a payment leads to a decrease in the amount of money on the Client's card account by the amount of the payment and commission, if any.

5.1.4 Payment for goods, works, services and other transactions with the use of payment cards shall not be made in the absence of the amount required for the transaction on the Client's card account.

5.1.5 In case of payment via the System, the Merchant shall provide the Customer with a check in the form of an electronic document confirming the payment made.

5.2 Procedure for making refunds under payment transactions with the use of payment cards.

5.2.1 Where a refund to the Client-payer is necessary, the refund shall be made on the terms and in the manner provided by these Rules, the agreement with the Client and the current legislation of the Republic of Kazakhstan.

5.2.2 Where the need to cancel a completed payment and/or transfer was caused by a software failure and/or an error that occurred through the fault of the Operator, the refund shall be made to the accounts of the transaction participants by means of a reversal operation, i.e. restoration of the Participants' rights to the money belonging to them and involved in this payment or transfer as of the moment the transaction started.

5.2.3 In case the refund to the Customer is the result of one of the parties' refusal to fulfill the agreement concluded between the Merchant and the Customer, the refund on the completed payment is performed upon the Merchant's application. Reaching an agreement on making a refund shall be carried out by the Merchant and the Customer without participation of the Operator. The fulfillment of mutual obligations preceding the submission of such application shall be carried out in the manner and on the terms and conditions stipulated by the agreement between the Merchant and the Customer.

5.2.4 The Merchant has the right to make a refund to the Customer's payment card, in cash or in any other way agreed with the Customer.

5.2.5 In case the refund is made to the payment card, the Merchant is obliged to perform the operation on refund of the payment amount within 5 (five) business days from the moment of forming the application for refund and recognizing the obligation to refund. The Customer and Merchant may agree on a longer refund period. The Customer shall not have the right to demand a reduction of the refund term.

5.2.6 If it is not possible to make a refund to the Customer's payment card within the term provided in this section, the Customer has the right to request a refund in cash or in any other way agreed with the Merchant.

5.2.7 The refund is made in the full amount of funds received by the Merchant, except for cases when the original nature of the transaction implies commissions for making the refund.

5.2.8 The Operator's commission shall not be subject to mandatory refund but may be refunded at the Operator's discretion.

5.2.9. In case the Customer-Sender makes a mistake when filling in the Transaction Order and subsequently transfers money in favor of another Customer, the money is refunded by agreement between the Customers. In case of the Receiving Customer's refusal to return the money to the Sending Customer, the Sending Customer shall not be entitled to submit claims on such operations to the Operator.

5.2.10. The Client acknowledges and agrees that, when making payments to Merchants for which refunds are not carried out within the System, the Client shall apply directly to the Merchant on the issue of such refund. In this case, the Operator undertakes to provide the Client with information support in the course of proceedings on such issues.

5.3 Procedure for recording and displaying transactions related to payments made in the Payment System.

5.3.1 All transactions made and/or initiated by the Members in the System, including assignments of the right of claim, payment for goods, works and services of Merchants, redemption, as well as other transactions with the use of payment cards, shall be accounted for and recorded.

5.3.2 At any moment the identified Client can obtain information about the operations performed in the System. The payment history is available in the Client's/Merchant's personal account.

5.3.3 The Operator undertakes to keep information on all operations performed in the System for 5 (five) years from the date of performance.

5.4. Procedure for making payments by the Customer:

5.4.1 The Client has the right, with the consent of the Operator, to buy/sell goods and services through the interface, in cases where the operation is not limited by the technical capabilities of the System, by the method of depositing money through a payment card in the System, by other conditions provided for by these Rules or the current legislation of the Republic of Kazakhstan, or by other circumstances brought to the Client's attention when attempting to carry out the operation.

5.4.2 If the Operator has doubts about the legitimacy of such transaction, the Operator has the right to block the transaction until the Operator is provided with proof that the card account belongs to the Client.

5.4.3 In order to make electronic payments, the Client shall send a Transaction Order to the Operator, providing the data requested by the Operator. After the Transaction Order is sent, the Customer shall be sent a transfer number of the established form, as well as a transaction code, which are provided by sending an SMS message to the mobile number specified by the Customer as a login and/or by displaying them in the System interface. To perform certain categories of transactions, the Client may be requested to provide additional verification data confirming the Client's identity and/or his/her right to manage the card account.

5.4.4 The minimum and maximum amounts of payments, as well as commission fees, are set by the Operator within the framework of the current legislation of the Republic of Kazakhstan and are brought to the Client's attention in the process of forming the Transaction Order, before its confirmation.

5.4.5 From the moment the data on made payments is transferred, the Operator shall not be liable for unauthorized use by third parties of such data, including the transaction number and transaction code.

5.4.6 The Client undertakes not to carry out through the System illegal financial transactions, illegal trade, operations on legalization (laundering) of proceeds of crime, or any other operations violating the legislation of the Republic of Kazakhstan.

6. Cost of payment services (tariffs) provided by the Payment Organization.

Tariffs of the payment organization "SredaPay (SredaPay)" LLP on payment services*:

1. Service for processing payments initiated by the customer in electronic form and transferring necessary information to a bank or an organization performing certain types of banking operations, for making a payment and (or) transfer or accepting money on these payments:

No. / Name of service category / Amount of additional commission charged from the Customer

1. Social media - 3% of the transaction amount
2. Cellular operators - 3% of the transaction amount
3. Internet stores - 3% of the transaction amount
4. Tickets (air, rail) - 3% of the transaction amount
5. Gift cards, coupons - 3% of the transaction amount
6. Gaming and entertainment services - 3% of the transaction amount
7. Bookmakers - 3% of the transaction amount
8. Housing and utilities services - 3% of the transaction amount
9. MLM services - 3% of the transaction amount
10. Internet and telephony - 3% of the transaction amount
11. Hosting - 3% of the transaction amount
12. Insurance - 0%
13. Advertising - 3% of the transaction amount
14. Charity - 3% of the transaction amount
16. Catering establishments, restaurants, stores, supermarkets, beauty salons and other services not included in this list - from 0 to 15% of the transaction amount

* - without taking into account the commission of the acquiring Banks.

- The final cost of the commission charged from the Client is set by the Payment Organization independently within the limits of acceptable values specified in the agreements concluded between "SredaPay" LLP and service providers (Merchants) and other persons providing services to Clients.

- The above list of services is not exhaustive and may be supplemented as new Merchant agreements are entered into.


7. Procedure for interaction with third parties providing technological support of payment services rendered by the Payment Organization

7.1 Third parties are legal entities and individual entrepreneurs performing any work and rendering any services to the Payment Organization or acting in its interests who are not members of the company group of the Payment Organization and are not employees of the Payment Organization.

7.2 The connection of third party information systems to the Payment Organization's systems shall be made on the basis of the concluded contract for provision of information and/or technological services and agreement on non-disclosure of confidential information.

7.3 The agreement on non-disclosure of confidential information establishes the obligation of the third party to observe confidentiality of information, as well as responsibility for disclosure of confidential information to which it gains access.

7.4 The contract or non-disclosure agreement to be entered into shall take into account model provisions for third-party compliance with information security requirements. The requirements shall include, at a minimum, the following:

- responsibility and obligations for maintaining the required level of information security;
- measures for notification of information security incidents and violations in the information protection system.

7.5. Procedure for interaction with service providers.

7.5.1 The commercial department of the Payment Organization shall identify the need of individuals/legal entities for a certain payment service of Service Providers (Merchants) and conduct marketing research of feasibility, competitiveness, consumer capacity.

7.5.2 The Financial Department conducts economic justification of the Service Provider's cooperation in the Payment Organization's system, as well as identifies the payment load on the Clients.

7.5.3 In case of positive decision on the issue of Merchants involvement, all necessary documents within the requirements of the Law of the Republic of Kazakhstan "On Combating Legalization (Laundering) of Proceeds of Crime and Terrorism Financing" are requested from the latter and a full compliance risk analysis is performed.

7.5.4 If there are no compliance risks, technical documentation for connecting the Service Provider to the Payment Organization's system via the API technical interaction protocol shall be exchanged.

7.6 Conclusion of a contract with Merchants.

7.6.1 After carrying out all necessary actions specified in Section 7.1 hereof, the Agreement shall be concluded between the Payment Organization and the Merchant.

7.6.2 The Payment Organization shall conclude with the Merchant an agreement on rendering payment services and (or) a Technical Interaction Agreement, which shall obligatorily grant the Payment Organization the right to accept payments in favor of the Merchant and shall obligatorily provide for the possibility of the Payment Organization involving Payment Agents/subagents.

8. Information on the risk management system used by the Payment Organization.

8.1 The risk management system is a system of organization, policies, procedures and methods adopted by the Payment Organization for the purpose of timely identification, measurement, control and monitoring of risks of the Payment Organization to ensure its financial stability and stable functioning.

8.2 In order to manage risks effectively, the Payment Organization has developed a risk management policy, which consists of systematic work on the development and practical implementation of measures to prevent and minimize risks; identification, measurement, control and monitoring of risks; evaluation of the effectiveness of their application; as well as control over all monetary transactions. To this end, the Payment Organization has assigned an employee (in the absence of such an employee, these functions are performed by the Director) who performs risk management functions and whose tasks include:

1. risk analysis and assessment, which includes systematic determination of: the objects of risk analysis; risk indicators for those objects, which determine the need to take measures to prevent and minimize risks; and the assessment of possible damage in case risks materialize;

2. development and implementation of practical risk management measures, taking into account the probability of risk occurrence and its possible consequences, and analysis of the application of possible measures for risk prevention and minimization.

8.3 The security deposit paid to the Payment Organization by the Payment Agent under the agreement in the amount necessary for acceptance of payments shall be used under the agreements with payment agents in order to prevent financial risks. If the amount of security deposit is exhausted, the system automatically blocks acceptance of payments.

8.4 When developing procedures for risk identification, monitoring, measurement and control, the Payment Organization shall take into account, among others, the following factors:

1) The size, nature and complexity of the business;
2) the availability of market data for use as inputs;
3) The state of information systems and their capabilities;
4) qualifications and experience of the personnel involved in the market risk management process.

8.5 Risk identification, measurement, monitoring and control procedures cover all types of assets, liabilities; cover all types of market risk and their sources; allow for regular assessment and monitoring of changes in factors affecting market risk, including rates, prices and other market conditions; allow for timely identification of market risk and taking measures in response to unfavorable changes in market conditions.

8.6 The main task of risk management in the Payment Organization is to maintain acceptable ratios of profitability with safety and liquidity indicators in the process of management of assets and liabilities of the Payment Organization, i.e. minimization of losses.

8.7 Effective risk level management in the Payment Organization shall solve a number of problems - from risk tracking (monitoring) to its cost estimation. The level of risk associated with one or another event is constantly changing due to the dynamic nature of the external environment of the Payment Organization. This forces the Payment Organization to regularly clarify its place in the market, to assess the risk of certain events, to revise relations with clients and to evaluate the quality of own assets and liabilities, therefore, to adjust its risk management policy. The process of risk management in the Payment Organization includes: anticipation of risks, determination of their probable size and consequences, development and implementation of measures to prevent or minimize related losses. All this implies development by the Payment Organization of its own risk management strategy in such a way as to timely and consistently use all opportunities for the development of the Payment Organization and at the same time to keep risks at an acceptable and manageable level.

8.8 The goals and objectives of the risk management strategy are to a large extent determined by the constantly changing external economic environment in which the company has to operate.

8.9 Risk management is based on the following principles:

1) forecasting of possible sources of losses or situations that may bring losses, their quantification;
2) financing of risks, economic incentives for their reduction;
3) responsibility and obligation of managers and employees, clarity of risk management policies and mechanisms;
4) coordinated risk control for all subdivisions of the Payment Organization, monitoring the effectiveness of risk management procedures.

8.10. The risk management system is characterized by such elements as measures and methods of management.

8.11. Risk management measures:

1) determination of the organizational structure of risk management ensuring control over fulfillment by the agents and subagents of the Payment Organization of the risk management requirements established by the risk management rules of the Payment Organization;
2) definition of functional responsibilities of persons responsible for risk management or relevant structural units;
3) communication of relevant information on risks to the management bodies of the Payment Organization;
4) determination of indicators of uninterrupted functioning of the Payment Organization;
5) determination of the procedure for ensuring uninterrupted functioning of the Payment Organization;
6) determination of risk analysis techniques;
7) determining the procedure for exchange of information required for risk management;
9) determining the procedure for interaction in controversial, non-standard and emergency situations, including cases of system failures; determining the procedure for changing operational and technological means and procedures;
10) determination of the procedure for assessing the quality of functioning of operational and technological means and information systems;
11) determination of the procedure for ensuring information protection in the Payment Organization.

8.12. Methods of risk management in the Payment Organization shall be determined taking into account the specifics of the Payment Organization's activity, risk management model, payment clearing and settlement procedures, number of funds transfers and their amounts, time of final settlement.

8.12.1 Methods of risk management:

1) establishment of limit amounts (limits) of obligations of agents and subagents of the Payment Organization taking into account the risk level;
2) establishment of a security deposit of agents and subagents of the Payment Organization within the framework of rendered payment services;
3) management of the order of execution of orders by officials;
4) execution of settlement in the Payment Organization by the end of the working day;
5) ensuring the possibility of providing the limit;
6) use of irrevocable bank guarantees;
7) other ways of risk management.

9. Procedure for settling disputes and resolving disputes with clients (payers)

9.1 In case the Payer has any claims to the Payment Organization on any disputable situation related to the provision of payment services, the Payer shall have the right to send a corresponding claim to the Payment Organization in writing.

9.2 The Payer is obliged to address the Payment Organization with a written application, drawn up in arbitrary form and containing an indication of the disputable situation (hereinafter referred to as the "Claim"), in one of the following ways:

1. by sending it by postal mail to the address - Finance@sredapay.kz;
2. by a personal visit to the office of the Payment Organization and delivering it by hand at the address: the Republic of Kazakhstan, Almaty, 56 Abylai Khan Avenue, office 46, 4th floor.

9.3 In each of the above mentioned ways of sending the Payer's Claim to the Payment Organization it shall be subject to registration by the Payment Organization by assigning the date and serial number of incoming correspondence. The date of receipt of the Payer's Claim by the Payment Organization shall be deemed the actual date of registration of the incoming application of the Payer.

9.4 Payers' appeals to the technical support service by phone, or messages sent through the feedback form on the WEB-site of the System, shall not be recognized as an appeal to the Payment Organization with a Claim and (or) be considered as pre-trial settlement of disputes.

9.5. All Claims sent by the payers to the Payment Organization shall be accompanied by duly executed copies of documents confirming the facts stated in the Application, as well as the following documents:

1. a notarized copy of the payer's identity document;
2. a document confirming payment (check);
3. additionally, a notarized copy of the agreement on provision of cellular communication services concluded with the cellular operator and granting the payer the right to use the Subscriber number specified by the payer when registering the User Account in the System, etc. may be requested.

9.6. The Payment Organization shall review the received Claim of the Payer and prepare a response for sending within 30 (thirty) days from the day of receipt of the respective Claim of the Payer:

1. for proper consideration of the Payer's Claim and preparation of the response, the Payment Organization:
2. involves employees of competent departments (technical, legal, settlement and other structural units, to obtain clarifications, additional information and other data regarding the disputed situation) in a comprehensive study of the dispute;
3. requests and receives additional documents (or their copies), explanations and other information from the Payer. Upon request of the Payment Organization the Payer shall provide the information and documents (or copies thereof) requested by the Payment Organization for the purpose of proper pre-trial settlement of the dispute;
4. conducts a thorough analysis of the information and explanations received to form a complete and accurate response to the Payer's Claim;
5. prepares a reasoned written response to the Claim to the Payer.

9.7 Any dispute, if it was not resolved amicably in a pre-trial procedure, shall be finally resolved in court in accordance with the current legislation of the Republic of Kazakhstan.

10. Procedure for observance of information security measures, requirements to software and hardware and equipment necessary for provision of payment services.

10.1 Procedures for compliance with security measures

10.2 The following processes shall be carried out as part of information security planning:
- defining information security goals and objectives;
- determining directions for the development of the information security system.

10.3 The following processes are carried out as part of the implementation of information security activities:
- ensuring that the Company's computers and telecommunications resources are used as intended by its employees, independent contractors and other users;
- identifying, responding to (countering attacks in real time), resolving and analyzing the causes of information security incidents;
- asset access controls;
- antivirus protection;
- asset backups;
- business continuity management;
- registration, analysis and control of information security events;
- identification of vulnerabilities in the information systems of the Payment Organization through which threats to information security can be realized;
- cryptographic protection, determining requirements for the organization of work, operation, safekeeping and safe use of cryptographic protection means;
- formation of principles of making changes, procedure of installation, modification and maintenance of information systems of the Payment Organization;
- physical security of the assets;
- network perimeter defense;
- compliance with the terms of all software licenses, copyrights and laws relating to intellectual property.

10.4 Internal and external (independent) information security control/audit are performed as part of the information security activity verification.

10.5 Within the framework of improvement of information security activities the results of the information security system of the Payment Organization shall be analyzed.

10.6. Information security system of the Payment Organization

10.6.1 The information security system, which is the set of information protection measures applied in the Payment Organization, shall be created in accordance with the methodology of information security management. The means and measures applied in the Payment Organization to prevent unauthorized access to software and hardware, including software and hardware protection means, shall ensure the level of information protection and preservation of its confidentiality in accordance with the requirements established by the legislation of the Republic of Kazakhstan. All employees shall undertake to take all necessary measures to maintain confidentiality, prevent unauthorized use and protect identification data from unauthorized access by third parties.

10.7 Ensuring the security of computing networks.


10.7.1 Protection of the network infrastructure of the Payment Organization is one of the main tasks of information security. The whole information infrastructure of the Payment Organization is an environment of critical data processing. Taking into account the fact that the main business functions related to data processing are realized by means of information infrastructure components connected by a computer network, protection against network threats is a priority direction of information security provision.

Server

10.7.2 Access to the terminal session of the server is performed by authentication. A maximum of 2 terminal sessions may be used at the same time.

Workstations

10.7.3 Internet access of workstations shall be performed by connecting to a Wi-Fi router with WPA2-PSK connection security. All workstations shall be connected only to the local network of the Payment Organization. Restrictions on incoming and outgoing connections are controlled by means of firewall configuration. Access to workstations is performed by user authentication with an Active Directory domain account. The account password is given to the employee under personal responsibility for access to his/her workstation. The password can be changed by the System Administrator.

10.7.4 Backup and recovery of data stored in accounting systems is provided by means of continuous backup/restore systems used by the System and Microsoft Data Protection Manager. The backup procedures are controlled by:

1) notifying the responsible employee in case of a successful/failed backup;
2) testing the recovery of information system databases at least once (1) a year.

10.7.5 The software implements the ability to output documents to the screen, printer or file.

10.7.6 The software implements the ability to exchange electronic documents.

10.7.7. Events occurring in the information system are registered and identified by means of the DBMS used, with the following attributes saved: event start date and time, event name, user who performed the action, record identifier, event end date and time, event execution result. This includes:

1) a module for event collection;
2) a module to analyze and manage network events and flows from devices, endpoints, servers, antivirus, firewalls and various intrusion prevention systems.

10.8 Managing user access to data

10.8.1 User access to data is a risk factor of information security. The process of access control is regulated in the Payment Organization. Users are granted access to data in accordance with the principle of the minimum privileges necessary for the performance of job duties. A password policy management system is also implemented and maintained in the Payment Organization.

10.9 Account management and password protection

10.9.1 Users work in the OS and IS under unique accounts. A user is not allowed to work under another user's account or the "Administrator" account, nor to be included in the privileged "Administrators" group. The "Guest" account in the operating system must be disabled. Authentication on the server is performed by connecting to the terminal and the user entering the personal credentials created by the System Administrator. To provide temporary access to the Company's resources (for persons who are not Company employees, for employees who need temporary access to the Company's resources, etc.), temporary accounts (with a fixed validity period) in the OS must be used.

10.9.2 User account requirements include, but are not limited to, the following:

1) accounts, including system and service accounts, in system and application software, as well as in information protection systems and tools (including access to firewall management and anti-virus software), are protected by strong authentication methods;
2) each user of the information system is assigned a unique identifier (account name);
3) accounts shared between multiple users, group and shared accounts, and shared passwords and other means of authentication are not permitted.

10.9.3 The data entry forms used implement checks of the completeness of the entered data, or directories of the fields required to be filled in to perform and register operations; if functions or operations are performed without all fields being filled in, the program can record a corresponding entry in the journal and/or issue a corresponding notification;

10.9.4 The software used for conducting and registering operations shall ensure search of information by criteria and parameters defined for the given information system, with saving the request, as well as sorting of information by available parameters, as well as possibility to view information for previous dates, if such information is to be stored in the information system;

10.9.5 Information processing and storage is performed by date and time;

10.9.6 Information systems use automated generation of internal logs by means of the operating system used, additionally critical events are recorded for monitoring of IT infrastructure elements:

1) local area network;
2) physical servers;
3) virtual servers;
4) application software: transaction processing services, database management systems;
5) cloud services. This provides the collection and display of basic status metrics and events, as well as the generation of an event log/report for a certain date range or in full.

OS and IS account passwords

10.9.7 The password for OS and IS accounts shall be at least 8 characters long for users and privileged users, as well as for service, system, embedded or technological accounts. The user password must be sufficiently complex and contain at least a combination of uppercase and lowercase letters and numbers. The use of special characters is also possible, but not required. The password for privileged users, as well as for a service, system, built-in or technological account, must contain characters of all four categories: lower case letters, upper case letters, numbers and special characters (@, #, $, &, *, %, etc.). Passwords for OS and IS accounts must be changed as follows: for systems that support automatic password change, the password is changed monthly (every 30 days), and for systems that do not support automatic password change, the password is changed every 3 months (90 days); the exception is SQL, in which the password is changed only if the employee has forgotten the previously issued password. Passwords on equipment (routers, switches, wireless access points, office PBX, video recorders, etc.) must be changed by the System Administrator every 180 days. When changing the password, the new password must not repeat any of the last 12 passwords used by this user. This requirement does not apply to ISs that do not have this feature implemented. A password must not include meaningful words, word combinations, common abbreviations, or information easily associated with its owner - first names, surnames, account names, phone numbers, pet names, names of organizations, etc. The password must not include easily guessable combinations of symbols (first names, surnames, name of the automated workstation, etc.), or common abbreviations (computer, LAN, USER, etc.).

Built-in accounts

10.9.8 The default passwords set by the IS manufacturer for built-in accounts shall be changed when the IS is commissioned. This also applies to any server and communication equipment, if technically possible. It is strictly forbidden to use built-in Administrator accounts (SA for 1C and SQL Server, root in Unix, etc.) for daily work, for launching services or for access to network resources. The use of built-in accounts is allowed only in cases that require the credentials of this account (OS recovery, recovery of damaged data or of the system, in some cases system updates, etc.). Logging of all actions must be enabled for built-in Administrator accounts. All unused accounts shall be disabled or deleted.

When an employee is terminated

10.9.9 When an employee is dismissed, his/her account shall be deleted/disabled. When an employee goes on any type of vacation or sick leave, the accounts in the OS and IS shall be locked until the moment of returning to work. Users are prohibited from disclosing information about their accounts. Users are prohibited from providing access to their accounts to other employees of the Company or to third parties. In case of business necessity, it is allowed to work on the personal computer of another employee under his/her account with the verbal permission of his/her immediate supervisor. The exception is the performance of his/her job duties by the System Administrator when setting up the user's computer or laptop on the basis of a paper application. In this case, the System Administrator may fulfil the application in the absence of the user, but after all the work is done the System Administrator must turn off the user's computer (if the user has not returned to his/her workplace). If an employee goes on vacation or is transferred to another division, the employee shall take care of transferring the necessary information to the person replacing him/her, and the immediate supervisor shall supervise this process. If a user is absent from the workplace for 5 minutes (inactive state of the computer), the computer shall be automatically switched to a password-locked state. The locking is performed through the OS settings on the employee's workstation. In addition, each employee of the Company, when leaving his/her workplace, is obliged to lock his/her account by pressing the key combination "Windows logo+L" or "CTRL+ALT+DELETE" on the keyboard and then selecting "Lock computer".
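A checker for the password rules of clause 10.9.7, added here as an illustration and not SredaPay's own code: minimum length, the user versus privileged complexity categories, the 12-password history, the bans on owner-related words and common abbreviations, and the per-system rotation periods (30, 90 and 180 days, with the SQL exception). The Account fields, the `system` keys and the function names are assumptions of this example.

```python
"""Password policy checks modelled on clause 10.9.7 (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date
import string

# Account categories that decide which complexity rule applies.
USER = "user"
PRIVILEGED = "privileged"   # also service, system, built-in, technological

# Rotation periods in days. "sql" is the clause's stated exception: its
# password is changed only when the employee has forgotten it.
ROTATION_DAYS = {
    "auto": 30,         # systems that support automatic password change
    "manual": 90,       # systems that do not
    "equipment": 180,   # routers, switches, access points, PBX, recorders
    "sql": None,
}

MIN_LENGTH = 8
HISTORY_DEPTH = 12                 # must not repeat any of the last 12
SPECIALS = set(string.punctuation)  # covers @, #, $, &, *, % from the clause
COMMON_ABBREVIATIONS = ("computer", "lan", "user")  # open-ended in the clause


@dataclass
class Account:
    name: str
    kind: str                        # USER or PRIVILEGED
    system: str                      # key of ROTATION_DAYS
    owner_words: tuple = ()          # first name, surname, phone, pet, org
    workstation: str = ""            # name of the automated workstation
    history: list = field(default_factory=list)  # previous passwords, oldest first
    last_changed: date = field(default_factory=date.today)


def complexity_violations(password: str, kind: str) -> list:
    """Return the complexity rules the password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    present = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    # Users: upper + lower + digits; specials optional.
    # Privileged/service/system/built-in accounts: all four categories.
    required = ("lower", "upper", "digit")
    if kind == PRIVILEGED:
        required += ("special",)
    problems += [f"missing {cat} characters" for cat in required if not present[cat]]
    return problems


def content_violations(password: str, account: Account) -> list:
    """Flag easily guessable content: owner data, account and workstation
    names, common abbreviations (case-insensitive substring match)."""
    low = password.lower()
    banned = [account.name, account.workstation, *account.owner_words,
              *COMMON_ABBREVIATIONS]
    return [f"contains '{w}'" for w in banned if w and w.lower() in low]


def history_violation(password: str, account: Account) -> list:
    """The new password must not repeat any of the last 12 passwords.
    Plaintext history is used only to keep the example short; a real
    store would compare against salted hashes."""
    if password in account.history[-HISTORY_DEPTH:]:
        return ["repeats one of the last 12 passwords"]
    return []


def check_new_password(password: str, account: Account) -> list:
    """All violations for a proposed new password; an empty list means accepted."""
    return (complexity_violations(password, account.kind)
            + content_violations(password, account)
            + history_violation(password, account))


def rotation_due(account: Account, today: date) -> bool:
    """True when the password age has reached the rotation period of its system."""
    period = ROTATION_DAYS[account.system]
    if period is None:            # SQL: changed only on a forgotten password
        return False
    return (today - account.last_changed).days >= period
```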

10.10. Ensuring anti-virus protection

10.10.1 The information infrastructure of the Payment Organization is connected with the external environment (Internet), therefore the threat of malware penetration is very relevant. Antivirus tools shall be used to protect against this threat. The rules for making changes to systems and information infrastructure in general are regulated to avoid malware penetration. Only licensed software or software distributed free of charge can be used as antivirus software.

10.10.2 The server must have anti-virus software installed to automatically check all files and e-mail received on this server. At least once a week, a full scan of all computer disks for virus infection shall be performed on the terminal server with the installed OS. The antivirus software on the server shall be updated at least once a day, automatically through the appropriate antivirus software settings.

Workstations

10.10.3 Each personal computer of the Company shall have anti-virus software installed with the function of automatic checking of all files and e-mail arriving at this computer. At least once a week each personal computer of the Company shall undergo a full scan of all disks for viruses. Antivirus software on personal computers shall be updated at least once a day automatically through the appropriate antivirus software settings. If malware infecting the computer's RAM is detected during scanning, the infected computer shall be immediately disconnected from the local network of the Payment Organization for further examination and disinfection.

10.11. Ensuring physical security

10.11.1 Protection from unauthorized physical access to the information infrastructure components is the most important task of information security. Physical access of the employees of the Payment Organization and representatives of external parties to the components of the server information infrastructure is limited and is provided only for performance of job or contractual obligations.

10.11.2 Protection against unauthorized access shall be provided by:

10.11.2.1. use of network equipment meeting the characteristics with the indicators specified in the table:

Characteristic | Indicator
Bandwidth in Firewall mode (App-ID enabled) | 940 Mbps
Throughput in Threat Prevention mode | 610 Mbps
IPSec VPN throughput | 400 Mbps
Maximum number of simultaneously supported sessions | 128,000
Maximum number of "new" sessions | 8,300/s
Maximum number of VPN tunnels/tunnel interfaces | 1,000
Maximum number of security zones | 30
Maximum number of security rules | 1,500

10.11.2.2 Use of software on network equipment:

1) Threat Prevention - includes functionality of IPS, Antivirus, Anti-Bot, Anti Spyware;
2) URL-Filtering - filtering user URL requests by category;
3) GlobalProtect - allows users to connect to local network resources through the Palo Alto Networks firewall. It also enables checking the remote host for compliance with certain security rules, such as the presence of antivirus on the client device and a current OS version with all current updates;
4) WildFire - the ability to use the public cloud of specialized information security services companies to scan suspicious files for malicious activity.

10.12. The integrity of databases and the complete safety of information in electronic archives and databases in case of complete or partial power failure at any time at any part of the equipment shall be ensured by:

10.12.1. storing information using a database management system (hereinafter referred to as DBMS) Microsoft SQL Server of at least Standard Edition, version no older than 2016;

10.12.2. utilizing SQL Server AlwaysOn technology, a high availability and disaster recovery solution that includes, but is not limited to, the following features:

1) Distributed metadata and notifications - service and hosted application metadata, configuration and state are stored on each cluster node; changes in metadata or node state are automatically propagated to the other nodes in the cluster;
2) Resource management - individual nodes in a cluster can provide physical resources such as direct-attached storage, network interfaces, and access to shared disk storage;
3) Health monitoring - the health of the primary node and the health between nodes is determined through a combination of heartbeat-style network communication and resource monitoring;
4) Failover coordination - each resource is configured to reside on a primary node, and each can be moved automatically or manually to one or more secondary nodes. A health-dependent failover policy controls the automatic transfer of resources between nodes in the cluster. Nodes and hosted applications receive failover notifications, allowing them to continue performing their assigned functions without interruption or data loss.

10.13. Location of the equipment used for database processing and storage in data centers that provide:

1) guaranteed power supply;
2) ensuring the necessary climatic regime;
3) 24/7 monitoring and maintenance;
4) automatic gas fire extinguishing complex;
5) 24-hour guarded territory;
6) CCTV systems;
7) delineation of physical access and organizational procedures for controlling access to all premises;
8) Internet access port at speeds of 100 Mbps or more.

10.14. Ensuring secure support and operation of the information infrastructure

10.14.1. To ensure maximum transparency and security of the development, implementation and operation of the components of the information infrastructure of the Payment Organization, as well as their software, changes made to the information infrastructure shall be subject to testing and registration. Information security requirements shall be taken into account during the development, implementation and operation of information systems, individual components and software.

10.15. Monitoring of the information infrastructure

10.15.1. Monitoring of the information infrastructure is necessary for the timely identification of information security incidents and vulnerabilities. Monitoring shall be carried out in respect of systems performance, data access, systems operation and security. Vulnerability checks shall be performed to assess the overall level of security of the information infrastructure of the Payment Organization. An independent audit of the security system and internal controls shall be conducted on a regular basis, at least once a year.

10.15.2. The retention period for information on information security incidents shall be at least 5 (five) years.

10.15.3. The Payment Organization shall determine the procedure for taking urgent measures to eliminate an information security incident, its causes and consequences.

10.15.4. The Payment Organization shall keep a log of information security incidents reflecting all information on the information security incident, measures taken and proposed corrective measures.

10.15.5. Information systems involved in conducting and storing transactions shall ensure automated generation of the report forms submitted by e-money system operators to the National Bank, as well as reports on conducted transactions;

10.15.6. The Payment Organization shall provide the National Bank with information on the following identified information security incidents:

1) exploitation of vulnerabilities in application and system software;
2) unauthorized access to the information system;
3) a denial-of-service attack on an information system or data network;
4) infecting the server with a malicious program or code;
5) unauthorized transfer of electronic money due to violation of information security controls;
6) other information security incidents that threaten the stability of the e-money system operator's activity.

10.15.7. Information on the information security incidents specified in this clause shall be provided by the Payment Organization as soon as possible, but not later than 48 hours from the moment of detection, in the form of an information security incident card. A separate information security incident card shall be filled in for each information security incident.

10.16. Information Security Incident and Vulnerability Management

10.16.1. All detected information security incidents shall be recorded and investigated to determine their causes and prevent their recurrence. Information security vulnerabilities detected during monitoring activities shall be recorded for the purpose of further planning of actions to eliminate them.

10.16.2. The Payment Organization shall ensure the functioning of the information security system, which is a set of organizational, software and technical measures and an information security management system aimed at protection of the Organization's assets from information security threats.

10.16.3. Information security activities take the form of Deming's cyclical model of "planning → implementation → verification → improvement → planning" and are part of the overall management system.

10.16.4. The information security management system shall ensure protection of the information assets of the Payment Organization, allowing the minimum level of potential damage to the business processes of the Payment Organization.

10.16.5. The Payment Organization shall ensure an appropriate level of the information security management system, its development and improvement.

10.17. Ensuring uninterrupted operation of the information infrastructure

10.17.1 Since one of the objectives of information security is to ensure the availability of information, measures to protect information infrastructure components from failure play a significant role. Duplication of critical information infrastructure components is used to ensure fault tolerance. Backup means ensure guaranteed restoration of business processes after failure of one or several components of information infrastructure, and also ensure minimization of time of restoration of services and business processes. The Payment Organization shall ensure uninterrupted operation of the System in the 24/7/365 mode (24 hours a day, 7 days a week, 365 days a year), except for the time of preventive maintenance.

10.17.2 The software used for conducting and recording operations shall provide search of information by criteria and parameters defined for the given information system, with saving the request, as well as sorting of information by available parameters, as well as possibility to view information for previous dates, if such information is to be stored in the information system;

10.17.3 Information processing and storage shall be performed by date and time;

10.17.4 Information systems use automated generation of internal logs by means of the operating system used, additionally critical events are recorded for monitoring of IT infrastructure elements:

1) local area network;
2) physical servers;
3) virtual servers;
4) application software: transaction processing services, database management systems;
5) cloud services. This provides collection and display of basic status metrics, events, and generation of event log/report for a certain date range or completely.

11. Measures taken against a participant of the payment system for violation of the rules of the payment system

11.1 The Management of the Payment Organization shall regulate the issues related to:
- determination of objectives and strategy for achieving the goals of information security in the Payment Organization;
- allocation of resources for implementation of information security activities in the Payment Organization;
- making decisions regarding key risks of information security breaches.
The Manager of the IT Department is responsible for:
- determination of information security requirements and control over fulfillment of these requirements in the Payment Organization;
- control over the overall efficiency of information security provision and its compliance with current and future business requirements.
Process and asset owners are responsible for:
- allocation of authority and responsibility for implementation of information security measures (confidentiality, integrity, availability) for their assets adequate to the existing risks;
- elimination of non-conformities based on the results of audits/inspections of IS provision within the established timeframe.

11.2 All employees of the Payment Organization shall be responsible for compliance with the requirements of internal regulatory documents of the Payment Organization governing information security, as well as timely notification of violations and shortcomings of information security that they have detected.

11.3 Responsibility of the employees of the Payment Organization for violation of information security requirements shall be determined by the internal labor regulations of the Payment Organization, as well as provisions of internal regulatory documents. In some cases, violation of information security requirements by employees shall entail criminal, administrative, civil and other liability provided for by the legislation.

12. Procedure for changing the terms and conditions and amending these rules

12.1 Amendments and/or additions to these Rules may be made either by approving a new edition of the Rules or by preparing the text of amendments and/or additions to the Rules.

12.2 In case of disagreement of the Member with changes and/or amendments to the Rules or tariffs, the Member has the right to refuse further use of the services of the Payment Organization.

12.3 Further use of the services of the Payment Organization after any changes and/or amendments to the Rules come into force means that the Members agree with such changes and/or amendments.