LVTS RULE 11 CHANGE MANAGEMENT, TESTING AND CERTIFICATION 2018 CANADIAN PAYMENTS ASSOCIATION


This Rule is copyrighted by the Canadian Payments Association. All rights reserved, including the right of reproduction in whole or in part, without express written permission by the Canadian Payments Association.

Payments Canada is the operating brand name of the Canadian Payments Association (CPA). For legal purposes we continue to use Canadian Payments Association (or the Association) in these rules and in information related to rules, by-laws, and standards.

CONTENTS

IMPLEMENTATION AND REVISIONS
CPA AVAILABILITY
NEW PARTICIPANT TESTING AND CERTIFICATION
NEW PARTICIPANT TECHNICAL QUALIFICATIONS
LVTS AND SUPPORTING INFRASTRUCTURE CHANGE TESTING
FIRST LEVEL
SECOND LEVEL
THIRD LEVEL
PARTICIPANT CHANGE MANAGEMENT
PARTICIPANT CHANGE TESTING
REQUIRED ASSISTANCE
TEST AND TRAINING BIC
OTHER TESTING
ONGOING PARTICIPANT TRAINING
CPA BUSINESS CONTINUITY TESTING
PARTICIPANT BUSINESS CONTINUITY TESTING
PARTICIPANT SYSTEM TESTING
CLS CONTINGENCY TESTING
EVIDENCE OF COMPLIANCE
REPORT
APPENDIX I - PRO FORMA MANAGEMENT ATTESTATION STATEMENT
APPENDIX II - PRO FORMA MANAGEMENT ATTESTATION STATEMENT

IMPLEMENTATION AND REVISIONS

LVTS Rule 11, December 1998: as amended November 25, 2002, November 24, 2003, May 31, 2004, August 14, 2006, January 28, 2008, August 16, 2010, January 1, 2013, January 5, 2015, April 18, 2016, January 3, 2017, and August 21, 2017.

CPA AVAILABILITY

The Association shall log in to the testing and training regions of the LVTS and shall be available for testing and training as required. The Association shall set up a Payment Message testing terminal in the LVTS testing environment for sending and receiving test payment messages for testing purposes.

NEW PARTICIPANT TESTING AND CERTIFICATION

All applicants for participation in the LVTS must meet the technical qualification requirements set out in LVTS Rule 3, LVTS Service Level Description and CSN Service Level Description developed by the Association.

NEW PARTICIPANT TECHNICAL QUALIFICATIONS

All technical qualification requirements will be tested by the Association and will include the requirement for an applicant to process at least one day's volume of test payments utilizing all system components of the LVTS environment with all normal LVTS Cycle steps in place. This testing will be witnessed and monitored by the Association to ensure that complete and accurate testing is completed. The applicant must provide to the Association a complete record of its test results including a record of its monitoring activities for the test day including evidence of payment reconciliation.

LVTS AND SUPPORTING INFRASTRUCTURE CHANGE TESTING

If changes are made to LVTS there will be three (3) levels of testing involving the Participants. For each change an acceptance test working group appointed by the LVTS Working Group will oversee all testing and will define and run all required acceptance testing. This acceptance test working group will report back to the Participant User Group. All Participants will be required to participate in the user acceptance tests for any such changes.

FIRST LEVEL

The first level of testing will be to check out any Participant interface changes which have been made to support the new or changed feature(s) and which are required to be used in the user acceptance testing of the change. Each Participant will coordinate any such testing in the same manner as it would for changes to one or more of its own systems.

SECOND LEVEL

The second level of tests will be the formal user acceptance testing. This will be a formal documented test. The Association will co-ordinate this testing and will ensure that technical assistance is available in case of problems.

THIRD LEVEL

The third level of testing is Participant acceptance testing. This testing will be against the tested software release and it will be up to each Participant to assess its testing needs at this level. The Association will provide assistance if requested.

PARTICIPANT CHANGE MANAGEMENT

a) Where a Participant plans to implement a system change that may potentially impact its LVTS operations or other LVTS Participants, the Participant must complete a Participant System Change Notification form in order to determine whether the CPA must be notified of the change.

Note: For a copy of the most recent version of the Participant System Change Notification form, please refer to the Payments Canada Member Portal.

b) If, upon completion of a Participant System Change Notification form, the risk rating on the form is 6 or higher, the Participant must submit the Participant System Change Risk Assessment and Notification form to the Association at least thirty (30) days in advance of implementing the change.

c) If the Association determines that a proposed change (with a risk rating of 6 or higher) could potentially impact LVTS operations or other LVTS Participants, the Association may increase the risk rating and, if increased, will advise the Participant of the change in risk rating within ten (10) days of making the change.

d) If the Association determines that there are issues with timing or risks associated with a change, the Association will provide the Participant with at least fifteen (15) days advance notice that the implementation schedule must be revised.

e) Despite subsection b), where a Participant must implement an emergency change to resolve an operational incident and the change is considered high risk, the Participant shall provide the Association with at least one hour advance notice prior to making the emergency change. If it is not possible to provide advance notice prior to implementing the change, the Participant must notify the Association no later than the next business day following the implementation.

PARTICIPANT CHANGE TESTING

Notwithstanding section 11.8, whenever a Participant makes changes to its CBT or any other system which supports its LVTS operations, the Participant must test any new hardware, software and/or procedures using the LVTS test and training environment. This test and training environment will normally be available 24 hours per day. The Participant must co-ordinate and pre-arrange its testing with the Association. It is up to each Participant to determine what is to be tested and to set its own parameters accordingly.

REQUIRED ASSISTANCE

If a Participant requires that other Participants and/or the Association take part in the testing it is the responsibility of the Participant to request the assistance of the other Participant, to co-ordinate the testing activities with the Association and to structure the testing to be mutually agreeable to all parties. While it is not required that another Participant take part in the testing for the requesting Participant such requests should be considered as reciprocal assistance.

TEST AND TRAINING BIC

Each Participant must provide the Association with a test and training S address (BIC) to be entered into the closed user group to support LVTS testing and training. The Association must be provided this BIC at least three (3) weeks prior to the start of the testing period, unless the Participant in question has already used this BIC in LVTS testing.

OTHER TESTING

The Association may conduct such other testing relating to system upgrades, Participant system changes, including Bank of Canada system changes, or LVTS changes. Each Participant shall participate in mandatory testing coordinated by the Association, with the exception of CLS testing which is only mandatory for CLS Participants.

ONGOING PARTICIPANT TRAINING

The test and training facility of the LVTS may be used by a Participant subject to the requirement that such training be coordinated and pre-arranged with the Association.

A Participant may make use of the Association's standard training exercises or a Participant may devise its own when using this facility.

CPA BUSINESS CONTINUITY TESTING

a) The Association shall conduct business continuity testing for the LVTS central system at least twice per calendar year in accordance with the requirements outlined in the LVTS Service Level Description.

b) The Association shall conduct business continuity testing for the LVTS system administration services (people and premises) at least twice per calendar year. The testing will take place during an LVTS Cycle, and will consist of the Association accessing the LVTS central system using its alternate site workstation to generate reports to ensure connectivity.

PARTICIPANT BUSINESS CONTINUITY TESTING

a) Subject to subsection b), each Participant shall conduct business continuity testing for its alternate site (people and premises) at least twice per calendar year. The test will consist of the Participant processing payments from its alternate site during an LVTS Cycle. Each Participant shall provide to the CPA, by way of a management attestation statement (attached as Appendix I), confirmation that it has conducted two business continuity tests within the last calendar year and confirm that payments were successfully processed from its alternate site. The management attestation statement shall be received by the CPA no later than January 31 of the following year.

b) Each Participant that regularly processes payments from its primary and alternate sites during an LVTS cycle shall provide to the CPA, by way of a management attestation statement (attached as Appendix II), confirmation that it has successfully processed payments from those locations during the last calendar year. The management attestation statement shall be received by the CPA no later than January 31 of the following year.

PARTICIPANT SYSTEM TESTING

Each Participant shall conduct disaster recovery testing at least once per calendar year. The test(s) will consist of the Participant successfully sending, receiving and processing Payment Messages using its back-up payments technology and supporting systems (e.g. data centre). All functionalities do not need to be tested at the same time. Each Participant shall provide to the CPA, by way of a management attestation statement (attached as Appendices I or II as applicable), confirmation that it has conducted such testing within the last calendar year and confirmation that this testing was successfully completed. The management attestation statement shall be received by the CPA no later than January 31 of the following year.

CLS CONTINGENCY TESTING

The Association and each Participant involved in CLS-related payments processing shall execute CLS contingency testing in accordance with the procedures in Appendix III of LVTS Rule 12.

EVIDENCE OF COMPLIANCE

Where the Association, in its discretion, requests confirmation of the completion of any procedure or step by a Participant such confirmation shall be by way of a current (completed within the previous 18 months) audit report, pertinent extract, or management attestation statement dealing with any such steps or procedures, filed with the Association by the Participant's internal audit group, inspection group or management representative executed by a duly authorized officer of the Participant.

REPORT

The Association shall provide to all Participants a complete report of any testing relating to the LVTS which is conducted or supervised by the Association in accordance with the provisions of this Rule.

APPENDIX I - PRO FORMA MANAGEMENT ATTESTATION STATEMENT

[LVTS Participant letterhead]

[LVTS Participant name]

CANADIAN PAYMENTS ASSOCIATION LVTS PARTICIPANT DISASTER RECOVERY TESTING ANNUAL MANAGEMENT ATTESTATION STATEMENT

(DATE OF LETTER)

Payments Canada
Constitution Square, Tower II, 350 Albert, Suite 800
Ottawa, Ontario K1R 1A4

Attention: COO

In accordance with section 11.15(a)¹ of the Canadian Payments Association's Large Value Transfer System Rules, [LVTS Participant] hereby confirms that during the period January 1, 20[YY] through December 31, 20[YY], [LVTS Participant] successfully conducted testing of its alternate site (people and premises) payment processing capabilities on [#] occasions.

Testing of the [LVTS Participants]'s alternate site payment processing capabilities was conducted on [Month, Day]. (Note: Please include all dates in which the test was performed).

In accordance with section 11.16² of the Canadian Payments Association's Large Value Transfer System Rules, [LVTS Participant] hereby confirms that during the period January 1, 20[YY] through December 31, 20[YY], [LVTS Participant] successfully conducted testing of its back-up payments technology and supporting systems (e.g. data centre) by sending, receiving and processing Payment Messages.

As a result of this testing, [LVTS Participant] hereby confirms that we are in compliance with LVTS Rule 11.15(a) and 11.16 of the Canadian Payments Association for the calendar year ending December 31, 20[YY].

Yours truly,

(Name of Senior Officer representing the LVTS Participant or the Senior Operational Committee representative)
(Title of Officer)

[ ] denotes customized information to be provided by LVTS Participant

¹ Each Participant shall conduct disaster recovery testing for its alternate site at least twice per calendar year. The test will consist of the Participant processing payments from its alternate site during a production cycle. Each Participant must provide to the CPA, by way of a management attestation statement (attached as Appendix I), confirmation that it has conducted two disaster recovery tests within the last calendar year and confirm that payments were successfully processed from its alternate site. The management attestation statement must be received by the CPA no later than January 31 of the following year.

² Each Participant shall conduct disaster recovery testing at least once per calendar year. The test will consist of the Participant successfully sending, receiving and processing Payment Messages using its back-up payments technology and supporting systems (e.g. data centre). Each Participant shall provide to the CPA, by way of a management attestation statement (attached as Appendices I or II as applicable), confirmation that it has conducted such testing within the last calendar year and confirmation that this testing was successfully completed. The management attestation statement shall be received by the CPA no later than January 31 of the following year.

APPENDIX II - PRO FORMA MANAGEMENT ATTESTATION STATEMENT

[LVTS Participant letterhead]

[LVTS Participant name]

CANADIAN PAYMENTS ASSOCIATION LVTS PARTICIPANT PAYMENT PROCESSING ANNUAL MANAGEMENT ATTESTATION STATEMENT

(DATE OF LETTER)

Payments Canada
Constitution Square, Tower II, 350 Albert, Suite 800
Ottawa, Ontario K1R 1A4

Attention: COO

In accordance with section 11.15(b)³ of the Canadian Payments Association's Large Value Transfer System Rules, [LVTS Participant] hereby confirms that during the period January 1, 20[YY] through December 31, 20[YY], [LVTS Participant] successfully processed payments from its primary and alternate sites on a regular basis.

In accordance with section 11.16⁴ of the Canadian Payments Association's Large Value Transfer System Rules, [LVTS Participant] hereby confirms that during the period January 1, 20[YY] through December 31, 20[YY], [LVTS Participant] successfully conducted testing of its back-up payments technology and supporting systems (e.g. data centre) by sending, receiving, and processing Payment Messages.

As a result of this testing, [LVTS Participant] hereby confirms that they are in compliance with LVTS Rule 11.15(b) and 11.16 of the Canadian Payments Association for the calendar year ending December 31, 20[YY].

Yours truly,

(Name of Senior Officer representing the LVTS Participant or the Senior Operational Committee representative)
(Title of Officer)

[ ] denotes customized information to be provided by LVTS Participant

³ Each Participant that regularly processes payments from its primary and alternate sites during an LVTS cycle shall provide to the CPA, by way of a management attestation statement (attached as Appendix II), confirmation that it has successfully processed payments from those locations during the last calendar year. The management attestation statement shall be received by the CPA no later than January 31 of the following year.

⁴ Each Participant shall conduct disaster recovery testing at least once per calendar year. The test will consist of the Participant successfully sending, receiving and processing Payment Messages using its back-up payments technology and supporting systems (e.g. data centre). Each Participant shall provide to the CPA, by way of a management attestation statement (attached as Appendices I or II as applicable), confirmation that it has conducted such testing within the last calendar year and confirmation that this testing was successfully completed. The management attestation statement shall be received by the CPA no later than January 31 of the following year.