BDL Decision No. 13790 · Lebanon cybersecurity readiness

BDL 13790 Cybersecurity Compliance Lebanon

A practical technical readiness guide for Lebanese electronic payment providers, payment gateways, wallet platforms, fintech operators, and regulated digital-payment teams preparing their cybersecurity, evidence, local data hosting, logging, hardening, business continuity, and penetration-testing posture under Banque du Liban Decision No. 13790.

A–EService categories under BDL Decision No. 13790 for electronic payment providers.
LocalCustomer and executed-operation data must be stored in Lebanon.
SIEMSystem logs, review mechanisms, and monitoring evidence matter.
PTPenetration-test commitment is part of the technical document set.

What changed for Lebanese payment and fintech operators?

Banque du Liban issued Basic Circular No. 1 / Basic Decision No. 13790 on 9 January 2026 for Electronic Payment Services Providers. From a cybersecurity perspective, the decision is not only a licensing document. It creates a practical need for technical proof: secure onboarding, access control, system inventory, network topology, logs and SIEM, firewall and intrusion-detection controls, encryption, hardening, backup and storage procedures, business continuity, local data hosting, and a commitment to conduct intrusion penetration testing by specialized and reliable companies.

For founders and operators, this means the question is no longer “do we have an app?” The real question is: can your infrastructure, evidence, policies, monitoring, and security controls survive a regulatory and technical review?

Primary source: This page references Banque du Liban Basic Circular No. 1 / Basic Decision No. 13790 and its official circular listing. Review the official BDL source before making legal or licensing decisions: BDL Basic Circulars and Decision No. 13790 PDF.

E-money and wallets

Wallet providers need technical evidence around onboarding, identity checks, account protection, transaction controls, logs, and data location.

Local and cross-border transfers

Money-transfer workflows need traceability, secure records, operational monitoring, and controls that can prove how transfers are protected.

Payment gateways and facilitators

Gateway platforms need strong application security, encryption, firewall/IDS posture, hardening, backup, continuity, and penetration testing evidence.

BDL 13790 technical readiness checklist

The strongest approach is to build a technical evidence pack before the pressure starts. Think Unlimited structures the work as a cybersecurity readiness layer: architecture review, control mapping, documentation, testing, remediation, and proof collection.

MFA and onboardingReview customer onboarding, operation verification, OTP or dynamic-code flows, session controls, and abuse-resistant access logic.
Access Control ListDocument who can access systems, dashboards, databases, logs, cloud panels, admin portals, and sensitive operations.
System inventoryCreate an inventory for devices, application systems, database systems, network systems, and security systems used by the platform.
Infrastructure topologyMap public endpoints, private services, databases, firewalls, reverse proxies, backups, monitoring, and third-party processors.
SIEM and logsPrepare log collection, log retention, review workflows, alerting, and monitoring evidence for security and regulatory review.
Firewall and IDS proceduresReview firewall exposure, intrusion-detection approach, proxy controls, public ports, admin access, and risky route protections.
EncryptionDocument encryption procedures for transport, storage, credentials, backups, API communication, and sensitive records.
HardeningHarden operating systems, services, applications, admin panels, databases, headers, secrets, SSH, backups, and deployment workflows.
Application self-protectionReview web app and API protection against injection, broken access control, weak sessions, abuse, automation, and account takeover.
Backup and storageDocument backup frequency, restoration proof, storage location, encryption, retention, and operational continuity expectations.
Business continuityBuild incident response, emergency access, disaster recovery, outage handling, and recovery-time evidence around the IT system.
Penetration testingPrepare a proper penetration-testing scope for web apps, APIs, admin portals, authentication, payment flows, and infrastructure exposure.
Local data hostingMap where customer and executed-operation data are stored and prepare evidence that the technical storage model aligns with Lebanon hosting requirements.

How Think Unlimited helps

  • Cybersecurity gap audit: identify missing controls before a formal review.
  • Web app and API penetration testing: test authentication, permissions, payment workflows, admin panels, and exposed endpoints.
  • Infrastructure hardening: review public ports, services, headers, SSL, WAF posture, SSH, secrets, backups, and monitoring.
  • Evidence pack preparation: organize topology, inventory, access-control, SIEM/logging, backup, hardening, and testing proof.
  • Remediation support: fix technical gaps with controlled, documented, non-destructive changes.

Important boundary

Think Unlimited supports cybersecurity architecture, technical readiness, penetration testing, hardening, monitoring, and evidence preparation. This page is not legal advice and does not replace legal counsel, regulatory counsel, or direct coordination with Banque du Liban and the Banking Control Commission of Lebanon.

The strongest implementation is a combined track: legal/regulatory counsel handles licensing interpretation, while Think Unlimited prepares the technical cybersecurity side with clear proof and remediation.

Related cybersecurity services in Lebanon

This BDL 13790 readiness page is part of the Think Unlimited cybersecurity Lebanon cluster. Use these related pages to understand the technical services behind a complete readiness plan.

Cybersecurity Lebanon AI Cybersecurity Lebanon Penetration Testing Lebanon Vulnerability Assessment Lebanon Managed Cybersecurity Lebanon AI Threat Detection Lebanon

Preparing a Lebanese payment, wallet, gateway, or fintech platform?

Build the technical proof before the pressure. Think Unlimited can review your web app, API, infrastructure, logging, access control, backup, hardening, and penetration-testing readiness.