iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 5201:2024

(Main)

Financial services — Code-scanning payment security

Financial services — Code-scanning payment security

This document provides an overview, risk assessment, minimum security requirements and extended security guidelines for code-scanning payment in which the payer uses a mobile device to operate the payment transaction. This document is applicable to cases where the payment code is used to initiate a mobile payment and presented by either the payer or the payee. The following is excluded from the scope of this document: — details of payer and payee onboarding; — details of the supporting payment infrastructure, as described in 5.1.

Titre manque

General Information

Status
Published
Publication Date
18-Apr-2024
ICS
03.060 - Finances. Banking. Monetary systems. Insurance
35.240.40 - IT applications in banking
Technical Committee
ISO/TC 68/SC 2 - Financial Services, security
Drafting Committee
ISO/TC 68/SC 2 - Financial Services, security
Current Stage
6060 - International Standard published
Start Date
19-Apr-2024
Due Date
04-May-2024
Completion Date
19-Apr-2024
Ref Project

Buy Standard

ISO 5201:2024 - Financial services — Code-scanning payment security Released:19. 04. 2024ISO 5201:2024 - Financial services — Code-scanning payment security Released:19. 04. 2024
PreviousNext
Standard
ISO 5201:2024 - Financial services — Code-scanning payment security Released:19. 04. 2024
English language
30 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/PRF 5201 - Financial services — Code-scanning payment security Released:4. 03. 2024ISO/PRF 5201 - Financial services — Code-scanning payment security Released:4. 03. 2024
PreviousNext
Draft
ISO/PRF 5201 - Financial services — Code-scanning payment security Released:4. 03. 2024
English language
30 pages
sale 15% off
Preview
sale 15% off
Preview
REDLINE ISO/PRF 5201 - Financial services — Code-scanning payment security Released:4. 03. 2024REDLINE ISO/PRF 5201 - Financial services — Code-scanning payment security Released:4. 03. 2024
PreviousNext
Draft
REDLINE ISO/PRF 5201 - Financial services — Code-scanning payment security Released:4. 03. 2024
English language
30 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

International
Standard
ISO 5201
First edition
Financial services — Code-scanning
2024-04
payment security
Reference number
ISO 5201:2024(en) © ISO 2024

---------------------- Page: 1 ----------------------
ISO 5201:2024(en)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

© ISO 2024 – All rights reserved
ii

---------------------- Page: 2 ----------------------
ISO 5201:2024(en)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 4
5 Overview of code-scanning payment . 4
5.1 Basic framework of code-scanning payment .4
5.2 Mandatory steps and implementation modes of code-scanning payment.6
5.2.1 Mandatory steps .6
5.2.2 Payer-presented mode .6
5.2.3 Payee-presented mode .6
6 Security target objectives and assumptions . 7
7 Risk assessment of code-scanning payment . 7
7.1 General .7
7.2 Common risks to both modes as defined in Clause 5 .7
7.2.1 Com_Risk_1: unauthorized user .7
7.2.2 Com_Risk_2: illegitimate code content .8
7.2.3 Com_Risk_3: tampered code image .8
7.2.4 Com_Risk_4: insecure message transmission . .8
7.2.5 Com_Risk_5: payer sensitive information leakage .
...

International
Standard
ISO 5201
First edition
Financial services — Code-scanning
payment security
PROOF/ÉPREUVE
Reference number
ISO 5201:2024(en) © ISO 2024

---------------------- Page: 1 ----------------------
ISO 5201:2024(en)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
PROOF/ÉPREUVE
© ISO 2024 – All rights reserved
ii

---------------------- Page: 2 ----------------------
ISO 5201:2024(en)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 4
5 Overview of code-scanning payment . 4
5.1 Basic framework of code-scanning payment .4
5.2 Mandatory steps and implementation modes of code-scanning payment.6
5.2.1 Mandatory steps .6
5.2.2 Payer-presented mode .6
5.2.3 Payee-presented mode .6
6 Security target objectives and assumptions . 7
7 Risk assessment of code-scanning payment . 7
7.1 General .7
7.2 Common risks to both modes as defined in Clause 5 .7
7.2.1 Com_ Risk_1: unauthorized user .7
7.2.2 Com_Risk_2: illegitimate code content .8
7.2.3 Com_Risk_3: tampered code image .8
7.2.4 Com_ Risk_4: insecure message transmission .8
7.2.5 Com_ Risk_5: payer sensitive information leakage .
...

ISO/DIS PRF 5201.2:2023(E)
Date: 2023-11-17
ISO/TC 68/SC 2/WG 19
Secretariat: BSI
Date: 2024-03-04
Financial services — Code-scanning payment security
PROOF

---------------------- Page: 1 ----------------------
ISO/PRF 5201:2024(en)
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication
may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying,
or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO
at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
E-mail: copyright@iso.org
Website: www.iso.org
Field Code Changed
Published in Switzerland
© ISO 2024 – All rights reserved

ii

---------------------- Page: 2 ----------------------
ISO/PRF 5201:2024(en)
Contents
Foreword . vi
Introduction. vii
1 Scope .1
2 Normative references .1
3 Terms and definitions .2
4 Abbreviated terms .4
5 Overview of code-scanning payment .5
5.1 Basic framework of code-scanning payment .5
5.2 Mandatory steps and implementation modes of code-scanning payment .7
5.2.1 Mandatory steps .7
5.2.2 Payer-presented mode .8
5.2.3 Payee-presented mode .8
6 Security target objectives and assumptions .8
7 Risk assessment of code-scanning payment .9
7.1 General .9
7.2 Common risks to both modes as defined in Clause 5 .9
7.2.1 Com_ Risk_1: unauthorized user .9
7.2.2 Com_Risk_2: illegitimate code content .9
7.2.3 Com_Risk_3: tampered code image .9
7.2.4 Com_ Risk_4: insecure message transmission .9
7.2.5 Com_ Risk_5: payer sensitive information leakage . 10
7.2.6 Com_ Risk_6: payee sensitive information leakage .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/TS 23526:2023(Main)
Security aspects for digital currencies

This document specifies an acceptable security framework for the issuance and management of digital currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references. This document proposes a framework approach based on standards for mitigating vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.

  • Technical specification
    14 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
ISO
ISO 23195:2021(Main)
Security objectives of information systems of third-party payment services

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off
ISO
ISO/TR 14742:2010(Main)
Financial services — Recommendations on cryptographic algorithms and their use

ISO/TR 14742:2010 provides a list of recommended cryptographic algorithms for use within applicable financial services standards prepared by ISO/TC 68. It also provides strategic guidance on key lengths and associated parameters and usage dates. The focus is on algorithms rather than protocols, and protocols are in general not included in ISO/TR 14742:2010. ISO/TR 14742:2010 deals primarily with recommendations regarding algorithms and key lengths. The categories of algorithms covered in ISO/TR 14742:2010 are: block ciphers; stream ciphers; hash functions; message authentication codes (MACs); asymmetric algorithms; digital signature schemes giving message recovery, digital signatures with appendix, asymmetric ciphers; authentication mechanisms; key establishment and agreement mechanisms; key transport mechanisms. ISO/TR 14742:2010 does not define any cryptographic algorithms; however, the standards to which ISO/TR 14742:2010 refers may contain necessary implementation information as well as more detailed guidance regarding choice of security parameters, security analysis, and other implementation considerations.

  • Technical report
    31 pages
    English language
    sale 15% off
ISO
ISO/TS 9546(Main)
Guidelines for security framework of information systems of third-party payment services

The security framework addresses the implementation of security mechanisms to achieve the security objectives as defined in ISO 23195. The security framework is concerned with defining the means of providing protection for systems and objects within the TPP system environment, and for the interactions between such systems. This document describes a generic security framework that can apply to the provision of any TPP service, including: - the TPP logical structural model, - the definition of the security framework, - the design principles, responsibilities, and functional requirements to support the security mechanism, - guidelines for applying security framework defined in this document, for TPP services.

  • Draft
    24 pages
    English language
    sale 15% off
  • Draft
    24 pages
    English language
    sale 15% off
ISO
ISO/TS 23526:2023(Main)
Security aspects for digital currencies

This document specifies an acceptable security framework for the issuance and management of digital currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references. This document proposes a framework approach based on standards for mitigating vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.

  • Technical specification
    14 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
ISO
ISO/TR 22126-3:2023(Main)
Financial services — Semantic technology — Part 3: Semantic enrichment of the ISO 20022 conceptual model

This document examines semantic enrichment to support the maintenance of the ISO 20022 conceptual model. It reports on existing and proposed practices to enrich a model: — in a repository, annotating repository concepts with metadata using semantic markup or constraints; — outside a repository, using references to repository concepts, such as the provenance of changes.

  • Technical report
    12 pages
    English language
    sale 15% off
ISO
ISO/TR 22126-5:2022(Main)
Financial services — Semantic technology — Part 5: Mapping from FIX Orchestra to the common model

This document reports on a study to map messages defined using FIX Orchestra into the ISO 20022 model.

  • Technical report
    6 pages
    English language
    sale 15% off
ISO
ISO 23195:2021(Main)
Security objectives of information systems of third-party payment services

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off