Guidelines for security framework of information systems of third-party payment services

This document provides guidelines for a security framework to address the implementation of security mechanisms in technical infrastructures designed for the provision of third-party payment (TPP) services in order to achieve the security objectives defined in ISO 23195. The security framework is intended to protect critical systems and objects within the TPP system environment, either under the direct control of the third-party payment service provider (TPPSP) or by another entity (e.g. a bank). This document is applicable to the provision of any TPP service, including:
— the TPP logical structural model;
— the definition of the security framework;
— the design principles, responsibilities and functional recommendations to support the security mechanism;
— guidelines for applying the security framework defined in this document.

Lignes directrices relatives au cadre de sécurité des systèmes d'information des prestataires de services de paiement

General Information

Status: Published
Publication Date: 18-Dec-2024
Current Stage: 6060 - International Standard published
Start Date: 19-Dec-2024
Due Date: 19-Dec-2024
Completion Date: 19-Dec-2024
Ref Project:

Buy Standard

Technical specification
ISO/TS 9546:2024 - Guidelines for security framework of information systems of third-party payment services
Released: 12/19/2024
English language
24 pages

Standards Content (Sample)


Technical Specification
ISO/TS 9546
First edition
2024-12
Guidelines for security framework of information systems of third-party payment services
Lignes directrices relatives au cadre de sécurité des systèmes d'information des prestataires de services de paiement
Reference number
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents (page)

Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 4
5 TPP logical structural models ... 4
5.1 General introduction ... 4
5.2 TPP logical structural model without the TPP-AIS ... 4
5.3 TPP logical structural model with the TPP-AIS ... 5
6 TPP security functional recommendations ... 6
6.1 General security functional recommendations ... 6
6.1.1 General ... 6
6.1.2 Identification and authentication ... 6
6.1.3 Authorization ... 7
6.1.4 Audit logging ... 8
6.1.5 Asset protection ... 8
6.2 Security functional recommendations for TPPSP credentials carrier (C2) ... 8
6.2.1 Encryption ... 8
6.2.2 User authentication ... 9
6.2.3 Access control ... 9
6.3 Security functional recommendations for payment terminal (C3) ... 9
6.3.1 Encryption ... 9
6.3.2 User authentication ... 9
6.3.3 Logical security ... 9
6.3.4 Transaction security ... 9
6.3.5 Payment-sensitive information protection ... 10
6.4 Security functional recommendations for TPPSP gatekeepers (C5) ... 10
6.4.1 Access control ... 10
6.4.2 Transaction security ... 10
6.4.3 Audit logging ... 10
6.5 Security functional recommendations for TPP-BIS (C6) ... 10
6.5.1 User authentication ... 10
6.5.2 Transaction security ... 11
6.5.3 Payment-sensitive information protection ... 11
6.5.4 Risk control ... 11
6.6 Security functional recommendations for TPP-AIS (C15) ... 11
6.6.1 Encryption ... 11
6.6.2 Identity verification ... 11
6.6.3 Transaction security ... 11
7 TPP security framework ... 11
7.1 Security framework overview ... 11
7.2 Process layer ... 12
7.2.1 Overview ... 12
7.2.2 Identification and authentication ... 12
7.2.3 Authorization ... 13
7.2.4 Audit logging ... 13
7.2.5 Asset protection ... 13
7.3 Application layer ... 14
7.3.1 Overview ... 14
7.3.2 Security measures for TPPSP credentials carrier (C2) ... 14
7.3.3 Security measures for TPP payment terminal (C3) ... 14
7.3.4 Security measures for TPPSP gatekeeper (C5) ... 15
7.3.5 Security measures for TPP-BIS (C6) ... 15
7.3.6 Security measures for TPP-AIS (C15) ... 16
7.4 Infrastructure layer ... 16
8 Guidelines for implementation of the security framework ... 16
8.1 Overview of and steps for the guidelines ... 16
8.2 Real-world practices of the security framework ... 17
8.2.1 Overview ... 17
8.2.2 Practices of payment application (C3) ... 17
8.2.3 Practices of TPPSP gatekeeper (C5) and TPP-BIS (C6) ... 18
8.2.4 Practices of TPP-AIS (C15) ... 19
Annex A (informative) Examples of TPP implementation ... 20
Bibliography ... 24

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. A
...
