Security aspects for digital currencies

Titre manque

General Information

Status
Not Published
Current Stage
6000 - International Standard under publication
Completion Date
16-Aug-2023
Ref Project

Buy Standard

Draft
REDLINE ISO/PRF TS 23526 - Security aspects for digital currencies Released:20. 07. 2023
English language
14 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/PRF TS 23526 - Security aspects for digital currencies Released:20. 07. 2023
English language
14 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

ISO/PRF TS 23526
ISO/TC 68/SC 02/WG 17 2
Secretariat: BSI
Date: YYYY-MM-DD2023-07-19
Security Aspectsaspects for Digital Currenciesdigital currencies
FDIS stage

© ISO 2023 – All rights reserved

---------------------- Page: 1 ----------------------
© ISO/TS 23526 2023

Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.



© ISO #### – All rights reserved

---------------------- Page: 2 ----------------------
ISO/PRF TS 23526:(E)
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this
publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical,
including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can
be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
EmailE-mail: copyright@iso.org
Website: www.iso.orgwww.iso.org
Published in Switzerland

iv © ISO 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/PRF TS 23526:(E)
Contents
Foreword . vii
Introduction . viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Considerations on security framework for digital . 2
4.1 General . 2
4.2 Security considerations for processing digital currencies . 3
4.3 Variations of security frameworks . 3
4.3.1 Non-fiat digital currency (digital asset) security framework . 3
4.3.2 Creating a national digital currency with an anonymity security framework . 4
4.3.3 Secure digital cash as digital currency with consumer identity security framework . 4
4.4 Overview of security frameworks . 4
4.4.1 General . 4
4.4.2 Standards as a basis for security frameworks . 4
5 The emergence of currency in digital formats . 5
5.1 Digital cash representing money as a basis for financial usage with security. 5
5.2 Cryptocurrencies as a digital entity for financial usage . 6
5.3 Cryptocurrencies and the digital currency market challenges . 6
5.4 Cryptocurrencies and financial market formats . 7
5.5 Cryptocurrencies and banking regulation – stablecoin example . 8
5.6 Security criteria representing security aspects . 8
5.6.1 Security objects . 8
5.6.2 Key management . 9
5.6.3 Hiding and steganography techniques . 9
5.6.4 Digital representation . 9
5.6.5 Digital model . 9
5.6.6 Security countermeasures . 9
5.6.7 Legal and regulatory requirements . 9
5.6.8 Trust . 10
5.6.9 Chaining security processes . 10
5.6.10 Security framework implementation. 10
5.6.11 Platform independence . 10
5.6.12 Existing good practices . 10
5.6.13 Digital interfaces . 10
6 Critical areas for security to establish trust, acceptance and risk . 10
6.1 Digital wallets . 10
6.2 Specific security considerations . 12
6.3 Digital currency financial security framework considerations . 12
© ISO 2023 – All rights reserved v

---------------------- Page: 4 ----------------------
ISO/PRF TS 23526:(E)
7 Fraud and threat considerations . 12
Bibliography . 14

vi © ISO 2023 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/PRF TS 23526:(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO
collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC68TC 68, Financial Servicesservices,
Subcommittee SC 2, Information Security, Working group WG 17, Security aspects of digital
currenciesFinancial Services, security.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2023 – All rights reserved vii

---------------------- Page: 6 ----------------------
ISO/PRF TS 23526:(E)
Introduction
TheThere is a need for the international financial community should recogniseto recognize certain
security measures and criteria to promote public trust in digital currencies. From a security and
assurance perspective, protecting an ecosystem surrounding any type of digital currency ultimately
protects and informs any future issuance goal of a fiat digital currency. Security aspects as they relate to
cross-border transactions are to be compiled as well.
A look at the security horizon for the financial services digital currencies surfacesreveals a need to adjust
and to add new capabilities that include, including a broadening of the business needs for banking and
financial actions with security representing national and international uses. The financial landscape has
expanded into the digital realm that has caused, causing a re-examination of what has beentraditional
security technologies that have years of use, while the digital applications are constantly changing.
Adding an additionalanother digital dimension for secure payments and secure transactions with a digital
currency pushes the security paradigms and addingadds a mix of threats that become real for every level
of the financial ecosystem.
A security framework and assurance shouldneeds to recognize existing international financial
ecosystems and their security components. A security framework is needed that international financial
markets can select and adapt to their own needs.
To buildBuilding a digital currency model can require a security framework that is not identified in this
document. An example of a security framework that and is not included in this document isyet to be
determined.

viii © ISO 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/PRF TS 23526:(E)
Security Aspectsaspects for Digital Currenciesdigital currencies
1 Scope
This document specifies an acceptable security framework for the issuance and management of digital
currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references.
This document is intended to proposeproposes a framework approach based on standards for mitigating
vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design
and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
central bank digital currency
CBDC
central bank digital money
digital representation of cash, issued by the central bank and a claim on the central bank
3.2
crypto asset
digital asset (3.4) implemented using cryptographic techniques
[SOURCE: ISO 22739:2020(en),, 3.13]
3.3
cryptocurrency
crypto-asset (3.2) designed to work as a medium of value exchange
[SOURCE: ISO 22739:2020(en),, 3.14], modified — Note 1 to entry removed.]
3.4
digital asset
asset that exists only in digital form or which is the digital representation of another asset
[SOURCE: ISO 22739:2020(en),, 3.20]
3.5
digital currency
digital representation of monetary value
© ISO 2023 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/PRF TS 23526:(E)
3.6
distributed ledger
ledger that is shared across a set of DLTdistributed ledger technology nodes and synchronized between
the DLTdistributed ledger technology nodes using a consensus mechanism
[SOURCE: ISO 22739:2020(en),, 3.60]22, modified — Note 1 to entry removed.]
3.7
distributed ledger technology
DLT
technology that enables the operation and use of distributed ledgers
[SOURCE: ISO 22739:2020(en),, 3.23]
3.8
fiat digital currency
digital currency model representing a debt of a central bank that can be redeemed with fiat money and
mutually exclusive to non-fiat digital currency
3.9
non-fiat digital currency
digital currency model governed by a business contractual relationship between the user and the issuer
of the digital currency, whose value is not guaranteed by a central bank and is mutually exclusive to fiat
digital currency
3.10
identity-security
identity capabilities which can be used for associating an action or an individual to an event which
performs some security access protection
3.11
envelope security
secure encapsulated access control capability with cryptography and additional security features
3.12
security framework
framework which defines policies and procedures for establishing and maintaining security
4 Considerations on security framework for digital
4.1 General
An international standard regarding This document establishes the foundation for a security and its
aspects for a digital currency should be aligned with an effort to have a common reference model
framework for multiple independent digital currency representations.
Coupled to the security criteria, there is a need for a standard security model for the management of
digital currencies which can take advantage, in anticipation of the future development of an International
Standard.
A standard security, ideally, model is required to manage digital currencies that can utilize global security
practices and ofadapt to local regulations. The security model can be designed as a series of interacting
modules implementing security controls under the responsibility of entities playing a pre-
definedpredefined role. This security model could be extended to encompass and to protect existing
financial applications using digital currencies, either fiat or non-fiat. As a framework, the security model
2 © ISO 2023 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/PRF TS 23526:(E)
offers interoperability of information exchange as well as support for multiple currency objects, each
supporting their own security process.
The international financial community has undertaken many existing infrastructure investments in
which the introduction of security has historically been a major burden and easily deferred. However,
international financial organisations have experienced a growth in digital threats to payments, to
transactions, and to other forms of financial exchanges.
Security frameworks with their security technologies and components are anticipated. AThe security
framework is needed thatcan be customizable by international financial markets can select and adapt to
meet their own needs and not treat the subjectindividual requirements, instead of treating security
aspects as a one design for -size-fits-all frameworkssolution. The goal is to establish an international
trusted financial infrastructure based on a collection of national financial architectures to include all
stakeholder members.
4.2 Security considerations for processing digital currencies
Security considerations for processing digital currencies include:
— Thethe need to agree on the security objectives for digital currency systems;
— Thethe roles required to manage a digital currency system;
— Thethe provision of controlled access to repositories of digital currencies, such as wallets;
— Thethe conflicts between confidentiality, and anonymity for users of digital currencies, and the desire
of regulators to control transactions;
— Thethe integrity or assurance of non-alteration of digital currency units;
— Thethe nature of the personal security credentials or attributes (e.g. cryptographic keys,
authentication elements, and certificates) used to generate evidence of a particular operation
involving digital currencies;
— Riskrisk impact assessment of different alternatives to process digital currencies;
— Functionalfunctional engineering considerations: Availabilityavailability of infrastructures and of
appropriate personal devices to load and pay with digital currencies in a convenient way, including
transaction speed and the portability of digital currency unit aspects.
4.3 Variations of security frameworks
4.3.1 Non-fiat digital currenciescurrency (digital assetsasset) security framework
The internationalInternational financial services have expanded athe role for aof virtual
currencycurrencies to account for the multiple definitions and models that have surfaced forof what can
be considered as non-fiat digital currencies with awithin the context asof digital assets. Cryptography has
been a major enabler for security among the non-fiat digital currencies:.
EarlyBitcoin emerged early in the formation of a virtual currency emerged Bitcoin currencies with a
commercial generation of its currency aspect. ( (i.e. a commercial monetary infrastructure as a potential
cryptocurrency).
Other digital currency models evolved that relate to a digital form of a national currency with an emphasis
ofon cryptography. The notion of a stablecoin designation emerged as a bridging mechanism for
cryptocurrency digital currency model with a stated Stablecoins were created to bridge the gap between
cryptocurrencies and national monetary designation that wascurrencies without itstheir own security
protection. Stablecoins with a 1:1 ration of a tokenthat were pegged to a national currency ratio without
itstheir own security criteria was volatilemeasures were unstable in currency exchanges. A missing
© ISO 2023 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/PRF TS 23526:(E)
element can be included with a stablecoin to enhanceTo improve the security profile for a national
currency so thatof stablecoins and address the risk and liability for a stablecoin can be addressed.
Including security functionality as a stablecoin can be viewed as a digital representation of digital cash.
Security assets are available for a Central Authority to considernational currencies, security features
outlined herein are required. Once security considerations are addressed, stablecoins can evolve into a
digital version of physical cash, with security measures provided by a central authority.
International banks are examining and developing their own digital currency methodologies, which can
include cryptocurrencies with security and stablecoins. A collective body of banks and financial
institutions are included in central bank digital currency (CBDC) efforts.
4.3.2 Creating a national digital currency with an anonymity security framework
Before the digital format was available, physical money based on ISO 4217 as a national designation was
the primary means of financial exchange. The Central Authority as a Central Bank minted the money and
included various analogue security technologies and techniques with the intent of preventing fraud. The
advent of the digital format has shifted the focus to alternative usages, which in turn has created new
security paradigms. The securitySecurity can be atdirected towards the now digital representation of
currency or a focus of security fortowards a digital use case which includes the digitalthat involves
currency representation of currency. Digital currency can be seen as digital cash with security properties
resulting in anonymity, either for one counterparty to a transaction (for example,e.g. the consumer) or
for both counterparties to a transaction. The degree of anonymity associated with digital currency, and
which counterparties have anonymity, can have legal and liability implications wherein security can
haveplay a role.
4.3.3 Secure digital cash as digital currency with consumer identity security framework
Identity security can be extended beyond the digital currency boundary to include a consumer or
equivalent that would be a party to a payment or a transaction. Digital currency can be a digital cash that
includes inherent security features and that a separate layer of identity security is included, perhaps for
the digital application associated with a financial payment, or to link the transaction and the consumer.
Security frameworks with their security technologies and components are anticipated: The goal is to
establish a globalThe security framework can serve as the basis for an international trusted financial
infrastructure based on a collection of securely integrated national financial architectures that includes
all stakeholder membersstakeholders.
4.4 Overview forof security frameworks
4.4.1 General
A security framework should include the current security best practices of technologies and
advancements within standards to address:
— the business model leveraging digital currencies for commercial banks;
— agreed consensus for a security and assurance architecture to cross international borders with digital
currencies, and;
— a security paradigm which can deliver security for a whole dimension of the IT/Securitysecurity
international digital currency architectures.
4.4.14.4.2 Standards as a basis for security frameworks
The realm of digital currencies and their security aspects is contained in banking security standards
which are identified in ISO standards. Other standards bodies exist which could be used by central
authorities to complement ISO standards where the additional security capabilities are sought.
4 © ISO 2023 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/PRF TS 23526:(E)
5 The emergence of currency in digital formats
5.1 Digital cash representing money as a basis for financial usagesusage with security
Digital cash (also cited as central bank digital money) can be viewed as an emulation of a current physical
national currency, such as the dollar, euro, dollars, euros or yuan, or other national currency with their
security (and, optionally, identity-security references) present with usage. Legal aspects and rules
associated with financial practices can be the basis for putting digital cash ininto practice. Like a reserve
currency, digital cash can have an integrity-security envelope for itself that can index a digital relationship
with identity-security to extend the digital cash into digital applications and to add digital asset value.
Technologies are available to offer security for different environments from a currency-only environment
to currency with differing digital application environments that can include the individual. A national
body establishes direction for defining digital cash as currency and to establish security technologies with
digital platforms. The result of a digital cash architecture and its associated security is to create trust
acceptance in practice.
Before the digital format was available, physical money was the primary means of financial exchange. The
central authority as a central bank minted the money and included various analogue security
technologies and techniques with the intent of preventing fraud. The advent of the digital format has
shifted the focus to alternative usages, which in turn has created new decisions for the use of security
paradigms. The extent of security technologies can have a limited role to focus, focusing on privacy and
security, or have a broader role, with a fiat digital representation of currency. With either representation,
security can be included without the consumer, or an equivalent being identified. Security can be the
focus of an internal anti-fraud role within a digital form of money. In the case of a digital representation
of money, security is to focusfocuses on the digital currency entity and not any application using the
digital currency. Digital currency can be seen as digital cash with a potential level of containment-security
protection, while maintaining anonymity. The anonymity associated with digital currency can have legal
liability boundaries. Minting of this digital currency and its distribution is outside the scope of this
document.
User-linked digital cash as digital currency with identity can be extended beyond the digital currency
boundary to include a consumer or equivalent that would be a party to a payment or a transaction. Digital
currency can be a digital cash that includes inherent security that a separate layer of security is included
for the digital application associated with a financial payment or a financial transaction.
Existing security tools and techniques can be applied to digital cash without consumer identity. Other
security technologies and techniques with their standards from the Bibliography can be used. There is a
collection of security technologies and security techniques that are based on cryptography.
The following documents describe existing standards and security technologies that are relevant to
digital currencies:
— the ISO 13491 series;
— ISO/TR 13569;
— ISO/TR 14742;
— the ISO/IEC 15408 series;
— ISO 16609;
— ISO/IEC 17799;
— ISO/IEC 18028;
— the ISO/IEC 18033 series;
© ISO 2023 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO/PRF TS 23526:(E)
— ISO/IEC 18045;
— ISO 19092;
— the ISO/IEC 19989 series;
— ISO 20038;
— ISO/TR 24374.
5.2 Cryptocurrencies as a digital entity for financial usagesusage
For several years, private cryptocurrencies have been emerging in both national and international
financial markets. They are the result of central bank authorities that are exploring the feasibility for a
digital currency role in their financial ecosystem. The history of the subject has been constantly evolving.
It needs to be recognized that the subject of digital currency can be complex, with various definitions and
with differing security directions from international central authorities and commercial bodies.
AThe choice forof including a cryptocurrency needs to considerrequires consideration of the value of
security to the policy and to the legal boundaries that exist. A security profile will needneeds a
relationship to a financial business model which is trusted and accepted by the international community.
The following overview is an introduction to the role(s) for cryptocurrency, with an intent to present an
international input with security for a fiat digital currency or a private digital currency solution with its
security. To begin, technology is influencing direction for advancing a digital currency solution. Within
the international financial markets, there are established financial ecosystems. In parallel, there are new
or near-nearly new financial entities which are advancing. Existing financial entities have established
policies, technologies, and ecosystems that represent an economic capability and investment. Changes to
their economic capability with new security paradigms, as woul
...

TECHNICAL ISO/TS
SPECIFICATION 23526
First edition
Security aspects for digital currencies
PROOF/ÉPREUVE
Reference number
ISO/TS 23526:2023(E)
© ISO 2023

---------------------- Page: 1 ----------------------
ISO/TS 23526:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
PROOF/ÉPREUVE © ISO 2023 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TS 23526:2023(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Considerations on security framework for digital . 2
4.1 General . 2
4.2 Security considerations for processing digital currencies . 3
4.3 Variations of security frameworks . 3
4.3.1 Non-fiat digital currency (digital asset) security framework . 3
4.3.2 Creating a national digital currency with an anonymity security framework . 3
4.3.3 Secure digital cash as digital currency with consumer identity security
framework . 4
4.4 Overview of security frameworks . 4
4.4.1 General . 4
4.4.2 Standards as a basis for security frameworks . 4
5 The emergence of currency in digital formats . 4
5.1 Digital cash representing money as a basis for financial usage with security . 4
5.2 Cryptocurrencies as a digital entity for financial usage . 5
5.3 Cryptocurrencies and the digital currency market challenges . 6
5.4 Cryptocurrencies and financial market formats . 6
5.5 Cryptocurrencies and banking regulation – stablecoin example . 7
5.6 Security criteria representing security aspects. 8
5.6.1 Security objects . 8
5.6.2 Key management . 8
5.6.3 Hiding and steganography techniques . 8
5.6.4 Digital representation . 8
5.6.5 Digital model . 8
5.6.6 Security countermeasures . 9
5.6.7 Legal and regulatory requirements . 9
5.6.8 Trust . 9
5.6.9 Chaining security processes . 9
5.6.10 Security framework implementation . 9
5.6.11 Platform independence . 9
5.6.12 Existing good practices . 9
5.6.13 Digital interfaces . 9
6 Critical areas for security to establish trust, acceptance and risk .10
6.1 Digital wallets . 10
6.2 Specific security considerations . 11
6.3 Digital currency financial security framework considerations . 11
7 Fraud and threat considerations .11
Bibliography .13
iii
© ISO 2023 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 3 ----------------------
ISO/TS 23526:2023(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial Services, security.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
iv
PROOF/ÉPREUVE © ISO 2023 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TS 23526:2023(E)
Introduction
There is a need for the international financial community to recognize certain security measures
and criteria to promote public trust in digital currencies. From a security and assurance perspective,
protecting an ecosystem surrounding any type of digital currency ultimately protects and informs
any future issuance goal of a fiat digital currency. Security aspects as they relate to cross-border
transactions are to be compiled as well.
A look at the security horizon for digital currencies reveals a need to adjust and to add new capabilities,
including a broadening of the business needs for banking and financial actions with security
representing national and international uses. The financial landscape has expanded into the digital
realm, causing a re-examination of traditional security technologies, while digital applications are
constantly changing. Adding another digital dimension for secure payments and secure transactions
with a digital currency pushes the security paradigms and adds a mix of threats that become real for
every level of the financial ecosystem.
A security framework and assurance needs to recognize existing international financial ecosystems
and their security components. A security framework is needed that international financial markets
can select and adapt to their own needs.
Building a digital currency model can require a security framework that is not identified in this
document and is yet to be determined.
v
© ISO 2023 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 5 ----------------------
TECHNICAL SPECIFICATION ISO/TS 23526:2023(E)
Security aspects for digital currencies
1 Scope
This document specifies an acceptable security framework for the issuance and management of digital
currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references.
This document proposes a framework approach based on standards for mitigating vulnerabilities for
digital currency systems. The objective is that security aspects are integrated by design and not added
afterwards as an extra processing layer that needs to accommodate legacy infrastructures.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
central bank digital currency
CBDC
central bank digital money
digital representation of cash, issued by the central bank and a claim on the central bank
3.2
crypto asset
digital asset (3.4) implemented using cryptographic techniques
[SOURCE: ISO 22739:2020, 3.13]
3.3
cryptocurrency
crypto-asset (3.2) designed to work as a medium of value exchange
[SOURCE: ISO 22739:2020, 3.14, modified — Note 1 to entry removed.]
3.4
digital asset
asset that exists only in digital form or which is the digital representation of another asset
[SOURCE: ISO 22739:2020, 3.20]
3.5
digital currency
digital representation of monetary value
1
© ISO 2023 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 6 ----------------------
ISO/TS 23526:2023(E)
3.6
distributed ledger
ledger that is shared across a set of distributed ledger technology nodes and synchronized between the
distributed ledger technology nodes using a consensus mechanism
[SOURCE: ISO 22739:2020, 3.22, modified — Note 1 to entry removed.]
3.7
distributed ledger technology
DLT
technology that enables the operation and use of distributed ledgers
[SOURCE: ISO 22739:2020, 3.23]
3.8
fiat digital currency
digital currency model representing a debt of a central bank that can be redeemed with fiat money and
mutually exclusive to non-fiat digital currency
3.9
non-fiat digital currency
digital currency model governed by a business contractual relationship between the user and the issuer
of the digital currency, whose value is not guaranteed by a central bank and is mutually exclusive to fiat
digital currency
3.10
identity-security
identity capabilities which can be used for associating an action or an individual to an event which
performs some security access protection
3.11
envelope security
secure encapsulated access control capability with cryptography and additional security features
3.12
security framework
framework which defines policies and procedures for establishing and maintaining security
4 Considerations on security framework for digital
4.1 General
This document establishes the foundation for a security framework for digital currencies, in anticipation
of the future development of an International Standard.
A standard security model is required to manage digital currencies that can utilize global security
practices and adapt to local regulations. The security model can be designed as a series of interacting
modules implementing security controls under the responsibility of entities playing a predefined role.
This security model could be extended to encompass and to protect existing financial applications using
digital currencies, either fiat or non-fiat. As a framework, the security model offers interoperability
of information exchange as well as support for multiple currency objects, each supporting their own
security process.
The international financial community has undertaken many existing infrastructure investments in
which the introduction of security has historically been a major burden and easily deferred. However,
international financial organisations have experienced a growth in digital threats to payments, to
transactions and to other forms of financial exchanges.
The security framework can be customizable by international financial markets to meet their individual
requirements, instead of treating security as a one-size-fits-all solution. The goal is to establish an
2
PROOF/ÉPREUVE © ISO 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/TS 23526:2023(E)
international trusted financial infrastructure based on a collection of national financial architectures
to include all stakeholder members.
4.2 Security considerations for processing digital currencies
Security considerations for processing digital currencies include:
— the need to agree on the security objectives for digital currency systems;
— the roles required to manage a digital currency system;
— the provision of controlled access to repositories of digital currencies, such as wallets;
— the conflicts between confidentiality and anonymity for users of digital currencies and the desire of
regulators to control transactions;
— the integrity or assurance of non-alteration of digital currency units;
— the nature of the personal security credentials or attributes (e.g. cryptographic keys, authentication
elements and certificates) used to generate evidence of a particular operation involving digital
currencies;
— risk impact assessment of different alternatives to process digital currencies;
— functional engineering considerations: availability of infrastructures and appropriate personal
devices to load and pay with digital currencies in a convenient way, including transaction speed and
the portability of digital currency unit aspects.
4.3 Variations of security frameworks
4.3.1 Non-fiat digital currency (digital asset) security framework
International financial services have expanded the role of virtual currencies to account for the multiple
definitions and models that have surfaced of what can be considered as non-fiat digital currencies
within the context of digital assets. Cryptography has been a major enabler for security among the non-
fiat digital currencies.
Bitcoin emerged early in the formation of virtual currencies with a commercial generation of its
currency aspect (i.e. a commercial monetary infrastructure as a potential cryptocurrency).
Other digital currency models evolved that relate to a digital form of a national currency with an
emphasis on cryptography. Stablecoins were created to bridge the gap between cryptocurrencies and
national currencies without their own security protection. Stablecoins that were pegged to a national
currency without their own security measures were unstable in currency exchanges. To improve the
security of stablecoins and address the risk and liability for national currencies, security features
outlined herein are required. Once security considerations are addressed, stablecoins can evolve into a
digital version of physical cash, with security measures provided by a central authority.
International banks are examining and developing their own digital currency methodologies, which
can include cryptocurrencies with security and stablecoins. A collective body of banks and financial
institutions are included in central bank digital currency (CBDC) efforts.
4.3.2 Creating a national digital currency with an anonymity security framework
Before the digital format was available, physical money based on ISO 4217 as a national designation was
the primary means of financial exchange. The Central Authority as a Central Bank minted the money
and included various analogue security technologies and techniques with the intent of preventing fraud.
The advent of the digital format has shifted the focus to alternative usages, which in turn has created
new security paradigms. Security can be directed towards the digital representation of currency or
towards a digital use case that involves currency representation. Digital currency can be seen as digital
3
© ISO 2023 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 8 ----------------------
ISO/TS 23526:2023(E)
cash with security properties resulting in anonymity, either for one counterparty to a transaction (e.g.
the consumer) or for both counterparties to a transaction. The degree of anonymity associated with
digital currency, and which counterparties have anonymity, can have legal and liability implications
wherein security can play a role.
4.3.3 Secure digital cash as digital currency with consumer identity security framework
Identity security can be extended beyond the digital currency boundary to include a consumer or
equivalent that would be a party to a payment or a transaction. Digital currency can be digital cash
that includes inherent security features and a separate layer of identity security, perhaps for the digital
application associated with a financial payment or to link the transaction and the consumer.
The security framework can serve as the basis for an international trusted financial infrastructure
based on a collection of securely integrated national financial architectures that includes all
stakeholders.
4.4 Overview of security frameworks
4.4.1 General
A security framework should include the current security best practices of technologies and
advancements within standards to address:
— the business model leveraging digital currencies for commercial banks;
— agreed consensus for a security and assurance architecture to cross international borders with
digital currencies;
— a security paradigm which can deliver security for a whole dimension of the IT/security international
digital currency architectures.
4.4.2 Standards as a basis for security frameworks
The realm of digital currencies and their security aspects is contained in banking security standards
which are identified in ISO standards. Other standards bodies exist which could be used by central
authorities to complement ISO standards where the additional security capabilities are sought.
5 The emergence of currency in digital formats
5.1 Digital cash representing money as a basis for financial usage with security
Digital cash (also cited as central bank digital money) can be viewed as an emulation of a current physical
national currency, such as dollars, euros or yuan, with their security (and, optionally, identity-security
references) present with usage. Legal aspects and rules associated with financial practices can be the
basis for putting digital cash into practice. Like a reserve currency, digital cash can have an integrity-
security envelope for itself that can index a digital relationship with identity-security to extend the
digital cash into digital applications and to add digital asset value. Technologies are available to offer
security for different environments from a currency-only environment to currency with differing
digital application environments that can include the individual. A national body establishes direction
for defining digital cash as currency and to establish security technologies with digital platforms. The
result of a digital cash architecture and its associated security is to create trust acceptance in practice.
Before the digital format was available, physical money was the primary means of financial exchange.
The central authority as a central bank minted the money and included various analogue security
technologies and techniques with the intent of preventing fraud. The advent of the digital format has
shifted the focus to alternative usages, which in turn has created new decisions for the use of security
paradigms. The extent of security technologies can have a limited role, focusing on privacy and security,
or a broader role, with a fiat digital representation of currency. With either representation, security can
4
PROOF/ÉPREUVE © ISO 2023 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TS 23526:2023(E)
be included without the consumer or an equivalent being identified. Security can be the focus of an
internal anti-fraud role within a digital form of money. In the case of digital representation of money,
security focuses on the digital currency entity and not any application using the digital currency.
Digital currency can be seen as digital cash with a potential level of containment-security protection,
while maintaining anonymity. The anonymity associated with digital currency can have legal liability
boundaries. Minting of this digital currency and its distribution is outside the scope of this document.
User-linked digital cash as digital currency with identity can be extended beyond the digital currency
boundary to include a consumer or equivalent that would be a party to a payment or a transaction.
Digital currency can be digital cash that includes inherent security that a separate layer of security is
included for the digital application associated with a financial payment or a financial transaction.
Existing security tools and techniques can be applied to digital cash without consumer identity.
The following documents describe existing standards and security technologies that are relevant to
digital currencies:
— the ISO 13491 series;
— ISO/TR 13569;
— ISO/TR 14742;
— the ISO/IEC 15408 series;
— ISO 16609;
— ISO/IEC 17799;
— ISO/IEC 18028;
— the ISO/IEC 18033 series;
— ISO/IEC 18045;
— ISO 19092;
— the ISO/IEC 19989 series;
— ISO 20038;
— ISO/TR 24374.
5.2 Cryptocurrencies as a digital entity for financial usage
For several years, private cryptocurrencies have been emerging in both national and international
financial markets. They are the result of central bank authorities exploring the feasibility for a digital
currency role in their financial ecosystem. The history of the subject has been constantly evolving.
It needs to be recognized that the subject of digital currency can be complex, with various definitions
and differing security directions from international central authorities and commercial bodies.
The choice of including a cryptocurrency requires consideration of the value of security to the policy
and the legal boundaries that exist. A security profile needs a relationship to a financial business
model which is trusted and accepted by the international community. The following overview is an
introduction to the role(s) for cryptocurrency, with an intent to present an international input with
security for a fiat digital currency or a private digital currency solution with its security. To begin,
technology is influencing direction for advancing a digital currency solution. Within the international
financial markets, there are established financial ecosystems. In parallel, there are new or nearly new
financial entities which are advancing. Existing financial entities have established policies, technologies
and ecosystems that represent an economic capability and investment. Changes to their economic
5
© ISO 2023 – All rights reserved PROOF/ÉPREUVE

---------------------- Page: 10 ----------------------
ISO/TS 23526:2023(E)
capability with new security paradigms, as would be associated with a cryptocurrency, will result in a
value of security to the overall national objective.
5.3 Cryptocurrencies and the digital currency market challenges
Technology innovation is transforming the context of financial services and products so that currencies
in a digital format are used or can be used.
Digital currency can be a representation of monetary value used for payment. The digital currency can
be identified as a fiat version representing a government or central authority submission. International
efforts, such as CBDC, are bringing forth various cryptocurrency choices that can be modelled
for a fiat digital currency solution. The international financial markets are also exhibiting private
cryptocurrency that includes their payment and transaction capabilities with their security paradigms.
This document recognizes that cryptocurrencies present significant challenges, such as:
— the presence of cryptocurrencies as non-fiat digital currencies;
— a mix of international financial central authorities surfacing with their national representations
through CBDC efforts;
— continuous, additional threat and fraud from digital ecosystem platforms;
— an advancement by a national body to shift the current monetary market position;
— the potential for a digital currency basket, in which multiple national bodies include currencies to
offer consumers an assortment of digital currency choices;
— a financial market that envisions technology innovations as an avenue for less costly transactions
with expanded business opportunities, while addressing these challenges;
— an established fiat financial architecture that sees the advantage of an additional digital
cryptocurrency application for supplemental economic gain.
5.4 Cryptocurrencies and financial market formats
Cryptocurrencies can include various financial market formats. A stablecoin can be considered a crypto
asset which seeks to stabilize a price with a "coin", a "token" or an "account", by linking value to that of
a pool of assets and/or with a national currency, which can serve as a means of payment and store of
value. It could be viewed as a different business case version of a payment vehicle that can have a fee
associated with the stablecoin reference beyond an application service fee. As an example, Bitcoin has
been present for a longer period and can represent a commercial value proposition associated with
only their coin and no linkage with any nati
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.