ISO/TS 23526

ISO/PRF TS 23526
ISO/TC 68/SC 02/WG 17 2
Secretariat: BSI
Date: YYYY-MM-DD2023-07-19
Security Aspectsaspects for Digital Currenciesdigital currencies
FDIS stage

© ISO 2023 – All rights reserved

---------------------- Page: 1 ----------------------
© ISO/TS 23526 2023

Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.



© ISO #### – All rights reserved

---------------------- Page: 2 ----------------------
ISO/PRF TS 23526:(E)
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this
publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical,
including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can
be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
EmailE-mail: copyright@iso.org
Website: www.iso.orgwww.iso.org
Published in Switzerland

iv © ISO 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/PRF TS 23526:(E)
Contents
Foreword . vii
Introduction . viii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Considerations on security framework for digital . 2
4.1 General . 2
4.2 Security considerations for processing digital currencies . 3
4.3 Variations of security frameworks . 3
4.3.1 Non-fiat digital currency (digital asset) security framework . 3
4.3.2 Creating a national digital currency with an anonymity security framework . 4
4.3.3 Secure digital cash as digital currency with consumer identity security framework . 4
4.4 Overview of security frameworks . 4
4.4.1 General . 4
4.4.2 Standards as a basis for security frameworks . 4
5 The emergence of currency in digital formats . 5
5.1 Digital cash representing money as a basis for financial usage with security. 5
5.2 Cryptocurrencies as a digital entity for financial usage . 6
5.3 Cryptocurrencies and the digital currency market challenges . 6
5.4 Cryptocurrencies and financial market formats . 7
5.5 Cryptocurrencies and banking regulation – stablecoin example . 8
5.6 Security criteria representing security aspects . 8
5.6.1 Security objects . 8
5.6.2 Key management . 9
5.6.3 Hiding and steganography techniques . 9
5.6.4 Digital representation . 9
5.6.5 Digital model . 9
5.6.6 Security countermeasures . 9
5.6.7 Legal and regulatory requirements . 9
5.6.8 Trust . 10
5.6.9 Chaining security processes . 10
5.6.10 Security framework implementation. 10
5.6.11 Platform independence . 10
5.6.12 Existing good practices . 10
5.6.13 Digital interfaces . 10
6 Critical areas for security to establish trust, acceptance and risk . 10
6.1 Digital wallets . 10
6.2 Specific security considerations . 12
6.3 Digital currency financial security framework considerations . 12
© ISO 2023 – All rights reserved v

---------------------- Page: 4 ----------------------
ISO/PRF TS 23526:(E)
7 Fraud and threat considerations . 12
Bibliography . 14

vi © ISO 2023 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/PRF TS 23526:(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO
collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC68TC 68, Financial Servicesservices,
Subcommittee SC 2, Information Security, Working group WG 17, Security aspects of digital
currenciesFinancial Services, security.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2023 – All rights reserved vii

---------------------- Page: 6 ----------------------
ISO/PRF TS 23526:(E)
Introduction
TheThere is a need for the international financial community should recogniseto recognize certain
security measures and criteria to promote public trust in digital currencies. From a security and
assurance perspective, protecting an ecosystem surrounding any type of digital currency ultimately
protects and informs any future issuance goal of a fiat digital currency. Security aspects as they relate to
cross-border transactions are to be compiled as well.
A look at the security horizon for the financial services digital currencies surfacesreveals a need to adjust
and to add new capabilities that include, including a broadening of the business needs for banking and
financial actions with security representing national and international uses. The financial landscape has
expanded into the digital realm that has caused, causing a re-examination of what has beentraditional
security technologies that have years of use, while the digital applications are constantly changing.
Adding an additionalanother digital dimension for secure payments and secure transactions with a digital
currency pushes the security paradigms and addingadds a mix of threats that become real for every level
of the financial ecosystem.
A security framework and assurance shouldneeds to recognize existing international financial
ecosystems and their security components. A security framework is needed that international financial
markets can select and adapt to their own needs.
To buildBuilding a digital currency model can require a security framework that is not identified in this
document. An example of a security framework that and is not included in this document isyet to be
determined.

viii © ISO 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/PRF TS 23526:(E)
Security Aspectsaspects for Digital Currenciesdigital currencies
1 Scope
This document specifies an acceptable security framework for the issuance and management of digital
currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references.
This document is intended to proposeproposes a framework approach based on standards for mitigating
vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design
and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
central bank digital currency
CBDC
central bank digital money
digital representation of cash, issued by the central bank and a claim on the central bank
3.2
crypto asset
digital asset (3.4) implemented using cryptographic techniques
[SOURCE: ISO 22739:2020(en),, 3.13]
3.3
cryptocurrency
crypto-asset (3.2) designed to work as a medium of value exchange
[SOURCE: ISO 22739:2020(en),, 3.14], modified — Note 1 to entry removed.]
3.4
digital asset
asset that exists only in digital form or which is the digital representation of another asset
[SOURCE: ISO 22739:2020(en),, 3.20]
3.5
digital currency
digital representation of monetary value
© ISO 2023 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/PRF TS 23526:(E)
3.6
distributed ledger
ledger that is shared across a set of DLTdistributed ledger technology nodes and synchronized between
the DLTdistributed ledger technology nodes using a consensus mechanism
[SOURCE: ISO 22739:2020(en),, 3.60]22, modified — Note 1 to entry removed.]
3.7
distributed ledger technology
DLT
technology that enables the operation and use of distributed ledgers
[SOURCE: ISO 22739:2020(en),, 3.23]
3.8
fiat digital currency
digital currency model representing a debt of a central bank that can be redeemed with fiat money and
mutually exclusive to non-fiat digital currency
3.9
non-fiat digital currency
digital currency model governed by a business contractual relationship between the user and the issuer
of the digital currency, whose value is not guaranteed by a central bank and is mutually exclusive to fiat
digital currency
3.10
identity-security
identity capabilities which can be used for associating an action or an individual to an event which
performs some security access protection
3.11
envelope security
secure encapsulated access control capability with cryptography and additional security features
3.12
security framework
framework which defines policies and procedures for establishing and maintaining security
4 Considerations on security framework for digital
4.1 General
An international standard regarding This document establishes the foundation for a security and its
aspects for a digital currency should be aligned with an effort to have a common reference model
framework for multiple independent digital currency representations.
Coupled to the security criteria, there is a need for a standard security model for the management of
digital currencies which can take advantage, in anticipation of the future development of an International
Standard.
A standard security, ideally, model is required to manage digital currencies that can utilize global security
practices and ofadapt to local regulations. The security model can be designed as a series of interacting
modules implementing security controls under the responsibility of entities playing a pre-
definedpredefined role. This security model could be extended to encompass and to protect existing
financial applications using digital currencies, either fiat or non-fiat. As a framework, the security model
2 © ISO 2023 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/PRF TS 23526:(E)
offers interoperability of information exchange as well as support for multiple currency objects, each
supporting their own security process.
The international financial community has undertaken many existing infrastructure investments in
which the introduction of security has historically been a major burden and easily deferred. However,
international financial organisations have experienced a growth in digital threats to payments, to
transactions, and to other forms of financial exchanges.
Security frameworks with their security technologies and components are anticipated. AThe security
framework is needed thatcan be customizable by international financial markets can select and adapt to
meet their own needs and not treat the subjectindividual requirements, instead of treating security
aspects as a one design for -size-fits-all frameworkssolution. The goal is to establish an international
trusted financial infrastructure based on a collection of national financial architectures to include all
stakeholder members.
4.2 Security considerations for processing digital currencies
Security considerations for processing digital currencies include:
— Thethe need to agree on the security objectives for digital currency systems;
— Thethe roles required to manage a digital currency system;
— Thethe provision of controlled access to repositories of digital currencies, such as wallets;
— Thethe conflicts between confidentiality, and anonymity for users of digital currencies, and the desire
of regulators to control transactions;
— Thethe integrity or assurance of non-alteration of digital currency units;
— Thethe nature of the personal security credentials or attributes (e.g. cryptographic keys,
authentication elements, and certificates) used to generate evidence of a particular operation
involving digital currencies;
— Riskrisk impact assessment of different alternatives to process digital currencies;
— Functionalfunctional engineering considerations: Availabilityavailability of infrastructures and of
appropriate personal devices to load and pay with digital currencies in a convenient way, including
transaction speed and the portability of digital currency unit aspects.
4.3 Variations of security frameworks
4.3.1 Non-fiat digital currenciescurrency (digital assetsasset) security framework
The internationalInternational financial services have expanded athe role for aof virtual
currencycurrencies to account for the multiple definitions and models that have surfaced forof what can
be considered as non-fiat digital currencies with awithin the context asof digital assets. Cryptography has
been a major enabler for security among the non-fiat digital currencies:.
EarlyBitcoin emerged early in the formation of a virtual currency emerged Bitcoin currencies with a
commercial generation of its currency aspect. ( (i.e. a commercial monetary infrastructure as a potential
cryptocurrency).
Other digital currency models evolved that relate to a digital form of a national currency with an emphasis
ofon cryptography. The notion of a stablecoin designation emerged as a bridging mechanism for
cryptocurrency digital currency model with a stated Stablecoins were created to bridge the gap between
cryptocurrencies and national monetary designation that wascurrencies without itstheir own security
protection. Stablecoins with a 1:1 ration of a tokenthat were pegged to a national currency ratio without
itstheir own security criteria was volatilemeasures were unstable in currency exchanges. A missing
© ISO 2023 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/PRF TS 23526:(E)
element can be included with a stablecoin to enhanceTo improve the security profile for a national
currency so thatof stablecoins and address the risk and liability for a stablecoin can be addressed.
Including security functionality as a stablecoin can be viewed as a digital representation of digital cash.
Security assets are available for a Central Authority to considernational currencies, security features
outlined herein are required. Once security considerations are addressed, stablecoins can evolve into a
digital version of physical cash, with security measures provided by a central authority.
International banks are examining and developing their own digital currency methodologies, which can
include cryptocurrencies with security and stablecoins. A collective body of banks and financial
institutions are included in central bank digital currency (CBDC) efforts.
4.3.2 Creating a national digital currency with an anonymity security framework
Before the digital format was available, physical money based on ISO 4217 as a national designation was
the primary means of financial exchange. The Central Authority as a Central Bank minted the money and
included various analogue security technologies and techniques with the intent of preventing fraud. The
advent of the digital format has shifted the focus to alternative usages, which in turn has created new
security paradigms. The securitySecurity can be atdirected towards the now digital representation of
currency or a focus of security fortowards a digital use case which includes the digitalthat involves
currency representation of currency. Digital currency can be seen as digital cash with security properties
resulting in anonymity, either for one counterparty to a transaction (for example,e.g. the consumer) or
for both counterparties to a transaction. The degree of anonymity associated with digital currency, and
which counterparties have anonymity, can have legal and liability implications wherein security can
haveplay a role.
4.3.3 Secure digital cash as digital currency with consumer identity security framework
Identity security can be extended beyond the digital currency boundary to include a consumer or
equivalent that would be a party to a payment or a transaction. Digital currency can be a digital cash that
includes inherent security features and that a separate layer of identity security is included, perhaps for
the digital application associated with a financial payment, or to link the transaction and the consumer.
Security frameworks with their security technologies and components are anticipated: The goal is to
establish a globalThe security framework can serve as the basis for an international trusted financial
infrastructure based on a collection of securely integrated national financial architectures that includes
all stakeholder membersstakeholders.
4.4 Overview forof security frameworks
4.4.1 General
A security framework should include the current security best practices of technologies and
advancements within standards to address:
— the business model leveraging digital currencies for commercial banks;
— agreed consensus for a security and assurance architecture to cross international borders with digital
currencies, and;
— a security paradigm which can deliver security for a whole dimension of the IT/Securitysecurity
international digital currency architectures.
4.4.14.4.2 Standards as a basis for security frameworks
The realm of digital currencies and their security aspects is contained in banking security standards
which are identified in ISO standards. Other standards bodies exist which could be used by central
authorities to complement ISO standards where the additional security capabilities are sought.
4 © ISO 2023 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/PRF TS 23526:(E)
5 The emergence of currency in digital formats
5.1 Digital cash representing money as a basis for financial usagesusage with security
Digital cash (also cited as central bank digital money) can be viewed as an emulation of a current physical
national currency, such as the dollar, euro, dollars, euros or yuan, or other national currency with their
security (and, optionally, identity-security references) present with usage. Legal aspects and rules
associated with financial practices can be the basis for putting digital cash ininto practice. Like a reserve
currency, digital cash can have an integrity-security envelope for itself that can index a digital relationship
with identity-security to extend the digital cash into digital applications and to add digital asset value.
Technologies are available to offer security for different environments from a currency-only environment
to currency with differing digital application environments that can include the individual. A national
body establishes direction for defining digital cash as currency and to establish security technologies with
digital platforms. The result of a digital cash architecture and its associated security is to create trust
acceptance in practice.
Before the digital format was available, physical money was the primary means of financial exchange. The
central authority as a central bank minted the money and included various analogue security
technologies and techniques with the intent of preventing fraud. The advent of the digital format has
shifted the focus to alternative usages, which in turn has created new decisions for the use of security
paradigms. The extent of security technologies can have a limited role to focus, focusing on privacy and
security, or have a broader role, with a fiat digital representation of currency. With either representation,
security can be included without the consumer, or an equivalent being identified. Security can be the
focus of an internal anti-fraud role within a digital form of money. In the case of a digital representation
of money, security is to focusfocuses on the digital currency entity and not any application using the
digital currency. Digital currency can be seen as digital cash with a potential level of containment-security
protection, while maintaining anonymity. The anonymity associated with digital currency can have legal
liability boundaries. Minting of this digital currency and its distribution is outside the scope of this
document.
User-linked digital cash as digital currency with identity can be extended beyond the digital currency
boundary to include a consumer or equivalent that would be a party to a payment or a transaction. Digital
currency can be a digital cash that includes inherent security that a separate layer of security is included
for the digital application associated with a financial payment or a financial transaction.
Existing security tools and techniques can be applied to digital cash without consumer identity. Other
security technologies and techniques with their standards from the Bibliography can be used. There is a
collection of security technologies and security techniques that are based on cryptography.
The following documents describe existing standards and security technologies that are relevant to
digital currencies:
— the ISO 13491 series;
— ISO/TR 13569;
— ISO/TR 14742;
— the ISO/IEC 15408 series;
— ISO 16609;
— ISO/IEC 17799;
— ISO/IEC 18028;
— the ISO/IEC 18033 series;
© ISO 2023 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO/PRF TS 23526:(E)
— ISO/IEC 18045;
— ISO 19092;
— the ISO/IEC 19989 series;
— ISO 20038;
— ISO/TR 24374.
5.2 Cryptocurrencies as a digital entity for financial usagesusage
For several years, private cryptocurrencies have been emerging in both national and international
financial markets. They are the result of central bank authorities that are exploring the feasibility for a
digital currency role in their financial ecosystem. The history of the subject has been constantly evolving.
It needs to be recognized that the subject of digital currency can be complex, with various definitions and
with differing security directions from international central authorities and commercial bodies.
AThe choice forof including a cryptocurrency needs to considerrequires consideration of the value of
security to the policy and to the legal boundaries that exist. A security profile will needneeds a
relationship to a financial business model which is trusted and accepted by the international community.
The following overview is an introduction to the role(s) for cryptocurrency, with an intent to present an
international input with security for a fiat digital currency or a private digital currency solution with its
security. To begin, technology is influencing direction for advancing a digital currency solution. Within
the international financial markets, there are established financial ecosystems. In parallel, there are new
or near-nearly new financial entities which are advancing. Existing financial entities have established
policies, technologies, and ecosystems that represent an economic capability and investment. Changes to
their economic capability with new security paradigms, as woul
...