ISO 18960:2025
Security controls and implementation for third party payment service providers — Guidance and requirements
This document gives requirements and guidance on security controls and their implementation for third-party payment service providers (TPPSPs). It covers the overall security controls of a TPPSP's system across its life cycle, from development and testing through installation, operation and auditing. These security controls consist of:
— security governance controls;
— cross-functional controls;
— function-specific controls.
Contrôles de sécurité et mise en œuvre pour les prestataires de services de paiement tiers — Recommandations et exigences
International Standard ISO 18960, first edition, 2025-08
Security controls and implementation for third party payment service providers — Guidance and requirements
Contrôles de sécurité et mise en œuvre pour les prestataires de services de paiement tiers — Recommandations et exigences
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Security governance controls
  5.1 Service security policies
    5.1.1 Establishment of information security policy
    5.1.2 PII protection policy
    5.1.3 User permission
    5.1.4 User complaint handling policy
  5.2 Roles and responsibilities
    5.2.1 TPPSP security management organization
    5.2.2 Guide for users about security considerations
  5.3 Risk management
    5.3.1 Establishing risk management process
    5.3.2 Performing risk assessment and treatment
  5.4 Documentation
    5.4.1 Documented information
    5.4.2 Management of documented information
  5.5 Monitoring, review and improvement
    5.5.1 Preservation of logs on incident responses and monitoring
    5.5.2 Regular security review
    5.5.3 Continual improvement
6 Cross-functional controls
  6.1 Asset management
  6.2 Access management
    6.2.1 Access management of administrators
    6.2.2 Access management of administrator programs
    6.2.3 Designation and access management of terminals
  6.3 Supplier security
    6.3.1 Selection and management of suppliers
    6.3.2 Identification and management of the use of cloud services
  6.4 Data security
  6.5 TPP service continuity
7 Function specific controls
  7.1 Vulnerability management
    7.1.1 Preparation of incident response procedures
    7.1.2 Education and training for incident response
    7.1.3 Documentation of vulnerability management policy
  7.2 Human security
    7.2.1 Establishment and implementation of information security education plans
    7.2.2 Completion of information security education
    7.2.3 Confidentiality and non-disclosure agreement
    7.2.4 Segregation of duties
    7.2.5 Removal or adjustment of access rights at termination and change of employment
  7.3 Physical security
    7.3.1 Designation of secure area and entry control
    7.3.2 Management of check-in and check-out of secure area
    7.3.3 Management of working environment security
  7.4 Server security
    7.4.1 Prevention of malware infection and information leakage
    7.4.2 Removal of unnecessary functions
    7.4.3 Important service operation on dedicated server
    7.4.4 Public web server security
    7.4.5 Security patch management
    7.4.6 Data sanitization
  7.5 Network security
    7.5.1 Control on remote management through Internet
    7.5.2 Demilitarized zone configuration
    7.5.3 Use of private IP and network segregation
    7.5.4 Wireless network security
    7.5.5 Application of secure communication when communicating with external organizations
  7.6 TPP application security
    7.6.1 Identification of security requirements during design stage
    7.6.2 Web application security
    7.6.3 Mobile application security
Annex A (informative) Relation between ISO 18960 and ISO 23195
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedur
...
FINAL DRAFT
International Standard ISO/FDIS 18960
ISO/TC 68/SC 2
Secretariat: BSI
Security controls and implementation for third party payment service providers — Guidance and requirements
Voting begins on: 2025-05-19
Voting terminates on: 2025-07-14
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation. In addition to their evaluation as being acceptable for industrial, technological, commercial and user purposes, draft International Standards may on occasion have to be considered in the light of their potential to become standards to which reference may be made in national regulations.
Reference number: ISO/FDIS 18960:2025(en) © ISO 2025
...
Draft cover (track-changes copy)
ISO/FDIS 18960:2025(en)
ISO/TC 68/SC 2
Secretariat: BSI
ISO TC 68/SC 2/WG 16
Date: 2025-05-05 (previously 2025-02-18)
Security controls and implementation for third-party payment service providers — Guidance and requirements
FDIS stage
...