Financial services — Code-scanning payment security

This document provides an overview, risk assessment, minimum security requirements and extended security guidelines for code-scanning payment in which the payer uses a mobile device to operate the payment transaction. This document is applicable to cases where the payment code is used to initiate a mobile payment and presented by either the payer or the payee. The following is excluded from the scope of this document:
— details of payer and payee onboarding;
— details of the supporting payment infrastructure, as described in 5.1.


General Information

Status: Published
Publication Date: 18-Apr-2024
Current Stage: 6060 - International Standard published
Start Date: 19-Apr-2024
Due Date: 04-May-2024
Completion Date: 19-Apr-2024
Ref Project:

Buy Standard

Standard: ISO 5201:2024 - Financial services — Code-scanning payment security (Released: 19.04.2024), English language, 30 pages
Draft: ISO/PRF 5201 - Financial services — Code-scanning payment security (Released: 4.03.2024), English language, 30 pages
Draft: REDLINE ISO/PRF 5201 - Financial services — Code-scanning payment security (Released: 4.03.2024), English language, 30 pages

Standards Content (Sample)

International Standard
ISO 5201
First edition 2024-04
Financial services — Code-scanning payment security
Reference number: ISO 5201:2024(en)
© ISO 2024

COPYRIGHT PROTECTED DOCUMENT
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

© ISO 2024 – All rights reserved

Contents (Page)
Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 4
5 Overview of code-scanning payment ..... 4
5.1 Basic framework of code-scanning payment ..... 4
5.2 Mandatory steps and implementation modes of code-scanning payment ..... 6
5.2.1 Mandatory steps ..... 6
5.2.2 Payer-presented mode ..... 6
5.2.3 Payee-presented mode ..... 6
6 Security target objectives and assumptions ..... 7
7 Risk assessment of code-scanning payment ..... 7
7.1 General ..... 7
7.2 Common risks to both modes as defined in Clause 5 ..... 7
7.2.1 Com_Risk_1: unauthorized user ..... 7
7.2.2 Com_Risk_2: illegitimate code content ..... 8
7.2.3 Com_Risk_3: tampered code image ..... 8
7.2.4 Com_Risk_4: insecure message transmission ..... 8
7.2.5 Com_Risk_5: payer sensitive information leakage
...

International Standard
ISO 5201
First edition
Financial services — Code-scanning payment security
PROOF/ÉPREUVE
Reference number: ISO 5201:2024(en)
© ISO 2024

ISO/DIS PRF 5201.2:2023(E)
Date: 2023-11-17
ISO/TC 68/SC 2/WG 19
Secretariat: BSI
Date: 2024-03-04
Financial services — Code-scanning payment security
PROOF

ISO/PRF 5201:2024(en)
Contents (Page)
Foreword ..... vi
Introduction ..... vii
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 2
4 Abbreviated terms ..... 4
5 Overview of code-scanning payment ..... 5
5.1 Basic framework of code-scanning payment ..... 5
5.2 Mandatory steps and implementation modes of code-scanning payment ..... 7
5.2.1 Mandatory steps ..... 7
5.2.2 Payer-presented mode ..... 8
5.2.3 Payee-presented mode ..... 8
6 Security target objectives and assumptions ..... 8
7 Risk assessment of code-scanning payment ..... 9
7.1 General ..... 9
7.2 Common risks to both modes as defined in Clause 5 ..... 9
7.2.1 Com_Risk_1: unauthorized user ..... 9
7.2.2 Com_Risk_2: illegitimate code content ..... 9
7.2.3 Com_Risk_3: tampered code image ..... 9
7.2.4 Com_Risk_4: insecure message transmission ..... 9
7.2.5 Com_Risk_5: payer sensitive information leakage ..... 10
7.2.6 Com_Risk_6: payee sensitive information leakage
...
