BS ISO 23195:2021. Security objectives of information systems of third-party payment services.
This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP).
This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document.
NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.
2 Normative references
There are no normative references in this document.
3 Terms, definitions, and abbreviated terms
For the purposes of this document, the following terms, definitions, and abbreviated terms apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1 TPP business
3.1.1 payment transaction
act of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer (3.1.9) and the payee (3.1.8)
[SOURCE: ISO 12812-1:2017, 3.40]
3.1.2 payment account
account held in the name of a payment service user (3.1.12) which is used for the execution of a payment transaction (3.1.1)
Note 1 to entry: The original definition in ISO/TR 21941 is ‘account held in the name of one or more payment service users which is used for the execution of payment transactions’. However, only cases in which one account is held by one payment service user are considered in this document.
[SOURCE: ISO/TR 21941:2017, 3.1.7, modified — Note 1 to entry has been added.]
4 TPP logical structural model in an open ecosystem
4.1 Logical structural model
4.1.1 General
The logical structural models in this clause are depicted in order to identify the assets to be protected (according to the methodology defined in ISO/IEC 15408). However, the models included in this clause do not constitute a comprehensive landscape: characteristics that are not connected to information security are not included. They are therefore unlikely to be sufficient for analysing other aspects, such as financial risks and business risks in the TPP context.
According to the methodology given in ISO/IEC 15408, the following steps should be taken when setting up a TPP logical structural model:
a) identify assets to be protected;
b) identify any threats against the assets, organizational security policies affecting the assets and assumptions that may underpin those organizational security policies;
c) decide which security objectives apply (based on the comprehensive analysis of threats, organizational security policies, and assumptions);
d) specify the security requirements that achieve these security objectives, mainly chosen from ISO/IEC 15408-2 and ISO/IEC 15408-3;
e) design and implement the IT system based on those security requirements.
In order to perform this analysis, all components in a model are generally divided into two groups, namely those within the target of evaluation (TOE) and those outside the TOE. Only the assets within the TOE need to be considered for protection. In particular, the communications between the TOE and its operational environment are protected by the implementation of security mechanisms according to the applicable organizational security policies.
EXAMPLE 1 The networks in both Figure 1 and Figure 2 are within the TOE. In fact, the network can be either a private network, such as a leased line, or an open network, such as the internet. No matter the type of network used, there is a requirement to transmit messages securely via the networks.
EXAMPLE 2 It is assumed that communications between all ASPSPs and the CASS are secure. This assumption is fundamental for achieving the security objectives by the TPPSP. However, the implementation of such secure communications is out of the scope of this document.
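The following Python is an added illustration of steps a) to c) and of the TOE/environment split; it is not text or code from ISO 23195 or from ISO/IEC 15408. It records assets, threats, organizational security policies, assumptions and security objectives as data and then checks the rationale for the gaps an evaluator looks for: a threat or policy nobody counters, an assumption "upheld" by the TOE itself rather than by its environment, and a threat on an environment asset (such as the ASPSP to CASS channel of EXAMPLE 2) that only a TOE objective claims to counter. All asset, threat, policy and objective names (T.TAMPER, OE.ASPSP_CASS and so on) are constructed for this example in the usual Common Criteria naming style and do not come from the standard.

```python
"""Rationale-coverage check for an ISO/IEC 15408-style security problem definition.

Added example. Every name below is constructed for illustration; none is taken
from ISO 23195.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    in_toe: bool  # True: inside the target of evaluation; False: operational environment


@dataclass(frozen=True)
class Threat:
    name: str
    assets: frozenset  # names of the assets the threat acts on


@dataclass(frozen=True)
class Objective:
    name: str
    for_toe: bool  # True: objective for the TOE; False: objective for the environment
    counters: frozenset = frozenset()  # threats this objective counters
    enforces: frozenset = frozenset()  # organizational security policies it enforces
    upholds: frozenset = frozenset()   # assumptions it upholds (environment objectives only)


def rationale_gaps(assets, threats, policies, assumptions, objectives):
    """Return a list of findings; an empty list means the rationale is complete.

    Rules checked:
      1. every threat, policy and assumption is covered by at least one objective;
      2. assumptions are upheld by environment objectives only, never by the TOE;
      3. a threat that acts only on environment assets is not countered by TOE
         objectives alone (the TOE cannot protect what it does not contain);
      4. every TOE asset is the subject of at least one threat.
    """
    by_name = {a.name: a for a in assets}
    findings = []

    for t in threats:
        countering = [o for o in objectives if t.name in o.counters]
        if not countering:
            findings.append(f"threat {t.name} is not countered by any objective")
            continue
        external_only = all(not by_name[a].in_toe for a in t.assets)
        if external_only and all(o.for_toe for o in countering):
            findings.append(f"threat {t.name} acts only on environment assets "
                            f"but is countered only by TOE objectives")

    for p in policies:
        if not any(p in o.enforces for o in objectives):
            findings.append(f"policy {p} is not enforced by any objective")

    for a in assumptions:
        upholding = [o for o in objectives if a in o.upholds]
        if not upholding:
            findings.append(f"assumption {a} is not upheld by any objective")
        for o in upholding:
            if o.for_toe:
                findings.append(f"assumption {a} is upheld by TOE objective {o.name}; "
                                f"assumptions belong to the environment")

    referenced = set().union(*(t.assets for t in threats))
    for a in assets:
        if a.in_toe and a.name not in referenced:
            findings.append(f"TOE asset {a.name} is not the subject of any threat")
    return findings


def build_model(complete=True):
    """Constructed sample model. complete=False injects one classic mistake:
    the TOE 'promises' the secure ASPSP-CASS channel that only the environment can deliver."""
    assets = [
        Asset("payment message in transit", in_toe=True),  # the network is inside the TOE (EXAMPLE 1)
        Asset("TPPSP credential", in_toe=True),
        Asset("ASPSP-CASS channel", in_toe=False),          # secured by assumption (EXAMPLE 2)
    ]
    threats = [
        Threat("T.TAMPER", frozenset({"payment message in transit"})),
        Threat("T.CRED_MISUSE", frozenset({"TPPSP credential"})),
        Threat("T.EXT_CHANNEL", frozenset({"ASPSP-CASS channel"})),
    ]
    policies = ["P.SECURE_TRANSMIT"]
    assumptions = ["A.ASPSP_CASS_SECURE"]
    objectives = [
        Objective("O.MSG_INTEGRITY", for_toe=True, counters=frozenset({"T.TAMPER"}),
                  enforces=frozenset({"P.SECURE_TRANSMIT"})),
        Objective("O.CRED_PROTECT", for_toe=True, counters=frozenset({"T.CRED_MISUSE"})),
        Objective("OE.ASPSP_CASS" if complete else "O.ASPSP_CASS", for_toe=not complete,
                  counters=frozenset({"T.EXT_CHANNEL"}), upholds=frozenset({"A.ASPSP_CASS_SECURE"})),
    ]
    return assets, threats, policies, assumptions, objectives


def check(complete=True):
    return rationale_gaps(*build_model(complete))


if __name__ == "__main__":
    for label, ok in (("complete", True), ("mis-scoped", False)):
        print(label, check(ok) or "no gaps")
```

Running the block prints no gaps for the complete model and two findings for the mis-scoped one, both pointing at the same root cause: an objective for the environment was written as if the TOE could achieve it.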
The components inside the double-line rectangle in Figure 1 constitute the TOE of a TPP information system as described in this document. Components outside the double-line rectangle are deemed as external entities.
There are five types of communication channels represented in Figure 1, each one represented by a different graphical link according to Table 1.