BS ISO 23195. Security objectives of information systems of third-party payment services
Standard number: 20/30382311 DC
Status: Draft for Comment
- 35.240.40 IT applications in banking
- 03.060 Finances. Banking. Monetary systems. Insurance
This standard defines terms used when discussing payments made through a third-party payment (TPP) service, establishes a logical structural model that identifies the assets to be protected, and specifies security objectives. The logical structural model is the basis of the analysis, and the information security objectives are derived by analysing how threats, organizational security policies and assumptions act on those assets. These security objectives are set out to counter the threats that result from TPP intermediation, compared with simpler payment models in which the payer and the beneficiary (payee) interact directly with their respective account servicing banks.
NOTE In the standard, some security objectives required of an information system designed to provide TPP payment services are deemed assumptions, following the methodology specified in ISO/IEC 15408, because those matters can be treated as preconditions of the application system. Likewise, some security objectives for the communication channels to be created between the entities participating in a TPP-intermediated transaction (e.g., between the TPP-BIS and bank accounting systems) are deemed assumptions under the ISO/IEC 15408 methodology because the bank accounting systems lie outside the TOE (target of evaluation).