BS ISO 23195:2021 Security objectives of information systems of third-party payment services
1 Scope
This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services, compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP).
This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document.
NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.
For the purposes of this document, the following terms, definitions, and abbreviated terms apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1 TPP business
3.1.1
payment transaction
act of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer (3.1.9) and the payee (3.1.8)
[SOURCE: ISO 12812-1:2017, 3.40]
3.1.2
payment account
account held in the name of a payment service user (3.1.7) which is used for the execution of a payment transaction (3.1.1)
Note 1 to entry: The original definition in ISO/TR 21941 is “account held in the name of one or more payment service users which is used for the execution of payment transactions”. However, only cases in which one account is held by one payment service user are considered in this document.
[SOURCE: ISO/TR 21941:2017, 3.1.7, modified — Note 1 to entry has been added.]
3.1.5
third-party payment service provider
TPPSP
payment service provider offering TPP (3.1.3) services where they are not the ASPSP (3.1.6) itself
Note 1 to entry: Comparison with the term “third-party payment service provider” defined in ISO/TR 21941:2017, 3.1.11:
a) the abbreviated form of “third-party payment service provider” has been clarified as “TPPSP” instead of “TPP” because “TPP” is a business mode which has been defined in this document;
b) the abbreviated form ASPSP is utilized instead of “account servicing payment service provider”;
c) the term “payment initiation service” has been changed to “TPP” since the “TPP” contains “the payment initiation services”;
d) “account information service on accounts” has been removed because it is not linked to TPP closely.
[SOURCE: ISO/TR 21941:2017, 3.1.11, modified — Note 1 to entry has been added.]