Page 22 - Digital Financial Services security assurance framework
Digital payment applications: communication between the device/application and the payment provider relies mainly on an internet channel over Wi-Fi, 3G and 4G networks, and/or a payment can be effected to a merchant Point Of Sale (POS) device using Magnetic Secure Transmission, scanning a Quick Response (QR) code or Near Field Communication (NFC). The use of these channels introduces additional threats and additional elements (POS, acquirers, payment network providers, card issuers, mobile payment providers). Based on these components, we identify the following threats to the DFS ecosystem based on mobile applications and wallets (i.e. Android, iOS).

Based on the stakeholders within the DFS ecosystem, we consider merchants, acquirers, payment service providers, and issuers to be third-party providers (we show these individual entities in the expanded figure of the DFS ecosystem in Annex 1). While we list the general threats that these entities face here, the specific mitigations for addressing the threats that they face are out of scope for this document. We recommend consulting the PCI-DSS and the Cyber Resilience Oversight Expectations for Financial Market Infrastructures report to read more about mitigations.
6 DFS SECURITY ASSURANCE FRAMEWORK
The DFS security assurance framework follows similar principles to the ISO/IEC 27000 family - Information Security Management Systems, the Payment Card Industry Data Security Standard (PCI-DSS) v3.2, the Payment Application Data Security Standard (PA-DSS), and National Institute of Standards and Technology Special Publication 800-53, Revision 4. Technical guidelines from the Centre for Internet Security (CIS controls Version 7) and the Open Web Application Security Project (OWASP), commonly referred to as the OWASP Top 10, were also used as benchmarks to identify controls that are particular to the digital financial services ecosystem.

This framework consists of the following components:

a) A security risk assessment based on ISO/IEC 27005 - Security techniques - Information security risk management (Section 7).
b) Assessment of threats and vulnerabilities to the underlying infrastructure, DFS applications, services, network operations and third-party providers involved in the ecosystem for DFS delivery (Section 8).
c) Mitigation strategies based on the outcome of (b) above (Section 8).

This framework identifies:

i. The various security threats to DFS assets in each of the security dimensions.
ii. The related vulnerabilities that can be exploited by these threats.
iii. Security control measures that can be implemented by DFS stakeholders against the threats and vulnerabilities. Each security control measure can fall in one or more of the eight Security Dimensions in ITU-T Recommendation X.805.
7 RISK ASSESSMENT METHODOLOGY
In order to ensure a security model that is sustainable and continuously improves DFS security, this framework uses the Deming cycle, a four-step quality model divided into four phases: Plan, Do, Check and Act (PDCA). In the PDCA-based implementation methodology, the activities and outcomes that have to be achieved in each of the four phases are identified. In the DFS ecosystem, multiple stakeholders are involved and the PDCA is designed with activities that assure overall end-to-end security of the DFS ecosystem; the diagram below shows the DFS security framework model based on PDCA.

Monitoring and review in the DFS environment may take different forms depending on the stakeholder, for example the regulator reviewing the security controls set by the DFS provider to assure security for the DFS users, or internal and external reviews of the DFS environment by auditors. Thus, the monitoring phase also deals with escalating and reporting the risks to the relevant stakeholders.

Communicating with management during all phases of the risk management process ensures understanding and ownership of the roles and responsibilities, which is key for establishing the