Page 23 - FIGI: Digital Financial Services security audit guideline
E.g., input validation, amounts, special characters in amounts, currency checks etc.
4.2.14 Is there additional authorisation and authentication for high value transactions and changes on DFS user accounts? For example, what additional checks are done when increasing transaction limits?
4.2.15 Does the DFS system have the capability to detect out-of-pattern transactions based on the customer profile? Is the DFS provider performing checks based on user transaction profiles? E.g., agent shops performing late transactions, DFS users performing transactions in two different locations?

4.3 Availability
4.3.1 Are there policies in place to assure management during system downtime?
4.3.2 Are end-to-end tests performed after changes or upgrades to the DFS systems? End-to-end tests may include capacity tests, security tests, QoS tests, user acceptance tests etc.
4.3.3 Are regular vulnerability scans performed on the DFS systems?
4.3.4 Are there systems in place to ensure service availability (for example, service redundancy)? Are there reports and utilities to measure system response time and down time?
4.3.5 Are there systems to measure quality of service and quality of experience? Do the QoS and QoE conform to the standards for DFS?
4.3.6 Does the DFS provider have regular scheduled backups? Are the backups encrypted and stored at an offsite location?

4.4 Fraud Detection
4.4.1 Are DFS logs stored securely in a tamper-proof module? E.g., SIEM
4.4.2 Are there mechanisms in place to detect data modification and tampering on the database?
4.4.3 Are there mechanisms to detect SMS and call spoofing? E.g., CLI analysis?
4.4.4 Are there sufficient controls to review and approve critical changes on accounts? E.g., is there a maker-checker and approval process before changes are made?
4.4.5 Are there sufficient mechanisms to monitor transactions processed through payment APIs? Does the DFS provider have nondisclosure agreements pertaining to customer sensitive data with third parties? Are strong cryptographic algorithms used when transferring data with third parties?
4.4.6 Do the audit logs provided sufficiently track all changes on the DFS system or MNO systems that affect DFS services?
4.4.7 Do the DFS customers get alerts when DFS transactions are performed on their accounts?
4.4.8 Do trace logs and event data records capture/store sensitive user data? (E.g., are customer PINs stored in EDRs?)
4.4.9 Does the app store transactions for later transmission?
4.4.10 Does the DFS provider implement Role Based Access Controls?
4.4.11 Is there a mechanism in place to review administrative privileges?
4.4.12 Is more than one person required to complete critical DFS tasks?

4.5 Network Security
4.5.1 Are all devices used to connect to DFS systems scanned for threats and checked for the latest software patches?
4.5.2 Are code changes tested and approved before moving them into production? For example, user and internal acceptance certificates that show that the code was tested.
4.5.3 Were encryption keys changed from default at installation? Were default SNMP strings changed?
4.5.4 Are the clocks within the DFS ecosystem synchronized?
4.5.5 Are the DFS systems patched against known vulnerabilities?
4.5.6 Are the DFS systems updated to the latest versions to protect against new threats?
4.5.7 Are the encryption algorithms and keys used strong enough to protect customer PINs and data?
4.5.8 Are the firewall rules adequately configured? E.g., port whitelisting, packet filtering
4.5.9 Are there adequate protections against network attacks, such as firewalls and traffic filters with proper configurations?
4.5.10 Are there logical boundaries that limit access to the DFS systems from all other systems? (For example, are other unauthorized internal users logically and/or physically limited on the network from accessing DFS processing systems?)
4.5.11 Are there operational controls to detect threats associated with APIs? Are there controls in place to detect rogue/malicious APIs?
4.5.12 Are there pending transactions or duplicate transactions in the DFS system? Has the transaction been fully executed?
4.5.13 Are there procedures in place to monitor software updates, and are the updates installed securely?
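Item 4.2.15 asks whether the provider detects out-of-pattern transactions from the customer profile and names two patterns: agent shops transacting late, and one customer transacting from two different locations. The check below is an added example, not part of the guideline: it runs both rules over constructed transaction records, with assumed shop hours and an assumed location window as the profile parameters.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    tid: str
    actor: str      # constructed customer or agent identifier
    role: str       # "customer" or "agent"
    location: str   # constructed location code (cell id or agent shop id)
    ts: datetime


# Constructed sample records (not from the guideline), chosen to exercise both rules.
SAMPLE_TXNS = [
    Txn("t1", "cust-001", "customer", "LOC-A", datetime(2024, 1, 10, 9, 0)),
    Txn("t2", "cust-001", "customer", "LOC-B", datetime(2024, 1, 10, 9, 12)),  # other location, 12 min later
    Txn("t3", "cust-002", "customer", "LOC-A", datetime(2024, 1, 10, 9, 5)),
    Txn("t4", "cust-002", "customer", "LOC-A", datetime(2024, 1, 10, 9, 40)),  # same location, no alert
    Txn("t5", "agent-17", "agent", "SHOP-17", datetime(2024, 1, 10, 23, 30)),  # outside shop hours
    Txn("t6", "agent-17", "agent", "SHOP-17", datetime(2024, 1, 10, 14, 0)),
]

# Assumed profile parameters: declared agent shop hours, and the window within which
# the same customer appearing at two locations is treated as implausible.
AGENT_OPEN_HOUR, AGENT_CLOSE_HOUR = 7, 20
LOCATION_WINDOW = timedelta(minutes=30)


def flag_out_of_pattern(txns):
    """Return (rule, transaction id, detail) alerts for the two 4.2.15 patterns."""
    alerts = []
    by_actor = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_actor.setdefault(t.actor, []).append(t)
    for actor, history in by_actor.items():
        for i, t in enumerate(history):
            # Rule 1: agent activity outside the shop's declared operating hours.
            if t.role == "agent" and not (AGENT_OPEN_HOUR <= t.ts.hour < AGENT_CLOSE_HOUR):
                alerts.append(("late_agent_txn", t.tid, f"{actor} at {t.ts:%H:%M}"))
            # Rule 2: customer seen at a different location within the window of an earlier transaction.
            if t.role == "customer":
                for prev in history[:i]:
                    if prev.location != t.location and t.ts - prev.ts <= LOCATION_WINDOW:
                        alerts.append(("multi_location", t.tid, f"{actor}: {prev.location} -> {t.location}"))
                        break
    return alerts


if __name__ == "__main__":
    for alert in flag_out_of_pattern(SAMPLE_TXNS):
        print(alert)
```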