ISO/TS TECHNICAL SPECIFICATION 12812-2 First edition 2017-03 Core banking Mobile financial services Part 2: Security and data protection for mobile financial services Opérationsbancaires debase-Services financiersmobiles- Partie 2: Sécurite et protection des donnees pour les services financiers mobiles Reference number IS0/TS12812-2:2017(E) Intemational Organization for Standardization @IS02017 ZHEJIANG INSTOFSTANDARDIZATIONC15956617 ed without license from IHS IS0/TS12812-2:2017(E) COPYRIGHTPROTECTEDDOCUMENT IS02017,Published inSwitzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISOcopyrightoffice Ch. de Blandonnet 8. CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org Intematinaibr PrganizationfoStandardization Licensee-ZHEJIANG INST OF STANDARDIzoISQ0a7 -All rights reserved networking permited without license from IHS Notfor Resale, 2017/5/16 00:51:06 IS0/TS12812-2:2017(E) Contents Page Foreword .. Introduction.. ..i. 1 Scope.... 2 Normative references 3 Terms and definitions 4 Abbreviatedterms ..4 5 Summaryofthetechnicalnatureoftheclauses ..5 6 Securitymanagementconsiderations .7 6.1 General ..7 6.2 Three-layer model to manage security for mobile financial services. 6.2.1 Process layer. 9 6.2.2 Applicationlayer ..10 6.2.3 Infrastructurelayer .10 Securityprinciples and minimum requirements for mobilefinancial services .11 7.1 Security architecture aspects to be considered. .11 7.2 Mobile financial services hardening techniques overview. ..13 7.2.1 General. .13 7.2.2 Mobile device hardening techniques overview .13 7.2.3 Wireless networks hardeningtechniques overview ..13 7.2.4 Secure remote management ofmobile device components using OTA ..14 7.2.5 Mobile financial applications hardening techniques. ..14 7.2.6 Platform security services. ..15 7.2.7 Application level security services for mobile financial applications. .16 7.2.8 Application managementsecurityservices. ..17 7.3 Minimum set of security requirements for mobile financial services. ..17 7.3.1 General ..17 7.3.2 Remote MFS access requirements ..17 7.3.3 Transaction processing requirements .18 7.3.4 Protection of sensitive data .19 7.3.5 Mobiledevicerequirements. .20 7.3.6 Customereducation. .20 7.4 Minimum set of security requirements for mobile application management .21 7.4.1 Customer enrolment and provisioning requirements. 21 7.4.2 Key management 21 7.4.3 Mobilefinancial serviceproviderandtrusted servicemanagerexchanges 22 7.4.4 Application downloading 22 7.4.5 Application deactivation 22 7.5 Summary:Requirements forsecurity servicesfor mobile financial services 22 8 SecurityrequirementsforcryptographiccomponentsusedforMFs .23 8.1 Mobiledevicesecureenvironments 23 8.1.1 MobileDevicerequirementsforMFS .23 8.1.2 Software-based secure environment .24 8.1.3 Trusted execution environment (TEE) .24 8.1.4 Secureelementrequirements .26 8.1.5 Secureelement requirementsfordigital signatureservices. 28 8.2 Security requirements for cryptographic modules used for MFS 30 8.2.1 General ..30 8.2.2 Listofrequirementsforcryptographichardwaremodules 30 8.2.3 Requirementsforcryptographic softwaremodules ..31 9 Security evaluation and certification aspects ..31 9.1 General recommendation .31 ntemainal oganzation @S7 -All rights reserved iii 8e=ZHEJIANG INST OF STANDARDIZATION C1 5956617 vithoutlicense from IHS Not for Resale, 2017/5/16 00:51:06 No reproduction or networking permi