This document specifies an acceptable security framework for the issuance and management of digital currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references. This document proposes a framework approach based on standards for mitigating vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.

  • Technical specification, 14 pages, English language
  • Draft, 14 pages, English language
  • Draft, 14 pages, English language

This document specifies a common interface by which financial-transaction-card-originated messages can be interchanged between acquirers and card issuers. It specifies message structure and format, including normalized data types. Message, field, value definitions and supporting information are provided by the ISO 8583 maintenance agency (MA). Contact and web page information for the ISO 8583 MA can be found at: https://www.iso.org/maintenance_agencies.html. The method by which messages are transported or settlement takes place is not within the scope of this document. NOTE With the proliferation of technology available to financial institutions to offer services to customers, a range of tokens now exist for identifying account relationships (e.g. financial transaction cards). In order to maintain clarity, this document will continue to use card terminology that applies to tokens and cards, unless the element is specific to tokens or cards, in which case it will be identified as such. However, the actual token numeric issued by a financial institution can be different from the associated card numeric.

  • Standard, 18 pages, English language

This document describes the management of cryptographic keys in a blockchain or distributed system used in the financial sector. The objective of this document is to consider the impact of the different types of key management processes that are required for PKI implementations in blockchain and DLT projects.

  • Technical report, 18 pages, English language
  • Draft, 18 pages, English language
  • Draft, 18 pages, English language

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document:
  — use of biometrics for the purpose of:
    — verification of a claimed identity;
    — identification of an individual;
  — biometric authentication threats, vulnerabilities and controls;
  — validation of credentials presented at enrolment to support authentication;
  — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes;
  — security requirements for hardware used in conjunction with biometric capture and biometric data processing;
  — biometric authentication architectures and associated security requirements.
The following are not within the scope of this document:
  — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process;
  — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard, 65 pages, English language
  • Draft, 67 pages, English language

This document defines code values used to enable the classification of merchants into specific categories based on the type of business, trade or services supplied. Values are specified only for those merchant categories that are generally expected to originate retail financial transactions. It is not within the scope of this document to mandate the use of merchant category codes in any given situation.

  • Standard, 2 pages, English language

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

  • Standard, 115 pages, English language

This document examines semantic enrichment to support the maintenance of the ISO 20022 conceptual model. It reports on existing and proposed practices to enrich a model:
  — in a repository, annotating repository concepts with metadata using semantic markup or constraints;
  — outside a repository, using references to repository concepts, such as the provenance of changes.

  • Technical report, 12 pages, English language

This document discusses the modes, related mainstream technologies, logical models, physical implementation models, data management (data storage and data security) and service quality control used in the reference data distribution in financial services. This document applies to the reference data distribution and transmission processes in financial services.

  • Technical report, 15 pages, English language
  • Draft, 15 pages, English language
  • Draft, 15 pages, English language

This document specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, and ISO 11568 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

  • Standard, 39 pages, English language
  • Draft, 39 pages, English language
  • Draft, 39 pages, English language

This document provides guidelines for customer identification in mobile financial services (MFS), including:
  — a general framework of customer identification for MFS;
  — the multi-dimensional overall identity assurance level (AL) of an MFS customer and its evaluation criteria;
  — security and privacy considerations.
This document also contains annexes which demonstrate how to apply the ALs in practice, for example through (e)KYC use cases in different regions. This document is applicable to various kinds of MFS providers, including but not limited to commercial banks and third-party payment service providers. This document is applicable to identifying natural persons. Identifying legal entities, known as (e)KYB, is out of the scope of this document.

  • Standard, 23 pages, English language

This document provides best practices for writing a banking products or services (BPoS) handbook. It is applicable to any providers of banking products or services (BPoSP) that issue and operate BPoS. NOTE 1 A BPoS handbook is edited by either product managers or personnel in charge of key elements mentioned in this document, based on their role and responsibility within the BPoSP. NOTE 2 Whether ISO 21586 has been formally introduced, this document is useful as existing BPoS contain the key elements listed in ISO 21586.

  • Technical report, 15 pages, English language
  • Draft, 15 pages, English language
  • Draft, 15 pages, English language

This document reports on a study to map messages defined using FIX Orchestra into the ISO 20022 model.

  • Technical report, 6 pages, English language

This document specifies procedures, independent of the transmission process, for protecting the integrity of transmitted financial-service-related messages and for verifying that a message has originated from an authorized source, or that stored data has retained integrity. A list of block ciphers approved for the calculation of a message authentication code (MAC) is also provided. The authentication methods defined in this document are applicable to stored data and to messages formatted and transmitted both as coded character sets or as binary data. This document is designed for use with symmetric algorithms where both sender and receiver use the same key. It does not specify methods for establishing the shared key. Its application will not protect the user against internal fraud perpetrated by the sender or the receiver, nor against forgery of a MAC by the receiver.

  • Standard, 13 pages, English language

This document specifies the elements and structure of a universal identifier code, the business identifier code (BIC), for financial and non-financial institutions, for which such an international identifier is required to facilitate automated processing of information for financial services. The BIC is used for addressing messages, routing business transactions and identifying business parties. This document applies to organizations and excludes individual persons.

  • Standard, 5 pages, English language

This document provides the normative specification of the FIX tagvalue encoding, which is one of the possible syntaxes for FIX messages.

  • Standard, 17 pages, English language
  • Draft, 17 pages, English language

This document provides the normative specification of the FIX session layer standard and its session profiles.

  • Standard, 79 pages, English language

This document provides a set of mandatory and optional conformity tests applicable to all versions of the FIX session layer standard.

  • Standard, 15 pages, English language
  • Draft, 15 pages, English language

This document specifies an unambiguous scheme to list official organizational roles by jurisdiction in a standard way. It is not the purpose of this document to compare or align official organizational roles across different countries or jurisdictions, so as not to limit the usage or relevance of this document. To understand the powers associated with each official organizational role, users of this document can consult applicable regulation or legislation, documents of the legal entity in which the official organizational role exists and procedures specific to each organizational entity.

  • Standard, 4 pages, English language
  • Draft, 4 pages, English language

This document specifies the elements of an unambiguous scheme to identify over-the-counter (OTC) derivative products that are reportable to trade repositories, in particular:
  — the structure and format of the unique product identifier (UPI) code;
  — the minimum data elements of the UPI reference data library, together with their allowable values.
At a minimum, the UPI code is applicable to OTC derivative instruments falling under the following categories of the classification of financial instruments (see ISO 10962):
  — swaps (S);
  — forwards (J);
  — non-listed and complex listed options (H);
  — others (miscellaneous) (M).

  • Standard, 8 pages, English language

This document specifies a machine-readable, unambiguous natural person identifier (NPI) and the relevant reference data to uniquely identify the natural person relevant to any financial transaction rather than the personal identifying information.

  • Standard, 13 pages, English language
  • Draft, 13 pages, English language

This document defines the assignment and generation of a random, unique, fixed-length identifier for digital tokens in response to a request for registration that conforms to specified application guidelines (see also ISO 24165-2).

  • Standard, 8 pages, English language
  • Draft, 9 pages, English language

This document defines the data elements included in the registry record and used to establish the 1:1 relationship between a digital token and the identifier assigned according to the method in ISO 24165-1.

  • Standard, 16 pages, English language
  • Draft, 16 pages, English language

This document defines the Data Point Methodology for the creation of Data Point Models in the context of European supervisory reporting. Data Point Models are published by a European supervisory authority. To reflect the defined structures in a machine-readable form, they can be accompanied by an XBRL taxonomy. It is also possible to extend the described methodology to other environments.

  • Standard, 18 pages, English language
  • Draft, 18 pages, English language

This document provides guidelines for data point modelling for supervising experts. The main body consists of four sections. The interrogative form helps in choosing which section may best answer your question and lead you to a good understanding of the subject matter. After this first introductory section and the section containing terms and definitions, the main part starts to provide basic knowledge about different types of data models and data modelling approaches. The first and the second sections provide an overview of data models in general, in contrast to the third section, which highlights the necessity of data modelling for supervisory data. This third section draws on the objectives and background information of the preceding sections. Furthermore, a paragraph classifies the Data Point Model introduced by the Eurofiling Initiative and elaborated by EIOPA and EBA, where many new terms related to DPM are introduced. Another paragraph explains the areas of application for the DPM. The third section concludes with a paragraph introducing a subset of the technical constraints that need to be considered in the creation process of the DPM. The fourth section gives step-by-step instructions on how to create a DPM. The paper concludes with remarks on the progress achieved so far, and provides an outlook on the software that is being developed at the moment to support you during the creation process.

  • Standard, 36 pages, English language
  • Draft, 36 pages, English language

This document aims to provide an introduction to the topic of creating a conceptual model for storing multidimensional data which is received as XBRL instances that follow the rules defined by European taxonomies published by the European Banking Authority (EBA) or by the European Insurance and Occupational Pensions Authority (EIOPA).

  • Standard, 52 pages, English language
  • Draft, 52 pages, English language

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard, 40 pages, English language
  • Draft, 40 pages, English language

This document defines and describes the structure for the codes for an internationally valid system to classify financial instruments. The classification system applies to financial instruments negotiated internationally as well as to domestic instruments. The term “financial instruments” refers not only to classical securities and derivatives but also covers the innovative financial products that have emerged in different markets (a trend that is expected to continue in the future). This document is intended for use in any application in the trading and administration of financial instruments in the international securities business. Insofar as the trading and administration of securities do not affect other countries, the application of this document remains at the discretion of the responsible national bodies, such as stock exchanges, banks, brokers, regulatory bodies and other institutions active in the securities field. In principle, the CFI code reflects characteristics that are defined when a financial instrument is issued and that remain unchanged during its entire lifetime. However, a few events that can lead to a new CFI code for the same instrument are anticipated, such as the changing of voting rights or ownership restrictions by a stockholders' meeting.

  • Standard, 9 pages, English language
  • Standard, 9 pages, English language
  • Draft, 9 pages, English language

This document provides a uniform structure for the identification of financial instruments as well as referential instruments (see Annex A) using a unique identification code and associated minimum descriptive data (see Annex B).

  • Standard, 15 pages, English language
  • Standard, 15 pages, English language
  • Draft, 15 pages, English language

This document describes the Registration Authority (RA) responsible for the registry of IBAN formats that conform with ISO 13616-1, the procedures for registering IBAN formats that conform with the ISO 13616 series and the structure of the registry.

  • Standard, 3 pages, English language
  • Draft, 3 pages, English language

This document specifies the elements of an international bank account number (IBAN) used to facilitate the processing of data internationally in data interchange, in financial environments as well as within and between other industries. The IBAN is designed for automated processing but can also be used conveniently in other media interchange when appropriate (e.g. paper document exchange). This document does not specify internal procedures, file organization techniques, storage media or languages to be used in its implementation, nor is it designed to facilitate the routing of messages within a network. It is applicable to the textual data which might be conveyed through a system (network).

  • Standard, 8 pages, English language
  • Draft, 8 pages, English language

This document specifies how to describe the characteristics of banking products or services (BPoS) from a customer's perspective. Characteristics of a BPoS can be observed from different facets, called key elements, which are divided into three groups: required, optional or voluntary elements. This document elaborates on the purpose, content and description approach for the required and optional key elements. Six levels of conformity are described in this document which are intended to allow a customer to assess the coverage of key elements in a BPoS. The logical and physical formats to express key elements are also defined. This document excludes requirements of a BPoS itself and specific value ranges of any key element are out of the scope. This document guides the provider of BPoS in describing their products or services with the intent to help customers understand or compare specific BPoS. It is not applicable to describing securities or insurance-related products or services. BPoS can be issued by banks and other institutions.

  • Standard, 51 pages, English language

This document specifies a standardised way of embedding the legal entity identifier (LEI) code, as represented in ISO 17442-1, in digital certificates, represented by the International Telecommunications Union (ITU) Recommendation X.509 and its ISO equivalent standard, ISO/IEC 9594-8. This document specifies the structure of a public key certificate conforming with ISO/IEC 9594-8 in which the LEI is embedded.

  • Standard, 5 pages, English language

This document specifies the minimum elements of an unambiguous legal entity identifier (LEI) scheme to identify the legal entities relevant to any financial transaction. It is applicable to "legal entities", which include, but are not limited to, unique parties that are legally or financially responsible for the performance of financial transactions or have the legal right in their jurisdiction to enter independently into legal contracts, regardless of whether they are incorporated or constituted in some other way (e.g. trust, partnership, contractual). It includes governmental organizations, supranationals and individuals when acting in a business capacity[1], but excludes natural persons. It also includes international branches as defined in 3.5. The LEI is designed for automated processing. It can also be conveniently used in other media interchange when appropriate (e.g. paper document exchange).
NOTE Examples of eligible legal entities include, without limitation:
  — all financial intermediaries;
  — banks and finance companies;
  — international branches;
  — all entities that issue equity, debt or other securities for other capital structures;
  — all entities listed on an exchange;
  — all entities that trade financial instruments or are otherwise parties to financial transactions, including business entities, pension funds and investment vehicles such as collective investment funds (at umbrella and sub-fund level) and other special purpose vehicles that have a legal form;
  — all entities under the purview of a financial regulator and their affiliates, subsidiaries and holding companies;
  — sole traders (as an example of individuals acting in a business capacity);
  — counterparties to financial transactions.
[1] As stated by the LEI Regulatory Oversight Committee on 30 September 2015.

  • Standard, 8 pages, English language

This document specifies the elements of an unambiguous scheme to identify a financial transaction uniquely whenever useful and agreed by the parties or community involved in the transaction. It does not specify the timing of assignment or who should be responsible for its generation, so as not to limit its usage or relevance, nor does it consider a need to establish a data record for the unique transaction identifier (UTI) itself.

  • Standard, 3 pages, English language

This document defines the framework, function and protocols for an API ecosystem that will enable online synchronised interaction. Specifically, the document:
  — defines a logical and technical layered approach for developing APIs, including transformational rules. Specific logical models (such as ISO 20022 models) are not included, but they will be referenced in the context of specific scenarios for guidance purposes;
  — will primarily be thought about from a RESTful design point of view, but will consider alternative architectural styles (such as WebSocket and Webhook) where other blueprints or scenarios are offered;
  — defines for the API ecosystem design principles of an API, rules of a Web-service-based API, the data payload and version control;
  — sets out considerations relevant to security, identity and registration of an API ecosystem. Specific technical solutions will not be defined, but they will be referenced in the context of specific scenarios for guidance purposes;
  — defines architectural usage beyond query/response asynchronous messaging towards publish/subscribe to support advanced and existing business models.
This document does not include:
  — a specific technical specification of an API implementation in financial services;
  — the development of JSON APIs based on the ISO 20022 specific message formats, such as PAIN, CAMT and PACS;
  — a technical specification that is defined or determined by specific legal frameworks.

  • Technical specification, 52 pages, English language

This document describes a data element related to key management which can be transmitted either in transaction messages to convey information about cryptographic keys used to secure the current transaction, or in cryptographic service messages to convey information about cryptographic keys to be used to secure future transactions. This document addresses the requirements for the use of the data element related to key management within ISO 8583-1, using the following two ISO 8583-1 data elements for DEA and TDEA:
  — security related control information (data element 53);
  — key management data (data element 96).
The data element related to key management for DEA and TDEA is constructed from the concatenation of two ISO 8583-1 message elements, data element 53 (security related control information) and data element 96 (key management data). It conveys information about the associated transaction's cryptographic key(s) and is divided into subfields including a control field, a key-set identifier and additional optional information. For AES implementations, the data elements are summarized in one field. This document is applicable to either symmetric or asymmetric cipher systems.

  • Standard, 14 pages, English language

This document gives an overview of existing and currently used financial instrument identifiers. It shows which instrument identifiers, ticker symbols and proprietary codes are assigned via a standardized scheme to instruments of all asset classes. It focuses on providing an overview of the landscape and not on evaluating the schemes. Several aspects of the detailed trade cycle (a few examples being book building/primary, order entry management, execution management and trade confirmation matching) are excluded as their complexity would reduce the readability of the overview. Similarly, the level of complexity involved in properly representing the shifting perspectives of what is considered a financial instrument, based on a particular function being performed, is excluded.

  • Technical report, 4 pages, English language

ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols. ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption. ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document. ISO 21188:2018 is targeted at several audiences with different needs, and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.

  • Standard, 108 pages, English language

ISO 20038:2017 defines a method for packaging cryptographic keys for transport. This method can also be used for the storage of keys under an AES key. The method uses the block cipher AES as the wrapping cipher algorithm. Other methods for wrapping keys are outside the scope of this document but can use the authenticated encryption algorithms specified in ISO/IEC 19772.

  • Standard, 22 pages, English language
  • Standard, 22 pages, English language

ISO 9564-1:2017 specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. ISO 9564-1:2017 is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of ISO 9564-1:2017 are not intended to cover:
  a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO 9564-4);
  b) protection of the PIN against loss or intentional misuse by the customer;
  c) privacy of non-PIN transaction data;
  d) protection of transaction messages against alteration or substitution;
  e) protection against replay of the PIN or transaction;
  f) specific key management techniques;
  g) offline PIN verification used in contactless devices;
  h) requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.

  • Standard
    32 pages
    English language

ISO/TR 21941:2017 reports the findings of research into the interface between third-party payment service providers (TPPs) and account servicing payment service providers (ASPSPs).

  • Technical report
    19 pages
    English language

ISO 20275:2017 specifies the elements of an unambiguous scheme to identify the distinct entity legal forms in a jurisdiction. Its aim is to enable legal forms within jurisdictions to be codified and thus facilitate the classification of legal entities according to their legal form. It is not the purpose of the document to give the comparison or alignment of entity legal forms across different jurisdictions, so as not to limit its usage and relevance.

  • Standard
    4 pages
    English language

ISO/TS 12812-5:2017 focuses on mechanisms by which a person ("consumer", "payer" or "business") uses a mobile device to initiate a payment to a business entity ("merchant" or "payee"). Such a payment may use the traditional merchant point of interaction (POI) system, where the manner of settling the payment follows well-established merchant services paradigms. Additionally, there are other ways for a consumer to make a payment to a merchant, using the mobile device to initiate, authorize and process transactions outside of traditional payment networks using secure payment instruments. Accordingly, this document supports both "push" and "pull" payments (i.e. transactions that are pushed or transmitted from a mobile device into a POI or pulled or received into a mobile device or POI), which are initiated and/or confirmed by a consumer to purchase goods and or services, including proximate payments, remote secure server payments, as well as mobile payments that leverage other technologies [e.g. cloud computing, quick response ("QR") codes, biometrics, geo-location and other methods to authenticate and authorize the transaction]. One of the most important aspects of the MFS environment is mobile payments to businesses. There are many ways a consumer, or a business as a consumer, can make a payment to a merchant. ISO 12812 provides a comprehensive standard for using the mechanisms involved in mobilizing the transfer of funds regardless of who is involved in the process. This document is intended to be used by potential implementers of mobile retail payment solutions, while ISO 12812-4 is intended for potential implementers of solutions for mobile payments to persons. NOTE ISO 12812‑1:2017, 5.4 explains the differences in the use of these terms. As such, the ISO 12812 (all parts) seeks to support all possible technologies and is not designed to highlight or endorse specific technologies in the competitive marketplace. 
Although this document deals with mobile payments made by a consumer, or by a business acting as a consumer, and such transactions are subject to a variety of consumer protection requirements, in terms of the relationship to the MFSP the consumer (or business) is the customer of the MFSP. Nevertheless, this document will use the term "consumer."

  • Technical specification
    55 pages
    English language

ISO 12812-1:2017 defines the general framework of mobile financial services (payment and banking services involving a mobile device), with a focus on: a) a set of definitions commonly agreed by the international financial industry; b) the opportunities offered by mobile devices for the development of such services; c) the promotion of an environment that reduces or minimizes obstacles for mobile financial service providers who wish to provide a sustainable and reliable service to a wide range of customers (persons and businesses), while ensuring that customers' interests are protected; d) the different types of mobile financial services accessed through a mobile device including mobile proximate payments, mobile remote payments and mobile banking, which are detailed in other parts of ISO 12812; e) the mobile financial services supporting technologies; f) the stakeholders involved in the mobile payment ecosystems. ISO 12812-1:2017 includes the following informative annexes: - an overview of other standardization initiatives in mobile financial services (Annex A); - a description of possible mobile payment business models (Annex B); - a description of typical payment instruments which may be used (Annex C).

  • Standard
    33 pages
    English language

ISO/TS 12812-3:2017 specifies the interoperable lifecycle management of applications used in mobile financial services. As defined in ISO 12812‑1, an application is a set of software modules and/or data needed to provide functionality for a mobile financial service. This document deals with different types of applications which is the term used to cover authentication, banking and payment applications, as well as credentials. Clause 5 describes the basic principles required, or to be considered, for the application lifecycle management. Because several implementations are possible with impacts on the lifecycle, this document describes the different architectures for the location of the application and the impacts of the different scenarios regarding the issuance of the secure element when present (see Clause 6), the different roles for the management of the application lifecycle and the domains of responsibilities (see Clause 7). It also specifies functions and processes in the application lifecycle management (see Clause 8) and describes scenarios of service models and roles of actors (see Clause 9).

  • Technical specification
    12 pages
    English language

ISO 12812-2:2017 describes and specifies a framework for the management of the security of MFS. It includes - a generic model for the design of the security policy, - a minimum set of security requirements, - recommended cryptographic protocols and mechanisms for mobile device authentication, financial message secure exchange and external authentication, including the following: point-to-point aspects to consider for MFS; end-to-end aspects to consider; security certification aspects; generation of mobile digital signatures; - interoperability issues for the secure certification of MFS, - recommendations for the protection of sensitive data, - guidelines for the implementation of national laws and regulations (e.g. anti-money laundering and combating the funding of terrorism (AML/CFT)), and - security management considerations. In order to avoid the duplication of standardization work already performed by other organizations, this document will reference other International Standards as required. In this respect, users of this document are directed to materials developed and published by ISO/TC 68/SC 2 and ISO/IEC JTC 1/SC 27.

  • Technical specification
    56 pages
    English language

ISO/TS 12812-4:2017 provides comprehensive requirements and recommendations, as well as specific use cases for implementation of interoperable mobile payments-to-persons. The emphasis is placed on the principles governing the operational functioning of mobile payments-to-persons systems and processes, as well as the presentation of the underlying technical, organizational, business, legal and policy issues, leveraging legacy infrastructures of existing payment instruments (see ISO 12812‑1:2017, Annex C). ISO/TS 12812-4:2017 includes the following items: a) requirements applicable to mobile payments-to-persons; b) recommendations regarding mechanisms involved in the operation of interoperable mobile payments-to-persons; c) a description of the different use cases for mobile payments-to-persons; d) a generic interoperability model for the provision of different mobile payments-to-persons; e) recommendations for the technical implementation of the generic architectures for the mobile payments-to-persons program; f) recommendations for mobile remittances; g) use cases with the corresponding transaction flows; h) discussion of the financial inclusion of unbanked and underbanked persons (Annex A); i) some legal aspects to consider for mobile payments-to-persons (Annex B). ISO/TS 12812-4:2017 is structured as follows: - Clause 6 sets forth the requirements that a mobile payments-to-persons program must comply with. - Clauses 7, 8 and 9 provide the different levels of implementation for the interoperability of mobile payments-to-persons. - Clause 7 describes the interoperability principles for mobile payments-to-persons. - Clause 8 describes: a three-layer high-level architecture for mobile payments-to-persons programs; payment instruments sustained by these programs; processing details for a series of significant use cases of mobile payments-to-persons using these payment instruments. - Clause 9 provides a step-by-step data flow description for different mobile payments-to-persons implementations: bank-centric, non-bank-centric and card-centric. They can be mapped onto the processing use cases of Clause 8, where abstraction is made of the nature of the payment service providers.

  • Technical specification
    36 pages
    English language

ISO 13491-1:2016 specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609, and ISO 11568. ISO 13491-1:2016 has two primary purposes: - to state the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle; - to provide guidance for methodologies to verify compliance with those requirements. This information is contained in Annex A. ISO 13491-2 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, ISO 11568-1, ISO 11568-2, ISO 11568-3, ISO 11568-4, ISO 11568-5, and ISO 11568-6 in the financial services environment. Annex A provides an informative illustration of the concepts of security levels described in this part of ISO 13491 as being applicable to SCDs. ISO 13491-1:2016 does not address issues arising from the denial of service of an SCD. Specific requirements for the security characteristics and management of specific types of SCD functionality used in the retail financial services environment are contained in ISO 13491‑2.

  • Standard
    33 pages
    English language

ISO 9564-4:2016 provides requirements for the use of personal identification numbers (PIN) in eCommerce. The PINs in scope are the same cardholder PINs used as a means of cardholder verification in card-based financial transactions; notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, and vending machines. It is applicable to financial card-originated transactions requiring verification of the PIN and to those organizations responsible for implementing techniques for the management of the PIN in eCommerce. The provisions of this part of ISO 9564 are not intended to cover - passwords, passcodes, pass phrases and other shared secrets used for customer authentication in online banking, telephone banking, digital wallets, mobile payment, etc., - management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems, which are covered in ISO 9564‑1, - card proxies such as mobile phones or key fobs, - approved algorithms for PIN encipherment, which are covered in ISO 9564‑2, - the protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer, - privacy of non-PIN transaction data, - protection of transaction messages against alteration or substitution, e.g. an online authorization response, - protection against replay of the transaction, - functionality of devices used for PIN entry which is related to issuer functions other than PIN entry, - specific key management techniques, and - access to, and storage of, card data other than the PIN by applications such as wallets.

  • Standard
    14 pages
    English language

ISO 18774:2015 defines and describes rules for an internationally valid system for building short names of any kind of financial instrument within a defined structure. This International Standard is intended for use in any application in the trading and administration of securities globally. The FISN has been developed after taking into account the need for human readability as well as interoperability with existing standards and systems.

  • Standard
    12 pages
    English language