ANSI - X9.134 PART 2
Security and Data Protection for Mobile Financial Services
Publication Date: 9 February 2021
The mobile payments environment is subject to numerous risk factors, including those associated with: (a) unattended terminals; (b) card-not-present transactions; (c) untrustworthy platforms; and (d) persistent wireless connections. The existing wireless network infrastructure alone is not sufficient to protect and secure mobile financial transactions. From a security perspective, mobile commerce is challenged by the same vulnerabilities as the Internet and wireless communication environments combined; and from a business perspective it encompasses three disparate industries: providers of mobile financial services (MFSPs), mobile telecommunications, and mobile platform manufacturers and developers.
MFSs encompass a variety of different types of services enabled via a mobile device, such as digital or online payment, remote payment (m-commerce enabled websites), person-to-person payments, proximate payments to businesses (customer and mobile device present), and mobile banking.
Areas within scope of this part of X9.134 include, but are not limited to the following:
▪ Mobile payment transactions include sending and receiving messages for payments and banking, as well as other related messages, including:
- Key management transactions/protocols;
- Authentication transactions (e.g., login, confirmation, persistency, risk-based authentication);
- Transaction confirmations; and
- Transaction recovery, session management.
▪ Mobile technologies including mobile browsers, mobile apps, and mobile channels (e.g., 3G/4G/5G, wireless, NFC, RFID, Bluetooth, SMS, and MMS (video)).
NOTE: Requirements for mobile proximity (e.g., NFC, RFID, Bluetooth) payments and mobile remote (e.g., cellular, Wi-Fi, SMS) payments are the same despite the differences in communication channels.
Developers and manufacturers are expected to use this standard to design and implement security controls for mobile devices, MFSs, mobile financial apps, and mobile networks. Financial institutions (FIs) and other MFSPs should use this standard to deploy security controls for MFSs. Auditors and other security professionals will be able to use this standard as evaluation criteria for performing a security assessment of a particular MFS.
This document describes and specifies a framework for the management of the security of an MFS, including:
- A generic model for the design of a security policy;
- A minimum set of security requirements;
- Recommended cryptographic protocols and mechanisms for mobile device authentication, financial message secure exchange, and external authentication, including:
1. Point-to-point considerations;
2. End-to-end considerations; and
3. Generation of mobile electronic signatures.
- Recommendations for the protection of personal information;
- Requirements and recommendations for authentication; and
- Security management considerations.
This standard will reference other standards as required to avoid the duplication of standardization efforts performed by other organizations. Users of this standard are directed to consider related standards identified in the Normative References.
The document is structured as follows: Clause 5 categorizes the technical content of the other clauses in this document as: descriptive, recommendations, or requirements. Clause 6 establishes a framework for security management for the MFSP.
Clause 7 covers the principles of security management, addressing all different aspects of MFS security including risk management and authentication.
Clause 7 also describes the minimum set of security requirements for an MFS, beginning with challenges and technologies for a secure MFS design.
Clause 8 sets forth requirements for those components specifically designed to create a secure environment in the mobile device as well as cryptographic modules used for MFS transaction processing.
Informative Annex A focuses on risk analysis including principles to establish a security management program for MFS.
Informative Annex B lists mobile financial system implementations of Know Your Customer (KYC) requirements.
Informative Annex C elaborates on vulnerabilities and threats for different communication channels used for MFS.