BS ISO 23195-2021 pdf free download – Security objectives of information systems of third-party payment services.
4.2.2.2 TPP business configuration data
The configuration data specifies the rules for TPP transactions, as set out by a TPP scheme. Those rules are laid down by both TPPSP and ASPSP, along with TPP-AIS (if the mode is chosen). Configuration data may be present in:
a) the TPPSP credential carriers;
b) the ASPSP credential carriers if the ASPSP credential needs to be used in the TPP transaction;
c) the TPP payment terminals;
d) the TPPSP gatekeepers;
e) the TPP-BIS;
f) the ASPSP gatekeepers;
g) the ASPSP accounting system;
h) the TPP-AIS (if this mode is chosen).
NOTE Rules for TPP transactions are enforced by both the implementation of application-level software in the different logical components as per Figure 1 and the associated business configuration data depicted here.
EXAMPLE In a TPP business, the maximum daily transfer balance limit is a type of business configuration data.
4.2.2.3 TPP business cumulative data
Cumulative data in the TPP business are the data that are accumulated during the TPP business operation. Typically, cumulative data are divided into several types as follows:
a) Customer information: this kind of data comprises the payment service user’s PII.
EXAMPLE 1 The name of the payer or payee, the certificate type and number and the phone number are all TPP-related customer’s PII.
b) Accounting information: this kind of data comprises account numbers issued by ASPSP and account numbers issued by TPPSP.
EXAMPLE 2 Payment accounts are issued by an ASPSP and are enrolled in the TPP-BIS.
EXAMPLE 3 The TPP-BIS and TPP-AIS records, including the details of all the payment processing information for a particular payment service user.
c) Credential information: this kind of data comprises an identifier of accounts issued by TPPSP, authenticating modes and values, and so on. If one payment service user owns more than one account in TPP-BIS and each account can be identified independently, the number of identifiers can be equal to the number of accounts. Otherwise, one payment service user can only have one identifier. If an identifier can be authenticated by one mode, there is only one authenticating value. Otherwise, there are several authenticating values for an identifier.
d) Customized service information: if customized services can be provided to payment service users, this kind of data has the potential to comprise parameters for specific services, such as the layout of the app interface, the default account when more than one account has been owned in a TPPSP, and so on.
The cumulative data of the TPP business does not include authenticating data issued by the ASPSP to the payment service user.
4.2.2.4 TPP transaction input data
TPP transaction input data include data entered manually by a human using a man-machine interface during a TPP transaction. The human may have a distinct role in a payment transaction, such as:
a) the payer;
b) the cashier of a merchant;
c) the payee other than the cashier of a merchant.
The type of transaction can determine how many roles may be input, the data and the order of input.
EXAMPLE 1 When a payer buys some goods in a supermarket, the following payment procedure is possible:
- The cashier counts up the whole price of the goods.
- The payer opens a TPP app issued by a TPPSP which is authenticated by using their fingerprint.
- The payer then chooses parameters such as the payment account to be used and shows the relevant QR code to the cashier.
- The cashier scans the QR code with a scanner.
- The payer confirms the amount they need to be charged by inputting the payment password to complete the transaction.
In this transaction, the payer’s fingerprint, the QR code required by the cashier and final payment password entered by the payer are all input data.
EXAMPLE 2 When a payer wants to repay an owed sum of money to a payee via TPP, the following repaying procedure is possible:
- The payer opens an app issued by a TPPSP on their mobile phone and logs in using a credential consisting of a username and password.