BS ISO 23195 pdf free download

BS ISO 23195-2021 pdf free download.Security objectives of information systems of third-party payment services.
4.2.2.2 TPP business configuration data
The configuration data specifies the rules for TPP transactions, as set out by a TPP scheme. Those rules are laid down by both TPPSP and ASPSP, along with TPP-AIS (if the mode is chosen). Configuration data may be present in:
a) the TPPSP credential carriers;
b) the ASPSP credential carriers if the ASPSP credential needs to be used in the TPP transaction;
c) the TPP payment terminals;
d) the TPPSP gatekeepers;
e) the TPP-BIS;
1) the ASPSP gatekeepers;
g) the ASPSP accounting system;
h) the TPP-AIS (if this mode is chosen).
NOTE Rules for TPP transactions are enforced by both the implementation of application-level software in the different logical components as per Figure 1 and the associated business configuration data depicted here.
EXAMPLE In a TPP business, the maximum daily transfer balance limit Is a type of business configuration data.
4.2.2.3 TPP business cumulative data
Cumulative data in the TPP business are the data that are accumulated during the TPP business operation. Typically, cumulative data are divided into several types as follows:
a) Customer information: this kind of data comprises the payment service user’s P11.
EXAMPLE 1 The name of the payer or payee, the certificate type and number and the phone number are all TPP-related customer’s P11.
b) Accounting information: this kind of data comprises account numbers issued by ASPSP and account numbers issued by TPPSP.
EXAMPLE 2 Payment accounts are issued by an ASPSP and are enrolled in the TPP-BIS.
EXAMPLE 3 The TPP-BIS and TPP-AIS records, including the details of all the payment processing
information for a particular payment service user.
c) Credential information: this kind of data comprises an identifier of accounts issued by TPPSP, authenticating modes and values, and so on. If one payment service user owns more than one account in TPP-BIS and each account can be identified independently, the number of identifiers can be equal to the number of accounts. Otherwise, one payment service user can only have one identifier. If an identifier can be authenticated by one mode, there is only one authenticating value. Otherwise, there are several authenticating values for an identifier.
d) Customized service information: if customized services can be provided to payment service users, this kind of data has the potential to comprise parameters for specific services, such as the layout of the app interface, the default account when more than one account has been owned in a TPPSP, and so on.
The cumulative data of the TPP business does not include authenticating data issued by the ASPSP to the payment service user.
4.2.2.4 TPP transaction in put data
TPP transaction input data include data entered manually by a human using a man-machine interface during a TPP transaction. The human may have a distinct role in a payment transaction, such as:
a) the payer;
b) the cashier of a merchant;
c) the payee other than the cashier of a merchant.
The type of transaction can determine how many roles may be input, the data and the order of input. EXAMPLE 1 When a payer buys some goods in a supermarket, the following payment procedure is possible:
— The cashier counts up the whole price of the goods.
— The payer opens a TPP app issued by a TPPSP which is authenticated by using their fingerprint.
— The payer then chooses parameters such as the payment account to be used and shows the relevant QR code to the cashier.
— The cashier scans the QR code with a scanner.
— The payer confirms the amount they need to be charged by inputting the payment password to complete the transaction.
In this transaction, the payer’s fingerprint, the QR code required by the cashier and final payment password entered by the payer are all input data.
EXAMPLE 2 When a payer wants to repay an owed sum of money to a payee via TPP, the following repaying procedure is possible:
— The payer opens an app issued by a TPPSP on their mobile phone and log in using a credential consisting ofa
username and password.
— The payer inputs:
— the identity of the payee, which has been linked to one of the payee’s accounts in the TPPSP;
— the payment account that they want to repay;
— the amount to be repaid;
— the desired time for funds to be transferred, and so on.
— After the payer completes the transaction, there are two situations for the payee based on the product
requirements of TPPSP:
— the amount of money credits the payee’s account directly.BS ISO 23195 pdf download.