Recognizing that TPP providers are continually seeking to reduce the risks of payment fraud, the International Standard Organisation (ISO) has developed a standard that will act as a solid complement to the existing measures of Third Party Payment (TPP).
This is coming because as payment trends move away from cash and towards online financial transactions, TPP providers such as PayPal are projected to grow.
But, their convenient way to pay, is bringing with it greater security risks. A new standard for the information systems that provide TPP services is out to facilitate a safe development of the technology.
Meanwhile, ISO has also introduced a standard for whistleblowing. This is predicated on the logic that good governance in any organisation involves demonstrating accountability and fostering a “speak up” culture.
The new standard is coming to address the importance of having a secure and effective way that employees can report concerns about wrongdoing.
ISO 37002, Whistleblowing management systems – Guidelines, provides guidance for implementing, managing, evaluating, maintaining and improving a robust and effective management system for whistleblowing. It is non-sector-specific and can be used by organizations of all sizes, including SMEs, as well as those with international operations.
Following the three principles of trust, impartiality and protection, the standard covers the identification and reporting of such concerns and how they are assessed and addressed. Its use will not only minimize or prevent potential losses but also ensure compliance with organizational policies and legal and social obligations.
Convener of the ISO working group that developed the standard, Prof. Wim Vandekerckhove, said implementation of ISO 37002 will help to build trust between an organization and its stakeholders, providing a strong layer of protection against corruption.
“Good governance and transparency require that staff can feel confident reporting any concerns of wrongdoing without fear of repercussions”, he said, adding, “therefore, it is crucial to manage this process effectively. This new standard helps to do that by providing guidance on what a robust and effective whistleblowing management system looks like and how to operate it in the best possible way.”
ISO 37002 was developed by ISO technical committee ISO/TC 309, Governance of organisations, whose secretariat is held by BSI, ISO’s member for the UK.
However, TPP provider is a service that gives merchants the ability to accept online payments without requiring a merchant account. When it comes to their security, the fact that there is an intermediary increases the risk of fraud in the processing of the payment.
ISO 23195, Security objectives of information systems of third-party payment services, provides an internationally agreed list of terms and definitions, two logical structural models and a list of security objectives.
To ensure maximum relevancy, the logical structural models, assets, threats and security objectives in this document are based on real-world practices.
ISO 23195 was developed by ISO subcommittee SC 2, Financial services, security, of technical committee ISO/TC 68, Financial services. The secretariat for ISO/TC 68/SC 2 is held by BSI, ISO’s member for the UK.
This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified.
Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organisational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP).
This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document.
This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.
