1、Core banking Mobile financial services Part 3: Financial application lifecycle management PD ISO/TS 12812-3:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06National foreword This Published Document is the UK implementation of ISO/TS 12812- 3:2017. The UK partic
2、ipation in its preparation was entrusted to Technical Committee IST/12, Financial services. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsibl
3、e for its correct application. The British Standards Institution 2017. Published by BSI Standards Limited 2017 ISBN 978 0 580 82719 8 ICS 03.060 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standard
4、s Policy and Strategy Committee on 30 April 2017. Amendments/corrigenda issued since publication Date Text affected PUBLISHED DOCUMENT PD ISO/TS 12812-3:2017 ISO 2017 Core banking Mobile financial services Part 3: Financial application lifecycle management Oprations bancaires de base Services financ
5、iers mobiles Partie 3: Gestion du cycle de vie des applications financires TECHNICAL SPECIFICATION ISO/TS 12812-3 Reference number ISO/TS 12812-3:2017(E) First edition 2017-03 ISO/TS 12812-3:2017(E)ii ISO 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO 2017, Published in Switzerland All ri
6、ghts reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from
7、either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/TS 12812-3:2017(E)Foreword iv Introduction v 1 Scope .
8、 1 2 Normative references 1 3 Terms and definitions . 1 4 Abbreviated terms 2 5 Basic principles for application lifecycle management . 2 5.1 General . 2 5.2 Portability of MFSs 2 5.3 Entities involved in the application lifecycle management 3 5.4 Security and privacy . 3 5.5 Risk assessment . 3 5.6
9、 Support of multiple applications and multiple MFSPs . 3 5.7 User Interface and branding 3 5.8 Customer relationship management . 3 5.9 Common APIs . 4 5.10 Terms of service . 4 6 Location of the application 4 6.1 General . 4 6.2 Different types of secure environments 4 6.3 Scenarios for mobile prox
10、imate payments . 4 6.4 Scenarios for mobile remote payments . 5 6.4.1 General 5 6.4.2 Payment credentials . 5 6.4.3 Application 5 6.5 Scenarios for mobile banking . 5 7 Service management roles . 5 7.1 General . 5 7.2 MFSP domain roles 6 7.3 SE provider domain roles 7 8 Application lifecycle: functi
11、ons and processes . 7 8.1 General . 7 8.2 Functions 7 8.3 Processes 8 9 Scenarios for service models . 9 9.1 General . 9 9.2 Scenario 1: UICC . 9 9.3 Scenario 2: Embedded secure element 9 9.4 Scenario 3: Secure micro SD card 10 9.4.1 General.10 9.4.2 Secure micro SD card provided by the MFSP .10 9.4
12、.3 Secure micro SD card provided by a third party .10 9.4.4 Secure micro SD card for contactless payment 10 9.5 Scenario 4: Trusted execution environment 10 9.6 Scenario 5: Mobile application located in the mobile device host 11 9.7 Scenario 6: Mobile application on a secured server 11 Bibliography
13、.12 ISO 2017 All rights reserved iii Contents Page PD ISO/TS 12812-3:2017 ISO/TS 12812-3:2017(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally car
14、ried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
15、 ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the differ
16、ent approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives). Attention is drawn to the possibility that some of the elements of this document
17、may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/
18、patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information
19、 about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: w w w . i s o .org/ iso/ foreword .html. This document was prepared by Technical Committee ISO/TC 68, Financial Services, Subcommittee SC 7, Core Banking. A list of
20、all the parts in the ISO 12812 series can be found on the ISO website.iv ISO 2017 All rights reserved PD ISO/TS 12812-3:2017 ISO/TS 12812-3:2017(E) Introduction The use of mobile devices to conduct financial services (i.e. payments and banking) is occurring following the steady rise of the number of
21、 customers using the Internet for these services. As an evolving market, mobile financial services are being developed and implemented on various bases throughout the different regions of the world and also among the various providers of such services. In these conditions, the purpose of the ISO 128
22、12 series is to facilitate and promote interoperability, security and quality of mobile financial services while making sure that stakeholders in the services can benefit from the evolution, and service providers remain as commercially free and competitive as possible to design their own implementat
23、ions in pursuing their own business strategies. This document addresses the interoperability only at the technical layer by considering the impact of new components and/or interfaces induced by the introduction of a mobile device in financial services. The intentions of the ISO 12812 series are: a)
24、to advance interoperability of mobile financial services globally by defining requirements based on a common terminology and basic principles for the design and operation of mobile financial services; b) to define technical components and their interfaces, as well as roles that may be performed by d
25、ifferent actors in addition to mobile financial service providers (e.g. mobile network operators, trusted service managers). These components and their interfaces, as well as roles, are defined according to identified use cases. Future use cases may be considered during the maintenance of the ISO 12
26、812 series; c) to identify existing standards on which mobile financial services should be based, as well as possible gaps. Standardization effort in this area is beneficial for a sound development of the mobile financial services market because it will: facilitate and promote interoperability betwe
27、en the different components or functions building mobile financial services; build a safe environment so that consumers and merchants can trust the service and allow the mobile financial service providers to manage their risks; promote consumer protection mechanisms including fair contract terms, ru
28、les on transparency of charges, clarification of liability, complaints mechanisms and dispute resolution; enable the consumer to choose from different providers of devices or mobile financial services including the possibility to contract with several mobile financial service providers for services
29、on the same device; enable the consumer to transfer a mobile financial service from one device to another one (portability); promote a consistent consumer experience among various mobile financial services and mobile financial service providers with easy-to-use interfaces. To achieve these objective
30、s, each part of the ISO 12812 series will specify the necessary technical mechanisms and, when relevant, refer to existing relevant standards as appropriate. The ISO 12812 series provides a framework flexible enough to accommodate new mobile device technologies, as well as to allow various business
31、models. At the same time, it enables compliance with applicable regulations including data privacy, protection of personally-identifiable data, consumer protection, anti-money laundering and prevention of financial crime. It is not the intention of the ISO 12812 series to duplicate or to seek to rep
32、lace any existing standard in the area of mobile financial services (e.g. communication protocols, mobile devices). It is also not the intention of the ISO 12812 series to drive technology to any specific application or to restrict ISO 2017 All rights reserved v PD ISO/TS 12812-3:2017 ISO/TS 12812-3
33、:2017(E) the development of future technologies or solutions. Messages and data elements to be exchanged at the interfaces between the different components or actors of the system are already specified (e.g. ISO 20022, ISO 8583 (all parts). The ISO 12812 series recognizes the need for unbanked or un
34、der-banked consumers to access mobile financial services. It also recognizes that these services may be provided by diverse types of institutions in accordance with the applicable regulation(s).vi ISO 2017 All rights reserved PD ISO/TS 12812-3:2017 TECHNICAL SPECIFICATION ISO/TS 12812-3:2017(E) Core
35、 banking Mobile financial services Part 3: Financial application lifecycle management 1 Scope This document specifies the interoperable lifecycle management of applications used in mobile financial services. As defined in ISO 12812-1, an application is a set of software modules and/or data needed to
36、 provide functionality for a mobile financial service. This document deals with different types of applications which is the term used to cover authentication, banking and payment applications, as well as credentials. Clause 5 describes the basic principles required, or to be considered, for the app
37、lication lifecycle management. Because several implementations are possible with impacts on the lifecycle, this document describes the different architectures for the location of the application and the impacts of the different scenarios regarding the issuance of the secure element when present (see
38、 Clause 6), the different roles for the management of the application lifecycle and the domains of responsibilities (see Clause 7). It also specifies functions and processes in the application lifecycle management (see Clause 8) and describes scenarios of service models and roles of actors (see Clau
39、se 9). 2 Normative references The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (in
40、cluding any amendments) applies. ISO 128121, Core banking Mobile financial services Part 1: General framework ISO/TS 128122, Core banking Mobile financial services Part 2: Security and data protection for mobile financial services ISO/TS 128124, Core banking Mobile financial services Part 4: Mobile
41、payments-to-person ISO/TS 128125, Core banking Mobile financial services Part 1: Mobile payments to business 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO 12812-1 and ISO/TS 12812-2 and the following apply. ISO and IEC maintain terminological datab
42、ases for use in standardization at the following addresses: IEC Electropedia: available at h t t p :/ www .electropedia .org/ ISO Online browsing platform: available at h t t p :/ www .iso .org/ obp 3.1 service management roles set of roles that enable the lifecycle management of the application ISO
43、 2017 All rights reserved 1 PD ISO/TS 12812-3:2017 ISO/TS 12812-3:2017(E) 4 Abbreviated terms API Application Program Interface IBAN International Bank Account Number MFS Mobile Financial Service MFSP Mobile Financial Service Provider MNO Mobile Network Operator MSISDN Mobile Station International S
44、ubscriber Directory Number (the mobile phone number) NFC Near Field Communication OTA Over The Air PAN Primary Account Number SD Card Secure Digital Card SE Secure Element SLA Service Level Agreement SMS Short Message Service STK SIM Tool Kit TEE Trusted Execution Environment TSM Trusted Service Man
45、ager UICC Universal Integrated Circuit Card USSD Unstructured Supplementary Services Data 5 Basic principles for application lifecycle management 5.1 General In order to facilitate a consistent customer experience and to enable interoperability, this clause establishes requirements that apply to and
46、 principles that should be considered by the different entities involved in the application lifecycle management. 5.2 Portability of MFSs The customer shall be able to change the mobile device (provided that the mobile device is compliant with the MFS and enabled to support the application user inte
47、rface). This requirement implies that an MFSP shall document its compatibility requirements for a mobile device and permit a customer to change the mobile device. This requirement also means that a customer shall be able to download a new application user interface. When the application is hosted by
48、 the UICC, the customer shall be able to switch from one MNO to another while keeping the possibility to use the same application (provided that the relevant arrangements between actors have been set up). This requirement implies that an MFSP shall permit the customer to select any MNO that support
49、the required functionalities for the MFS.2 ISO 2017 All rights reserved PD ISO/TS 12812-3:2017 ISO/TS 12812-3:2017(E) The principle of portability applies also to the other types of secure environments, when the application is hosted by these secure environments. Additional requirements regarding portability are provided in ISO/TS 12812-4 and ISO/TS 12812-5. 5.3 Entities involved in the application lifecycle management The entities involved in the application lifecycle management shall comply with