1、 International Telecommunication Union ITU-T Y.2741TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security Architecture of secure mobile financial transactions in n
2、ext generation networks Recommendation ITU-T Y.2741 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.39
3、9 Interfaces and protocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capab
4、ilities and resource management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWOR
5、KS Frameworks and functional architecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.
6、2300Y.2399 Network management Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Smart ubiquitous networks Y.2600Y.2699 Security Y.2700Y.2799Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 Future networks Y.3000Y.3099 For further details, please refer
7、 to the list of ITU-T Recommendations. Rec. ITU-T Y.2741 (01/2011) i Recommendation ITU-T Y.2741 Architecture of secure mobile financial transactions in next generation networks Summary Recommendation ITU-T Y.2741 specifies the general architecture of a security solution for mobile commerce and mobi
8、le banking in the context of NGN. It describes the key participants, their roles, and the operational scenarios of the mobile commerce and mobile banking systems. It also provides examples of the implementation models of mobile commerce and mobile banking systems. History Edition Recommendation Appr
9、oval Study Group 1.0 ITU-T Y.2741 2011-01-28 13 Keywords Mobile banking, mobile commerce, mobile payments, remote payments, safety and security. ii Rec. ITU-T Y.2741 (01/2011) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommun
10、ications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunic
11、ations on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedur
12、e laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecomm
13、unication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these
14、 mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU d
15、raws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members
16、 or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not repre
17、sent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2011 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Y.2741 (01/20
18、11) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 Roles, risks, participants, and scenarios of mobile payments in NGN . 2 6.1 Roles within the mobile com
19、merce and mobile banking systems 2 6.2 Risks in the MPS and MPS security levels 3 6.3 Participants and the system architecture of mobile commerce and mobile banking . 3 6.4 The mobile payment system usage scenarios . 5 7 Transition from the token payment systems . 16 Appendix I Enrol a payment instr
20、ument in the system . 17 Appendix II Mobile banking and mobile commerce systems implementation models 19 II.1 The implementation of the system without the use of the client application 20 II.2 The implementation of the system with the use of the client application 20 Bibliography. 22 Rec. ITU-T Y.27
21、41 (01/2011) 1 Recommendation ITU-T Y.2741 Architecture of secure mobile financial transactions in next generation networks 1 Scope This Recommendation defines the security architecture pertaining to remote mobile financial transactions for NGN. The scope excludes all other financial transactions, a
22、s well as transactions that use monetary or non-monetary tokens for transfer of value. By organizing a wide range of services with a flexible management and personalization functions, NGN can provide convenient access to mobile payment system (MPS) services. 2 References The following ITU-T Recommen
23、dations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are there
24、fore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand
25、-alone document, the status of a Recommendation. ITU-T Y.2740 Recommendation ITU-T Y.2740 (2011), Security requirements for mobile remote financial transactions in next generation networks. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following term defined elsewhere: 3.1.1
26、 next generation network (NGN) b-ITU-T Y.2001: A packet-based network able to provide telecommunication services to users and able to make use of multiple broadband, QoS-enabled transport technologies and in which service-related functions are independent from underlying transport-related technologi
27、es. It enables unfettered access for users to networks and to competing service providers and/or services of their choice. It supports generalized mobility which will allow consistent and ubiquitous provision of services to users. 3.2 Terms defined in this Recommendation This Recommendation defines
28、the following terms: 3.2.1 application: A special mobile banking or mobile commerce application uploaded to the clients (users) mobile device. 3.2.2 bank account: An electronic funds account held by a private individual or a corporate entity in a bank or other financial institution authorized by the
29、 countrys national monetary authority (e.g., central bank) that can be used for payment for goods and services. 3.2.3 client: A private individual or a corporate entity that has signed a contractual agreement on the use of telecommunication services and the system of mobile commerce. 3.2.4 financial
30、 transaction: An event or a condition covered under the terms of the contract between a buyer and a seller to exchange an asset for payment. 2 Rec. ITU-T Y.2741 (01/2011) 3.2.5 intersystem environment: A set of rules or a system that enables the establishment of the interaction of various mobile ban
31、k and mobile commerce systems. 3.2.6 mobile device: An electronic device used for telecommunications over wireless NGN network. 3.2.7 mobile financial transaction: A financial transaction initiated and/or authorized using a mobile device. 3.2.8 mobile payment system (MPS): Mobile banking and/or mobi
32、le commerce systems. 3.2.9 monetary token: Electronic or physical artifact used for payment that is represented and measured in the countrys national currency units, that however is not stored in, or directly linked to a bank account. An example of an electronic monetary token is electronic cash sto
33、red in a stand-alone electronic wallet that is not mirrored by a bank account. Examples of physical monetary tokens include coins, banknotes, travellers checks, etc. 3.2.10 non-monetary token: Electronic or physical artifact used for payment but not represented in national currency units. Examples o
34、f electronic non-monetary tokens are unused minutes or SMS messages held in NGN subscriber accounts that the NGN operators allow to be transferred from one subscriber account to another. 3.2.11 payment ID: A required request parameter that explicitly identifies the payment recipient. Merchant ID and
35、 mobile payment system (MPS) ID (a unique identifier of a mobile payment system) must be present in the implementation of the intersystem environment. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: DB DataBase ID Identification IS Information System M
36、PS Mobile Payment System NGN Next Generation Network 5 Conventions None. 6 Roles, risks, participants, and scenarios of mobile payments in NGN 6.1 Roles within the mobile commerce and mobile banking systems The basic roles of the MPS participants and their responsibilities are: The client is a mobil
37、e subscriber who possesses a payment instrument for the payment operations. The client application is the special software uploaded to the clients mobile device (phone, SIM card, communicator, etc.) and designed for conducting secure mobile payment operations. The payment instrument is a financial i
38、nstrument used to perform payment for goods and services. Rec. ITU-T Y.2741 (01/2011) 3 The NGN operator provides the mobile communication network for remote interaction of the client with the MPS, data routing and transfer. The client application distributor is a participant that makes applications
39、 available to the clients. The security provider is a participant that provides security of the data transfer over communications channels. The MPS operator (service provider, payment gateway) is a participant that ensures interaction within the MPS and provides payment services to the end user. The
40、 issuer is a financial institution that issues payment instruments. The client authentication provider validates the client operation. The acquirer is a financial institution that maintains merchant relationships and receives all financial transactions from the merchant. The payment system is an org
41、anization that ensures interbank payment transactions. 6.2 Risks in the MPS and MPS security levels This clause describes the basic information security risks that may arise when conducting (i.e., performing) remote mobile payments. These risks include, but are not limited to: The risk of compromise
42、d confidentiality unauthorized third party access to confidential information. The risk of compromised integrity information distortion during the process of its transfer or processing. The risk of forging of electronic documents a document is generated by an unauthorized party. The risk of repudiat
43、ion the denial of authorship of an electronic document. The risk of information destruction, either intentional or by negligence. Transactional risk the failure to finish a transaction (e.g., due to unstable mobile communication). Depending on the implemented risk-based security mechanisms, there ar
44、e systems with four security levels ITU-T Y.2740. 6.3 Participants and the system architecture of mobile commerce and mobile banking The MPS architecture should be compliant with the already existing system of interrelations between financial, legal and commercial organizations and enable system par
45、ticipants to make mobile payment transactions with the necessary degree of security based on the estimated risk level. The proposed architecture should support schemes and specifications already used by the system participants for performing payment transactions. 4 Rec. ITU-T Y.2741 (01/2011) ITU-T
46、Y.2741(11)_F01ClientNGN operatorMerchantIssuer AcquirerMPS operator- Security provider;- Clientauthenticationprovider; - Service providerFigure 1 Participants and the system architecture of the mobile commerce and the mobile banking Table 1 Mobile payments system participants Participant Description
47、, concern (goal, objective, interest) Role Client Private individual or corporate entity that has signed a contractual agreement on the use of telecommunication services and the system of mobile commerce. Possesses a mobile device and a payment instrument. Principal concern: increase the number of s
48、ervices, get the possibility to perform secure remote financial transactions, expand the scope of payment instruments. Client NGN operator An institution that provides the client with digital communication services. Principal concern: increase the number of clients, extend the range of the available
49、 services, increase traffic. NGN operator MPS operator An institution that ensures secure remote interaction of the financial structures, the client and the NGN operator within the mobile payment system. Principal concern: create an extensive network of mobile commerce, increase the number of participants as well as the number of remote transactions, ensure maximum operations security. Security provider, service provider, client authentication provider Issuer Financial and legal
