ISO-12812 For Mobile Financial Services

Abstract – Though this story is now a few months old, it is still worth exploring and discussing, as the majority of experts are still unaware of the full details. In 1996 the latest mobile phones of the time allowed us to make calls on the move, play simple games (Snake and the like) and send text messages to our family and friends. Today we can use them to access the Internet, make video calls, take photos, record video, navigate to a destination on a map, pay for goods and services, send money to each other and do our banking, and the list of applications is virtually endless. This post focuses on Mobile Money and Mobile Payments, i.e. person to person, person to business, etc. Today we use mobile devices far more than any traditional or older method for performing financial services (i.e. payments and banking), which is driving a steady rise in the number of customers using the Internet, GSM and mobile data for these services. The key is to recognise that letting opaque terms settle in the consumer's mind while blocking transparency will no longer be the case: the consumer now has, or will have, at least all the information available before getting into the kind of trap or convenience business that consumers used to accept without much complaint. Dispute resolution mechanisms will help to slow these down. That said, clarity about its applicability is still lacking, i.e. whether only core banking is covered or fintechs and MNOs as well.


Introduction – ISO-12812 puts the focus on an industry where it is much needed, i.e. some sort of controls and regulatory framework from an international or global perspective, promoting and ensuring consumer protection mechanisms. The ISO-12812 standards on mobile money, mobile payments, mobile banking and mobile financial services are now out, though very basic and in places at draft stage only. They aim to facilitate and promote interoperability between the different components or functions that build up mobile financial services. Important aspects of governance, transparency and accountability; e-governance applications, models, successes, limitations and potential; citizens' charters; and institutional and other measures are now coming together on paper to be applied to this giant industry with no rules (I hope I am not overstating this). The payment market is evolving day by day, so mobile financial services are being developed and implemented on various bases throughout the different regions of the world and among the various providers of such services. The standard promotes consumer protection mechanisms including fair contract terms, rules on transparency of charges, clarification of liability, etc.

Main Story – The opportunities that mobile devices offer for the development of such services, the so-called Mobile Financial Services, are very real today. To the best of my knowledge they should be called Financial Services on Mobile Devices, because the services offered on mobile devices are not limited to mobile devices. The standard aims to enable the consumer to choose between different providers of devices, interfaces or mobile financial services, including the possibility of contracting with several mobile financial service providers for services on the same device, or different services from different service providers, or the ability to migrate a service from one device to another (portability). When an organisation decides to implement ISO 12812, the first international standard for Mobile Financial Services, as it expands its financial services business and platforms, it has to embark on a project to gain ISO 12812 certification. This in turn gives confidence, peace of mind and international recognition. The standard is divided into 5 parts, covered below.

  • ISO 12812-1 General Framework and Common Terminology – This defines the general framework of mobile financial services (payment and banking services involving a mobile device).
  • ISO 12812-2 Security and Data Protection – A Security Framework including an analysis of vulnerabilities, threats and countermeasures for the operation of MFSs.
  • ISO 12812-3 Application Management – ISO/TS 12812-3:2017 specifies the interoperable lifecycle management of applications used in mobile financial services. As defined in ISO 12812-1, an application is a set of software modules and/or data needed to provide functionality for a mobile financial service.
  • ISO 12812-4 Mobile Payments to Persons (P2P) – This document provides comprehensive requirements and practices involved in mobilizing the transfer of funds, as well as specific use cases for the implementation of interoperable mobile payments to persons. There is great debate over titles: what is a person?
  • ISO 12812-5 Mobile Payments to Business – It focuses on mechanisms by which a person (“consumer”, “payer” or “business”) uses a mobile device to initiate a payment to a business entity (“merchant” or “payee”). Such a payment may use the traditional merchant point of interaction (POI) system, where the manner of settling the payment follows well-established merchant services paradigms.

The standard provides a set of definitions commonly agreed by the international financial industry players. Here we try to paint an overview picture of standardisation initiatives in mobile financial services. The new ISO measure is very particular about building a safe environment so that consumers and merchants can trust the service and MFS providers can manage their risks. The international standards body ISO has rolled out a new set of specifications for mobile banking aimed at promoting financial inclusion. At the same time, it is important that stakeholders in the services can benefit from the evolution and that service providers remain commercially free and competitive in order to pursue their own business strategies. ISO 12812 (all parts) addresses interoperability only at the technical layer, by considering the impact of new components and/or interfaces induced by the introduction of a mobile device in financial services. The new ISO standard 12812 appeared recently, in 2017. It has 5 parts, and part 1 defines the general framework of mobile financial services. The idea is to facilitate and promote interoperability, security and quality of mobile financial services: payment and banking services involving a mobile device (not necessarily from brick-and-mortar banks, as they can come from a BaaS, Banking as a Service, provider or a BaaP, Banking as a Platform, provider).

Signatures must be non-forgeable. Because of this, it is important to decouple the identification (a non-identity-based unique ID) of each participant in the architecture from the identity data (sensitive/private data about the participant) that describes a participant taking part in the system. Messages must not be altered in transit, but may be included as part of encapsulating messages created by intermediaries. There was already ISO 20022, a data dictionary for most financial services asset classes. The challenge was that it lacked security in a big way, as it had no built-in security mechanisms. ISO 12812 Part 2 directly references data at rest, data in transit, HMAC, encryption, tamper-resistant key material storage, keys that encrypt other keys, channel security for general protection, and encryption of sensitive information within the messages themselves. The weaknesses of each component vary, and attackers will always strike the vulnerabilities with the highest expected payoff; that is the sad reality of the matter and the reason we need all these standards, policies, procedures and frameworks.
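As an added illustration (constructed for this post, not ISO 12812's own message format or any project's code), the following Python shows three of the Part 2 ideas above: an opaque participant ID that carries no identity data, an HMAC tag that keeps the payment body unaltered in transit, and encapsulation by an intermediary that wraps the signed message without touching it. The key values, field names, participant IDs and directory are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example: keys, field names and IDs are illustrative, not ISO 12812 formats.
PAYER_KEY = b"payer-shared-secret-0001"        # constructed shared secret
INTERMEDIARY_KEY = b"hub-shared-secret-0002"   # constructed shared secret

# Identity data lives only in a directory; messages carry the opaque participant ID.
DIRECTORY = {"P-4F2A": "A. Payer", "P-9C11": "B. Payee"}

def canonical(obj):
    """Deterministic byte encoding so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()

def sign(body, key):
    """Payer attaches an HMAC-SHA256 tag over the payment body."""
    return {"body": body, "mac": mac(key, body)}

def verify(signed, key):
    """Constant-time check that the body is unchanged since signing."""
    return hmac.compare_digest(mac(key, signed["body"]), signed["mac"])

def encapsulate(signed, hop, key):
    """Intermediary wraps the signed message unchanged and MACs the whole envelope."""
    envelope = {"via": hop, "inner": signed}
    return {"envelope": envelope, "mac": mac(key, envelope)}

def receive(wrapped, hop_key, payer_key):
    """Check the hop's MAC, then the payer's MAC; return the body or None on failure."""
    if not hmac.compare_digest(mac(hop_key, wrapped["envelope"]), wrapped["mac"]):
        return None
    inner = wrapped["envelope"]["inner"]
    return inner["body"] if verify(inner, payer_key) else None

def demo():
    payment = {"payer_id": "P-4F2A", "payee_id": "P-9C11",
               "amount": "25.00", "currency": "EUR", "ref": "T-0001"}
    wrapped = encapsulate(sign(payment, PAYER_KEY), "hub-01", INTERMEDIARY_KEY)
    accepted = receive(wrapped, INTERMEDIARY_KEY, PAYER_KEY)
    # A hop that alters the amount and re-MACs its own envelope is still caught:
    # it cannot recompute the payer's tag without PAYER_KEY.
    tampered = json.loads(json.dumps(wrapped))
    tampered["envelope"]["inner"]["body"]["amount"] = "2500.00"
    tampered["mac"] = mac(INTERMEDIARY_KEY, tampered["envelope"])
    return accepted, receive(tampered, INTERMEDIARY_KEY, PAYER_KEY)
```

Note that the message never contains the payer's name: resolving `payer_id` against `DIRECTORY` is a separate, access-controlled step, which is the decoupling the text calls for.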

If we look at today's payments, electronic payments, or as they are now called in modern times, digital payments, and ask ourselves what a payment is, the simple answer (maybe a bit technical) would be: it is information, in bits and bytes, travelling over information technology networks; it consists of many small attributes, i.e. currency, amount, A-party and B-party information, etc., and passes through several components such as computers, communication channels, software and users, each subject to attack and requiring defence. Developers and engineers cannot protect all the components all the time, so we must work on protecting the underlying data. This requires a data protection framework that spans from the UI to the data storage itself. A proper framework will allow the web/Internet to be used as the payment pipes. Without such a data protection framework it will be impossible to safely use the web/Internet, because of the uncertainty about the security of each network node a transaction goes through. The security framework needs to recognise the global nature of technology yet avoid guidance based on country of origin, which would impede international commerce. National cybersecurity concerns can be addressed in alignment with an international standard which drives and tailors the balance of risk versus security.

Only part 1 is formally an International Standard; parts 2 to 5 could not gain sufficient support to be accepted as full standards and were instead pushed through to publication as Technical Specifications, a classification that addresses work still under technical development, or where it is believed that there will be a future, but not immediate, possibility of agreement on an International Standard. There is more and more to do on intellectual property, technical locks and liability policy, and on CP in cash transfers and remittances; keep up the good work. This is due to the nature of payments and the need to prevent fundamental challenges.

Conclusion – Not yet finished, but probably yes: in both cases it is a required deal and a need of the time. Well, I would say that would not be the case where payment schemes define identifier syntax and semantics (e.g. primary account numbers (PANs) for credit cards, or bitcoin account identifiers); we expect scheme-specific identifiers to be supported. But where global identifiers are required and are not scheme specific, the ISO-12812 standard is a welcome move, with a long way to go to put some brakes and nuts and bolts in place. It is important that every actor/system be uniquely identifiable to the other actors and systems participating in the payments process. While each actor must be identifiable, a number of use cases that need to be addressed include low-value or less-sensitive payments which do not require knowledge of a participant's identity as part of the transaction. It must be possible to provide read-only access to transaction information to third parties (with user consent). Patrice Hertzog, chair of the ISO technical subcommittee that developed the series, says that with more people in the world having mobile phones than bank accounts, developing this technology will bring secure financial services to a wider audience. Some experts say that referring to the suite of 12812 publications as standards, or even "technical standards", is inaccurate.

# Any information extracted from any site/blog/post remains their property, and all credit accordingly remains with them. The idea here is to simplify and cascade the information further.



Thank you all for spending your time reading this post. Please share your feedback, comments, criticism, agreements or disagreements. For more details about posts, subjects and relevance, please read the disclaimer.
