Page 19 - FIGI: Digital Financial Services security audit guideline (continued)
| Impacted Entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure |
|---|---|---|---|---|---|
| DFS Provider | Network Security | Inadequate DFS user access control and monitoring. (SD: Access Control) | C87: To improve security, use a trusted tamper-resistant device such as a Hardware Security Module (HSM) to securely manage the process and store cryptographic keys that protect user PINs, transactions, tokens and money vouchers. | Does the DFS provider have a mechanism in place to securely store cryptographic keys? | Cryptography - Cryptographic controls |
| DFS Provider | Access control | Inadequate DFS user access control and monitoring. (SD: Access Control) | C88: Set user roles to define access rights based on the principle of least privilege. | Does the DFS provider use Role Based Access Controls? | Access control Policy - User access management |
| DFS Provider | Access control | Inadequate DFS user access control and monitoring. (SD: Access Control) | C89: After termination of a user, agent, merchant, payment service provider or third party, disable/deactivate the respective accounts. | Are login credentials of terminated DFS administrators, agents and users deactivated? Are dormant DFS accounts deactivated? | Access control Policy - User access management |
| DFS Provider | Access control | Inadequate DFS user access control and monitoring. (SD: Access Control) | C90: Set an account dormancy period and disable dormant accounts at dormancy maturity. | Has the DFS provider set a dormancy period after which inactive admin accounts are deactivated? Are all inactive dormant internal staff and API accounts deactivated? | Access control Policy - User access management |
| DFS Provider | Fraud detection | Inadequate DFS user access control and monitoring. (SD: Access Control) | C91: Set schedules for logons and session limitations based on DFS roles. (Session limitations can include the maximum number of reversals per day based on the role.) | Does the DFS provider implement Role Based Access Controls? | Access control Policy - User access management |
| DFS Provider | Fraud detection | Inadequate DFS user access control and monitoring. (SD: Access Control) | C92: Limit, control, monitor, and periodically review privileged access to DFS systems, including user addition, modification, and deletion. | Is there a mechanism in place to review administrative privileges? | Access control Policy - User access management |
| DFS Provider | Privacy and confidentiality | Inadequate DFS user access control and monitoring. (SD: Access Control) | C93: Monitor the use of APIs, encrypt all data shared with third parties, and put in place data management procedures and controls such as signed non-disclosure agreements with payment service providers to avoid information/data leakage. | Is there a monitoring mechanism in place to track data sharing through APIs? Are there controls in place to prevent data leakage? | Communications security - Network security management |
| DFS Provider | Network Security | Inadequate monitoring of the wireless network (SD: Data Confidentiality) | C94: Protect wireless transmissions per PCI DSS Requirements. Controls should include, but are not limited to, the following: (1) ensure vendor default encryption keys, passwords, and SNMP community strings are changed; (2) facilitate the use of industry best practices to implement strong encryption for authentication and transmission; (3) ensure that clear-text account data is not stored on a server connected to the Internet. | Were encryption keys changed from default at installation? Are default SNMP strings changed? | Communications security - Network security management |
| Third-party | Privacy and confidentiality | Failure to perform data destruction/erasure before disposing of devices (SD: Privacy) | C95: DFS Providers/Merchants should consistently dispose of old devices. When the solution provider provides guidance, the merchant should follow it. Some items to consider include: (1) remove all tags and business identifiers; (2) where possible, develop a contract with an authorized vendor who can help securely dispose of electronic materials and components; (3) do not dispose of devices in trash containers or dumpsters associated with your business. | Are there security guidelines followed when disposing of DFS related data? | Operations security - Protection from malware |
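As an added example (not part of the FIGI guideline), the following script shows how an auditor could answer the C89 and C90 questions from an export of an access-management system: it flags accounts that are still active after termination and accounts idle beyond a dormancy period set per account type. The dormancy periods, account kinds and sample records are assumptions constructed for the example; the guideline asks that a period be set but does not prescribe one.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Dormancy period per account type. Assumed values for this example: the
# guideline (C90) asks that a period be set but does not prescribe one.
DORMANCY_DAYS = {"admin": 30, "staff": 60, "agent": 90, "api": 90}

@dataclass
class Account:
    user_id: str
    kind: str                   # one of the keys in DORMANCY_DAYS
    last_login: Optional[date]  # None means the account has never been used
    terminated: bool            # HR / partner off-boarding flag
    active: bool                # can the account still log in?

def review_accounts(accounts, today):
    """Map user_id -> finding for every account that C89/C90 say should be
    deactivated: still active after termination, or idle past its period."""
    findings = {}
    for a in accounts:
        if not a.active:
            continue  # already deactivated: compliant, nothing to report
        if a.terminated:
            findings[a.user_id] = "C89: terminated but still active"
            continue
        limit = DORMANCY_DAYS[a.kind]
        # An account that has never logged in is treated as idle forever,
        # so it is flagged whatever its dormancy period.
        idle = (today - a.last_login).days if a.last_login else None
        if idle is None or idle > limit:
            shown = "never used" if idle is None else f"{idle}d idle"
            findings[a.user_id] = f"C90: dormant ({shown}, limit {limit}d)"
    return findings

# Constructed sample export of an access-management system (not real data).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("adm-01", "admin", date(2024, 5, 20), False, True),   # 12d idle: fine
    Account("adm-02", "admin", date(2024, 4, 1), False, True),    # 61d idle: dormant
    Account("agt-07", "agent", date(2024, 5, 30), True, True),    # left, still active
    Account("api-settle", "api", None, False, True),              # never used
    Account("stf-11", "staff", date(2024, 1, 5), False, False),   # already disabled
]

if __name__ == "__main__":
    for uid, why in review_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{uid}: {why}")
```

Each finding maps back to the audit question it fails, so the same output can be attached as evidence to the C89 or C90 row of the checklist.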