Page 20 - FIGI: Digital Financial Services security audit guideline
(continued)
| Impacted DFS entity | Group | Risk and vulnerability | Control | Security audit question | Applicable policy or procedure |
|---|---|---|---|---|---|
| Third-Party, DFS Provider | Network Security | Inadequate collaboration with the solution provider on the security of mobile devices purchased (SD: Availability and Confidentiality) | C99: Merchants and DFS providers should require the following from their solution provider:<br>- The solution provider should regularly update their payment application and indicate to the merchant when updates are available and are safe to install.<br>- The solution provider should have restrictions on their payment application so that it only functions on a device running approved firmware.<br>- The solution provider should supply documentation that details any update procedures the merchant needs to follow.<br>- The DFS solution provider should communicate with the DFS provider and make them aware of newly discovered vulnerabilities in their payment-acceptance solution. Additionally, the solution provider should guide merchants when new vulnerabilities are discovered, as well as provide tested patches for any of these vulnerabilities. | Are there procedures in place to monitor software updates, and are the updates installed securely? | Operations security: Technical vulnerability management |
| Third-Party, DFS Provider | Fraud | Open undetected detection system weaknesses (SD: Data Confidentiality) | C100: The merchant should work with its application solution provider to ensure that any audit or logging capability is enabled. The solution provider should ensure that logging capabilities exist with enough granularity to detect abnormal events.<br>The solution provider should guide the merchant on the merchant's responsibility to review the logs. Additionally, regularly inspect system logs and reports for abnormal activity. If abnormal activity is suspected or discovered, discontinue access to the mobile device and its payment application until the issue has been resolved. Abnormal activities include, but are not limited to, unauthorized access attempts, escalated privileges, and unauthorized updates to software or firmware. | Do the audit logs provided sufficiently track all changes on the DFS system or MNO systems that affect DFS services? | Operations security: Technical vulnerability management |
| Third-Party, DFS Provider | Network Security | Network exposure to outside attacks (SD: Availability) | C101: DFS applications should be subjected to regular security penetration scans and penetration testing. In particular, applications should be designed to be robust against phishing software. | Is there regular penetration testing of the DFS systems? | Operations security: Technical vulnerability management |
| MNO | Availability | Network exposure to outside attacks (SD: Availability) | C107: Perform regular vulnerability scans and penetration tests on MNO infrastructure to check exposure to attacks that could affect system availability. | Are there regular vulnerability scans performed on the DFS systems? | Operations security: Technical vulnerability management |
| MNO | Network Security | Network exposure to outside attacks (SD: Availability) | C108: Install and regularly update the latest anti-malware software (if available) and make this available to end-users. Consider application wrapping, which can be employed with an MDM (Mobile Device Management) solution to prevent and remove malicious software and applications. | Are the DFS systems updated to the latest versions to protect against new threats? | Operations security: Protection from malware |
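Control C100 asks for logs granular enough to detect abnormal events and names three of them (unauthorized access attempts, escalated privileges, unauthorized software or firmware updates), and requires access to an affected device to be discontinued until the issue is resolved. The following log review is an added example, not part of the guideline or any vendor's tooling; the log format, event names, field names and sample lines are all constructed assumptions, as are the approved-version sets.

```python
import re
from collections import Counter

# Constructed sample audit log (hypothetical format: "<ts> <device> <user> <event> [k=v ...]").
SAMPLE_LOG = """\
2024-03-01T08:00:01Z dev-0042 clerk1 LOGIN_OK
2024-03-01T08:05:10Z dev-0042 guest LOGIN_FAIL reason=bad_pin
2024-03-01T08:05:14Z dev-0042 guest LOGIN_FAIL reason=bad_pin
2024-03-01T08:05:19Z dev-0042 guest LOGIN_FAIL reason=bad_pin
2024-03-01T09:12:00Z dev-0042 clerk1 ROLE_CHANGE new_role=admin
2024-03-01T09:30:42Z dev-0042 clerk1 FW_UPDATE version=2.9.0-custom signed=no
2024-03-01T10:00:00Z dev-0077 clerk2 APP_UPDATE version=4.1.2 signed=yes
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<user>\S+) (?P<event>\S+)(?P<kv>.*)$")

def parse_line(line):
    """Return one log record as a dict, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attrs"] = dict(kv.split("=", 1) for kv in rec.pop("kv").split())
    return rec

def review_logs(text, approved_fw, approved_app, fail_threshold=3):
    """Flag the abnormal activities C100 lists; returns (category, device, detail) tuples."""
    findings, failures = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev, a, dev, user = rec["event"], rec["attrs"], rec["device"], rec["user"]
        if ev == "LOGIN_FAIL":
            failures[(dev, user)] += 1
            if failures[(dev, user)] == fail_threshold:  # report once per (device, user)
                findings.append(("unauthorized_access_attempts", dev, f"{user}: {fail_threshold} failed logins"))
        elif ev == "ROLE_CHANGE" and a.get("new_role") == "admin":
            findings.append(("escalated_privileges", dev, f"{user} -> admin"))
        elif ev == "FW_UPDATE" and (a.get("version") not in approved_fw or a.get("signed") != "yes"):
            findings.append(("unauthorized_update", dev, f"firmware {a.get('version')}"))
        elif ev == "APP_UPDATE" and (a.get("version") not in approved_app or a.get("signed") != "yes"):
            findings.append(("unauthorized_update", dev, f"app {a.get('version')}"))
    return findings

def devices_to_suspend(findings):
    """Devices whose access C100 says to discontinue until the issue is resolved."""
    return sorted({dev for _, dev, _ in findings})

if __name__ == "__main__":
    found = review_logs(SAMPLE_LOG, approved_fw={"2.8.1"}, approved_app={"4.1.2"})
    for f in found:
        print(f)
    print("suspend:", devices_to_suspend(found))
```

A log that cannot be parsed into device, user and event fields at this granularity is itself an audit finding against the question in the C100 row.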