
ANSI X9.112-3:2018

Wireless Management and Security Part 3: Mobile
07-08-2018
Document Type: Standard
Publisher Name: American Bankers Association
Status: Current

The mobile environment cumulates numerous risk factors consisting of (a) unattended terminals, (b) card-not-present transactions, (c) untrustworthy platforms, and (d) persistent wireless connections. Further, the mobile network operator (MNO) infrastructure may not provide sufficient security that can be relied upon to protect data in transmission. From a security perspective, mobile commerce has all of the same vulnerabilities as the Internet and wireless environments combined; and from a business perspective it encompasses three disparate industries: the financial services, mobile telecommunications, and manufacturing mobile platforms.

Areas within scope of this standard include, but are not limited to, the following:

1. Mobile transactions include sending and receiving messages for payments, and banking
   - Key management transactions / protocol / scheme / procedures / process
   - Authentication transactions: logon, confirmation, persistency, risk based authorization
   - Transaction confirmations
   - Transaction recovery, session management
   - Transaction: one or more related messages
2. Mobile payments for person-to-person (P2P), person-to-business (P2B), and person-to-terminal (P2T) including credit/debit card, and electronic funds transfer (EFT) transactions.
   - New business relationship with financial institutions (FI)
   - Gift cards, pre-paid debit, payroll cards, virtual “software” card, electronic cash, micro-payments, electronic benefit and transfer (EBT), one-time-credit-card
3. Mobile banking includes payer management, payee management, bill management, portfolio management, credit/debit card management
4. Mobile technologies including mobile browsers, mobile applications (app), and mobile channels (e.g., cellular (e.g., 3G, 4G), wireless, NFC, RFID, Bluetooth, SMS (text), MMS (video)). Requirements for mobile proximity (e.g. NFC, RFIC, Bluetooth) payments and mobile remote (e.g. cellular, WiFi, SMS) payments are the same despite the differences in communication channels.

Areas not in scope of this standard include, but are not limited to, the following:

1. PIN Management and Security, which is addressed by other ANSI or ISO standards
   - X9.8 PIN Management and Security
   - ISO 9564 PIN Management and Security
2. Biometric Information Security is addressed by other ANSI or ISO standards
   - X9.84 Biometric Information Management and Security
   - ISO 19092 Financial services -- Biometrics -- Security framework
3. Key Management and Security is addressed by other ANSI or ISO standards
   - X9.24 Retail Financial Services Symmetric Key Management
     - Part 1: Using Symmetric Techniques
     - Part 2: Using Asymmetric Techniques
   - X9.79 Public Key Infrastructure (PKI)
     - Part 4: Asymmetric Key Management
4. Pre-existing business relationship with the FI is assumed to be in place. Mobile marketing, e.g., advertisements, coupons, loyalty programs, and catalogs.
5. Voice communications, including Interactive Voice Response (IVR), Voice Response Units (VRU), Voice Extended Markup Language (VXML), and live agent services such as call centers or help desks.
6. Other technologies such as smart cards and electronic money are likewise out of scope.

This standard is part of a multiple part wireless management and security standard addressing the use of mobile devices for financial services.

X9.112 Wireless Management and Security
- Part 1: General Requirements
- Part 2: ATM and POS
- Part 3: Mobile Banking and Payments

Developers and manufacturers can use this standard to design and implement security controls for mobile devices, mobile applications, mobile networks, and mobile financial services. Financial institutions and mobile service providers can use this standard to deploy security controls for mobile applications and mobile financial services. Auditors and other security professionals can use this standard as the evaluation criteria for performing a security assessment of mobile financial services.