Security controls and implementation for third party payment service providers — Guidance and requirements

General Information

Status: Published
Publication Date: 20-Aug-2025
Current Stage: 6060 - International Standard published
Start Date: 21-Aug-2025
Due Date: 14-Nov-2025
Completion Date: 21-Aug-2025
Ref Project: Standard
ISO 18960:2025 - Security controls and implementation for third party payment service providers — Guidance and requirements
Released: 21-08-2025
English language, 24 pages

Standards Content (Sample)


International Standard
ISO 18960
First edition
2025-08

Security controls and implementation for third party payment service providers — Guidance and requirements

Reference number
ISO 18960:2025(en)

© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Security governance controls
5.1 Service security policies
5.1.1 Establishment of information security policy
5.1.2 PII protection policy
5.1.3 User permission
5.1.4 User complaint handling policy
5.2 Roles and responsibilities
5.2.1 TPPSP security management organization
5.2.2 Guide for users about security considerations
5.3 Risk management
5.3.1 Establishing risk management process
5.3.2 Performing risk assessment and treatment
5.4 Documentation
5.4.1 Documented information
5.4.2 Management of documented information
5.5 Monitoring, review and improvement
5.5.1 Preservation of logs on incident responses and monitoring
5.5.2 Regular security review
5.5.3 Continual improvement
6 Cross-functional controls
6.1 Asset management
6.2 Access management
6.2.1 Access management of administrators
6.2.2 Access management of administrator programs
6.2.3 Designation and access management of terminals
6.3 Supplier security
6.3.1 Selection and management of suppliers
6.3.2 Identification and management of the use of cloud services
6.4 Data security
6.5 TPP service continuity
7 Function specific controls
7.1 Vulnerability management
7.1.1 Preparation of incident response procedures
7.1.2 Education and training for incident response
7.1.3 Documentation of vulnerability management policy
7.2 Human security
7.2.1 Establishment and implementation of information security education plans
7.2.2 Completion of information security education
7.2.3 Confidentiality and non-disclosure agreement
7.2.4 Segregation of duties
7.2.5 Removal or adjustment of access rights at termination and change of employment
7.3 Physical security
7.3.1 Designation of secure area and entry control
7.3.2 Management of check-in and check-out of secure area
7.3.3 Management of working environment security
7.4 Server security
7.4.1 Prevention of malware infection and information leakage
7.4.2 Removal of unnecessary functions
7.4.3 Important service operation on dedicated server
7.4.4 Public web server security
7.4.5 Security patch management
7.4.6 Data sanitization
7.5 Network security
7.5.1 Control on remote management through Internet
7.5.2 Demilitarized zone configuration
7.5.3 Use of private IP and network segregation
7.5.4 Wireless network security
7.5.5 Application of secure communication when communicating with external organizations
7.6 TPP application security
7.6.1 Identification of security requirements during design stage
7.6.2 Web application security
7.6.3 Mobile application security
Annex A (informative) Relation between ISO 18960 and ISO 23195
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial services, security.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Fintech-centric financial innovation is happening worldwide, and the proliferation of third-party
payment (TPP) service providers (TPPSPs) is a significant aspect of this trend. TPPSPs offer innovative
and convenient payment solutions, transforming traditional payment methods and reshaping the financial
landscape. TPP services have also facilitated the provision of financial services across borders between
member countries and have thus reduced barriers to entry.
Since most of the information handled by a TPPSP includes customers' personally identifiable information
(PII), the security of the TPPSP is all the more important. In addition, small and medium-sized TPPSPs can
face greater risks because of their limited capacity for system implementation. Payment service providers
that offer TPP services using customer information therefore have a responsibility to review the security
measures and practices of the TPPSPs.
Each TPPSP should establish and operate specific security controls of its own, in accordance with its
characteristic requirements.
While ISO 23195 covers security objectives for TPPSP systems, this document covers organization-wide
security controls for TPPSP which operate the systems based on the relevant control measures. The control
measures include policies, human resources, the physical environment, application development, system
operation, audit and continual improvement. The security controls for TPPSP covered in this document help
to achieve the security objectives in ISO 23195.
On the other hand, ISO/IEC 27002 is designed for organizations of all types and sizes as a reference for
determining and implementing controls for an information security management system based on
ISO/IEC 27001. This document covers consolidated controls that are specific for TPPSP and that reflect the
business characteristics of financial service, including privacy issues.
This document introduces security controls for TPPSP. The controls for TPPSP are categorized into
governance security controls, cross-functional controls and function-specific controls.
Firstly, governance controls deal with overarching policies that guide an organization's approach to security.
Specific elements of these controls are service security policies, roles and responsibilities, risk management,
documentation, monitoring, review and improvement.
Secondly, this document introduces cross-functional controls that are necessary throughout the
organization. This includes asset management, access management, supplier security, data security and TPP
service continuity.
Lastly, function-specific controls that are tailored to specific areas of an organization's operations are
explained. This includes vulnerability management, human security, physical security and system security
such as server, network and application security.
Additionally, Annex A provides a mapping table which shows how the controls outlined in this document
align with the security objectives provided in ISO 23195.

International Standard ISO 18960:2025(en)
Security controls and implementation for third party
payment service providers — Guidance and requirements
1 Scope
This document gives requirements and guidance on security controls and implementation for third-party
payment service providers (TPPSPs). This document deals with the overall security controls of TPPSPs from
developing and testing to installing, operating and auditing the system. These security controls consist of:
— security governance controls;
— cross-functional controls;
— function-specific controls.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 23195:2021, Security objectives of information systems of third-party payment services
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
governing body
person or group of people who are accountable for the performance and conformance of the third-party
payment service providers
Note 1 to entry: Governing body can include external regulatory representatives.
3.2
sensitive information
information that needs to be protected from unavailability, unauthorized access, modification or public
disclosure because of potential adverse effects on an individual, organization, national security or public safety
Note 1 to entry: While “important information” refers to comprehensive information that requires security, “sensitive
information” refers to information that can cause damage if exposed and emphasizes the importance of confidentiality.
[SOURCE: ISO/IEC 27002:2022, 3.1.33, modified — Note 1 to entry has been added.]

3.3
topic-specific policy
intention and direction on a specific subject or topic, as formally expressed by the appropriate level of
management
[SOURCE: ISO/IEC 27002:2022, 3.1.35, modified — The Notes to entry have been removed.]
3.4
personally identifiable information
information that (a) can be used to establish a link between the information and the natural person to whom
such information relates, or (b) is or might be directly or indirectly linked to a natural person
[SOURCE: ISO/IEC 29100:2024, 3.7, modified — The Notes to entry have been removed.]
4 Abbreviated terms
ACL access control list
CEO chief executive officer
CISO chief information security officer
DB database
DBMS database management system
DMZ demilitarized zone
FTP file transfer protocol
HTTP hypertext transfer protocol
HTTPS hypertext transfer protocol secure
IDC internet data center
IDS intrusion detection system
IP internet protocol
IPS intrusion prevention system
MAC message authentication code
OS operating system
PC personal computer
PII personally identifiable information
PMS patch management system
RTO recovery time objective
SFTP secure shell file transfer protocol
SSID service set identifier
TLS transport layer security
TPP third party payment
TPPSP third party payment service provider
URL uniform resource locator
USB universal serial bus
VPN virtual private network
WAP wireless access point
5 Security governance controls
5.1 Service security policies
5.1.1 Establishment of information security policy
TPPSPs should implement and regularly review a formal documented security policy for the financial
services they operate. Information security policies shall be established, documented and announced. These
policies should only be implemented after the governing body of the TPPSP has granted approval and prior
to offering the financial service to the market. Top-level information security policies shall be established
and approved by the top management so they can serve as the basis of all information security activities
conducted by TPPSP.
These policies shall include at least the following:
— the intention and direction of the top management for information security policy;
— the purpose, scope and responsibilities of the TPPSP’s information security, including the information
security risk management function;
— the grounds for information security activities performed by TPPSP.
The TPPSP shall manage the list of relevant laws and regulations that affect it and the financial services
operated. Also, the TPPSP should consider the references of the appropriate technical standards to
implement the security policy.
The documents on information security policies and topic-specific policies should be disclosed, for example
through educational sessions, emails and notice boards, to appropriate employees, allowing them to view
the documents at any given time.
NOTE For general requirements of information security policy, see ISO/IEC 27001.
5.1.2 PII protection policy
The TPPSP should assess the specific risks for the customer PII data prior to offering their services to the
market. Based on this risk assessment, the TPPSP should establish a documented specific PII security policy.
This policy should include the measures and procedures to effectively manage the risks identified for the
authenticity, integrity and confidentiality of PII data. This policy should also include safeguards protecting
against intrusions and PII misuse and should include provisions to ensure that these risks are properly
monitored during the operation of the services.
This security policy should be sufficiently transparent for the customer and easy to read and understand,
so the customer can give informed consent on the processing of their PII. TPPSPs should be open with
customers about the sources used to collect PII data (e.g. merchants), what PII data are collected, why they
are collected and how they are processed.
PII protection policies shall be open to the public to increase user awareness. PII shall only be processed for
users who have given consent. When a service has membership or collects PII, a PII protection policy shall be
established and disclosed at a site that users can easily access, e.g. the web page or homepage of the service.

PII protection policies should include the PII to be collected, purpose of use and collection methods, periods
of retention and utilization, right to refuse and disadvantages of refusal.
Required and optional information should be classified appropriately so that a minimum amount of PII is
collected and consented to achieve the purpose of the service.
5.1.3 User permission
When PII is used to access account information or to request a financial transaction, the TPPSP should
notify the user in advance.
When the financial institution needs access to the user’s PII and credit information to place electronic
financial transaction orders, it should provide sufficient information to the user and obtain their permission.
The information to be notified to the user includes:
— purpose of access to the user’s information and of the electronic financial transaction order;
— list and types of electronic financial transaction orders and of the user’s PII that can be accessed by the
institution;
— valid period of the permission and the method for withdrawing it.
The duration of access to the user’s PII should be appropriately defined to mitigate the risk of data misuse.
The TPPSP should access only the PII needed to provide the service and should not use any PII for purposes
other than those for which the user has granted permission.
The TPPSP shall provide effective means for users to verify that the data retrieved by the TPPSP correspond
to the information for which their consent was granted. For example, the information can be shown on the
website, together with a contact for information requests.
5.1.4 User complaint handling policy
Policies to respond to various user inquiries including consultations, inquiries, complaints and incident
reporting should be prepared and open to the public on homepages and via other media (email, etc.) for easy
access. User complaint handling policies should include contacts, response procedures, scope and procedure
of compensation for damages, incident reporting procedures.
Matters related to grievances about users’ personal information should be handled by the TPPSP’s policies.
The TPPSP should cooperate with related financial institutions to handle user complaints, if necessary.
5.2 Roles and responsibilities
5.2.1 TPPSP security management organization
The chief executive officer (CEO) shall designate a chief information security officer (CISO) for the overall
management of information protection tasks. A working group with expertise can be constituted to support
the TPPSP’s information protection activities.
The following documents should be managed:
— documents on the appointment of the CISO [a letter of appointment with the CEO’s approval (or signature)];
— documents about the structure and role of the information security organization;
— document that can demonstrate the information security expertise of the information security personnel,
e.g. diplomas, licenses and work experiences.

5.2.2 Guide for users about security considerations
Security-related considerations for service use should be communicated to users and reflected in
development. Users should be guided so that they understand and are aware of the security risks during
their use of the service; the same considerations should also be reflected in service development to lower
those risks.
Security matters for users are as follows:
— risks of password leakage and password management (prohibition of simple and easy-to-guess
passwords, etc.);
— account lock or suspension upon exceeding the maximum number of authentication attempts (locks and
suspensions are implemented through safe procedures);
— automatic log-out after a period of inactivity;
— connection only from safe locations and devices (connection forbidden from rooted or jailbroken devices;
connection recommended from trusted devices and from networks that are not public);
— lock settings on the user device (mobile device, etc.) connected to the service.
5.3 Risk management
5.3.1 Establishing risk management process
The TPPSP shall establish its risk management process for security. The risk context shall determine the
TPPSP's needs and issues for and relevant to its security and PII protection. The TPPSP shall also define risk
criteria for performing risk assessment and treatment.
Risk assessment and treatment methods shall be defined based on the established risk context.
The communication process shall also be defined. It shall be determined when, with whom and how to
communicate and what to consult on.
NOTE For general guidelines of risk management, see ISO 31000. For information security risk management, see
ISO/IEC 27005.
5.3.2 Performing risk assessment and treatment
The TPPSP shall identify and analyse risks to determine the levels of risks, evaluate them to determine
whether they can be accepted without modification or whether they meet the defined risk acceptance
criteria.
If there are risks that cannot be accepted, the treatment of those risks shall be planned appropriately and
implemented on time. The controls in this document can be used for risk treatments.
The risk assessment shall be carried out within the pre-defined period. Depending on the risk policy of
the TPPSP, the risk assessment shall be carried out either regularly or when necessary if new threats are
identified.
NOTE Risk mitigation measures typically fall into four categories:
a) risk avoidance, by not performing an activity that can carry risks;
b) risk reduction or risk optimization, by reducing the severity or the likelihood of the loss;
c) risk sharing or risk transfer, by sharing with another party the burden of a loss (or possible gain) or the costs of
reducing risk;
d) risk acceptance, which involves accepting the loss (or possible gain) from a risk when it occurs.
The entire course of action shall be communicated and consulted appropriately and be monitored and
reviewed for improvement.
5.4 Documentation
5.4.1 Documented information
The TPPSP shall maintain its information security policy, topic-specific security policies, information
security risk management process and results of related activities as documented information.
Information that should be documented includes:
— the risk context;
— the defined risk criteria;
— the analysed risks and its levels;
— the selected controls and implementation plan;
— the result of implementation;
— monitoring reports;
— review of process and implemented controls;
— management’s approvals.
5.4.2 Management of documented information
The documented information shall be maintained with appropriate identification in appropriate format and
media. Access to it shall be controlled according to its confidentiality, integrity and availability requirements.
The documented information shall be subject to regular review and management’s approval for suitability
and adequacy.
5.5 Monitoring, review and improvement
5.5.1 Preservation of logs on incident responses and monitoring
Logs shall be preserved for a certain period and regularly examined. Legal requirements should be
considered in setting the preservation period and examination cycles. To ensure the precision of the logs
and their legal effectiveness, the time of the information system shall be synchronized to the approved time
sources.
The necessary logs for incident analysis can include:
— user event log: user’s id, log-in time, internet protocol (IP), performed action, authentication
success/failure logs, account and privilege registration/modification/deletion, etc.;
— system event log: logs generated due to the operation system’s components (system start, shut down,
state, error, etc.);
— information protection system’s rule set change logs;
— information protection system’s detection and prevention event logs;
— important information access logs, such as user’s PII and electronic financial transaction information.
It is recommended to detect the incident and take response measures in real time if the level of importance
or risk is identified to be high. The internal network should be monitored to detect if any new channels are
being created between the systems.
NOTE For additional information on information security incident management, see the ISO/IEC 27035 series.
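The regular examination of preserved logs that 5.5.1 calls for is easiest to see as code. What follows is an added example written for this page; it is not text or code from ISO 18960 or from any TPPSP. It reads constructed user-event log lines carrying the fields the clause lists (user id, log-in time, IP, performed action, authentication result), flags a burst of authentication failures and a success that follows one, flags a timestamp that steps backwards (the symptom of an unsynchronized time source that the clause warns about), and lists accesses to important information and privilege changes. The JSON-lines format, the field names, the action vocabulary and the thresholds are all assumptions.

```python
"""Review of preserved user-event logs for incident indicators (5.5.1).

Added example, not text or code from ISO 18960. One JSON object per line, with
the field names used here, is an assumed format; the thresholds are assumed too.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real data). They contain a failure burst from
# 203.0.113.7 against "bob" that ends in a success, a PII read by that account,
# a privilege grant, and a final event whose timestamp steps backwards.
SAMPLE_LOG = """\
{"ts": "2025-08-21T09:00:01Z", "user": "alice", "ip": "198.51.100.4", "action": "login", "result": "success"}
{"ts": "2025-08-21T09:00:05Z", "user": "bob", "ip": "203.0.113.7", "action": "login", "result": "failure"}
{"ts": "2025-08-21T09:00:07Z", "user": "bob", "ip": "203.0.113.7", "action": "login", "result": "failure"}
{"ts": "2025-08-21T09:00:09Z", "user": "bob", "ip": "203.0.113.7", "action": "login", "result": "failure"}
{"ts": "2025-08-21T09:00:10Z", "user": "bob", "ip": "203.0.113.7", "action": "login", "result": "failure"}
{"ts": "2025-08-21T09:00:12Z", "user": "bob", "ip": "203.0.113.7", "action": "login", "result": "failure"}
{"ts": "2025-08-21T09:00:15Z", "user": "bob", "ip": "203.0.113.7", "action": "login", "result": "success"}
{"ts": "2025-08-21T09:00:20Z", "user": "bob", "ip": "203.0.113.7", "action": "pii_read", "result": "success", "target": "account/4421"}
{"ts": "2025-08-21T09:01:00Z", "user": "admin1", "ip": "10.0.0.5", "action": "privilege_grant", "result": "success", "target": "bob"}
{"ts": "2025-08-21T08:59:00Z", "user": "admin1", "ip": "10.0.0.5", "action": "logout", "result": "success"}
"""

FAIL_THRESHOLD = 5                 # failures inside WINDOW that make a finding
WINDOW = timedelta(minutes=5)
SENSITIVE_ACTIONS = {"pii_read", "transaction_read", "privilege_grant",
                     "privilege_revoke", "account_create", "account_delete"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def find_auth_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Failure bursts per (user, source IP) and any success that follows one."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    findings = []
    for ev in events:
        if ev["action"] != "login":
            continue
        fails = recent[(ev["user"], ev["ip"])]
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if ev["result"] == "failure":
            fails.append(ev["ts"])
            if len(fails) == threshold:
                findings.append({"kind": "auth_failure_burst", "user": ev["user"], "ip": ev["ip"], "at": ev["ts"]})
        elif ev["result"] == "success" and len(fails) >= threshold:
            findings.append({"kind": "success_after_burst", "user": ev["user"], "ip": ev["ip"], "at": ev["ts"]})
            fails.clear()
    return findings


def find_clock_regressions(events):
    """An append-only log from a time-synchronized system never steps backwards;
    a regression points at an unsynchronized time source or at tampering."""
    return [{"kind": "clock_regression", "index": i, "user": ev["user"], "at": ev["ts"]}
            for i, (prev, ev) in enumerate(zip(events, events[1:]), start=1)
            if ev["ts"] < prev["ts"]]


def find_sensitive_access(events):
    """Accesses to important information and privilege changes (last bullets of 5.5.1)."""
    return [ev for ev in events if ev["action"] in SENSITIVE_ACTIONS]


def review(text):
    events = parse_log(text)
    return {"auth": find_auth_bursts(events),
            "clock": find_clock_regressions(events),
            "sensitive": find_sensitive_access(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(f"{kind}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Running it on the constructed lines yields two authentication findings (the burst and the success that follows it), one clock regression at the last line, and two sensitive-access events; the same per-key sliding window works unchanged on a real export once the field names are mapped.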

5.5.2 Regular security review
The CISO shall prepare information security checklists and review the TPPSP’s information security based on
the checklist on a regular basis with an appropriate cycle, e.g. once a year or once a quarter. The results of the
review should be approved by the top management, such as the CISO or the CEO, and be reported to the CEO.
5.5.3 Continual improvement
The TPPSP shall continually improve its security based on the results of monitoring and reviews. The
management shall use the reviews to find out any opportunities for improvement. Lessons learned from an
incident can be used to improve the TPPSP’s security posture as well.
The improvements include:
— actions to eliminate the cause of non-conformity;
— revision of policies to respond to changes in security;
— the risk treatment plan and the result of implementation.
6 Cross-functional controls
6.1 Asset management
Information assets related to TPP service shall be identified and their lists shall be managed, and security
levels should be assigned to them. Inventory of the information assets should be constantly monitored.
Items on the information asset list can include:
— information asset classification, information asset name, asset number and purpose; examples of
associated assets are servers, network equipment, information protection system, applications, database
(DB) management system (DBMS), terminal device, software, etc.;
— owner of each information asset, managing departments, security clearances.
The TPPSP should establish a topic-specific policy on information asset classification and communicate it
to all relevant interested parties. The TPPSP should consider requirements for confidentiality, integrity and
availability in the classification scheme. Classifications and associated protective controls for information
and related assets should take account of business needs and legal requirements. Assets other than
information can also be classified in line with classification of information, which is stored in, processed by
or otherwise handled or protected by the asset.
For example, the TPPSP can classify assets by each category of confidentiality, integrity and availability
according to the score range (e.g. one to three points) for each information asset and then weighting other
factors to calculate the total points, giving security levels according to the scheme.
Appropriate handling measures shall be defined for information assets with high security levels and
access control shall be implemented accordingly. It is recommended that staff mark security levels for easy
identification. Network diagrams should be prepared and kept up to date for rapid response in emergencies.
NOTE 1 A network diagram is a diagram that shows how different devices or components are connected in a
network.
NOTE 2 For general requirements of asset management, see ISO 55001.

6.2 Access management
6.2.1 Access management of administrators
Access privilege to the information system shall be safely controlled. Access privilege to the information
system shall be limited to the designated person in charge. Encrypted connection should be applied upon
system access. Different password for each system shall be used. The password shall be difficult to infer. For
example, the use of host names and consecutive numbers should be forbidden. One account for each person
is recommended for accountability.
Multi-factor authentication is highly recommended when accessing important information systems.
Access management of administrators includes:
— access control policy including adequate password complexity rule;
— documents on designation of the administrator to each system;
— account list of each system;
— configuration that confirms non-encrypted connection to the system is not available;
— settings configured to grant access only to certain administrators.
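The password rules in 6.2.1 (a different password on every system, nothing inferable from the host name, no consecutive numbers) can be enforced at the point where an administrator password is set. The block below is an added example for this page, not text or code from ISO 18960: it keeps one salted PBKDF2 hash per system so that reuse across systems can be detected without storing any password in clear, rejects host-name labels and their alphabetic stems, and rejects ascending, descending or repeated digit runs. The registry layout, the minimum length and the run length are assumptions.

```python
"""Password rules for administrator accounts under 6.2.1.

Added example, not text or code from ISO 18960. The registry layout (one
salted PBKDF2 hash per system), MIN_LENGTH and DIGIT_RUN are assumptions.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 14           # assumed policy value
PBKDF2_ROUNDS = 200_000
DIGIT_RUN = 4             # 1234, 9876 or 7777 of this length are rejected


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hostname_fragments(hostname):
    """DNS labels of the host name plus the alphabetic stem of each label
    (web01 -> web), ignoring fragments too short to be meaningful."""
    fragments = set()
    for label in hostname.lower().split("."):
        stem = re.sub(r"\d+$", "", label)
        fragments.update(f for f in (label, stem) if len(f) >= 3)
    return fragments


def has_digit_run(password, n=DIGIT_RUN):
    """True if n consecutive digits are ascending, descending or identical."""
    for match in re.finditer(r"\d{%d,}" % n, password):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - n + 1):
            window = digits[i:i + n]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


class PasswordRegistry:
    """One salted hash per system, so reuse is detectable without keeping
    any password in clear."""

    def __init__(self):
        self._by_system = {}   # system name -> (salt, hash)

    def reused_on(self, password):
        return [system for system, (salt, digest) in self._by_system.items()
                if hmac.compare_digest(_hash(password, salt), digest)]

    def check(self, system, hostname, password):
        """Return the list of rule violations; an empty list means acceptable."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append("too short")
        lowered = password.lower()
        if any(frag in lowered for frag in hostname_fragments(hostname)):
            problems.append("contains host name")
        if has_digit_run(password):
            problems.append("contains consecutive numbers")
        reused = sorted(s for s in self.reused_on(password) if s != system)
        if reused:
            problems.append("reused from " + ", ".join(reused))
        return problems

    def set_password(self, system, hostname, password):
        problems = self.check(system, hostname, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._by_system[system] = (salt, _hash(password, salt))
```

The reuse check costs one PBKDF2 evaluation per registered system, which is acceptable at password-change time; it is the price of not keeping a reversible form of any administrator password.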
6.2.2 Access management of administrator programs
Access shall be controlled for administrator programs that manage user’s personal and financial information
or electronic financial transactions.
Access to the administrator program (administrator’s web page, management console, cloud service
management console, etc.) shall be limited to authorized administrators. The access right to the administrator
program shall be periodically reviewed to enforce the least privilege principles. Access to such programs
should only be available through certain terminal devices, and the access logs shall be documented.
Access privileges to administrator programs shall be restricted and tightly controlled according to the need-
to-know and need-to-do principle.
Data masking should be used to protect sensitive information taking applicable legislation into consideration.
Automatic severance of connection should be applied after a certain period through session time-out
settings. Exceptions necessary for business operations should be approved by the person in charge.
Concurrent connection of an identical account should be restricted. Exceptions necessary for business
operations should be approved by the person in charge.
The access controls on administrator programs can include:
— access restricted in public networks;
— access restricted except for the permitted IP address;
— access restricted to concurrent connection of an identical account;
— application of multi-factor authentication methods.
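The access controls listed for administrator programs in 6.2.2 (permitted source addresses only, no concurrent sessions for one account, session time-out, multi-factor authentication) overlap with the user-facing rules of 5.2.2 (lockout after the maximum number of attempts, automatic log-out when idle). One gate can enforce all of them. The following is an added example for this page, not text or code from ISO 18960: the password and one-time-code checks are injected callbacks assumed to exist elsewhere, the clock is injectable so the time-dependent rules can be exercised deterministically, and the network ranges, attempt limit and time-outs are assumptions. The ordering matters: the source-address check runs before the lockout counter is touched, so a caller on a public network cannot lock administrators out, which is the "safe procedure" 5.2.2 asks for, and every credential failure returns the same message so account names cannot be enumerated.

```python
"""Access gate for an administrator program (6.2.2) with the lockout and idle
log-out rules of 5.2.2. Added example, not text or code from ISO 18960;
verify_password / verify_otp are assumed callbacks, and the limits are assumed.
"""
import ipaddress
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5           # account locks at this many failures
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 10 * 60    # session time-out
DENIED = "authentication failed"  # one message for every credential failure


class AccessDenied(Exception):
    pass


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    ip: str
    last_seen: float


class AdminGate:
    def __init__(self, allowed_networks, verify_password, verify_otp, now=time.time):
        # allowed_networks should list only management ranges, never public
        # ones, which is how "access restricted in public networks" is met.
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.verify_password = verify_password
        self.verify_otp = verify_otp
        self.now = now
        self.accounts = {}        # user -> AccountState
        self.sessions = {}        # token -> Session
        self.session_of = {}      # user -> token: one session per account

    def source_permitted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def is_locked(self, user):
        return self.accounts.get(user, AccountState()).locked_until > self.now()

    def _expire_idle(self, user):
        token = self.session_of.get(user)
        if token and self.now() - self.sessions[token].last_seen > IDLE_TIMEOUT_SECONDS:
            self.logout(token)

    def login(self, user, password, otp, ip):
        # Source check first: callers outside the permitted ranges never reach
        # the failure counter, so they cannot lock administrators out.
        if not self.source_permitted(ip):
            raise AccessDenied("source address not permitted")
        acct = self.accounts.setdefault(user, AccountState())
        if acct.locked_until > self.now():
            raise AccessDenied(DENIED)
        if not (self.verify_password(user, password) and self.verify_otp(user, otp)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = self.now() + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            raise AccessDenied(DENIED)
        acct.failed_attempts = 0
        self._expire_idle(user)
        if user in self.session_of:
            raise AccessDenied("account already has an active session")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, ip, self.now())
        self.session_of[user] = token
        return token

    def touch(self, token):
        """Called on every request; enforces the idle time-out."""
        sess = self.sessions.get(token)
        if sess is None:
            raise AccessDenied("no such session")
        if self.now() - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            self.logout(token)
            raise AccessDenied("session timed out")
        sess.last_seen = self.now()
        return sess

    def logout(self, token):
        sess = self.sessions.pop(token, None)
        if sess:
            self.session_of.pop(sess.user, None)


def denial_reason(action):
    """Run action(); return the AccessDenied message, or None if it succeeded."""
    try:
        action()
    except AccessDenied as exc:
        return str(exc)
    return None
```

A second login for an account that already holds a live session is refused rather than silently replacing the first one; the clause asks that exceptions be approved by the person in charge, which would be an explicit override path, not a default.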
6.2.3 Designation and access management of terminals
Terminals that are used to execute management functions shall be designated and access to the terminals
shall be controlled. Reinforced protection measures for the terminals should be applied.
Malware infection of terminals should be prevented through antivirus program installation and other
methods. The use of portable storage devices should be prohibited by default; where needed, they should be
used only with the approval of the person in charge, and additional control measures should be prepared,
such as deletion of the information once its purpose has been achieved.
Terminal protection measures include:
— prohibition of taking terminals outside of TPPSP’s premises;
— access only by authorized persons in an environment that is isolated from the internet;
— prohibition of usage for other than the predefined purpose;
— prohibition of connection to groupware and emails;
— activation of system’s firewall and permission to only necessary ports;
— deactivation of unnecessary services, prohibition of installing programs irrelevant to tasks;
— daily malware inspection.
6.3 Supplier security
6.3.1 Selection and management of suppliers
Security requirements should be defined and reflected in the contracts when selecting suppliers.
When consigning tasks to an external party or allowing access to information assets, or when using external
services such as a cloud service for the tasks, security requirements should be identified and relevant content
should be clarified in the contract and agreement. If the security requirements are not fully reflected in the
contract and agreement, a valid reason should exist.
Supplier’s security requirements include:
— compliance with applicable laws and regulations;
— signing a contract and non-disclosure agreement for information security responsibility and
confidentiality;
— measures to prevent leakage of sensitive information;
— access control measures (restriction of access to information assets, restriction of off-site removal
of assets, portable terminal security, etc.);
— information security education;
— restriction on re-consignment and change of personnel;
— check on conformity to the security requirements of the TPPSP;
— punishment and compensation for damages upon breach of security requirements of TPPSP.
The conformity to the security requirements stated in the contract should be regularly checked by the TPPSP.
NOTE For general requirements and guidance of security management systems for the supply chain, see
ISO 28001.
6.3.2 Identification and management of the use of cloud services
Risks arising from the use of cloud services shall be identified and countermeasures shall be established and
managed. A contract with a cloud service provider should include the procedures for handling information
security accidents, range of responsibilities, scale of compensation, etc. It is recommended to use certified
cloud services for security.
Cloud computing security risks include:
— misuse of cloud computing, malicious insiders, undisclosed risks, lack of understanding of cloud services,
insufficient management of privileges and access, advanced persistent threat attack;
— unsafe application programming interface, virtualization vulnerabilities, hijack of accounts, services
and traffic, loss or damage of data, distributed denial of service attack, server vulnerabilities.
6.4 Data security
Encryption policies shall be established and implemented for the protection of important information. Legal
requirements on encryption should be reflected in the policy’s provisions for storing and transmitting
important information. Publicly proven secure encryption algorithms should be used.
The key used for encryption should be generated and used according to its purpose. The key should be safely
managed so as not to be leaked or exposed. And the keys
...
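The requirement in 6.4 that a key be generated and used according to its purpose is usually met with a key hierarchy: one master key stays under key management, and a separate working key is derived for each purpose, so the key that authenticates transaction records is never the key that encrypts stored PII, and compromise of one does not expose the other. The block below is an added example for this page, not text or code from ISO 18960. It implements HKDF from RFC 5869 with the standard library alone, checks itself against the RFC's first published test vector so that a wrong implementation fails loudly, and derives per-purpose keys whose labels, salt string and master-key source are assumptions.

```python
"""Purpose-bound working keys for the data security control in 6.4.

Added example, not text or code from ISO 18960. PURPOSES, SALT_LABEL and the
master-key source are assumptions; HKDF follows RFC 5869 and is checked
against that RFC's test case 1.
"""
import hashlib
import hmac

HASH = "sha256"


def hkdf_extract(salt, ikm):
    """PRK = HMAC(salt, IKM); an absent salt is a string of HashLen zeros."""
    if not salt:
        salt = bytes(hashlib.new(HASH).digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """OKM = T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(HASH).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm, salt, info, length):
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_self_check():
    """Test case 1 of RFC 5869 (Appendix A.1)."""
    okm = hkdf(b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                         "5db02d56ecc4c5bf34007208d5b887185865")


# Assumed purpose labels; each purpose gets its own independent key.
PURPOSES = {"pii-at-rest": 32, "transaction-mac": 32, "backup-archive": 32}
SALT_LABEL = b"tppsp-key-hierarchy-v1"   # fixed, non-secret; assumed


def derive_purpose_keys(master_key, key_id, purposes=PURPOSES):
    """key_id (e.g. the master key's version) is bound into the info string,
    so rotating the master key yields a distinguishable key set."""
    return {purpose: hkdf(master_key, SALT_LABEL, f"{key_id}/{purpose}".encode(), length)
            for purpose, length in purposes.items()}


def mac_record(keys, record):
    """Integrity tag for a transaction record, using only the MAC-purpose key."""
    return hmac.new(keys["transaction-mac"], record, HASH).digest()


def verify_record(keys, record, tag):
    return hmac.compare_digest(mac_record(keys, record), tag)


if __name__ == "__main__":
    assert rfc5869_self_check()
    demo_master = bytes(32)   # constructed; a real master key comes from key management
    keys = derive_purpose_keys(demo_master, "master-v1")
    for purpose, key in keys.items():
        print(purpose, key.hex()[:16] + "...")
```

The derived keys are the ones that leave key management; the master key itself is never handed to application code, which is what keeps a leak of one working key from exposing the others.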
