Page 17 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
• Data confidentiality: Protection of data from unauthorised disclosure.
• Communication security: Assurance that information only flows between authorized endpoints.
• Data integrity: Protection of the correctness and accuracy of data.
• Availability: Prevention of denial of authorized access to network elements and data.
• Privacy: Protection of information that might be derived from observing network activity.
As we consider each of the elements comprising the DFS ecosystem, we will discuss the security challenges
they face in terms of the security dimensions listed above, as well as distinguishing the security layer at which
solutions are to be deployed. [ITU-T X.805] defines three layers: an infrastructure security layer, a services
security layer, and an applications security layer. Protections are additive, with vulnerabilities first addressed
at the infrastructure security layer, then at the services security layer, and finally at the applications security layer.
Finally, [ITU-T X.805] defines three planes of security: the management, control, and end-user planes.
These address the security needs associated with the activities that occur at each of these levels, and
solutions should ensure that events on one plane are isolated from the others. In this report, we will discuss
security challenges and solutions.
2.1 Security stakeholders in the DFS ecosystem
In the DFS environment, security and service integrity need to be addressed at multiple levels simultaneously,
an approach that must be applied from design to live operation. Our discussion of the DFS ecosystem
concentrates on the security perspective within a wireless communications environment. Note that other
access models are possible within the DFS ecosystem, such as computing devices like laptops
or smartphones that communicate over Wi-Fi and connect to DFS providers over the Internet, or business
customers who leverage mobile money services through APIs. The full role of stakeholders is discussed in the
ITU-T FG-DFS Technical Report, “The Digital Financial Services Ecosystem” [15]. We expand on the role of certain
stakeholders where necessary to fully describe security requirements; these stakeholders are also informed
by [ITU-T Y.2741], “Architecture of secure mobile financial transactions in next generation networks” [9].
Figure 2: Security stakeholders in DFS
The stakeholders throughout the ecosystem are: the end-user making use of a mobile money
application; the application developer of the mobile money app; the mobile handset manufacturer; the
mobile carrier, who is responsible for provisioning the SIM card and the infrastructure through which
transactions occur; the digital financial services provider, who operates the back-end systems that process the
financial transactions; and the external service providers who continue the monetization of the transaction
and finalize the operations.