Design Requirements for Payment System in Taiwan
=============================================
Security Requirements
The design requirements outline specific security measures to ensure secure transactions.
Reconfirmation of Payments
- When users make payments via online credit cards or e-payment accounts, the electronic payment institution must notify the payor for reconfirmation before proceeding with the transaction.
- This step is crucial in preventing unauthorized transactions and ensuring that the user is aware of the payment details.
Barcode Technology Compliance
- The design of barcode technology must conform to self-disciplinary regulations specified by the Bankers Association regarding security applications.
- This ensures that the barcode technology used for payments meets industry standards for security and authentication.
Payment via Linked Deposit Account
The electronic payment institution uses direct or indirect link mechanisms to provide payment services via linked deposit accounts.
Direct and Indirect Link Mechanisms
- The electronic payment institution can use a direct link mechanism, in which it gives the financial institution holding the account a payment deduction instruction that the financial institution authenticates and checks before disbursing funds.
- Alternatively, an indirect link mechanism can be used, where the electronic payment institution gives the financial institution holding the account a payment deduction instruction through a connected financial information service enterprise or clearing house.
Agreed Linkage Procedure
- Users apply to the electronic payment institution for account linkage and agree to have funds transferred on their behalf.
- Users provide required information, such as bank deposit account numbers and e-payment account numbers, to the financial institution holding the account.
- The electronic payment institution verifies user identity through a secure interface design for transactions.
Transaction Procedure
- Direct link mechanism: The electronic payment institution gives the financial institution holding the account a payment deduction instruction, which is authenticated and checked before disbursing funds.
- Indirect link mechanism: The electronic payment institution gives the financial institution holding the account a payment deduction instruction through a connected financial information service enterprise or clearing house.
Private Key Protection
- Private keys for certificates are stored in hardware security modules that meet certain security standards (Common Criteria EAL 4+ or FIPS 140-2 Level 3).
- Access to private keys and related programs is restricted by a control mechanism to prevent unauthorized access.
Notification Mechanism
The electronic payment institution asks the financial institution holding the account to establish a notification mechanism for instant notifications after fund transfers are made.
Risk Control
The dedicated deposit account bank or the financial institution holding the account establishes reasonable transaction flow control mechanisms.
Termination of Agreed Linkage
- Users apply for termination in a manner provided by the electronic payment institution or the financial institution holding the account.
- The financial institution holding the account notifies the electronic payment institution, and the agreed linkage is terminated.
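As an added illustration of the direct link transaction procedure together with the risk control, notification and termination requirements above (constructed example code, not text of the standard or any institution's system): the e-payment institution signs a deduction instruction with an assumed pre-shared HMAC key, and the account-holding bank authenticates and checks it before disbursing. The account numbers, key and daily limit are made-up values.

```python
import hmac
import json
from dataclasses import dataclass, field
# Constructed model, not the regulation's text: the e-payment institution (EPI)
# sends a deduction instruction to the account-holding bank under an agreed
# linkage; the bank authenticates it, checks linkage, replay and flow limits,
# deducts the funds and records an instant notification. Values are made up.
SHARED_KEY = b"sample-epi-bank-key"  # assumption: key shared by EPI and bank

def sign_instruction(instr):
    # HMAC over canonical JSON, so any altered field fails authentication
    body = json.dumps(instr, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, "sha256").hexdigest()

def epi_instruction(deposit_acct, epay_acct, amount, txn_id):
    # EPI side: build the deduction instruction and its authenticator
    instr = {"deposit_acct": deposit_acct, "epay_acct": epay_acct, "amount": amount, "txn_id": txn_id}
    return instr, sign_instruction(instr)

@dataclass
class Bank:  # account-holding bank side of the direct link mechanism
    balances: dict
    daily_limit: int = 5000                      # flow-control threshold
    linkages: set = field(default_factory=set)   # agreed (deposit, e-pay) pairs
    daily_spent: dict = field(default_factory=dict)
    seen_txns: set = field(default_factory=set)  # refuses replayed instructions
    notifications: list = field(default_factory=list)
    def agree_linkage(self, deposit_acct, epay_acct):
        self.linkages.add((deposit_acct, epay_acct))
    def terminate_linkage(self, deposit_acct, epay_acct):
        self.linkages.discard((deposit_acct, epay_acct))
    def deduct(self, instr, mac):
        # 1. authenticate first, with a constant-time comparison
        if not hmac.compare_digest(sign_instruction(instr), mac):
            return "rejected: authentication failed"
        key = (instr["deposit_acct"], instr["epay_acct"])
        if key not in self.linkages:  # 2. user agreed and has not terminated
            return "rejected: no agreed linkage"
        if instr["txn_id"] in self.seen_txns:
            return "rejected: duplicate instruction"
        amt, spent = instr["amount"], self.daily_spent.get(key[0], 0)
        if amt <= 0 or spent + amt > self.daily_limit:  # 3. risk control
            return "rejected: flow control limit"
        if self.balances.get(key[0], 0) < amt:
            return "rejected: insufficient funds"
        self.balances[key[0]] -= amt  # 4. disburse, then notify instantly
        self.daily_spent[key[0]] = spent + amt
        self.seen_txns.add(instr["txn_id"])
        self.notifications.append(f"{key[0]} -> {key[1]}: {amt} (txn {instr['txn_id']})")
        return "ok"
```

Once the user terminates the agreed linkage, a correctly signed instruction is still refused, which is the behaviour the termination procedure requires.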