PayGrid · paygrid.mn

Танилцуулга / Аюулгүй байдал

Аюулгүй байдал

Defense in depth + Fail securely + Least privilege + Audit everything important + No shortcuts. e-ID Mongolia v2-ын baseline-аас verbatim adopt. Доор PayGrid security tier бүр — mTLS, JWT, HSM, RBAC, RLS, hash-chained audit, threat model.

1. Зургаан зарчим — non-negotiable

  1. Defense in depth — нэг давхаргын compromise бүх системийг бүү эвдэг.
  2. Fail securely — алдаа нь хаалт-руу унана, нээлт-рүү бус.
  3. Least privilege — service / user / DB role хамгийн бага хүрээтэй.
  4. Audit everything important — repudiation impossible.
  5. No security shortcuts — TLS, parameterized queries, secret rotation.
  6. Standards verbatim — Berlin Group + ISO 20022 + eIDAS, шинэ зохион бичсэн биш.

2. Tripwires — хориотой зүйл

  • --no-verify, --skip-verify, --insecure flag-ууд
  • Plaintext password / PIN / token DB-д эсвэл log-д
  • 'unsafe-inline', 'unsafe-eval' CSP
  • Гар-аар бичигдсэн crypto algorithm — стандарт library-аас л
  • HSM-bypassed sensitive private key handling
  • Mongolbank settlement данс ramp-between actions
  • Merchant identity-аас PayGrid-д шууд хадгалах (PSP-only)

3. Authentication

mTLS (mandatory)

TLS 1.3 only (no TLS 1.2 эсвэл доороос)
Cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
ECDHE key exchange only
Client cert pinning per participant (fingerprint match in DB)
Cert validity: max 1 жил
Cert revocation: OCSP + CRL
HSTS: max-age=63072000; includeSubDomains; preload

JWT (per-request)

Algorithm: ES256 preferred, RS256 OK; HS256 forbidden
Issuer:     participant BIC
Audience:   api.paygrid.mn
exp:        ≤ 60 sec from iat
jti:        unique per request (replay protection)
Public key: pinned per participant in `participant_keys`

X-Road client (e-ID Mongolia-аар)

X-Road global trust anchor
Client subsystem: MN/COM/<reg>/PAYGRID-CLIENT
mTLS with X-Road managed certs

Endpoint:
   /r1/MN/COM/<eidmongol-member>/eid-rp/sign/initiate
   (тус бүрд PayGrid-ын өөрийн service-side signing-ад)

PayGrid does NOT proxy user SCA — банкууд e-ID-руу шууд
дуудна.

4. Cryptography policy

Approved

Hashing:    SHA-256, SHA-384, SHA-512
Symmetric:  AES-256-GCM, ChaCha20-Poly1305
Asymmetric: ECDSA P-256/P-384, Ed25519, RSA 2048/3072
KDF:        HKDF-SHA-256/512, Argon2id
Random:     crypto/rand (Go), /dev/urandom

Forbidden

  • MD5, SHA-1 хаа ч хамаагүй
  • AES-CBC/ECB, RC4, DES, 3DES
  • RSA < 2048
  • Custom crypto algorithms
  • XOR encryption, hardcoded IV/nonce
  • Predictable random
  • Source code эсвэл config-д хадгалсан key

5. HSM integration

  • Бүх long-lived signing keys HSM-д
  • PKCS#11 abstraction (github.com/miekg/pkcs11)
  • Vendors: Thales Luna (production) · AWS CloudHSM (cloud) · SoftHSM (dev)
  • Key types: server signing (ES256), master enc (AES-256), TLS server cert
  • HSM HA: active-active cluster, < 30 сек failover
  • Key ceremony: documented, witnessed (M-of-N), quarter тутам

6. Secrets management

  • Бүх secret Vault эсвэл KMS-д
  • Git, config файл (encrypted биш), env vars (boot-time биш), log, URL query string-д хэзээ ч биш
  • Rotation: ≤ 90 хоног API key-аар; ≤ 1 жил HSM key-аар
  • Detection: gitleaks pre-commit hook (mandatory)
  • Vault audit log — secret access бүх

7. RBAC + RLS

Application roles

paygrid_appApplication service account (RW with RLS)
paygrid_readerRead-only reporting (no PII)
paygrid_auditAudit log read access
paygrid_migrateDDL + RLS bypass — migration only
paygrid_operatorOperator portal (M-of-N for sensitive ops)

Per-participant context

paygrid.current_participant_bic   set per-request via session var
paygrid.is_operator               TRUE only when authenticated as operator

RLS enforces participant isolation:

CREATE POLICY payments_psp_isolation ON payments
    FOR SELECT
    USING (
        initiating_psp = current_setting('paygrid.current_participant_bic')
        OR creditor_psp = current_setting('paygrid.current_participant_bic')
        OR current_setting('paygrid.is_operator', true) = 'true'
    );

Operator portal

  • mTLS + WebAuthn (FIDO2 hardware token required)
  • IP allowlist (operator office VPN)
  • Session timeout: 15-минут idle, 4-цаг absolute
  • Sensitive ops (alias revoke, participant suspend) — M-of-N (2-of-3) approval
  • Бүх admin action audit-logged

8. Rate limiting

Per-participant:
   /v1/payments/sepa-credit-transfers   100 req/sec, 1000 req/min
   /v1/aliases/{alias}                   500 req/sec
   /v1/aliases (POST)                    10 req/sec
   /v1/psp/{bic}/balance                 10 req/sec

Per-IP (unauthenticated):
   /v1/health/*                           100 req/sec

Implementation: Redis sliding-window counter
Response:       429 + Retry-After header
Burst:          2× limit for 1-second burst

9. Audit log

Бүх чухал action бичигдэнэ — authentication attempt, authorization decision, payment lifecycle, alias create/update/revoke, participant onboard/suspend, operator portal action, settlement batch generation, webhook delivery, HSM key operation, secret access.

Schema overview (PLAN/06-DATA-MODEL.md §audit_log):

CREATE TABLE audit_log_template (
    id           BIGSERIAL,
    shard        SMALLINT NOT NULL,                 -- 0-15
    actor        VARCHAR(100) NOT NULL,
    action       VARCHAR(50)  NOT NULL,
    resource_id  VARCHAR(100),
    metadata     JSONB,
    prev_hash    CHAR(64),                          -- hash of previous in shard
    record_hash  CHAR(64) NOT NULL,                 -- SHA-256 chain
    occurred_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    PRIMARY KEY (shard, id)
);

-- 16 шард for concurrency
-- Sharded by abs(hashtext(resource_id)) % 16
-- new_hash = SHA-256(prev_hash || actor || action || resource || metadata || ts)
  • Hash-chained per shard for tamper detection
  • Off-site backup: daily encrypted snapshot to immutable S3 (object lock)
  • Retention: 7 жил (regulatory baseline)
  • Export: signed CSV/JSON-аар regulator-руу e-ID Mongolia QES-аар

Logging policy

❌ Хэзээ ч log хийхгүй

  • PIN, password, secret, key
  • JWT (full)
  • Card PAN
  • National ID
  • Phone, email
  • IP address (30 хоногоос гадуур)
  • Authorization header

✅ Log хийх

  • participant BIC (routing)
  • payment_id (UUID)
  • alias (truncated: ed***@gerege)
  • status code
  • error category

10. Threat model

ThreatMitigation
Stolen API keymTLS + JWT (key alone insufficient); rotation; audit
Replay attackjti + idempotency-key + JWT exp
MITMTLS 1.3 + cert pinning + HSTS
Insider threatRBAC + RLS + audit + M-of-N for sensitive ops
Database breachEncryption at rest (pgcrypto) + KMS-wrapped DEK
HSM compromiseActive-active with key escrow ceremony
DDoSCloudflare + rate limit + Redis caching
SQL injectionParameterized queries (sqlc) — no string concat
XSS (portal)CSP strict + sanitize all rendered user input
CSRFSameSite cookies + CSRF tokens on portal
Phishing (PSP staff)WebAuthn + IP allowlist for operator portal
Sanctions evasionReal-time screening on every tx
AML structuringFRM velocity rules + suspicious pattern detection
Settlement riskPre-funded nostro + DvP at Mongolbank
Regulatory non-complianceAudit log + auto-export tooling

11. Compliance requirements

  • Mongolian Personal Data Protection Law (2021): consent, DSAR
  • Mongolian Anti-Money Laundering Law: SAR reporting to FIU
  • Mongolian Payment Systems regulation: scheme operator obligations
  • ISO 27001: target Phase 3+ certification
  • PCI-DSS: scope minimization (no PAN handling)
  • ETSI EN 319 401: TSP general policy (PayGrid issues нь cert)
  • GDPR-equivalent: cross-border consideration (Phase 4)

12. Vulnerability response

  • Public bug bounty (HackerOne or similar) Phase 3+
  • Internal security@paygrid.mn
  • Disclosure SLA: critical 7 хоног, high 30 хоног
  • Patches deployed via automated CI (no manual steps)
  • Quarterly penetration test (3rd party)
  • Annual full security audit (regulator-approved firm)

Эх сурвалж: PLAN/07-SECURITY.md, PLAN/12-CONFORMANCE.md. Дараагийн хуудас: Settlement →