Танилцуулга / Стандартууд
Стандартын adoption matrix
Зарчим: дотооддоо invent хийгдсэн proprietary protocol хэрэглэхгүй; open standard-аас verbatim copy + Mongol-аар тус localization layer л нэмнэ. Доор PayGrid stack-ийн хуулжих стандарт бүгдийг.
1. Adoption matrix
| Layer | Standard | Spec ver | Source |
|---|---|---|---|
| Bank API | Berlin Group NextGenPSD2 | v2.x (latest) | berlin-group.org |
| QR encoding | EMVCo MPQR | v1.1 | emvco.com |
| QR encoding | EMVCo CPQR | v1.0 | (same) |
| QR data | ISO/IEC 18004 | latest | ISO |
| QR checksum | CRC-16/CCITT-FALSE | — | EMVCo spec |
| MCC | ISO 18245 | latest | ISO |
| Inter-bank message | ISO 20022 | pacs.008 v10, pacs.002 v11 | iso20022.org |
| Identity | eIDAS-equivalent (Mongolian DSL 2020) | — | legalinfo.mn |
| Cert profile | ETSI EN 319 412-1 / 412-2 | v1.4.4 / v2.5.1 | ETSI |
| TSP policy | ETSI EN 319 411-1 / 411-2 | v1.3.1 / v2.5.1 | ETSI |
| Time-stamping | RFC 3161 + ETSI EN 319 421 | RFC 3161 / v1.2.1 | RFC + ETSI |
| TSA security | ETSI EN 319 422 | v1.2.1 | ETSI |
| QSCD protection profile | CEN EN 419 211 / 419 241-2 | v1.0 | CEN |
| HSM | FIPS 140-2 Level 3 | — | NIST |
| TLS | TLS 1.3 (RFC 8446) | RFC 8446 | IETF |
| OAuth | OAuth 2.0 (RFC 6749) + PKCE (RFC 7636) | — | IETF |
| OIDC | OpenID Connect Core 1.0 + CIBA | Core 1.0 / CIBA 1.0 | OpenID Foundation |
| JWT | RFC 7519 | — | IETF |
| JWS | RFC 7515 | — | IETF |
| JWE | RFC 7516 | — | IETF |
| CMS | RFC 5652 | — | IETF |
| OCSP | RFC 6960 | — | IETF |
| CRL | RFC 5280 | — | IETF |
| HSTS | RFC 6797 | — | IETF |
| CSP | W3C Content Security Policy | Level 3 | W3C |
| WebAuthn | W3C WebAuthn Level 3 | L3 | W3C |
| PSD2 RTS SCA | (EU) 2018/389 | — | EU |
| Personal Data | Mongolian PDPL 2021 | — | MN |
| AML | Mongolian AML Law | — | MN |
2. Verbatim copy
- Berlin Group NextGenPSD2 endpoints, schemas, semantics
- ISO 20022 pacs.008 / pacs.002 message structure
- ETSI cert profile fields
- RFC 3161 TSA protocol
- JWT / JWS / CMS structures
- TLS 1.3 cipher suites
- OCSP / CRL formats
- Sanctions list formats (OFAC SDN, EU consolidated)
- EMVCo TLV encoding + CRC-16/CCITT-FALSE
3. Mongol-specific layer (PayGrid extensions)
binding_jwsfield on payment initiate (PSD2 RTS Article 5 stricter binding)creditorAliasfield (alias resolution)frm_score/frm_actionreturned to PSPpsp_attestationin pacs.008 SplmtryData (X-Road bank-side SCA proof)- Mongolian semantic ID format (
PNOMN-АА00000000) - MNT currency
- Mongolian regulatory metadata
- EMVCo Tag 81
mn.paygrid://pay_uri (RFU range, Mongol extension)
4. Бид invent хийгээгүй
- No custom "PayGrid protocol" replacing NextGenPSD2
- No custom message format replacing pacs.008
- No custom cert profile (use ETSI verbatim)
- No custom crypto (standard libraries only)
- No custom OAuth / OIDC flow (CIBA verbatim if used Phase 4)
5. Conformance tests
EMVCo QR Code
Tools: EMVCo Test Tools (commercial) + custom test suite
Tests:
✓ TLV encoder produces valid EMVCo MPQR
✓ TLV decoder parses spec-compliant QR
✓ CRC-16/CCITT-FALSE checksum correct
✓ Tag 26 / 49 / 81 reserved per spec
✓ Tag 81 PayGrid extension does NOT break vanilla EMVCo parsers
✓ pay_uri URI scheme valid
✓ Currency / country / MCC valid per ISO
Berlin Group NextGenPSD2
Test platform: Berlin Group test environment (when accessible)
OR: Third-party conformance test tools
Tests:
✓ All required endpoints present + correct semantics
✓ Authentication (OAuth/PSU consent equivalent)
✓ Idempotency
✓ Error responses match spec
✓ JSON schemas conform
✓ HTTP semantics (codes, headers)
ISO 20022 message
Tools: ISO 20022 schema validation (XSD)
Tests:
✓ pacs.008 schema valid
✓ pacs.002 status reporting
✓ Mandatory fields per spec
✓ Repetitions / occurrences correct
✓ Currency codes ISO 4217
✓ BIC format
✓ IBAN format
✓ UETR uniqueness
eIDAS / ETSI cert
Tools: openssl x509 + custom validator
Tests:
✓ ETSI EN 319 412-2 §4 cert profile fields present
✓ QcStatements (id-etsi-qcs-QcCompliance, id-etsi-qcs-QcSSCD)
✓ KeyUsage = nonRepudiation for signature certs
✓ Subject SERIALNUMBER format: PNOMN-АА00000000
✓ Validity period reasonable
✓ Issuer chains to trusted root
✓ OCSP responder reachable
RFC 3161 timestamp
Tools: openssl ts
Tests:
✓ TSA token cryptographically valid
✓ Hash algorithm matches signed document
✓ Timestamp within reasonable window
✓ TSA cert valid + chains to trusted
PSD2 RTS Article 5 Dynamic Linking
- Amount + payee bound in JWS
- Tampering with amount → signature verify fails
- Tampering with payee → signature verify fails
- Replay (same JWS within window) → idempotency catches
- Replay (after TTL) → exp check catches
Security baselines
- gosec: 0 critical issues
- govulncheck: 0 known vulnerabilities
- staticcheck: 0 high-priority issues
- gitleaks: 0 secrets in repo
- TLS audit: ssllabs.com A+ rating
- HSTS preload list eligible
6. Audit cadence
| Audit | Frequency | Body |
|---|---|---|
| Penetration test | Quarterly | Independent firm |
| Code security audit | Quarterly | Internal + external |
| SOC 2 readiness | Annually | Internal |
| SOC 2 Type II | Annually | Big 4 firm |
| ISO 27001 (target) | Phase 3+ | ISO certification body |
| ETSI 319 411-2 | Annually | ETSI-approved auditor |
| Mongolbank financial | Annually | Mongolbank or designated |
| Vulnerability scan | Continuous | Snyk / Dependabot |
7. Reference materials
Standards (ил тод хандах боломжтой)
Berlin Group NextGenPSD2 v2.x:
https://www.berlin-group.org/nextgenpsd2-downloads
ISO 20022 message definitions:
https://www.iso20022.org/iso-20022-message-definitions
ETSI standards (бүртгэл шаардлагатай):
https://www.etsi.org/standards-search
PSD2 RTS:
https://eur-lex.europa.eu/eli/reg_del/2018/389/oj
eIDAS Regulation:
https://eur-lex.europa.eu/eli/reg/2014/910/oj
Smart-ID documentation:
https://github.com/SK-EID/smart-id-documentation
Mongolian regulations:
https://legalinfo.mn — Digital Signature Law (2020), AML Law, PDPL (2021)
Mongolbank — E-money issuer regulation (2019)
RFCs (free)
RFC 3161 (TSA)
RFC 5280 (X.509 PKI)
RFC 5652 (CMS)
RFC 6749 (OAuth 2.0)
RFC 6797 (HSTS)
RFC 6960 (OCSP)
RFC 7515 (JWS)
RFC 7516 (JWE)
RFC 7519 (JWT)
RFC 7636 (PKCE)
RFC 8446 (TLS 1.3)
RFC 9126 (PAR)
RFC 9449 (DPoP)
Эх сурвалж: PLAN/12-CONFORMANCE.md.
Дараагийн хуудас: Dev workflow →