PayGrid · paygrid.mn

Танилцуулга / Стандартууд

Стандартын adoption matrix

Зарчим: дотооддоо invent хийгдсэн proprietary protocol хэрэглэхгүй; open standard-аас verbatim copy + Mongol-аар тус localization layer л нэмнэ. Доор PayGrid stack-ийн хуулжих стандарт бүгдийг.

1. Adoption matrix

LayerStandardSpec verSource
Bank APIBerlin Group NextGenPSD2v2.x (latest)berlin-group.org
QR encodingEMVCo MPQRv1.1emvco.com
QR encodingEMVCo CPQRv1.0(same)
QR dataISO/IEC 18004latestISO
QR checksumCRC-16/CCITT-FALSEEMVCo spec
MCCISO 18245latestISO
Inter-bank messageISO 20022pacs.008 v10, pacs.002 v11iso20022.org
IdentityeIDAS-equivalent (Mongolian DSL 2020)legalinfo.mn
Cert profileETSI EN 319 412-1 / 412-2v1.4.4 / v2.5.1ETSI
TSP policyETSI EN 319 411-1 / 411-2v1.3.1 / v2.5.1ETSI
Time-stampingRFC 3161 + ETSI EN 319 421RFC 3161 / v1.2.1RFC + ETSI
TSA securityETSI EN 319 422v1.2.1ETSI
QSCD protection profileCEN EN 419 211 / 419 241-2v1.0CEN
HSMFIPS 140-2 Level 3NIST
TLSTLS 1.3 (RFC 8446)RFC 8446IETF
OAuthOAuth 2.0 (RFC 6749) + PKCE (RFC 7636)IETF
OIDCOpenID Connect Core 1.0 + CIBACore 1.0 / CIBA 1.0OpenID Foundation
JWTRFC 7519IETF
JWSRFC 7515IETF
JWERFC 7516IETF
CMSRFC 5652IETF
OCSPRFC 6960IETF
CRLRFC 5280IETF
HSTSRFC 6797IETF
CSPW3C Content Security PolicyLevel 3W3C
WebAuthnW3C WebAuthn Level 3L3W3C
PSD2 RTS SCA(EU) 2018/389EU
Personal DataMongolian PDPL 2021MN
AMLMongolian AML LawMN

2. Verbatim copy

  • Berlin Group NextGenPSD2 endpoints, schemas, semantics
  • ISO 20022 pacs.008 / pacs.002 message structure
  • ETSI cert profile fields
  • RFC 3161 TSA protocol
  • JWT / JWS / CMS structures
  • TLS 1.3 cipher suites
  • OCSP / CRL formats
  • Sanctions list formats (OFAC SDN, EU consolidated)
  • EMVCo TLV encoding + CRC-16/CCITT-FALSE

3. Mongol-specific layer (PayGrid extensions)

  • binding_jws field on payment initiate (PSD2 RTS Article 5 stricter binding)
  • creditorAlias field (alias resolution)
  • frm_score / frm_action returned to PSP
  • psp_attestation in pacs.008 SplmtryData (X-Road bank-side SCA proof)
  • Mongolian semantic ID format (PNOMN-АА00000000)
  • MNT currency
  • Mongolian regulatory metadata
  • EMVCo Tag 81 mn.paygrid:// pay_uri (RFU range, Mongol extension)

4. Бид invent хийгээгүй

  • No custom "PayGrid protocol" replacing NextGenPSD2
  • No custom message format replacing pacs.008
  • No custom cert profile (use ETSI verbatim)
  • No custom crypto (standard libraries only)
  • No custom OAuth / OIDC flow (CIBA verbatim if used Phase 4)

5. Conformance tests

EMVCo QR Code

Tools: EMVCo Test Tools (commercial) + custom test suite
Tests:
   ✓ TLV encoder produces valid EMVCo MPQR
   ✓ TLV decoder parses spec-compliant QR
   ✓ CRC-16/CCITT-FALSE checksum correct
   ✓ Tag 26 / 49 / 81 reserved per spec
   ✓ Tag 81 PayGrid extension does NOT break vanilla EMVCo parsers
   ✓ pay_uri URI scheme valid
   ✓ Currency / country / MCC valid per ISO

Berlin Group NextGenPSD2

Test platform: Berlin Group test environment (when accessible)
   OR: Third-party conformance test tools

Tests:
   ✓ All required endpoints present + correct semantics
   ✓ Authentication (OAuth/PSU consent equivalent)
   ✓ Idempotency
   ✓ Error responses match spec
   ✓ JSON schemas conform
   ✓ HTTP semantics (codes, headers)

ISO 20022 message

Tools: ISO 20022 schema validation (XSD)
Tests:
   ✓ pacs.008 schema valid
   ✓ pacs.002 status reporting
   ✓ Mandatory fields per spec
   ✓ Repetitions / occurrences correct
   ✓ Currency codes ISO 4217
   ✓ BIC format
   ✓ IBAN format
   ✓ UETR uniqueness

eIDAS / ETSI cert

Tools: openssl x509 + custom validator
Tests:
   ✓ ETSI EN 319 412-2 §4 cert profile fields present
   ✓ QcStatements (id-etsi-qcs-QcCompliance, id-etsi-qcs-QcSSCD)
   ✓ KeyUsage = nonRepudiation for signature certs
   ✓ Subject SERIALNUMBER format: PNOMN-АА00000000
   ✓ Validity period reasonable
   ✓ Issuer chains to trusted root
   ✓ OCSP responder reachable

RFC 3161 timestamp

Tools: openssl ts
Tests:
   ✓ TSA token cryptographically valid
   ✓ Hash algorithm matches signed document
   ✓ Timestamp within reasonable window
   ✓ TSA cert valid + chains to trusted

PSD2 RTS Article 5 Dynamic Linking

  • Amount + payee bound in JWS
  • Tampering with amount → signature verify fails
  • Tampering with payee → signature verify fails
  • Replay (same JWS within window) → idempotency catches
  • Replay (after TTL) → exp check catches

Security baselines

  • gosec: 0 critical issues
  • govulncheck: 0 known vulnerabilities
  • staticcheck: 0 high-priority issues
  • gitleaks: 0 secrets in repo
  • TLS audit: ssllabs.com A+ rating
  • HSTS preload list eligible

6. Audit cadence

AuditFrequencyBody
Penetration testQuarterlyIndependent firm
Code security auditQuarterlyInternal + external
SOC 2 readinessAnnuallyInternal
SOC 2 Type IIAnnuallyBig 4 firm
ISO 27001 (target)Phase 3+ISO certification body
ETSI 319 411-2AnnuallyETSI-approved auditor
Mongolbank financialAnnuallyMongolbank or designated
Vulnerability scanContinuousSnyk / Dependabot

7. Reference materials

Standards (ил тод хандах боломжтой)

Berlin Group NextGenPSD2 v2.x:
   https://www.berlin-group.org/nextgenpsd2-downloads

ISO 20022 message definitions:
   https://www.iso20022.org/iso-20022-message-definitions

ETSI standards (бүртгэл шаардлагатай):
   https://www.etsi.org/standards-search

PSD2 RTS:
   https://eur-lex.europa.eu/eli/reg_del/2018/389/oj

eIDAS Regulation:
   https://eur-lex.europa.eu/eli/reg/2014/910/oj

Smart-ID documentation:
   https://github.com/SK-EID/smart-id-documentation

Mongolian regulations:
   https://legalinfo.mn — Digital Signature Law (2020), AML Law, PDPL (2021)
   Mongolbank — E-money issuer regulation (2019)

RFCs (free)

RFC 3161 (TSA)
RFC 5280 (X.509 PKI)
RFC 5652 (CMS)
RFC 6749 (OAuth 2.0)
RFC 6797 (HSTS)
RFC 6960 (OCSP)
RFC 7515 (JWS)
RFC 7516 (JWE)
RFC 7519 (JWT)
RFC 7636 (PKCE)
RFC 8446 (TLS 1.3)
RFC 9126 (PAR)
RFC 9449 (DPoP)

Эх сурвалж: PLAN/12-CONFORMANCE.md. Дараагийн хуудас: Dev workflow →