A standard setting out the minimum requirements for IT applications and systems connecting to the internet.
This standard seeks to address the rise in internet threats by implementing customer authentication and layered security controls for all internet-facing applications that provide external funds transfer and/or access to Sensitive Personal Information.
The risk classification for each in-scope application is based on the customer type (consumer or commercial), transaction capabilities (external funds transfer) and sensitivity of customer information. In addition, the application type and the method by which the application’s information is accessed over the internet are determined. The risk classification and application type results are then used to identify the minimum control for the application.