Security Appendix — ODG-PASS Bank Connector
Version 0.1 · Pre-regulatory · Classification: bank confidential / supervisory review · ODG-PASS Innovation LLC · funds_moved: false
Scope. This appendix supports information-security and regulatory review of Mode 2 (Bank Connector). It does not replace the bank's own risk assessment, legal opinion, or regulatory filing.
1. System context
ODG-PASS Gateway provides deterministic pre-validation of ISO 20022 payment messages (SWIFT CBPR+ alignment). The Bank Connector runs entirely inside the bank's security zone. ODG-PASS acts as a software vendor only.
[Public Internet]
│
│ HTTPS (Mode 1 only — optional, separate)
▼
┌─────────────────────────────────────────────────────────────┐
│ BANK — DMZ / App VLAN │
│ │
│ ┌──────────────────┐ ┌─────────────────────────┐ │
│ │ Bank Connector │────────▶│ Bank sandbox / UAT API │ │
│ │ · robot │ mTLS │ (bank credentials) │ │
│ │ · license client │ └─────────────────────────┘ │
│ └────────┬─────────┘ │
│ │ outbound (optional) │
└───────────┼──────────────────────────────────────────────────┘
│ TLS 1.2+ license.odg… (org id, expiry — no payload)
▼
[ODG-PASS License Service]
2. Component inventory
| Component | Location | Function |
| Public Gateway (Mode 1) | Vendor-hosted web | Browser terminal, /validate API, no bank secrets |
| Validation Robot | Bank Connector (primary) or public API (Mode 1) | Rule engine: IBAN, ISO 20022 fields, purpose codes |
| Sandbox adapter | Bank Connector only | Fetches test messages from bank endpoint |
| License client | Bank Connector | Entitlement verification |
| License service | Vendor | Issue / revoke keys; no payment content |
| AI extract (optional) | Separate module | Not on critical path for Connector v1 |
3. Data classification & flows
| Data type | Examples | Where processed | Retention (target) |
| Payment message metadata | pain.001 / pacs.008 fields, amounts, IBAN, BIC | Bank Connector (in-memory + bank-controlled logs) | Bank policy; default recommendation: 90 days operational logs |
| Bank sandbox credentials | API keys, client certs | Bank secret store / Connector config vault | Never sent to ODG-PASS public site |
| License metadata | org_id, expiry, tier | Vendor license service | Contract lifetime + audit |
| PAN / card data | — | Out of scope | Not collected by design |
| Customer authentication | Bank logins | Never on public Gateway | N/A |
4. Network & cryptography (target)
- Inbound to Connector: bank-internal only (admin API bind
127.0.0.1 or private VLAN).
- Outbound from Connector: (a) bank sandbox endpoint; (b) optional
license.* HTTPS.
- TLS: 1.2 minimum, 1.3 preferred; bank may pin vendor license CA.
- Secrets at rest: OS keychain, HashiCorp Vault, or bank KMS — not plaintext in repo.
- License key: signed JWT or HMAC token; offline validation supported for air-gapped pilots.
5. STRIDE summary (Connector)
| Threat | Mitigation |
| Spoofing | mTLS to sandbox; signed license; admin API auth (bank SSO) |
| Tampering | Signed rulepack versions; immutable audit log option |
| Repudiation | Per-check audit ID, timestamp, rulepack version in logs |
| Information disclosure | Connector in bank zone; no payment payload to license service |
| Denial of service | Rate limits; bank WAF; Connector resource caps |
| Elevation of privilege | Least-privilege OS user; no root by default; read-only container FS |
6. Security controls matrix (high level)
| Control area | Implementation | Owner |
| Segregation of duties | Bank operates sandbox; vendor supplies software only | Bank + Vendor |
| Least privilege | Connector service account; no production payment rails | Bank |
| Encryption in transit | TLS to sandbox & license | Bank / Vendor |
| Encryption at rest | Bank disk/KMS policy | Bank |
| Logging & monitoring | Check results, errors, license status — SIEM integration | Bank |
| Vulnerability management | Signed releases, CVE response SLA in license | Vendor |
| Change management | Versioned rulepack; bank approval before upgrade | Bank |
| Incident response | Joint contact tree; vendor security advisory channel | Both |
7. RACI (simplified)
| Activity | Bank | ODG-PASS | Regulator |
| Deploy Connector | R/A | C | I |
| Sandbox credentials | R/A | I | — |
| License entitlement | C | R/A | — |
| Payment execution | R/A | — | Oversight |
| Format pre-validation | C | R (software) | I |
| AML / sanctions decision | R/A | — (signal only) | Oversight |
R=Responsible · A=Accountable · C=Consulted · I=Informed
8. Regulatory positioning (non-legal)
- Product category: validation / testing tooling on the information layer.
- Not: payment system, e-money, custody, or payment initiation under typical PSD2/MiCA framing — bank counsel to confirm per jurisdiction.
- GCC / Oman / KSA: Mode 2 deployment follows bank's localization and sandbox rules; ODG-PASS does not submit to ZATCA/FTA on behalf of the bank.
- Explicit invariant:
funds_moved: false — no settlement, no nostro movement, no client debit.
9. Audit artifacts (for pilot & supervision)
- Architecture diagram (this pack + For Banks page)
- Connector version & rulepack hash
- Sample validation report (redacted)
- License activation record
- Pen-test summary (vendor, per release)
- Data flow & retention statement
- Incident contact & SLA excerpt
10. Roadmap to production hardening
| Phase | Deliverable |
| Now (pre-approval) | This pack · For Banks page · Connector architecture spec · evaluation license |
| Pilot | Docker Connector MVP · 1 sandbox adapter · admin CLI · audit logs |
| Licensed | Signed releases · offline license · SIEM export · bank SSO |
| Supervisory | Third-party pen-test report · updated appendix per jurisdiction |
© ODG-PASS Innovation LLC · Appendix v0.1 · For bank IS & supervisory discussion only.