Front Page: Traficom

To ensure information security of the interface and the service, good information security practices must be followed.

Best practices for assessing the contractual partner’s reliability will be drafted in cooperation with stakeholders at events arranged by Traficom during 2020.

The parties should mutually agree on availability issues, taking into account statutory requirements on fairness, reasonableness and non-discrimination. 

Maintenance of information security means the technical and organisational measures that a party implements to ensure integrity and availability of networks and data systems, as well as confidentiality of information.

Verifying information security requires continuous management of overall information security and the implementation of the measures needed to verify the security of data communications and data systems, operational security and physical security.

These measures must take into account the state of the art and the cost of implementation, and they must be proportionate to the threats and risks involved.

Procedures in proportion to risks

The starting point of the information security practices required from both parties is threat modelling and risk evaluation. These can be based on the amount of personal data and payment instrument data to be protected, on the financial risks, and on the financial losses or reputational damage that would result if the service became unavailable because of a denial of service.

Information security and data protection requirements when opening a sales interface

The party obliged to open a sales interface must ensure that it can be opened without endangering information security or privacy protection. 

A contracting party may require that the other party applies good information security practices in proportion to the risks to data connections related to the sales interface of the ticket and payment system and to its own systems that have an impact on the data connections of the sales interface or the information security of data obtained through it. 

Information security and data protection requirements when acting on someone else’s behalf

The list below gives a general description of the information security and personal data protection requirements that apply when acting on someone else’s behalf.

The party acting on someone else’s behalf accesses the user account through the interface, or with the identifiers of the user or of the party acting on someone else’s behalf, that the party obliged to open its interface provides as the party maintaining the user account. The details are agreed on when the connection is established.

A transaction carried out on someone else’s behalf is initiated by the customer. 

The party acting on someone else’s behalf and the party obliged to open its interface must both do the following:

  • observe good information security practices proportional to the risks when processing data in their own data systems 
  • observe good information security practices proportional to the risks when transferring data 
  • ensure that the user’s personal data is processed in a secure manner 
  • ensure that only the personal data needed to complete the transaction carried out on someone else’s behalf is processed 
  • ensure that the contracting parties’ business secrets, cryptographic secrets or any other data required to open the user account when acting on someone else’s behalf are processed in a secure manner and are only used for the agreed purpose 
  • save the data required to authenticate the transaction carried out on someone else’s behalf and retain it for the period needed to investigate any incidents or complete any similar actions.

The party acting on someone else’s behalf must do the following:

  • identify itself to the party obliged to open its interface that maintains the user account in the manner agreed on when the connection is established 
  • ensure that the user’s identifiers and other personal data are only made available to the user and the party obliged to open its interface. 

Information security issues

The parties must agree at least on the following information security matters: 

  • Information security in the storage of data 
  • Information security in the transfer of data 
  • Procedures regarding changes in systems, interfaces and requirements 
  • Handling of incidents and threats related to the interface or the system 
  • Confidentiality of incident, change and transaction data 
  • Procedures to verify the information security and reliability of the contracting parties 

Verifying the information security of the contracting parties  

A contracting party can require from the other party that the two parties agree on a procedure for verifying that their information security levels are adequately maintained. 

A recommended and reasonable procedure is to define thorough requirements in the agreement and to carry out a technical test of the interfaces that are exposed to the internet. 

Simply for the sake of opening the sales interface, it is not reasonable to demand an independent audit or certification of the entire system. If a contracting party conducts an audit, the protection of trade and professional secrets and personal data must be taken into account. More extensive procedures can be used if they are also otherwise used by the parties for business reasons. 
