www.ChineseStandard.net

GB/T 21078.1-2023 English PDF

US$699.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 21078.1-2023: Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
Status: Valid

GB/T 21078.1: Historical versions

Standard ID | USD | BUY PDF | Lead-Days | Standard Title (Description) | Status
GB/T 21078.1-2023 | 699 | Add to Cart | 6 days | Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems | Valid
GB/T 21078.1-2007 | RFQ | ASK | 5 days | Banking -- Personal Identification Number management and security -- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems | Obsolete

Similar standards

JR/T 0197   JR/T 0154   GB/T 19584   GB/T 21078.4   GB/T 21079.1   GB/T 21079.2   

Basic data

Standard ID: GB/T 21078.1-2023 (GB/T21078.1-2023)
Description (Translated English): Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: A11
Classification of International Standard: 35.240.40
Word Count Estimation: 36,381
Date of Issue: 2023-03-17
Date of Implementation: 2023-03-17
Older Standard (superseded by this standard): GB/T 21078.1-2007, GB/T 21078.2-2011
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 21078.1-2023: Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.240.40
CCS A11
National Standard of the People's Republic of China
Replacing GB/T 21078.1-2007, GB/T 21078.2-2011
Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
(ISO 9564-1:2017, MOD)
Released on 2023-03-17; implemented on 2023-03-17
Released by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Basic principles of PIN management
5.1 Overview
5.2 Basic principles
6 PIN processing devices
6.1 Security requirements for PIN processing devices
6.2 Physical security of IC card readers
6.3 Characteristics of PEDs
7 PIN security considerations
7.1 PIN control requirements
7.2 PIN encryption
8 PIN verification
8.1 Overview
8.2 Online PIN verification
8.3 Offline PIN verification
9 Management/protection techniques for account-related PIN functions
9.1 PIN length
9.2 PIN establishment
9.3 PIN issuance and delivery
9.4 PIN selection
9.5 PIN change
9.6 PIN replacement
9.7 Disposal of discarded material and returned PIN letters
9.8 PIN activation
9.9 PIN storage
9.10 PIN deactivation
9.11 PIN letter
10 Management/protection techniques for transaction-related PIN functions
10.1 PIN entry
10.2 Protection of the PIN during transmission
10.3 Compressed PIN block formats
10.4 Extended PIN block
10.5 Conversion restrictions for PIN block formats
10.6 Transaction logs containing PIN data
Appendix A (normative) Destruction of sensitive data
Appendix B (informative) Design guidelines for PEDs
Appendix C (informative) Information for customers
References

Foreword

This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work - Part 1: Structure and Drafting Rules for Standardization Documents".

This document is Part 1 of GB/T 21078. GB/T 21078 has issued the following parts:
--- Financial services - Personal Identification Number management and security - Part 1: Basic principles and requirements for PINs in card-based systems (GB/T 21078.1);
--- Banking - Personal Identification Number management and security - Part 3: Guidelines for PIN handling in open networks (GB/T 21078.3);
--- Financial services - Personal Identification Number management and security - Part 4: Approved PIN encryption algorithms (GB/T 21078.4).

This document replaces GB/T 21078.1-2007 "Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems" and GB/T 21078.2-2011 "Banking - Personal Identification Number management and security - Part 2: Requirements for offline PIN handling in ATM and POS systems". It is based mainly on GB/T 21078.1-2007 and integrates the content of GB/T 21078.2-2011.

Compared with GB/T 21078.1-2007, apart from structural adjustments and editorial changes, the main technical changes are as follows:
a) Changed the name of the standard (see the cover; cover of the 2007 edition);
b) Added the terms "cardholder PIN", "integrated circuit", "integrated circuit card", "primary account payment token" and "sensitive status" (see Chapter 3);
c) Removed the terms "irreversible encryption", "irreversible transformation of a key", "key component", "notarization", "key splitting" and "key variant" (see Chapter 3 of the 2007 edition);
d) Added the chapter "Abbreviations" (see Chapter 4);
e) Added an overview of the basic principles of PIN management, introducing and comparing the concepts of "cardholder PIN", "reference PIN" and "transaction PIN" (see 5.1);
f) Changed part of the basic principles of PIN management (see 5.2; Chapter 4 of the 2007 edition);
g) Added security requirements for PIN processing devices (see 6.1) and physical security considerations for IC card readers (see 6.2);
h) Deleted the PIN entry requirements (see 5.3 of the 2007 edition) and the packaging considerations (see 5.4 of the 2007 edition);
i) Changed the clause title to "PIN processing system" and adjusted the related requirements (see 7.1.1; 6.1.1 of the 2007 edition);
j) Changed the recording media requirements (see 7.1.2; 6.1.2 of the 2007 edition) and the oral communication requirements (see 7.1.3; 6.1.3 of the 2007 edition);
k) Changed part of the content on PIN encryption, including adding requirements for offline PINs (see 7.2; 6.2 of the 2007 edition);
l) Deleted the physical security requirements for PINs (see 6.3 of the 2007 edition);
m) Added PIN verification requirements (see Chapter 8);
n) Changed the clause title to "PIN establishment" (see 9.2; 7.2 of the 2007 edition); added requirements for "PIN selection" (see 9.4), "PIN replacement" (see 9.6) and "PIN letter" (see 9.11);
o) Added PIN protection requirements for sending the PIN to the IC card for offline PIN verification, merging part of the content of GB/T 21078.2-2011 (see 10.2.2);
p) Changed the clause title to "Compressed PIN block format" (see 10.3; 8.3 of the 2007 edition); added the use of the "format 2 PIN block" in offline environments, merging part of the content of GB/T 21078.2-2011 (see 10.3.4); added "Restrictions on the use of compressed PIN block formats" (see 10.3.6);
q) Added requirements for the "extended PIN block" (see 10.4);
r) Added requirements for "Conversion restrictions for PIN block formats" (see 10.5);
s) Added requirements for "Transaction logs containing PIN data" (see 10.6);
t) Changed part of the content of "Destruction of sensitive data" (see Appendix A; Appendix F of the 2007 edition);
u) Changed part of the "PED design guidelines" (see Appendix B; Appendix E of the 2007 edition);
v) Changed part of the content of "Information provided to customers" (see Appendix C; Appendix G of the 2007 edition);
w) Deleted "General principles of key management" (see Appendix A of the 2007 edition), "PIN verification techniques" (see Appendix B of the 2007 edition), "PIN entry devices for online PIN encryption" (see Appendix C of the 2007 edition) and "Example of pseudo-random PIN generation" (see Appendix D of the 2007 edition).

This document is a modified adoption of ISO 9564-1:2017 "Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems".

Compared with ISO 9564-1:2017, this document makes the following structural adjustment:
--- Added the chapter "Abbreviations" (see Chapter 4).

The technical differences between this document and ISO 9564-1:2017, and their reasons, are as follows:
--- Changed the normative references, replacing ISO 9564-2 with GB/T 21078.4-2023 to suit the technical conditions of China;
--- Added the format 4 PIN block to support the SM4 block cipher algorithm (see 10.4.1), to suit actual domestic applications.

The following editorial changes have been made in this document:
--- Deleted the terms "irreversible encryption", "key component" and "key splitting", because they are not mentioned in this document outside the chapter "Terms and definitions";
--- Added the abbreviations "host security module" and "secure cryptographic device" (see Chapter 4) for ease of use;
--- Deleted the informative references NIST SP 800-22 and NIST SP 800-88 to suit actual domestic applications.

Please note that some contents of this document may be subject to patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).

Drafting organizations of this document: China UnionPay Co., Ltd., Beijing UnionPay Gold Card Technology Co., Ltd., Agricultural Bank of China Co., Ltd.

Main drafters of this document: Zhao Hai, Tang Yang, Yuan Sisi, Zhang Yanchao, Tan Yifu, Liu Gang, Ma Jun, Wang Peng.

The previous editions of this document and of the documents it replaces were released as follows:
--- GB/T 21078.1, first released in 2007; this is the first revision;
--- GB/T 21078.2, first released in 2011; this is the first revision.

Introduction

GB/T 21078 aims to specify the basic principles and requirements for PIN management and security in financial services, and is intended to consist of three parts:
--- "Financial services - Personal Identification Number management and security - Part 1: Basic principles and requirements for PINs in card-based systems" (GB/T 21078.1), which aims to provide the basic principles and techniques for the minimum security measures required for effective PIN management;
--- "Banking - Personal Identification Number management and security - Part 3: Guidelines for PIN handling in open networks" (GB/T 21078.3), which aims to define minimum PIN security guidelines in an open network environment;
--- "Financial services - Personal Identification Number management and security - Part 4: Approved PIN encryption algorithms" (GB/T 21078.4), which aims to define the approved PIN encryption algorithms and the requirements for their use.

More than ten years have passed since the first part of GB/T 21078 was released in 2007. During this period the application of PINs in financial services has continued to deepen, and the management and security requirements for PINs, as well as the related international standards, have also changed:
--- ISO 9564-1:2002, adopted by GB/T 21078.1-2007, was revised twice, in 2011 and 2017;
--- ISO 9564-3:2003, on which GB/T 21078.2-2011 was based, was merged into ISO 9564-1 in 2011, and ISO 9564-3:2003 has been withdrawn;
--- GB/T 21078.3-2011 adopts ISO/TR 9564-4:2004 identically, to provide security protection for PINs in an open network environment;
--- GB/T 21078.4-2023 adopts ISO 9564-2:2014 with modifications, to fill the gap of approved PIN encryption algorithms and to meet the new requirements that keep arising from the application of cryptographic algorithms.

This document replaces GB/T 21078.1-2007 and GB/T 21078.2-2011, and provides the basic principles and techniques for PIN management and protection, helping to improve the level of PIN security management and protect the security of financial transactions. In particular, the confidentiality of the PIN has to be guaranteed throughout the whole PIN life cycle, including PIN generation, issuance, activation, storage, entry, transmission, verification, deactivation and the other stages.

The basic security requirements for PINs are universally applicable and apply to both online PIN verification and offline PIN verification. Because different verification methods suit different transaction scenarios, the card issuer can choose the appropriate PIN verification method according to the actual transaction situation and provide additional safeguards as needed. For example, online PIN verification can be performed independently of the card itself, so any type of card or device can be used to initiate online PIN verification transactions; offline PIN verification, on the other hand, places special requirements on the implementation of the card: for example, cards with embedded integrated circuits can support offline PIN verification.

Financial services - PIN management and security - Part 1: Basic principles and requirements for PINs in card-based systems

1 Scope

This document specifies the basic principles and techniques of the security measures required for PIN management. These measures apply to institutions responsible for implementing PIN management and protection techniques, including PIN creation, issuance, use and deactivation.

This document applies to the management of cardholder PINs used to authenticate cardholders in retail banking systems, in particular in automated teller machines (ATMs), kiosks and PIN selection/change systems. This document also applies to card issuers and switching systems.

The provisions of this document do not cover the following:
--- PIN management and security where there is no persistent cryptographic relationship between the transaction-originating device and the acquirer, e.g. online shopping using a browser (see ISO 9564-4 for this environment);
--- preventing customers from losing their PIN or intentionally using a wrong PIN;
--- confidentiality of non-PIN transaction data;
--- protection of transaction information from alteration or replacement;
--- prevention of replay of PINs or transactions;
--- specific key management techniques;
--- offline PIN verification used in contactless devices;
--- special PIN management requirements involving integrated circuit card (IC card) multi-application functions.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

GB/T 21078.4-2023 Financial services - Personal Identification Number management and security - Part 4: Approved PIN encryption algorithms (ISO 9564-2:2014, MOD)
Note: GB/T 27909 (all parts) Banking - Key management (retail) [ISO 11568 (all parts)]
ISO 13491-1 Secure cryptographic devices for financial services (retail) - Part 1: Concepts, requirements and evaluation methods
Note: GB/T 21079.1-2022 Financial services - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods (ISO 13491-1:2016, MOD)
ISO 13491-2:2017 Secure cryptographic devices for financial services (retail) - Part 2: Security compliance checklists for devices used in financial transactions
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 21078.1-2023_English be delivered?

Answer: Upon your order, we will start to translate GB/T 21078.1-2023_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 21078.1-2023_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 21078.1-2023_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 21078.1-2023?

Answer: Yes. Except in special scenarios such as technical constraints or academic study, you should always prioritize purchasing the latest version, GB/T 21078.1-2023, even if the enforcement date is in the future. Complying with the latest version means that, by default, you technically also comply with all the earlier versions.