GA 1280-2015: Security requirements for automatic teller machines
Status: Valid
GA
PUBLIC SECURITY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
Security requirements for automatic teller machines
ISSUED ON: OCTOBER 28, 2015
IMPLEMENTED ON: JANUARY 01, 2016
Issued by: Ministry of Public Security of PRC
Table of contents
Foreword
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 General requirements
5 Hardware module security requirements
6 Network access security requirements
7 Operating system security requirements
8 Application system security requirements
9 Data security requirements
10 Test methods
11 Inspection rules
Foreword
Chapters 1 to 3 of this standard, 4.4, 4.5, 4.10, 5.1.3, 5.2.6, 5.4.3, 5.5.3,
7.1.7, and Chapter 10 are recommended; the remainder are mandatory.
This standard was drafted in accordance with the rules given in GB/T
1.1-2009.
This standard was proposed by the Public Security Administration Bureau of
the Ministry of Public Security.
This standard shall be under the jurisdiction of the National Security Alarm
System Standardization Technical Committee (SAC/TC 100).
The drafting organizations of this standard: Public Security Administration
Bureau of the Ministry of Public Security, the CBRC Security Bureau, GRG
Banking Financial Electronics Co., Ltd., Beijing Telesound Electronics Co., Ltd.,
Eastern Communications Co., Ltd., Security and Police Electronic Product
Quality Detection Center of the Ministry of Public Security, Industrial and
Commercial Bank of China, Agricultural Bank of China, Bank of China, China
Construction Bank.
The drafters of this standard are: Liu Wei, Yuan He, Yang Jianhua, Ren Ji, Xie
Huachun, Bian Sanping, Wang Jianli, Liu Xu, Xing Weidong, Bao Shilong, Qiu
Rixiang, Zhang Hongbin, Luo Panfeng, Xu Jun, Nie Rong, Ji Jinglin, Ye
Zaiben.
Security requirements for automatic teller machines
1 Scope
This standard specifies the general requirements, the hardware modules,
network access, operating systems, application systems and data security
requirements, test methods and inspection rules of the automatic teller
machine.
This standard applies to the design, production, inspection and acceptance of
automatic teller machine security.
2 Normative references
The following documents are essential to the application of this document. For
dated documents, only the versions with the dates indicated are applicable
to this document; for undated documents, only the latest version (including
all amendments) is applicable to this document.
GB 10409 Burglary resistant safes
GB/T 18789.1-2013 Information technology - General specification for
automated teller machine - Part 1: Device
GB/T 19584 Magnetic stripe data content and specification for bank card
GA 745 Regulations of security and protection for bank self-service
equipment and self-service bank
JR/T 0002-2009 Specification on automatic teller machine (ATM) terminal
for bank card
JR/T 0025.3 China financial integrated circuit (IC) card specifications - Part
3: Debit/credit application independent ICC to terminal interface
requirements
JR/T 0025.11 China financial integrated circuit (IC) card specifications - Part
11: Contactless integrated circuit card communication specification
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Automatic teller machine
Self-service equipment that integrates a variety of financial business
functions, through which customers can complete bank counter services
such as deposit, withdrawal, transfer, information inquiry and other agency
business; it includes the automatic teller machine and the cash recycling
system.
3.1.2
Automatic teller machine control software
Control system software that runs on the automatic teller machine terminal
equipment, at the bottom of the terminal trading channel, and through which
the ATM components can be controlled. It is mainly used to provide
customers and ATM equipment administrators with a variety of transaction
and management interfaces, and realizes certain functions together with
the ATM front-end processing system through message exchange.
3.1.3
Automatic teller machine front-end processing system
The processing system that, for online transactions, is responsible for the
communication between the ATM terminal and the ATM management
center; it can receive, process and forward the transaction request
information from the ATM terminal and the transaction result information
from the management center.
3.1.4
Message
The data unit used for exchange and transmission in the network.
3.1.5
4.6 Cabinet doors of different ATMs shall not use the same key, and different
cabinet doors of the same ATM shall not use the same key.
4.7 The inside of the ATM cabinet shall reserve installation openings for the
face surveillance camera and the cash deposit and withdrawal surveillance
camera.
4.8 The surveillance cameras installed in ATM shall comply with the relevant
requirements of GA 745.
4.9 The ATM cabinet enclosure shall be made of steel plate with a thickness
greater than or equal to 1 mm.
4.10 ATM should support the national commercial cryptographic algorithm
series.
4.11 ATM shall have the function of outputting status information such as
normal operation and fault.
4.12 An ATM with a cabinet door shall be fitted with an alarm detection device
to detect abnormal door opening and closing and raise an alarm. When the
safe lock is opened, the ATM shall not enter service mode.
4.13 The card slot shall have the function of preventing the illegal installation
of a reading device, detecting the illegal installation of a reading device, and
issuing an alarm.
5 Hardware module security requirements
5.1 Card reader module
5.1.1 The card reader module shall have the function of returning the card in
case of power failure.
5.1.2 The contact card reader module shall have a card retention function,
during which it shall produce a fault signal.
5.1.3 The contact card reader module should have a jitter card feeding
function.
5.1.4 The contact IC card reader module shall comply with the relevant
provisions of JR/T 0025.3, the contactless IC card reader module shall comply
with the relevant provisions of JR/T 0025.11, and the magnetic stripe card
reader module shall comply with the relevant provisions of GB/T 19584.
5.2 Cash dispense module
5.2.1 It shall have the function of rejecting unauthorized instructions.
5.5.1 The anti-destructive capacity of the safe shall comply with the
requirements of C.3 in Appendix C of GB/T 18789.1-2013. The safe door shall
have safety locking devices, and neither the number of such safety locking
devices nor the number of safety locking directions shall be less than 2. The
other requirements of the safe shall comply with the relevant provisions of GB
10409.
5.5.2 The safe shall have devices and fittings for fixing it to the ground; there
shall be not fewer than 4 fixation and connection devices, and the diameter of
the fittings shall be greater than or equal to 12 mm.
5.5.3 The safe should be fitted with a dynamic electronic password lock.
5.5.4 A temperature sensor shall be installed on the inside of the safe door to
detect and raise an alarm when the temperature is greater than or equal to
70 °C.
5.6 Encrypting PIN pad module
The encrypting PIN pad module shall comply with both the PCI-EPP
requirements and the China UnionPay card acceptance terminal PIN input
device safety assessment requirements.
6 Network access security requirements
6.1 Access control
6.1.1 When ATMC registers for the first time, it shall provide identity validity
verification information to ATMP.
6.1.2 ATM shall have a network access control mechanism, and shall verify
the identity validity of terminal devices that access the ATM through the
network.
6.2 Intrusion prevention
ATM shall have an intrusion prevention mechanism. On detecting a network
attack, it shall record the attack address, time, type and other information,
and proactively block transactions or take other protective measures.
6.3 Transmission security
The communication data transmission security from ATMC to ATMP shall
comply with the following requirements.
7.3.2 Remote login control
The operating system remote login service shall be turned off.
7.3.3 Password policy
7.3.3.1 A unique initial password shall be set for each user, and the user shall
be prompted to change it after first use. The user's identity shall be
authenticated before a password reset is performed.
7.3.3.2 There shall be a policy mechanism that sets the maximum service life
of a password.
7.3.3.3 It shall have a policy mechanism for the controlling of password
complexity requirements, includin...
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.