
JR/T 0068-2020 English PDF

US$879.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
JR/T 0068-2020: General specification of information security for internet banking system
Status: Valid

JR/T 0068: Historical versions

Standard ID | USD | BUY PDF | Lead-Days | Standard Title (Description) | Status
JR/T 0068-2020 | 879 | Add to Cart | 6 days | General specification of information security for internet banking system | Valid
JR/T 0068-2012 | RFQ | ASK | 7 days | General specification of information security for internet banking system | Obsolete

Similar standards

GB/T 19584   GB/T 12406   JR/T 0067   JR/T 0060   JR/T 0071.1   

Basic data

Standard ID: JR/T 0068-2020 (JR/T0068-2020)
Description (Translated English): General specification of information security for internet banking system
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Word Count Estimation: 37,357
Date of Issue: 2020-02-05
Date of Implementation: 2020-02-05
Older Standard (superseded by this standard): JR/T 0068-2012
Regulation (derived from): Bank-Announcement (2020) No. 35
Issuing agency(ies): People's Bank of China

JR/T 0068-2020: General specification of information security for internet banking system

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
General specification of information security for internet banking system
ICS 35.240.40
A 11
People's Republic of China Financial Industry Standard
Replaces JR/T 0068-2012
General Specification for Information Security of Online Banking System
Released 2020-02-05; implemented 2020-02-05
Issued by the People's Bank of China

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of Online Banking System
6 Safety regulations
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces JR/T 0068-2012 "General Specification for Internet Banking System Information Security". Compared with JR/T 0068-2012, the main changes of this standard are as follows:
-- Added requirements related to the SM series algorithms (see 5.4);
-- Deleted content that overlapped with JR/T 0071 "Implementation Guidelines for Information Security Level Protection of Information Systems in the Financial Industry" (6.1.4 and 6.2 of the 2012 edition);
-- Modified the description of client security and added security requirements such as self-protection and sensitive information protection (see 6.2.1.1; 6.1.1 of the 2012 edition);
-- Added barcode payment related requirements (see 6.2.1.1, 6.2.4.3);
-- Modified the security requirements for special security equipment and renamed it "special security mechanism" (see 6.2.2; 6.1.2 of the 2012 edition);
-- Added requirements related to the security unit and the mobile terminal payment trusted environment (see 6.2.2.1, 6.2.2.5);
-- Added biometric requirements (see 6.2.2.5);
-- Added cloud computing security related requirements (see 6.2.4.1, 6.3.1);
-- Added IPv6 related requirements (see 6.2.4.3);
-- Added virtualization security related requirements (see 6.2.4.4);
-- Added the basic description and security requirements for connections between the online banking system and external systems (see 6.2.5);
-- Modified the business continuity and disaster recovery security requirements (see 6.3.7; k and l in 6.2.6 of the 2012 edition);
-- Modified the security requirements for security incidents and emergency response (see 6.3.8; m and n in 6.2.6 of the 2012 edition);
-- Added requirements related to Type II and Type III bank settlement accounts and transaction security locks (see 6.4.1);
-- Deleted the basic network protection architecture reference diagram, the enhanced network protection architecture reference diagram and physical security (Appendix A, Appendix B and Appendix C of the 2012 edition).
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
Drafting organizations of this standard: Science and Technology Department of the People's Bank of China, China UnionPay Co., Ltd., Bank Card Testing Center, Industrial and Commercial Bank of China Co., Ltd., China Construction Bank Co., Ltd., Agricultural Bank of China Co., Ltd., China Postal Savings Bank Co., Ltd., China Merchants Bank Co., Ltd., China Minsheng Bank Co., Ltd., National Information Technology Security Research Center, CICC Certificate Center Co., Ltd.
The main drafters of this standard: Li Wei, Chen Liwu, Che Zhen, Zhou Heng, Zan Xin, Xia Lei, Yan Jinguo, Qu Weimin, Shen Xiaoyan, Zhao Qiaowei, He Shuo, Hua Jinzhi, Yang Yang, Xu Yanjun, Zhang Ming, Tang Yang, Qu Shaoguang, Meng Feiyu, Zhang Zhibo, Gao Zhimin, Sun Maozeng, Gao Qiangyi, Ma Zhe, Li Bowen, Zhao Mengjie, Li Jingchun, Li Bing, Cao Yue, Su Jianming, Jiang Cheng, Wu Hongwei, Li Hui, Wang Ning, Yang Jie, Liao Minfei, Liu Hong Bo, Liang Zhiyang, Liao Yuan, Xia Lei, Liang Jianfeng, Wu Xin, Li Xiao, Wu Degang, Li Qiang, Zeng Qingxiang, Ji Xiaojie, Li Chao, Ma Chunwang, Zhao Shengli, Huang Chunfang, Xue Jinchuan, Jiang Jianxiao, Li Wei, Hou Manli.
The previous versions of the standard replaced by this standard are as follows.

Introduction

This standard collects and analyzes the information security problems of online banking systems and the online banking cases encountered during assessments and inspections, and puts forward targeted security requirements. The purpose of this standard is to effectively enhance the security protection capabilities of existing online banking systems and to promote the standardized and healthy development of online banking. This standard can serve as the security basis for the construction, transformation and upgrading of each unit's online banking system, for security inspections and for internal audits; it can also serve as the basis for inspection, testing and certification by industry administrative departments and professional testing institutions.

1 Scope

This standard specifies the security technical requirements, security management requirements and business operation security requirements of online banking systems, and provides the basis for their design, operation and evaluation. This standard applies to online banking systems operated by commercial banks and other banking financial institutions established within the territory of the People's Republic of China. The business systems of other financial institutions providing online financial services should refer to this standard.
Note 1: This standard is divided into two levels: basic requirements and enhanced requirements. The basic requirements are the minimum security requirements; the enhanced requirements further strengthen the security of the system. All units shall, while complying with the basic requirements, actively take improvement measures in accordance with the enhanced requirements to continuously improve their security assurance capabilities.
Note 2: Unless a clause of this standard specifies "corporate online banking", it applies to both personal online banking and corporate online banking.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010 Information security technology terms
GB/T 27912-2011 Financial services biometrics security framework
GM/Z 0001-2013 Cryptographic terms
GM/T 0002-2012 SM4 block cipher algorithm
GM/T 0003-2012 SM2 elliptic curve public key cryptographic algorithm
GM/T 0004-2012 SM3 cryptographic hash algorithm
GM/T 0021-2012 Dynamic password application technical specification
JR/T 0071 Implementation guidelines for the cyber security level protection of the financial industry
JR/T 0098.5 China financial mobile payment testing specification, Part 5: Security unit (SE) embedded software security
JR/T 0118-2015 Financial electronic certification specification
JR/T 0149-2016 China financial mobile payment tokenization technical specification
JR/T 0156-2017 Technical specification for trusted environment of mobile terminal payment
JR/T 0166-2018 Cloud computing technology financial application specification: Technical architecture
JR/T 0167-2018 Cloud computing technology financial application specification: Security technical requirements
JR/T 0168-2018 Cloud computing technology financial application specification: Disaster recovery
Notice of the People's Bank of China on Improving Personal Bank Account Services and Strengthening Account Management (Yinfa [2015] No. 392), 2015-12-25
Notice of the People's Bank of China on Further Strengthening Bank Card Risk Management (Yinfa [2016] No. 170), 2016-06-13
Notice of the People's Bank of China on Strengthening the Management of Payment and Settlement and Preventing New Types of Illegal Crimes in Telecommunications Networks (No. 261), 2016-09-30
Notice of the People's Bank of China on Implementing the Classification Management System for Personal Bank Accounts (Yinfa [2016] No. 302), 2016-11-25
Notice of the General Office of the People's Bank of China on Strengthening the Security Management of Bank Card Magnetic Stripe Transactions (Yinbanfa [2017] No. 120), 2017-05-31
Barcode Payment Security Technical Specifications (for Trial Implementation) (issued as Yinbanfa [2017] No. 242), 2017-12-22
Notice of the People's Bank of China on Issues Concerning the Improvement of Classified Management of Personal Bank Accounts (Yinfa [2018] No. 16), 2018-01-10
Notice of the People's Bank of China on Further Strengthening the Administration of Payment and Settlement and Preventing New Types of Illegal Crimes in Telecommunications Networks ([2019] No. 85), 2019-03-22

3 Terms and definitions

The following terms and definitions defined in GB/T 25069-2010 and GM/Z 0001-2013 apply to this document. For ease of use, some terms and definitions from GM/Z 0001-2013 are repeated below.
3.1 Internet banking
Online financial services provided by commercial banks and other banking financial institutions to their customers using the Internet, mobile communication networks, other open public networks or private network infrastructure.
3.2 Personal internet banking
Online financial services provided by commercial banks and other banking financial institutions to individual users.
3.3 Corporate internet banking
Online financial services provided by commercial banks and other banking financial institutions to enterprises, institutions and other organizations.
3.4 Payment sensitive information
Passwords, keys and transaction-sensitive data that affect the security of online banking.
Note: Passwords include but are not limited to transfer passwords, query passwords, login passwords, certificate PINs, etc. Keys include but are not limited to the symmetric keys, private keys, etc. used to ensure communication security and message integrity. Transaction-sensitive data include but are not limited to full track data, expiry date, CVN, CVN2, etc.
3.5 Mobile terminal
Mobile devices such as mobile phones, tablets and wearable devices used to access online banking, as distinct from access from a PC.
3.6 Client program
Programs that provide online banking customers with human-computer interaction functions, together with the components that provide the necessary functions.
Note: Including but not limited to executable files, controls, static link libraries, dynamic link libraries, etc. In this standard, client programs include application software running on mobile terminals but do not include general-purpose browsers such as IE.
3.7 Cryptographic smart token
A terminal cryptographic device that provides cryptographic operations, key management and other cryptographic services, generally using USB, Bluetooth, audio, SD or other interface forms.
3.8 Cryptographic smart token firmware
Program code built into the cryptographic smart token that affects the security of the token.
3.9 Dynamic password; one-time password (OTP)
A one-time password dynamically generated based on time, events, etc. [GM/Z 0001-2013, definition 2.15]
3.10 Dynamic password token; one-time password token
A device used to generate dynamic passwords. [GM/Z 0001-2013, definition 2.16]
3.11 Biometric
Measurable physiological or behavioral characteristics of a human that can reliably distinguish a person from others, in order to identify and enrol the person's identity or to confirm the identity the person claims to have enrolled. [GM/Z 0001-2013, definition 4.4]
3.12 Funds transaction
A transaction that operates on funds through online banking.
Note: For example, transfer, order payment, payment, etc. Risk-controllable fund changes such as investment and wealth management, escrow accounts under the customer's own name, and entrusted withholding under a signed entrusted withholding agreement do not fall into this category.
3.13 Information and business changing transaction
A transaction that changes customer-related information, or opens or cancels a business, through online banking.
Note: For example, customers modifying basic information, adjusting transaction limits, authorizing entrusted transactions, modifying transaction orders, opening (signing up for) a new business, cancelling a business, signing electronic contracts, electronic insurance policies, etc.

4 Abbreviations

The following abbreviations apply to this document.

5 Overview of Online Banking System

5.1 System identification
The following should be indicated in the system logo:
-- The bank to which the system belongs.
5.2 System description
The online banking system integrates traditional banking services with resources and technologies such as the Internet, extending traditional counter services to customers through the Internet, mobile communication networks, other open public networks or private networks. It is an important measure for commercial banks and other banking financial institutions in the network economy to open up new business, facilitate customer operations, improve service quality and promote production relations, and it improves the social and economic benefits of commercial banks and other banking financial institutions. The online banking system mainly includes online banking systems accessed through terminals such as PCs, mobile phones, tablets, smart TVs and wearable devices, for example mobile banking, WeChat banking, direct banking, bank-enterprise direct connection, small and micro enterprise banking and other systems. The online banking system covers both personal online banking systems and corporate online banking systems.
5.3 System components
5.3.1 Overview
The online banking system is mainly composed of the client, the communication network and the server side, and can connect to external systems through different types of communication networks to carry out various cooperative services. The server side includes the online banking access subnet, the online banking business system, intermediate isolation equipment and the bank processing system, etc., as shown in Figure 1.
5.3.2 Client
The client of the online banking system mainly includes the client program and the client environment. The client environment refers to the hardware terminal on which the client program runs (currently mainly PCs, mobile phones, tablets, smart TVs, wearable devices, etc., and possibly other forms of terminal in the future) together with the overall operating environment composed of the operating system, browser and other programs on the terminal. The client environment usually does not, or does not fully, provide the trusted input, trusted output, trusted communication, trusted storage and trusted computing capabilities of dedicated financial transaction equipment. It is therefore necessary to use special security mechanisms and to deal with transaction risk through the strategies of acceptance, mitigation, avoidance and transfer. Financial institutions should ensure the security of the client from the aspects of software and hardware legitimacy verification, program integrity protection, data access control, data input security, data transmission security, data storage security and the trusted execution environment.
5.3.3 Communication network
Online banking uses technologies such as the Internet and mobile communication networks to provide customers with financial services, and is vulnerable to security threats at the communication level. Financial institutions should take measures to effectively address the related risks from the aspects of communication protocol, security authentication and communication link security.
5.3.4 Server side
The server side of the online banking system provides online banking application services and core business processing functions. Financial institutions should make full use of protection technologies in the fields of physical environment, communication network, computing environment, etc. to establish multiple tight security lines of defense between attackers and protected resources.
5.3.5 Connection with external systems
In addition to providing financial services directly to users, online banking may also conduct business cooperation with external institutions. During the design, development, deployment and operation of the online banking system, the possible security risks of external organizations' systems should be fully considered, and effective protection should be taken against the various risks.
5.4 System security description
The online banking system should divide security domains according to the application system, customer target, data sensitivity, etc. Describing the security domains and their boundaries allows the information security of the online banking system to be described more precisely. Financial institutions should adopt special security mechanisms, including digital certificates, dynamic passwords, SMS verification codes, biometrics, etc., to protect the security of the online banking system. Financial institutions should classify and manage security mechanisms according to the combination of the five capabilities they provide in transactions, namely trusted communication capability, trusted input capability, trusted output capability, trusted storage capability and trusted computing capability, and formulate corresponding transaction security risk prevention strategies. Before applying cloud computing technology to the online banking system, financial institutions should fully evaluate the scientific soundness, security and reliability of applying cloud computing technology, taking into account the business importance and data sensitivity of the online banking system and the degree of damage that security incidents would cause; on the premise of ensuring business continuity, data security and funds security, they should uphold the principle of security first and responsibility to users, fully evaluate possible hidden risks, and carefully select a cloud computing deployment model for the financial sector that is compatible with the business system. When adopting cloud computing technology, online banking systems should follow technical standards such as JR/T 0166-2018, JR/T 0167-2018 and JR/T 0168-2018 and the relevant requirements of industry authorities. When using cryptographic algorithms, the online banking system shall comply with the requirements of the national cryptography authority, and should support and preferentially use the SM series cryptographic algorithms (GM/T 0002-2012, GM/T 0003-2012, GM/T 0004-2012).

6 Safety regulations

6.1 Overview
This specification is divided into three parts: safety technical specifications, safety management specifications and business operation safety specifications. Financial institutions should adopt security measures of the corresponding level for different business types. Taking business relevance into account, this specification also includes security requirements for the external connections of the online banking system. The online banking system shall be constructed, operated and maintained in accordance with the third-level security requirements of network security level protection.
6.2 Safety technical specifications
6.2.1 Cl......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of JR/T 0068-2020_English be delivered?

Answer: Upon your order, we will start to translate JR/T 0068-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of JR/T 0068-2020_English with my colleagues?

Answer: Yes. The purchased PDF of JR/T 0068-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version JR/T 0068-2020?

Answer: Yes. Unless there are special circumstances such as technical constraints or academic study, you should always prioritize purchasing the latest version JR/T 0068-2020, even if the enforcement date is in the future. Complying with the latest version means that, by default, it also technically complies with all the earlier versions.