JR/T 0171-2020: Personal financial information protection technical specification
Status: Valid


Basic data

Standard ID: JR/T 0171-2020 (JR/T0171-2020)
Description (Translated English): Personal financial information protection technical specification
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Word Count Estimation: 25,265
Date of Issue: 2020-02-13
Date of Implementation: 2020-02-13
Regulation (derived from): Bank-Announcement (2020) No. 45
Issuing agency(ies): People's Bank of China

JR/T 0171-2020: Personal financial information protection technical specification

---This is a draft translation for illustration, not the final translation.

ICS 35.240.40
A 11
JR
Financial Industry Standard of the People's Republic of China

Personal financial information protection technical specification

Issued 2020-02-13    Implemented 2020-02-13
Issued by the People's Bank of China

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of personal financial information
5 Basic security principles
6 Security technical requirements
7 Security management requirements
Appendix A (informative) Information masking
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard was proposed by the People's Bank of China.

This standard is under the jurisdiction of the National Technical Committee on Financial Standardization (SAC/TC 180).

Drafting organizations of this standard: Science and Technology Department of the People's Bank of China, Zhengzhou Central Sub-branch of the People's Bank of China, Beijing UnionPay Gold Card Technology Co., Ltd., Bank of China Co., Ltd., China UnionPay Co., Ltd., NetsUnion Clearing Co., Ltd., Zhejiang Ant Small and Micro Financial Services Group Co., Ltd., Lakala Payment Co., Ltd., China Financial Electronics Corporation, Wuhan Branch of the People's Bank of China, Industrial and Commercial Bank of China Co., Ltd., Agricultural Bank of China Co., Ltd., China Construction Bank Co., Ltd., Ping An Insurance (Group) Company of China, Ltd., Beijing CICC Guosheng Certification Co., Ltd., Beijing Software Product Quality Testing and Inspection Center, China Financial Certification Authority Co., Ltd. (CFCA), Information Industry Information Security Evaluation Center, Huatai Securities Co., Ltd., People's Insurance Company (Group) of China, Tenpay Payment Technology Co., Ltd., Payment and Clearing Association of China, National Internet Finance Association of China, CCB Fintech Co., Ltd.

Main drafters of this standard: Li Wei, Li Xingfeng, Zhang Hongji, Guan Xiaohui, Liu Yulu, Tang Qin, Guo Linyi, Zhao Zhanyong, Xiong Jiishi, Qu Shaoguang, Meng Feiyu, Gao Qiangyi, Chen Cong, Ju Kun, Chen Xuexiu, Gong Lili, Xu Yanjiao, Niu Xiaowei, Wang Huan, Zhan Zhao, Qiang Qunli, Guo Lin, Yang Meng, Chen Jun, Li Yi, Feng Jianjian, Tang Ling, Huang Bentao, Wei Meng, Liu Qiongyao, Zhao Xu, Sun Yao, Zhou Lihua, Mu Yanyan, Wang Family Wei, Zhang Yang, Cai Jiayong, Liu Yang, Sun Pengliang, Nie Liqin, Liu Likang, Niu Yuehua, Chen Wei, Wang Xiujun, Ren Fengli, Xie Zongxiao, Dong Yanan, Zhang Xugang, Liu Jian, Dong Jingjing, Zhang Song, Yu Xiaoxue, Wu Yongqiang, Lu Jiayou, Shi Zhujun, Yu Pei, Hou Xiaochen, Tian Ran, Wang Zehang, He Weiming, Liang Weitao.

Introduction

Personal financial information is personal information in the financial field, built around and refining account information, authentication information, financial transaction information, personal identity information, property information, lending information and the like. It is an important data foundation accumulated by financial industry institutions in the course of providing financial products and services, and it is also an important part of personal privacy. Once personal financial information is leaked, it not only directly infringes the legitimate rights and interests of the personal financial information subject and affects the normal operation of financial industry institutions, but may even bring about systemic financial risk. In order to strengthen the security management of personal financial information, guide all relevant institutions in regulating their handling of personal financial information, protect the legitimate rights and interests of personal financial information subjects to the greatest extent, and maintain the stability of the financial market, this standard is formulated.

1 Scope

This standard specifies the security protection requirements for personal financial information throughout its life cycle, including collection, transmission, storage, use, deletion and destruction, and puts forward normative requirements for the protection of personal financial information from the two aspects of security technology and security management. This standard applies to financial industry institutions that provide financial products and services, and may be used as a reference by security assessment agencies when carrying out security inspection and assessment work.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 22239-2019 Information security technology: Baseline for classified protection of cybersecurity
GB/T 25069-2010 Information security technology: Glossary
GB/T 31186.2-2014 Bank customer basic information description specification, Part 2: Name
GB/T 31186.3-2014 Bank customer basic information description specification, Part 3: Identification mark
GB/T 35273-2017 Information security technology: Personal information security specification
JR/T 0068-2020 Online banking system information security general specification
JR/T 0071 Implementation guide for classified protection of information system security in the financial industry
JR/T 0092-2019 Mobile financial client application software security management specification
JR/T 0149-2016 China financial mobile payment: Tokenization technical specification
JR/T 0167-2018 Cloud computing technology financial application specification: Security technical requirements

3 Terms and definitions

The terms and definitions given in GB/T 25069-2010 and GB/T 35273-2017, as well as the following, apply to this document.

3.1 financial industry institution
In this standard, financial industry institutions are licensed financial institutions supervised and administered by the national financial regulatory authorities, together with the related institutions involved in processing personal financial information.

3.2 personal financial information
Personal information obtained, processed and stored by financial industry institutions through the provision of financial products and services or through other channels.
Note 1: In this standard, personal financial information includes account information, authentication information, financial transaction information, personal identity information, property information, lending information, and other information that reflects particular circumstances of a specific individual.
Note 2: Adapted from GB/T 35273-2017, definition 3.1.

3.3 payment sensitive information
Information within payment information that concerns the privacy and identity authentication of the payment subject.
Note: Payment sensitive information includes, but is not limited to, bank card track data or chip-equivalent information, card verification codes, card expiry dates, bank card passwords, online payment transaction passwords and other personal financial information used for payment authentication.

3.4 personal financial information subject
The natural person identified by personal financial information.
Note: Adapted from GB/T 35273-2017, definition 3.3.

3.5 personal financial information controller
An organization that has the power to determine the purposes and means of processing personal financial information.
Note: Adapted from GB/T 35273-2017, definition 3.4.

3.6 collection
The act of obtaining control over personal financial information.
Note 1: Collection includes active provision by the personal financial information subject, automatic collection through interaction with the subject or by recording the subject's behaviour, and indirect acquisition through sharing, transfer or gathering of publicly available information.
Note 2: If a provider of financial products or services supplies a tool for the personal financial information subject to use and the provider does not access the personal financial information, this is not collection in the sense of this standard. For example, if a mobile banking client application obtains the user's fingerprint feature information for local authentication and does not return the fingerprint information to the provider, this does not constitute collection of the user's fingerprint information.
Note 3: Adapted from GB/T 35273-2017, definition 3.5.

3.7 public disclosure
The act of releasing information to society or to an unspecified group of people.
[GB/T 35273-2017, definition 3.10]

3.8 transfer
The process of transferring control of personal financial information from one controller to another controller.
Note: Adapted from GB/T 35273-2017, definition 3.11.

3.9 sharing
The process by which a personal financial information controller provides personal financial information to another controller, after which both parties have independent control over the personal financial information.
Note: Adapted from GB/T 35273-2017, definition 3.12.

3.10 personal financial information security impact assessment
The process of checking the legal compliance of personal financial information processing activities, judging the various risks they pose to the legitimate rights and interests of personal financial information subjects, and evaluating the effectiveness of the various measures used to protect personal financial information subjects.
Note: Adapted from GB/T 35273-2017, definition 3.8.

3.11 payment account
Bank accounts with financial transaction functions, payment accounts of non-bank payment institutions, and bank card numbers.
Note: Adapted from JR/T 0149-2016, definition 3.1.

3.12 payment token
A substitute value for original transaction elements such as the payment account number, used to complete payment transactions in specific scenarios.
[JR/T 0149-2016, definition 3.2]

3.13 track data
The mandatory or optional data elements defined for track 1, track 2 and track 3.
Note: Track data may be on the magnetic stripe of a physical card, or contained in an integrated circuit or other medium.
[JR/T 0061-2011, definition 3.20]

3.14 card verification number; CVN
A code used to verify the legitimacy of magnetic stripe information.
[JR/T 0061-2011, definition 8.7]

3.15 card verification number 2; CVN2
A code used to verify the legitimacy of a bank card in non-face-to-face transactions such as mail order or telephone order.
[JR/T 0061-2011, definition 8.8]

3.16 one-time password; OTP; dynamic password
A one-time password generated dynamically on the basis of time, events, etc.
[GM/Z 0001-2013, definition 2.15]

3.17 SMS dynamic code; SMS code
A random number sent by the back-end system, in the form of a short message, to the mobile phone bound to the user; the user is authenticated by returning the random number.
[JR/T 0088.1-2012, definition 2.44]

3.18 customer legal name
The legally recognized name of the customer.
Note 1: The legal name of the customer is generally recorded on the identity document issued to the customer by the authorized national department. Customers in this standard are mainly natural-person customers.
Note 2: Adapted from GB/T 31186.2-2014, definition 3.2.

3.19 legal identity document identifier
An identifier issued by the statutory national authority that can uniquely identify the customer and has legal effect.
Note 1: The identity document identifier is exogenous data. Exogenous data is data whose user is not its owner, so that the generation, change, discarding and termination of the data may not be known to the user of the data.
Note 2: Internal document-type identifiers generated by users of this standard for their own business needs shall not be used outside the user and do not have legal effect.
Note 3: Adapted from GB/T 31186.3-2014, definition 3.2.

3.20 unauthorized viewing
Viewing of information that has not been authorized by the owner of the information or by an authorized person.
Note 1: Unauthorized viewing may be well-intentioned or malicious. Unauthorized viewing caused by unintentional disclosure on the part of the information processor is an information leakage incident; unauthorized viewing deliberately obtained by an attacker by defeating the relevant security measures is an information theft incident.
Note 2: "Illegal viewing" is an imprecise but unambiguous term for unauthorized viewing in specific contexts.

3.21 unauthorized alteration
Change of information that has not been authorized by the owner of the information or by an authorized person.
Note 1: Unauthorized alteration is usually divided into unauthorized addition (adding new content), unauthorized modification (modifying existing content) and unauthorized deletion (removing original content), or a combination of the three.
Note 2: Unauthorized alteration may be well-intentioned or malicious; it often manifests as an information tampering incident, an information forgery incident, an information loss incident, etc.
Note 3: "Illegal alteration" is an imprecise but unambiguous term for unauthorized alteration in specific contexts.

3.22 explicit consent
The act by which the personal financial information subject, through a written statement or a proactive affirmative action, expressly authorizes specific processing of his or her personal financial information.
Note 1: Affirmative actions include the personal financial information subject actively making a statement (in electronic or paper form), actively ticking a box, actively clicking "agree", "register", "send" or "call", actively filling in or providing information, etc.
Note 2: Adapted from GB/T 35273-2017, definition 3.6.

3.23 anonymization
The process of technically processing personal financial information so that the personal financial information subject cannot be identified and the processed information cannot be restored.
Note 1: Information obtained after anonymization of personal financial information is not personal financial information.
Note 2: Adapted from GB/T 35273-2017, definition 3.13.

3.24 de-identification
The process of technically processing personal financial information so that the personal financial information subject cannot be identified without the use of additional information.
Note 1: De-identification is still based on the individual and retains individual granularity; it uses technical means such as pseudonyms, encryption and salted hash functions to replace the identifiers of personal financial information.
Note 2: Adapted from GB/T 35273-2017, definition 3.14.

3.25 deletion
The act of removing personal financial information from the systems involved in financial products and services, so that it remains in a state in which it cannot be retrieved or accessed.
Note: Adapted from GB/T 35273-2017, definition 3.9.
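Definitions 3.23 and 3.24 turn on one question: does re-identification need additional information that is held apart from the data, or is it impossible at all? The Python below is an added example, not text or code from JR/T 0171-2020, that makes the distinction concrete for the "pseudonyms, encryption, salted hash functions" named in 3.24 Note 1. It pseudonymizes constructed sample records with a keyed hash (HMAC-SHA256, the key being the additional information), shows anonymization by dropping identifiers and generalizing the remaining attribute, and shows the failure mode a practitioner must check for: an unkeyed hash of a low-entropy identifier such as an 11-digit mobile number is not de-identification, because the attacker can enumerate the input space. The records, identifier formats and key handling are assumptions for this illustration.

```python
"""Added example (not part of JR/T 0171-2020): de-identification (3.24) of
direct identifiers with a keyed, salted hash, next to anonymization (3.23)
and next to an unkeyed hash that an attacker can undo by enumeration.

The sample records, the identifier formats and the key handling are
constructed assumptions for this illustration; the standard prescribes no
particular algorithm.
"""
import hashlib
import hmac
import itertools
import secrets

# Constructed sample records: mobile number and bank card number are direct
# identifiers in the sense of 4.1 (basic personal information, account information).
SAMPLE_RECORDS = [
    {"mobile": "13800001234", "pan": "6222020200112233446", "balance": 1500.00},
    {"mobile": "13800001234", "pan": "6222020200112233446", "balance": 980.50},
    {"mobile": "13900005678", "pan": "6228480012345678901", "balance": 42.00},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated to 128 bits.

    The secret key is the "additional information" of definition 3.24: the same
    input always yields the same pseudonym, so records of one individual can
    still be joined, but re-linking a pseudonym to the person needs the key,
    which is stored and access-controlled apart from the de-identified data.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(value: str) -> str:
    """Counter-example: an unsalted, unkeyed digest of a low-entropy identifier."""
    return hashlib.sha256(value.encode()).hexdigest()


def deidentify(records, key: bytes):
    """Replace the direct identifiers with pseudonyms; keep the other attributes."""
    return [
        {
            "mobile": pseudonymize(r["mobile"], key),
            "pan": pseudonymize(r["pan"], key),
            "balance": r["balance"],
        }
        for r in records
    ]


def anonymize(records):
    """Anonymization (3.23) for contrast: identifiers are dropped and the remaining
    attribute is generalized into a band, so no per-individual record survives and
    the output is no longer personal financial information."""
    return sorted("<1000" if r["balance"] < 1000 else ">=1000" for r in records)


def invert_by_enumeration(digest: str, prefix: str, suffix_len: int, hash_fn=unkeyed_hash):
    """Dictionary attack: enumerate every candidate with the given prefix, hash it
    with hash_fn and compare. A Chinese mobile number has 11 digits, so an unkeyed
    hash falls to at most 10**8 guesses per known 3-digit prefix; a short suffix is
    used here so the demonstration runs in well under a second.

    Against a keyed pseudonym the attacker lacks the key, cannot compute the right
    hash_fn for the candidates, and the search returns None.
    """
    for digits in itertools.product("0123456789", repeat=suffix_len):
        candidate = prefix + "".join(digits)
        if hash_fn(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, kept separately from the data set
    out = deidentify(SAMPLE_RECORDS, key)
    print("same person, same pseudonym:", out[0]["mobile"] == out[1]["mobile"])
    print("anonymized:", anonymize(SAMPLE_RECORDS))
    victim = SAMPLE_RECORDS[0]["mobile"]
    print("unkeyed hash inverted:", invert_by_enumeration(unkeyed_hash(victim), victim[:7], 4))
    print("keyed pseudonym inverted:", invert_by_enumeration(pseudonymize(victim, key), victim[:7], 4))
```

Two practical consequences follow. The key is what makes the data de-identified rather than anonymized, so its storage, access control and rotation belong in the same controls as the raw identifiers; and a per-record random salt, while it defeats enumeration just as well, also destroys the ability to join records of one individual, which is usually the reason de-identification was chosen over anonymization in the first place.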

4 Overview of personal financial information

4.1 Content of personal financial information

Personal financial information includes account information, authentication information, financial transaction information, personal identity information, property information, lending information and other information reflecting particular circumstances of the personal financial information subject, specifically as follows.

a) Account information: accounts and account-related information, including but not limited to payment account numbers, bank card track data (or chip-equivalent information), bank card expiry dates, securities accounts, insurance accounts, account opening time, account opening institution, account balance, and payment token information generated on the basis of the above information.

b) Authentication information: information used to verify whether the subject has access or use rights, including but not limited to bank card passwords and prepaid card payment passwords; the personal financial information subject's login passwords, account query passwords and transaction passwords; card verification codes (CVN and CVN2), dynamic passwords, SMS verification codes, password hint answers, etc.

c) Financial transaction information: the various kinds of information generated by the personal financial information subject in the course of transactions, including but not limited to transaction amounts, payment records, overdraft records, transaction logs and transaction vouchers; securities entrustment, transaction and position information; insurance policy information and claims information, etc.

d) Personal identity information: basic personal information, personal biometric information, etc. Basic personal information includes but is not limited to the customer's legal name, gender, nationality, ethnicity, occupation, marital status, family status, income, identity card, passport and other document information, mobile phone number, landline number, e-mail address, work and home addresses, and photographs, audio and video collected in the course of providing products and services. Personal biometric information includes but is not limited to biometric sample data, feature values and templates for fingerprints, face, iris, ear prints, palm prints, veins, voice prints, eye prints, gait, handwriting, etc.

e) Property information: information on the property and interests of the personal financial information subject collected or generated by financial industry institutions in the course of providing financial products and services, including but not limited to personal income, real estate holdings, vehicle holdings, tax payments, housing provident fund contributions, etc.

f) Lending information: information generated by the personal financial information subject's lending business with financial industry institutions, including but not limited to credit extension, credit card and loan issuance, repayment and guarantee status.

g) Other information: information formed by processing and analysing raw data that can reflect particular circumstances of a specific individual, including but not limited to derived information such as the consumption intentions and payment habits of a specific personal financial information subject; and other personal information obtained and stored in the course of providing financial products and services.

4.2 Categories of personal financial information

According to the impact and harm caused by unauthorized viewing or unauthorized alteration of the information, personal financial information is divided by sensitivity into three categories, from high to low: C3, C2 and C1. Details are as follows.

a) Category C3 information is mainly user authentication information. Once such information is viewed or altered without authorization, it causes serious harm to the information security and property security of the personal financial information subject. It includes but is not limited to: bank card track data (or chip-equivalent information), card verification codes (CVN and CVN2), card expiry dates, bank card passwords and online payment transaction passwords; account (including but not limited to payment account, securities account and insurance account) login passwords, transaction passwords and query passwords; Per......
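The C3 list in 4.2 a) is, in practice, the list of fields that must never reach an application log, a crash dump or a ticketing system, where "unauthorized viewing" by operations staff is the everyday case. The Python below is an added example, not text or code from JR/T 0171-2020, of a redaction filter run over constructed log lines: it masks track 2 data as a whole (everything after the PAN is authentication data), masks standalone card numbers only when they pass the Luhn check so that ordinary transaction ids are left alone, and replaces the values of labelled secret fields (CVN/CVN2, passwords, expiry). The log format, field names and regular expressions are assumptions for a free-text key=value log; the standard defines the categories, not this mechanism.

```python
"""Added example (not part of JR/T 0171-2020): a log filter that redacts the
category C3 authentication data listed in 4.2 a) (track 2 data, card numbers,
CVN/CVN2, expiry dates, passwords) before a line reaches a log file.

The sample log lines, field names and regular expressions are constructed
assumptions for a free-text key=value application log; the standard specifies
the categories, not this mechanism.
"""
import re

# Constructed sample lines, as an application might emit them.
SAMPLE_LINES = [
    "INFO pay ok pan=6222020200112233446 cvn2=123 expiry=1227 amount=99.00",
    "DEBUG raw track2=;6222020200112233446=12272011234567890? term=T01",
    "WARN login failed user=alice password=Pa$$w0rd! attempts=3",
    "INFO order 4a7c9 amount=15.20 txn=1234567890123",  # 13-digit id, fails Luhn, not a PAN
]

# Track 2 (ISO/IEC 7813): optional ';', PAN, '=', YYMM expiry, service code and
# discretionary data, optional '?'. Everything after the PAN is authentication data.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d*)\??")
# A standalone run of 13 to 19 digits is only treated as a PAN if it passes Luhn.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# key=value fields whose value is C3 data whatever its shape.
SECRET_KV_RE = re.compile(r"\b(cvn2?|cvv2?|cvc|password|passwd|pin|expiry)=(\S+)", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812); keeps ordinary ids out of the redaction."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the issuer prefix (6) and last 4 digits, mask the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str) -> str:
    """Return the line with C3 fields masked; intended to run on every log line."""
    # Track 2 first, so that expiry, service code and discretionary data never survive.
    line = TRACK2_RE.sub(lambda m: mask_pan(m.group(1)) + "=****", line)
    # Remaining standalone card numbers.
    line = PAN_RE.sub(lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0), line)
    # Labelled secrets: the value is replaced wholesale.
    line = SECRET_KV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return line


def redact_all(lines):
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, redact_all(SAMPLE_LINES)):
        print(before, "\n ->", after)
```

A filter like this is a backstop, not the control: the primary measure is that the code path handling C3 data never passes it to a logger at all, and the filter exists to catch the debug statement somebody adds later. It must also be tested against the formats actually in use; with JSON logs, for instance, the `\S+` value pattern would swallow a trailing `",` and the labelled-field names would need quoting, so a false negative on the real format is the failure mode to check for.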
