Search result: GB/T 21078.1-2023 (GB/T 21078.1-2007 Older version)
Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status | PDF
GB/T 21078.1-2023 | English | 699 | 6 days [Need to translate] | Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems | Valid | GB/T 21078.1-2023
GB/T 21078.1-2007 | English | RFQ | 5 days [Need to translate] | Banking -- Personal Identification Number management and security -- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems | Obsolete | GB/T 21078.1-2007
Standard ID | GB/T 21078.1-2023 (GB/T21078.1-2023)
Description (Translated English) | Financial services -- Personal Identification Number (PIN) management and security -- Part 1: Basic principles and requirements for PINs in card-based systems
Sector / Industry | National Standard (Recommended)
Classification of Chinese Standard | A11
Classification of International Standard | 35.240.40
Word Count Estimation | 36,32
Date of Issue | 2023-03-17
Date of Implementation | 2023-03-17
Older Standard (superseded by this standard) | GB/T 21078.1-2007, GB/T 21078.2-2011
GB/T 21078.1-2023
ICS 35.240.40
CCS A11
National Standard of the People's Republic of China
Replacing GB/T 21078.1-2007, GB/T 21078.2-2011
Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
(ISO 9564-1:2017, MOD)
Issued on 2023-03-17; implemented on 2023-03-17
Issued by the State Administration for Market Regulation and the National Standardization Management Committee
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Basic principles of PIN management
5.1 Overview
5.2 Basic principles
6 PIN processing devices
6.1 Security requirements for PIN processing devices
6.2 Physical security of IC card readers
6.3 Characteristics of PEDs
7 PIN security considerations
7.1 PIN control requirements
7.2 PIN encryption
8 PIN verification
8.1 Overview
8.2 Online PIN verification
8.3 Offline PIN verification
9 Management/protection techniques for account-related PIN functions
9.1 PIN length
9.2 PIN establishment
9.3 PIN issuance and delivery
9.4 PIN selection
9.5 PIN change
9.6 PIN replacement
9.7 Disposal of waste material and returned PIN letters
9.8 PIN activation
9.9 PIN storage
9.10 PIN deactivation
9.11 PIN letters
10 Management/protection techniques for transaction-related PIN functions
10.1 PIN entry
10.2 Protection of the PIN during transmission
10.3 Compressed PIN block formats
10.4 Extended PIN blocks
10.5 Conversion restrictions in PIN block formats
10.6 Transaction logs containing PIN data
Appendix A (Normative) Sensitive data destruction
Appendix B (Informative) Design guidelines for PEDs
Appendix C (Informative) Information for customers
References
Foreword
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work - Part 1: Structure and drafting rules for standardization documents".
This document is Part 1 of GB/T 21078. GB/T 21078 has issued the following parts:
--- Financial services - Personal Identification Number management and security - Part 1: Basic principles and requirements for PINs in card-based systems (GB/T 21078.1);
--- Banking - Personal Identification Number management and security - Part 3: Guidelines for PIN handling in open networks (GB/T 21078.3);
--- Financial services - Personal Identification Number management and security - Part 4: Approved PIN encryption algorithms (GB/T 21078.4).
This document replaces GB/T 21078.1-2007 "Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems" and GB/T 21078.2-2011 "Banking - Personal Identification Number management and security - Part 2: Requirements for offline PIN handling in ATM and POS systems". This document is based mainly on GB/T 21078.1-2007 and integrates the content of GB/T 21078.2-2011. Compared with GB/T 21078.1-2007, apart from structural adjustments and editorial changes, the main technical changes are as follows:
a) Changed the name of the standard (see the cover; the cover of the 2007 edition);
b) Added the terms "cardholder PIN", "integrated circuit", "integrated circuit card", "primary account payment token" and "sensitive status" (see Chapter 3);
c) Deleted the terms "irreversible encryption", "irreversible transformation of a key", "key component", "notarization", "key splitting" and "key variant" (see Chapter 3 of the 2007 edition);
d) Added the chapter "Abbreviations" (see Chapter 4);
e) Added an overview of the basic principles of PIN management, introducing and comparing the concepts of "cardholder PIN", "reference PIN" and "transaction PIN" (see 5.1);
f) Changed part of the basic principles of PIN management (see 5.2; Chapter 4 of the 2007 edition);
g) Added security requirements for PIN processing devices (see 6.1) and physical security considerations for IC card readers (see 6.2);
h) Deleted the PIN entry requirements (see 5.3 of the 2007 edition) and the packaging considerations (see 5.4 of the 2007 edition);
i) Changed the clause title to "PIN processing system" and adjusted the related requirements (see 7.1.1; 6.1.1 of the 2007 edition);
j) Changed the recording media requirements (see 7.1.2; 6.1.2 of the 2007 edition) and the oral communication requirements (see 7.1.3; 6.1.3 of the 2007 edition);
k) Changed part of the content on PIN encryption, including adding requirements for offline PINs (see 7.2; 6.2 of the 2007 edition);
l) Deleted the physical security requirements for PINs (see 6.3 of the 2007 edition);
m) Added PIN verification requirements (see Chapter 8);
n) Changed the clause title to "PIN establishment" (see 9.2; 7.2 of the 2007 edition); added the requirements for "PIN selection" (see 9.4), "PIN replacement" (see 9.6) and "PIN letters" (see 9.11);
o) Added the PIN protection requirements that apply when the PIN is sent to the IC card for offline PIN verification, merging part of the content of GB/T 21078.2-2011 (see 10.2.2);
p) Changed the clause title to "Compressed PIN block formats" (see 10.3; 8.3 of the 2007 edition); added the use of the format 2 PIN block in offline environments, merging part of the content of GB/T 21078.2-2011 (see 10.3.4); added "Restrictions on the use of compressed PIN block formats" (see 10.3.6);
q) Added the requirements for "Extended PIN blocks" (see 10.4);
r) Added the requirements for "Conversion restrictions in PIN block formats" (see 10.5);
s) Added the requirements for "Transaction logs containing PIN data" (see 10.6);
t) Changed part of the content of "Sensitive data destruction" (see Appendix A; Appendix F of the 2007 edition);
u) Changed part of the "Design guidelines for PEDs" (see Appendix B; Appendix E of the 2007 edition);
v) Changed part of the content of "Information for customers" (see Appendix C; Appendix G of the 2007 edition);
w) Deleted "General principles of key management" (see Appendix A of the 2007 edition), "PIN verification techniques" (see Appendix B of the 2007 edition), "PIN entry device for online PIN encryption" (see Appendix C of the 2007 edition) and "Example of pseudo-random PIN generation" (see the relevant content of Appendix D of the 2007 edition).
This document is a modified adoption of ISO 9564-1:2017 "Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems".
Compared with ISO 9564-1:2017, this document has made the following structural adjustment:
--- Added the chapter "Abbreviations" (see Chapter 4).
The technical differences between this document and ISO 9564-1:2017, and their reasons, are as follows:
--- Changed the normative references, replacing ISO 9564-2 with GB/T 21078.4-2023 to adapt to the technical conditions of China;
--- Added the format 4 PIN block to support the SM4 block cipher algorithm (see 10.4.1), to adapt to actual domestic application.
The following editorial changes have been made to this document:
--- Deleted the terms "irreversible encryption", "key component" and "key splitting", because they are not mentioned in this document outside the chapter "Terms and definitions";
--- Added the abbreviations for "host security module" and "secure cryptographic device" (see Chapter 4) for ease of use;
--- Deleted the informative references NIST SP 800-22 and NIST SP 800-88 to adapt to actual domestic application.
Please note that some contents of this document may be subject to patents. The issuing body of this document assumes no responsibility for identifying patents.
This document is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC180).
This document was drafted by: China UnionPay Co., Ltd., Beijing UnionPay Gold Card Technology Co., Ltd., Agricultural Bank of China Co., Ltd.
The main drafters of this document: Zhao Hai, Tang Yang, Yuan Sisi, Zhang Yanchao, Tan Yifu, Liu Gang, Ma Jun, Wang Peng.
The release history of this document and of the documents it replaces is as follows:
--- GB/T 21078.1, first released in 2007; this is the first revision;
--- GB/T 21078.2, first released in 2011; this is the first revision.
Introduction
GB/T 21078 aims to specify the basic principles and requirements for PIN management and security in financial services, and is intended to consist of three parts:
--- "Financial services - Personal Identification Number management and security - Part 1: Basic principles and requirements for PINs in card-based systems" (GB/T 21078.1), which aims to provide the basic principles and techniques of the minimum security measures required for effective PIN management;
--- "Banking - Personal Identification Number management and security - Part 3: Guidelines for PIN handling in open networks" (GB/T 21078.3), which aims to define minimum PIN security guidelines for an open network environment;
--- "Financial services - Personal Identification Number management and security - Part 4: Approved PIN encryption algorithms" (GB/T 21078.4), which aims to define the approved PIN encryption algorithms and the requirements for their use.
More than ten years have passed since Part 1 of GB/T 21078 was released in 2007. During this period, the application of PINs in financial services has continued to deepen, and the management and security requirements for PINs and the related international standards have also changed:
--- ISO 9564-1:2002, adopted by GB/T 21078.1-2007, was revised twice, in 2011 and 2017;
--- ISO 9564-3:2003, adopted with modifications by GB/T 21078.2-2011, was merged into ISO 9564-1 in 2011, and ISO 9564-3:2003 has been withdrawn;
--- GB/T 21078.3-2011 adopts ISO/TR 9564-4:2004 identically to provide security protection for PINs in an open network environment;
--- GB/T 21078.4-2023 adopts ISO 9564-2:2014 with modifications to fill the gap of approved PIN encryption algorithms and to adapt to the new requirements that the application of cryptographic algorithms continually generates.
This document replaces GB/T 21078.1-2007 and GB/T 21078.2-2011 and provides the basic principles and techniques of PIN management and protection. These help to raise the level of PIN security management and to protect the security of financial transactions. In particular, the confidentiality of the PIN needs to be guaranteed throughout its whole life cycle, including PIN generation, issuance, activation, storage, entry, transmission, verification and deactivation.
The basic security requirements for PINs are universally applicable and apply to both online PIN verification and offline PIN verification. Because different verification methods suit different transaction scenarios, the card issuer can choose the appropriate PIN verification method according to the actual transaction situation and provide additional safeguards as needed. For example, online PIN verification can be performed independently of the card itself, so any type of card or device can be used to initiate online PIN verification transactions, whereas offline PIN verification has special requirements for the implementation of the card; for example, cards with embedded integrated circuits can support offline PIN verification.
Financial services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
1 Scope
This document provides the basic principles and techniques of the minimum security measures required for effective PIN management. These measures apply to organizations responsible for implementing PIN management and protection techniques, covering PIN creation, issuance, use and deactivation.
This document applies to the management of cardholder PINs used to authenticate cardholders in retail banking systems, in particular in automated teller machines, kiosks and PIN selection/change systems. This document also applies to card issuers and switching systems.
The provisions of this document do not cover the following:
--- PIN management and security where there is no persistent cryptographic relationship between the transaction-originating device and the acquirer, e.g. online shopping using a browser (see ISO 9564-4 for this environment);
--- preventing customers from losing or intentionally misusing PINs;
--- confidentiality of non-PIN transaction data;
--- protecting transaction messages from alteration or replacement;
--- preventing the replay of PINs or transactions;
--- specific key management techniques;
--- offline PIN verification used in contactless devices;
--- special PIN management requirements involving integrated circuit card (IC card) multi-application functions.
2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 21078.4-2023 Financial services - Personal Identification Number management and security - Part 4: Approved PIN encryption algorithms (ISO 9564-2:2014, MOD)
Note: GB/T 27909 (all parts) Banking - Key management (retail) [ISO 11568 (all parts)]
ISO 13491-1 Financial services - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
Note: GB/T 21079.1-2022 Financial services - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods (ISO 13491-1:2016, MOD)
ISO 13491-2:2017 Financial services - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions
......
GB/T 21078.1-2007
Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
ICS 35.240.40
A11
National Standard of the People's Republic of China
Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
(ISO 9564-1:2002, MOD)
Issued on 2007-09-05; implemented on 2007-12-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of PIN management
5 PIN entry devices
6 PIN security issues
7 Management/protection techniques for account-related PIN functions
8 Management/protection techniques for transaction-related PIN functions
Annex A (informative) General principles of key management
Annex B (informative) PIN verification techniques
Annex C (informative) PIN entry device for online PIN encryption
Annex D (informative) Example of pseudo-random PIN generation
Annex E (informative) Design guidelines for PIN entry devices
Annex F (informative) Guide to the removal and destruction of sensitive data
Annex G (informative) Information for customers
Foreword
GB/T 21078 "Banking - Personal Identification Number management and security" is divided into three parts:
--- Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems;
--- Part 2: Requirements for offline PIN handling in ATM and POS systems;
--- Part 3: Guidelines for PIN handling in open networks.
This part is Part 1 of GB/T 21078.
This part is a modified adoption of ISO 9564-1:2002 "Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems" (English version).
For ease of use, this part deletes the ISO foreword.
To match the actual use of cryptographic algorithms in financial services, the approval process for encryption algorithms in Chapter 9 of the original international standard has been deleted.
Annexes A to G of this part are informative.
This part was proposed by the People's Bank of China.
This part is under the jurisdiction of the National Financial Standardization Technical Committee.
The organization responsible for drafting this part: China Financial Computerization Corporation.
Organizations participating in the drafting of this part: People's Bank of China, Bank of China, China Construction Bank, China UnionPay Co., Ltd., China Everbright Bank, Beijing Venus company.
The main drafters of this part: Tan Guoan, Yang, Lushu Chun, Li Shuguang, Liu Yun, Du Ning, Liu Zhijun, Zhang Yan, Zhang Dedong, Davey, Zhang Xiaodong, Ma, Li Jian, Wang Wei, Wang Qin, Sun Weidong, Li Huan.
This part is issued for the first time.
Banking - Personal Identification Number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
1 Scope
This part provides the basic principles and techniques of the minimum security measures required for effective PIN management. These measures apply to those organizations responsible for implementing PIN management and protection techniques.
This part also provides a standard means of protecting PINs and exchanging PIN data for financial transaction cards in an online environment. These techniques apply to those organizations responsible for implementing PIN management and protection techniques for ATM and POS terminals.
The provisions of this part do not cover:
a) PIN management and security in an offline PIN environment, which is covered by ISO 9564-3:2003;
b) PIN management and security in electronic commerce, which will be covered in a subsequent part of ISO 9564;
c) preventing the loss or intentional misuse of PINs by customers or authorized employees of the issuer;
d) confidentiality of non-PIN transaction data;
e) protecting transaction messages from modification or replacement, such as PIN verification authorization responses;
f) preventing the replay of PINs or transactions;
g) specific key management techniques.
2 Normative references
The following documents contain provisions which, through reference in this part of GB/T 21078, constitute provisions of this part. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this part; however, parties to agreements based on this part are encouraged to investigate whether the latest versions of these documents can be used. For undated references, the latest version applies to this part.
GB/T 15694.1-1995 Identification cards - Identification of issuers - Part 1: Numbering system (idt ISO/IEC 7812-1:1993)
GB/T 16649 (all parts) Identification cards - Integrated circuit cards with contacts (ISO/IEC 7816 (all parts), MOD)
GB/T 17552-1998 Identification cards - Financial transaction cards (idt ISO/IEC 7813:1995)
ISO/IEC 7812-2 Identification cards - Identification of issuers - Part 2: Application and registration procedures
ISO 9564-2:1991 Banking - Personal Identification Number management and security - Part 2: Approved PIN encryption algorithms
ISO 9564-3:2003 Banking - Personal Identification Number management and security - Part 3: Requirements for offline PIN handling in ATM and POS systems
ISO 11568 (all parts) Banking - Key management (retail)
ISO 13491 (all parts) Banking - Secure cryptographic devices (retail)
3 Terms and definitions
The following terms and definitions apply to this part of GB/T 21078.
3.1
The institution, or its agent, that acquires transaction-related data from the card acceptor and introduces that data into the switching system.
......