
JR/T 0068-2020 English PDF

US$879.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
JR/T 0068-2020: General specification of information security for internet banking system
Status: Valid

JR/T 0068: Evolution and historical versions

Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF
JR/T 0068-2020 | English | 879 | Add to Cart | 6 days [Need to translate] | General specification of information security for internet banking system | Valid | JR/T 0068-2020
JR/T 0068-2012 | English | RFQ | ASK | 7 days [Need to translate] | General specification of information security for internet banking system | Obsolete | JR/T 0068-2012


Standard similar to JR/T 0068-2020

GB/T 19584   GB/T 12406   JR/T 0067   JR/T 0060   JR/T 0071.1   

Basic data

Standard ID: JR/T 0068-2020 (JR/T0068-2020)
Description (Translated English): General specification of information security for internet banking system
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Word Count Estimation: 37,357
Date of Issue: 2020-02-05
Date of Implementation: 2020-02-05
Older Standard (superseded by this standard): JR/T 0068-2012
Regulation (derived from): Bank-Announcement (2020) No. 35
Issuing agency(ies): People's Bank of China

JR/T 0068-2020: General specification of information security for internet banking system

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
General specification of information security for internet banking system
ICS 35.240.40
A 11
People's Republic of China Financial Industry Standard
Replaces JR/T 0068-2012
General Specification for Information Security of Online Banking System
Released 2020-02-05, implemented 2020-02-05
Issued by the People's Bank of China

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of Online Banking System
6 Safety regulations
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces JR/T 0068-2012 "General Specification for Internet Banking System Information Security". Compared with JR/T 0068-2012, the main changes of this standard are as follows:
-- Added requirements related to the SM series of algorithms (see 5.4);
-- Deleted content that overlapped with JR/T 0071 "Implementation Guidelines for Information Security Level Protection of Information Systems in the Financial Industry" (6.1.4 and 6.2 of the 2012 edition);
-- Modified the description of client security and added security requirements such as self-protection and sensitive information protection (see 6.2.1.1; 6.1.1 of the 2012 edition);
-- Added barcode payment related requirements (see 6.2.1.1, 6.2.4.3);
-- Modified the security requirements for special security equipment and renamed it "special security mechanism" (see 6.2.2; 6.1.2 of the 2012 edition);
-- Added requirements related to the secure element and the trusted environment for mobile terminal payment (see 6.2.2.1, 6.2.2.5);
-- Added biometric requirements (see 6.2.2.5);
-- Added cloud computing security related requirements (see 6.2.4.1, 6.3.1);
-- Added IPv6 related requirements (see 6.2.4.3);
-- Added virtualization security related requirements (see 6.2.4.4);
-- Added the basic description of, and security requirements for, the connection between the online banking system and external systems (see 6.2.5);
-- Modified the business continuity and disaster recovery security requirements (see 6.3.7; k) and l) of 6.2.6 of the 2012 edition);
-- Modified the security requirements for security incidents and emergency response (see 6.3.8; m) and n) of 6.2.6 of the 2012 edition);
-- Added requirements related to Type II and Type III bank settlement accounts and transaction security locks (see 6.4.1);
-- Deleted the basic network protection architecture reference diagram, the enhanced network protection architecture reference diagram and physical security (Appendix A, Appendix B and Appendix C of the 2012 edition).
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
Drafting organizations of this standard: Science and Technology Department of the People's Bank of China, China UnionPay Co., Ltd., Bank Card Testing Center, Industrial and Commercial Bank of China Co., Ltd., China Construction Bank Co., Ltd., Agricultural Bank of China Co., Ltd., China Postal Savings Bank Co., Ltd., China Merchants Bank Co., Ltd., China Minsheng Bank Co., Ltd., National Information Technology Security Research Center, CICC Certificate Center Co., Ltd.
The main drafters of this standard: Li Wei, Chen Liwu, Che Zhen, Zhou Heng, Zan Xin, Xia Lei, Yan Jinguo, Qu Weimin, Shen Xiaoyan, Zhao Qiaowei, He Shuo, Hua Jinzhi, Yang Yang, Xu Yanjun, Zhang Ming, Tang Yang, Qu Shaoguang, Meng Feiyu, Zhang Zhibo, Gao Zhimin, Sun Maozeng, Gao Qiangyi, Ma Zhe, Li Bowen, Zhao Mengjie, Li Jingchun, Li Bing, Cao Yue, Su Jianming, Jiang Cheng, Wu Hongwei, Li Hui, Wang Ning, Yang Jie, Liao Minfei, Liu Hong Bo, Liang Zhiyang, Liao Yuan, Xia Lei, Liang Jianfeng, Wu Xin, Li Xiao, Wu Degang, Li Qiang, Zeng Qingxiang, Ji Xiaojie, Li Chao, Ma Chunwang, Zhao Shengli, Huang Chunfang, Xue Jinchuan, Jiang Jianxiao, Li Wei, Hou Manli.
The previous versions of the standard replaced by this standard are as follows.

Introduction

This standard collects and analyzes the information security problems of online banking systems and the online banking incidents found during assessment and inspection, and puts forward targeted security requirements. Its purpose is to effectively enhance the security protection capabilities of existing online banking systems and to promote the standardized and healthy development of online banking. This standard can serve as the security basis for the construction, transformation and upgrading of each institution's online banking system, for security inspections and for internal audits; it can also serve as the basis for inspection, testing and certification by industry regulatory departments and professional testing institutions.

1 Scope

This standard specifies the security technical requirements, security management requirements and business operation security requirements of online banking systems, and provides the basis for their design, operation and evaluation. This standard applies to online banking systems operated by commercial banks and other banking financial institutions established within the territory of the People's Republic of China. The business systems of other financial institutions that provide online financial services should refer to this standard.
Note 1: This standard is divided into two levels: basic requirements and enhanced requirements. The basic requirements are the minimum security requirements; the enhanced requirements further enhance the security of the system. All institutions shall, while complying with and implementing the basic requirements, actively take improvement measures in accordance with the enhanced requirements to continuously improve their security assurance capabilities.
Note 2: Where a clause of this standard does not specify "corporate online banking", it applies to both personal online banking and corporate online banking.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 25069-2010 Information Security Technical Terms
GB/T 27912-2011 Financial Services Biometrics Security Framework
GM/Z 0001-2013 Cryptographic Terms
GM/T 0002-2012 SM4 Block Cipher Algorithm
GM/T 0003-2012 SM2 Elliptic Curve Public Key Cryptographic Algorithm
GM/T 0004-2012 SM3 Cryptographic Hash Algorithm
GM/T 0021-2012 Dynamic Password Cryptographic Application Technical Specification
JR/T 0071 Implementation Guidelines for the Cyber Security Level Protection of the Financial Industry
JR/T 0098.5 China Financial Mobile Payment Testing Specification - Part 5: Secure Element (SE) Embedded Software Security
JR/T 0118-2015 Financial Electronic Certification Specification
JR/T 0149-2016 China Financial Mobile Payment Tokenization Technical Specification
JR/T 0156-2017 Technical Specification for Trusted Environment of Mobile Terminal Payment
JR/T 0166-2018 Cloud Computing Technology Financial Application Specification - Technical Architecture
JR/T 0167-2018 Cloud Computing Technology Financial Application Specification - Security Technical Requirements
JR/T 0168-2018 Cloud Computing Technology Financial Application Specification - Disaster Recovery
Notice of the People's Bank of China on Improving Personal Bank Account Services and Strengthening Account Management (Yinfa [2015] No. 392), 2015-12-25
Notice of the People's Bank of China on Further Strengthening Bank Card Risk Management (Yinfa [2016] No. 170), 2016-06-13
Notice of the People's Bank of China on Strengthening the Management of Payment and Settlement and Preventing New Types of Illegal Crimes in Telecommunications Networks (Yinfa [2016] No. 261), 2016-09-30
Notice of the People's Bank of China on Implementing the Classification Management System for Personal Bank Accounts (Yinfa [2016] No. 302), 2016-11-25
Notice of the General Office of the People's Bank of China on Strengthening the Security Management of Bank Card Magnetic Stripe Transactions (Yinbanfa [2017] No. 120), 2017-05-31
Barcode Payment Security Technical Specification (for Trial Implementation) (issued by Yinbanfa [2017] No. 242), 2017-12-22
Notice of the People's Bank of China on Issues Concerning the Improvement of Classified Management of Personal Bank Accounts (Yinfa [2018] No. 16), 2018-01-10
Notice of the People's Bank of China on Further Strengthening the Administration of Payment and Settlement and Preventing New Types of Illegal Crimes in Telecommunications Networks (Yinfa [2019] No. 85), 2019-03-22

3 Terms and definitions

The terms and definitions defined in GB/T 25069-2010 and GM/Z 0001-2013 apply to this document. For ease of use, some terms and definitions from GM/Z 0001-2013 are repeated below.
3.1 Internet banking
Online financial services provided by commercial banks and other banking financial institutions to their customers using the Internet, mobile communication networks, other open public networks or private network infrastructure.
3.2 Personal internet banking
Online financial services provided by commercial banks and other banking financial institutions to individual users.
3.3 Corporate internet banking
Online financial services provided by commercial banks and other banking financial institutions to enterprises, institutions and other organizations.
3.4 Payment sensitive information
Passwords, keys and sensitive transaction data that affect the security of online banking.
Note: Passwords include but are not limited to transfer passwords, query passwords, login passwords, certificate PINs, etc. Keys include but are not limited to the symmetric keys, private keys, etc. used to ensure communication security and message integrity. Sensitive transaction data include but are not limited to full track data, expiry date, CVN, CVN2, etc.
3.5 Mobile terminal
Mobile devices such as mobile phones, tablets and wearable devices, as distinct from PCs, used to access online banking.
3.6 Client program
Programs that provide online banking customers with human-computer interaction functions, together with the components that provide the necessary functions.
Note: Including but not limited to executable files, controls, static link libraries, dynamic link libraries, etc. In this standard, client programs include application software running on mobile terminals, but do not include general-purpose browsers such as IE.
3.7 Cryptographic smart token
A terminal cryptographic device that provides cryptographic operations, key management and other cryptographic services, generally in USB, Bluetooth, audio, SD or other interface forms.
3.8 Cryptographic smart token firmware
The program code built into the cryptographic smart token that affects the security of the token.
3.9 Dynamic password; one-time password (OTP)
A one-time password dynamically generated on the basis of time, events, etc.
[GM/Z 0001-2013, definition 2.15]
3.10 Dynamic password token; one-time password token
A device used to generate dynamic passwords.
[GM/Z 0001-2013, definition 2.16]
3.11 Biometric
A measurable physiological or behavioural characteristic of a person that can reliably distinguish that person from others, in order to identify the registered identity of the person or to confirm the registered identity claimed by the person.
[GM/Z 0001-2013, definition 4.4]
3.12 Funds transaction
A transaction that operates on funds through online banking.
Note: For example, transfers, order payments, bill payments, etc. Investment and wealth management, transactions among accounts under the customer's own name, and entrusted withholding under a signed entrusted-withholding agreement, being fund changes whose risk is controllable, do not fall into this category.
3.13 Information and business changing transaction
A transaction that changes customer-related information, or opens or cancels a business, through online banking.
Note: For example, a customer modifying basic information, adjusting transaction limits, authorizing entrusted transactions, modifying transaction orders, opening (signing up for) a new business, cancelling a business, signing an electronic contract, taking out an electronic insurance policy, etc.

4 Abbreviations

The following abbreviations apply to this document.

5 Overview of Online Banking System

5.1 System identification
The following should be indicated in the system identification:
-- the owning bank.
5.2 System description
The online banking system integrates traditional banking services with resources and technologies such as the Internet, and extends traditional counter services to customers through the Internet, mobile communication networks, other open public networks or private networks. It is an important measure by which commercial banks and other banking financial institutions open up new business, facilitate customer operations, improve service quality and promote production relations in the network economy, and it improves the social and economic benefits of banks and other banking financial institutions. The online banking system mainly includes internet banking systems accessed from terminals such as PCs, mobile phones, tablets, smart TVs and wearable devices, for example mobile banking, WeChat banking, direct banking, bank-enterprise direct connection and small and micro-enterprise banking systems. The online banking system covers both personal online banking systems and corporate online banking systems.
5.3 System components
5.3.1 Overview
The online banking system is mainly composed of the client, the communication network and the server side, and may connect to external systems through different types of communication networks to carry out various cooperative services. The server side includes the online banking access subnet, the online banking business system, intermediate isolation equipment, the bank processing system, etc., as shown in Figure 1.
5.3.2 Client
The client of the online banking system mainly includes the client program and the client environment. The client environment refers to the hardware terminal on which the client program runs (currently mainly PCs, mobile phones, tablets, smart TVs, wearable devices, etc.; other forms of terminal may appear in the future) together with the overall operating environment formed by the operating system, browser and other programs on that terminal. The client environment usually does not, or does not fully, provide the trusted input, trusted output, trusted communication, trusted storage and trusted computing capabilities of dedicated financial transaction equipment. It is therefore necessary to use special security mechanisms and to deal with transaction risk through the strategies of acceptance, mitigation, avoidance and transfer. Financial institutions should ensure client security through software and hardware legitimacy verification, program integrity protection, data access control, data input security, data transmission security, data storage security and a trusted execution environment.
5.3.3 Communication network
Online banking uses technologies such as the Internet and mobile communication networks to provide customers with financial services, and is vulnerable to security threats at the communication level. Financial institutions should take measures to effectively deal with the related risks in terms of communication protocols, security authentication and communication link security.
5.3.4 Server side
The server side of the online banking system provides online banking application services and core business processing functions. Financial institutions should make full use of protection technologies for the physical environment, communication network, computing environment and other areas to establish multiple tight lines of defense between attackers and protected resources.
5.3.5 Connection with external systems
In addition to providing financial services directly to users, online banking may also conduct business cooperation with external institutions. During the design, development, deployment and operation of the online banking system, the possible security risks of external institutions' systems should be fully considered and the various risks effectively protected against.
5.4 System security description
The online banking system should divide security domains according to the application system, customer target, data sensitivity, etc. The information security of the online banking system can be better described through the description and boundaries of the security domains. Financial institutions should adopt special security mechanisms, including digital certificates, dynamic passwords, SMS verification codes, biometrics, etc., to protect the security of the online banking system. Financial institutions should classify and manage security mechanisms according to the combination of the five capabilities they provide in a transaction (trusted communication, trusted input, trusted output, trusted storage and trusted computing), and formulate corresponding transaction security risk prevention strategies. Before applying cloud computing technology to the online banking system, financial institutions should fully evaluate the scientific soundness, security and reliability of the application of cloud computing technology in light of the business importance and data sensitivity of the online banking system and the degree of damage a security incident would cause; on the premise of ensuring business continuity, data security and fund security, and upholding the principle of security first and responsibility to users, they should fully assess possible hidden risks and carefully select a cloud computing deployment model in the financial sector that suits the business system. When adopting cloud computing technology, online banking systems should follow technical standards such as JR/T 0166-2018, JR/T 0167-2018 and JR/T 0168-2018 and the relevant requirements of the industry authorities. The online banking system shall comply with the requirements of the national cryptography authority when using cryptographic algorithms, and should support and preferentially use the SM series of cryptographic algorithms (GM/T 0002-2012, GM/T 0003-2012, GM/T 0004-2012).

6 Safety regulations

6.1 Overview
This specification is divided into three parts: security technical specifications, security management specifications and business operation security specifications. Financial institutions should adopt security measures of the corresponding level for different business types. Taking business relevance into account, this specification also includes security requirements for the external connections of the online banking system. The online banking system shall be constructed, operated and maintained in accordance with the level-three security requirements of network security classified protection.
6.2 Security technical specifications
6.2.1 Client security
6.2.1.1 Client program
Basic requirements:
a) During client program development and design, attention should be paid to avoiding the security risks of system components, third-party components and SDKs; the development framework and technical route should be rigorously demonstrated, and type-selection security tests carried out when necessary.
b) The client program should have a clear application identifier and version serial number, and a reasonably designed update interface. When a version is shown to have a major security risk, users should be prompted and forced to update the client.
c) Each update and upgrade of the client program should undergo source code audit, security activity review and strict filing, to ensure that the client program contains no hidden illegal functions or backdoors.
d) The client program should be signed in a secure way, so that the source and publisher of the client program can be identified and the client program downloaded by the customer is guaranteed to come from a trusted institution.
e) The authenticity and integrity of the client program should be verified at startup and at update (for example, by online dynamic verification) to prevent the client program from being tampered with or replaced.
f) The client program should adopt security mechanisms such as code obfuscation and packing to prevent reverse analysis of the client program and ensure the confidentiality and integrity of the client's sensitive logic and data.
g) The client program should ensure its own security and avoid vulnerabilities such as code injection, buffer overflow and illegal privilege escalation.
h) The client program should take process protection measures to prevent illegal programs from gaining access to its process, scanning sensitive data in memory, replacing client pages, etc.
i) The client program should adopt technologies such as anti-screen-recording on key interfaces, to prevent illegal programs from obtaining payment sensitive information by copying the screen.
j) The client program should provide instant protection when customers input payment sensitive information, and protect payment sensitive information in memory, for example by measures such as character-by-character encryption, custom soft keyboards and anti-keylogging technology.
k) The client software should not store the user's payment sensitive information locally in any form. Storage locations include but are not limited to cookies, local temporary files and mobile database files.
l) The client program should take effective measures to ensure the confidentiality and integrity of the keys involved.
m) The client program should take measures to verify password complexity, to ensure that the password set by the user reaches a certain strength.
n) The password box of the client program should not display the password in plaintext; the same special character (for example, * or •) should be displayed instead.
o) After the client program has logged in, if there is no operation for a period of time it should automatically log out, and the user must log in again to continue.
p) The client program should cooperate with the server to take effective measures to reasonably limit the frequency of resource-consuming behaviours such as login requests, service requests and database queries.
q) When the client program has barcode generation, display, or reading and parsing functions, it should comply with the requirements of the "Barcode Payment Security Technical Specification (for Trial Implementation)" (issued by Yinbanfa [2017] No. 242).
r) The client program should effectively shield system technical error information, and should not feed error information generated by the system directly back to the customer.
s) The client program should support access to network services over IPv6 connections; where dual-stack is supported, IPv6 connections should be used preferentially.
t) The client program should have a privacy policy.
u) Before the client program collects and uses customer information, it should clearly state the purpose, method and scope of the collection and use, disclose its collection and use rules, and obtain the customer's express consent. Before collecting a customer's sensitive personal information, it should explicitly remind the customer of the purpose and necessity of the collection.
v) The client program should not access files and data on the terminal that are not necessary for the business. System permissions should be requested on the principle of least privilege (for example, permission to read the address book, geographic location, etc.), with the user's express consent.
w) The client should keep the minimum customer information, and limit the amount of data stored and the retention time.
x) When the client program exits, business data whose retention is not necessary for the operation of business functions should be cleared, to ensure the security of customer information.
y) Measures such as channel monitoring should be taken to monitor counterfeit client programs.
6.2.1.2 Client environment
Basic requirements:
a) The security status of the client's operating environment s...
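The client-side requirements m), o) and p) of 6.2.1.1 (password complexity, idle auto-logout and limiting the frequency of login requests) are stated as policy; the standard fixes no numbers for them. The following Python module is an added illustration of how a client program could implement those three checks. It is not code from the standard or from any bank's client; the thresholds (minimum length 8, three character classes, 300 s idle timeout, 5 attempts per 60 s) are assumptions, and the FakeClock is a constructed stand-in for real time so the behaviour can be demonstrated deterministically.

```python
"""Client-side checks for three of the 6.2.1.1 basic requirements:
m) password complexity, o) idle auto-logout, p) rate limiting of login requests.
Added illustration; the numeric thresholds are assumptions (the standard only
says "a certain strength" and "a period of time" and fixes no values)."""
import re
import time
from collections import deque

# Assumed policy values; tune them to the institution's own risk policy.
MIN_PASSWORD_LEN = 8
MIN_CHAR_CLASSES = 3        # of: lowercase, uppercase, digit, other
IDLE_TIMEOUT_S = 300        # seconds without activity before forced re-login
LOGIN_WINDOW_S = 60         # sliding window for counting login attempts
LOGIN_MAX_PER_WINDOW = 5    # attempts allowed per account per window


def password_strength_ok(pw: str) -> bool:
    """Requirement m): reject weak passwords on the client before they reach the server.
    Checks length, character-class mix, repeated characters and ascending runs."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CHAR_CLASSES:
        return False
    if re.search(r"(.)\1{2,}", pw):          # three or more identical characters in a row
        return False
    for i in range(len(pw) - 3):             # four ascending characters, e.g. "1234", "abcd"
        c = pw[i:i + 4]
        if all(ord(c[k + 1]) - ord(c[k]) == 1 for k in range(3)):
            return False
    return True


class LoginRateLimiter:
    """Requirement p): cap login attempts per account within a sliding window.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._attempts = {}  # account -> deque of attempt timestamps

    def allow(self, account: str) -> bool:
        now = self._clock()
        q = self._attempts.setdefault(account, deque())
        while q and now - q[0] >= LOGIN_WINDOW_S:   # drop attempts outside the window
            q.popleft()
        if len(q) >= LOGIN_MAX_PER_WINDOW:
            return False                              # caller shows "try later"; no request sent
        q.append(now)
        return True


class ClientSession:
    """Requirement o): a logged-in state that expires after IDLE_TIMEOUT_S of inactivity."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._last_activity = None

    def login(self) -> None:
        self._last_activity = self._clock()

    def is_active(self) -> bool:
        """True while logged in and not idle too long; an expired session is logged out."""
        if self._last_activity is None:
            return False
        if self._clock() - self._last_activity >= IDLE_TIMEOUT_S:
            self._last_activity = None      # auto-logout: the user must log in again
            return False
        return True

    def touch(self) -> bool:
        """Record user activity. Returns False if the session had already expired."""
        if not self.is_active():
            return False
        self._last_activity = self._clock()
        return True


class FakeClock:
    """Deterministic clock for demonstration and tests (constructed, not real time)."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    limiter = LoginRateLimiter(clock)
    print([limiter.allow("acct-001") for _ in range(6)])   # five True, then False
    session = ClientSession(clock)
    session.login()
    clock.t = IDLE_TIMEOUT_S
    print(session.is_active())                              # False: idle timeout reached
```

The rate limiter here is the client's half of requirement p): it stops the client from issuing bursts of login requests, but the server must enforce the same limit independently, since a counterfeit client (requirement y) will not honour it. Likewise the idle timeout only discards the client's session state; the server session must expire on its own schedule.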