
Basic data

Standard ID: JR/T 0185-2020 (JR/T0185-2020)
Title (translated): Commercial bank application programming interface secure management specification
Sector / industry: Finance industry standard (recommended)
Chinese standard classification: A11
Date of issue: 2020-02-13
Date of implementation: 2020-02-13
Regulation (derived from): Bank Announcement (2020) No. 44
Issuing agency: People's Bank of China

JR/T 0185-2020: Commercial bank application programming interface secure management specification


ICS 35.240.40
A 11
JR
Financial Industry Standard of the People's Republic of China
JR/T 0185-2020
Commercial Bank Application Program Interface Security Management Specification
Issued 2020-02-13, implemented 2020-02-13
Issued by the People's Bank of China

Table of contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 Interface type and security level
7 Security design
8 Security deployment
9 Security integration
10 Security operation and maintenance
11 Service termination and system offline
12 Security management
Appendix A (normative) Diagram of the relationships between commercial bank application program interfaces
Appendix B (normative) Coding rules for the uniform identification code of commercial bank application program interfaces
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard was proposed by the People's Bank of China.

This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).

Drafting organizations of this standard: Department of Science and Technology of the People's Bank of China, China Financial Electronics Corporation, China UnionPay Co., Ltd., Industrial and Commercial Bank of China Co., Ltd., Agricultural Bank of China Co., Ltd., Bank of China Co., Ltd., China Construction Bank Co., Ltd., Postal Savings Bank of China Co., Ltd., China Merchants Bank Co., Ltd., Shanghai Pudong Development Bank Co., Ltd., China CITIC Bank Co., Ltd., Industrial Bank Co., Ltd., China Minsheng Bank Co., Ltd., China Everbright Bank Co., Ltd., Ping An Bank Co., Ltd., China Guangfa Bank Co., Ltd., Bank of Beijing Co., Ltd., Huishang Bank Co., Ltd., Shandong Provincial City Commercial Bank Cooperative Alliance Co., Ltd., Qilu Bank Co., Ltd., Zhejiang E-Commerce Bank (MYbank) Co., Ltd., CITIC Baixin Bank Co., Ltd., Shandong Rural Credit Cooperatives Association, Beijing Zhongjin Guosheng Certification Co., Ltd., Beijing UnionPay Gold Card Technology Co., Ltd., China Financial Certification Authority (CFCA) Co., Ltd., China Foreign Exchange Trade System.

Main drafters of this standard: Li Wei, Li Xingfeng, Qu Weimin, Cheng Sheng, Guo Dong, Duan Libat, Guo Jingying, Liu Yun, Gao Qiangyi, Chen Cong, Jiang Huike, Jiang Cheng, Meng Xianzhe, Zhuo Yue, Wen Tao, Sun Yao, Kong Pengzhi, Zhao Siqi, Bai Fan, Li Peizhao, Li Yiqin, He Weiming, Zhao Peng, Geng Li, Liu Huiming, Li Yanping, Jiang Xiangchao, Wang Jianhua, Zhang Peicheng, Liu Weiwei, Hu Linlong, Jia Haiming, Yun Jing, Liu Shuhong, Chen Miao, Ye Liming, Fang Shaoquan, Xie Zhenzhe, Qiu Jiacheng, Jiang Hong, Shen Tianle, Quan Cheng, Liu Jiawen, Wang Xiaofei, Fu Kaizuo, Du Shouwei, Zuo Min, Deng Xiang, Ding Peng, Liu Weiwei, Tu Ding.
Commercial Bank Application Program Interface Security Management Specification

1 Scope

This standard specifies the interface types and security levels, security design, security deployment, security integration, security operation and maintenance, service termination and system offline, and security management requirements for commercial bank application program interfaces. It applies to the design and application of the interfaces that commercial banks expose for external interconnection: it guides commercial banks and other banking financial institutions that provide interface services, and the application parties that integrate those services, in carrying out the related work, and it serves as a reference for third-party security assessment agencies and other bodies conducting security inspections and evaluations (see Appendix A for the relationship between interface types). The design and application of other types of application program interfaces may refer to this standard.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 25069 Information security technology - Glossary
JR/T 0071 Implementation guide for classified protection of information system of financial industry
JR/T 0124-2014 Financial institution coding specification

3 Terms and definitions

The terms and definitions given in GB/T 25069 and the following apply to this document.

3.1 Application programming interface; API
A set of predefined functions through which developers can access related services without having to understand the design and implementation of those services.

3.2 Application party
The institution that calls the commercial bank application program interface.

3.3 Application programming interface unique ID
A unique identifier, defined by the commercial bank, that distinguishes one commercial bank API function from another.

3.4 Uniform application programming interface ID
The uniform identification code of a commercial bank API, generated by the commercial bank in accordance with the coding rules issued by the competent department of the industry.
Note: It identifies the commercial bank's institution code, interface type, service category, interface sequence number, and so on.

3.5 Application software development kit; SDK
A collection of software development tools used when building applications on a specific software package, software framework, hardware platform, operating system, etc.

3.6 Application unique ID
A unique identifier granted by the commercial bank to an application party, after its identity has been verified, according to the type of financial products and services it calls.
Note: Includes server-side application identifiers and mobile application software identifiers.

3.7 Application secret
A credential for authenticating the legitimacy of an application. It is used together with the application unique ID to verify an application that accesses the API; once verification passes, the application can complete system integration, call the API, and use the functions and data the API provides.

3.8 Financial mobile application software
Application software that provides users with financial transaction services on mobile terminals.
Note: Includes but is not limited to executable files, components, etc.

3.9 Personal financial information
Personal information obtained, processed and stored by a financial institution through the provision of financial products and services or through other channels.
Note 1: Includes account information, identification information, financial transaction information, personal identity information, property information, loan information and other information that reflects the circumstances of a specific individual.
Note 2: Adapted from GB/T 35273-2017, definition 3.1.

3.10 Payment sensitive information
Information within payment data that concerns the privacy and identity of the paying subject.
Note: Includes but is not limited to bank card track or chip data, card verification code, card validity period, bank card password, online payment transaction password, etc.

3.11 Payment account
The account number of a bank account with financial transaction functions, a bank card number, or a payment account of a non-bank payment institution.
[JR/T 0149-2016, definition 3.1]

3.12 Explicit consent
The act by which the subject of personal financial information, through a written statement or a proactive affirmative action, explicitly authorizes a specific processing of his or her personal financial information.
Note: Affirmative actions include the subject actively making a statement (in electronic or paper form), actively ticking a box, or actively clicking "agree", "register", "send", "dial", etc.
[GB/T 35273-2017, definition 3.6]

4 Abbreviations

The following abbreviations apply to this document.

5 Overview

Commercial bank application program interface (API) service is a financial service model that uses API technology to interconnect the bank with external parties. By providing partners with interfaces for interconnection, a commercial bank exports its own financial service capability and information technology capability, which helps bind the financial ecosystem more closely together. External institutions call the commercial bank's APIs over Internet channels (external APIs, see Appendix A) to obtain the services the bank provides; the logical structure is shown in Figure 1.

The participants in a commercial bank API service are mainly users, application parties and commercial banks. A commercial bank provides API services to application parties and users either by direct connection or indirectly through an SDK, so that its banking services are made available externally. The user initiates a request that uses a commercial bank API and receives the processing result returned by the application party or the commercial bank. The application party receives and processes user requests, submits the corresponding requests to the commercial bank through the API, receives the returned results, and either continues processing the service request or returns the result to the user according to the defined process. The commercial bank builds the APIs, the API service layer and the banking business systems that together provide the commercial bank API service.

The commercial bank API service layer forwards application requests to the banking business systems for processing and returns the results to the application party or user. It provides functions such as authentication and authorization, flow control, monitoring and analysis, message exchange and service composition, but does not process specific business logic; it implements the management of the bank's APIs and of the application parties.

Figure 1 Logical structure of commercial bank application program interfaces

6 Interface type and security level

6.1 Interface type

According to the application integration method, commercial bank APIs are divided into two types: server-to-server integration and mobile terminal-to-server integration.

Server-to-server integration mainly takes two forms:
--The application party's server calls the commercial bank API directly (for example over REST or SOAP).
--The application party's server accesses the commercial bank API indirectly through a server-side SDK provided by the bank. The server-side SDK mainly encapsulates the bank's general access algorithms in order to reduce the application party's integration effort; it generally contains no business logic.

Mobile terminal-to-server integration mainly takes two forms:
--The application party's mobile application software calls the commercial bank API directly.
--The application party's mobile application software accesses the commercial bank API indirectly through a mobile application SDK provided by the bank.
Direct calls from the application party's mobile application are mainly used for financial services that are not directly related to an individual user, such as the bank's public information queries and public service queries. Besides encapsulating the bank's general access algorithms, the mobile application SDK may also encapsulate business logic and personal financial information protection functions (for example, security hardening of password data).

In the mobile terminal-to-server mode, where only H5 (HTML version 5) technology is used to provide a link to banking financial products and services, the H5 page itself does not directly call (or encapsulate) the commercial bank API, so it is not listed separately as a type of commercial bank API.

6.2 Security level

According to the type of service, commercial bank APIs are divided into two security levels; the required protection strength decreases from A2 to A1.
--A2: fund transaction and account information query applications. These financial products and services are directly related to individual users and require high-strength security protection. Such interfaces include but are not limited to:
  financial transaction services the bank provides through an SDK, such as payment, transfer, and purchase of financial products and services;
  user account information query services the bank provides through an SDK, such as account balance, transaction history, account limits, payment time, and holdings of financial products and services.
  If any of the above services must be invoked through API direct connection, the bank shall assess the access risk, formulate a dedicated interface for integration with the application party, and apply the high-strength protection requirements.
--A1: financial product and service information query applications. These financial products and services are not directly related to individual users. Such interfaces include but are not limited to "read-only" query services for details of the bank's financial products and services.

7 Security design

7.1 Basic design requirements

The basic security design requirements for commercial bank APIs are as follows.
--The cryptographic algorithms, technologies and products used shall comply with the requirements of the national cryptographic management department and the industry's competent authority.
--Secure coding standards shall be established.
--Developers shall be trained in secure coding and shall develop in accordance with the secure coding standards.
--If third-party components are used in development, their security shall be verified; the bank shall continuously follow the vulnerability disclosures and update status published by the relevant platforms and update the components in a timely manner.
--A dedicated code security audit shall be conducted on the commercial bank API; the audit may be carried out manually or with automated tools.
--Version management and control procedures shall be formulated for source code and for the commercial bank API, source code and API versions shall be managed accordingly, and information on interface revocation, change and the like shall be kept synchronized with the application party.
--Exception and debugging information provided by the bank to the application party shall not disclose software and hardware information about servers, middleware, databases and the like, nor internal network information.

7.2 Interface security design

7.2.1 Identity authentication security
a) The security requirements for interface authentication are as follows.
b) The security requirements for user identity authentication are as follows.
1) Commercial banks shall, according to the financial service scenario, design user identity authentication mechanisms of different strength for commercial bank APIs of different security levels.
2) User identity authentication shall be performed at the commercial bank. For fund transaction services on A2 interfaces, user login authentication shall use at least two-factor authentication to protect the user's account assets.

7.2.2 Interface interaction security
The security requirements for commercial bank API interaction are as follows.
--The commercial bank API shall verify the validity of the connection, for example whether the interface version, parameter format and other elements are consistent with the platform design.
--The integrity of data exchanged through the commercial bank API shall be protected. For A2 interfaces, the bank and the application party shall use digital signatures to ensure data integrity and non-repudiation.
--For personal financial information such as payment sensitive information, the following measures shall be taken for secure interaction:
  During data exchange, payment sensitive information such as login passwords and payment passwords shall be protected by measures including but not limited to replacing the native input box, custom soft keyboards, anti-keylogging and anti-screen-capture, so that its plaintext cannot be obtained;
  Personal financial information such as account number, card number, card validity period, name, certificate number and mobile phone number shall be encrypted in transit by the encryption component integrated in the SDK, or the whole message shall be encrypted; if the commercial bank API must return the account number, card number or name to the application party, it shall be desensitized or de-identified;
  Where a payment account number such as a card number must be transmitted to the application party for clearing, error reconciliation or similar needs, an encrypted channel shall be used and measures shall be taken to ensure the integrity of the information;
  For A2 read-only queries of financial product holdings, user points and the like, API direct connection may be used for the query request; encryption and other measures shall be taken to ensure the integrity and confidentiality of the query information, and the query results shall not be stored on the application side.
--Users' payment sensitive information shall be cleared promptly once transaction authentication is complete, to prevent an attacker from obtaining all or part of the user's information by reading temporary files, memory data or similar.

7.3 Service security design

7.3.1 Authorization management
Commercial banks shall grant and manage interface permissions according to each application party's service needs and the principle of least privilege. When service needs change, the interface permissions shall be re-evaluated and adjusted in a timely manner.

7.3.2 Attack protection
The service security design shall have the following attack protection capabilities.
--The API and SDK shall be protected against common network attacks.
--The mobile application SDK shall have static anti-reverse-engineering protection, preventing attackers from learning SDK implementation details through static disassembly, string analysis, identification of imported and exported functions, configuration file analysis and similar means.
--The mobile application SDK shall have anti-dynamic-debugging protection, including but not limited to preventing attackers from controlling program behaviour with a debugger or dynamic tracing, and preventing them from controlling program behaviour by tampering with files or dynamically modifying code in memory.

7.3.3 Security monitoring
The security requirements for security monitoring are as follows.
--Commercial banks shall monitor interface usage and keep a complete interface access log.
--The log shall meet the following requirements:
  The bank's log shall include at least the transaction serial number, application unique ID, interface unique ID, call time, elapsed time, timestamp and return result (success or failure);
  Where business needs such as clearing and error reconciliation require it, the payment account (or equivalent information) shall be recorded in the application-side interface log only in partially masked form; other personal financial information shall not be recorded in the application-side interface log.

7.3.4 Key management
The key management security requirements are as follows.
--Separate keys shall be assigned for encryption and for signature, and the two shall be kept apart.
--Private keys shall not be hard-coded in plaintext (or ciphertext) in the commercial bank's application code, and the App_Secret or private key shall not be stored in local configuration files of either the commercial bank or the application party, so that a code leak does not leak the key.
--Different key validity periods shall be set according to the security level of the commercial bank API, and keys shall be rotated regularly.
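To make the requirements of 7.2.2 (digital signatures on A2 interfaces, desensitized account numbers), 7.3.1 (least-privilege interface grants), 7.3.3 (minimum log fields, partially masked payment account) and 7.3.4 (a signing key kept separate from any encryption key) concrete, the following Go program sketches the bank-side API service layer. It is an added example, not code from the standard or from any bank's SDK. The request field set, the application and interface identifier formats, the "first 6 + last 4" masking rule and the Ed25519 signature primitive are all assumptions; Ed25519 stands in for whatever algorithms the national cryptographic management department approves (7.1), and the business payload is shown as ciphertext already produced by the SDK's encryption component, which the example does not implement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Request is what the application party sends to the bank's API service layer.
// The field set is an assumption for illustration; the standard fixes no wire format.
type Request struct {
	AppID       string // application unique ID (3.6)
	InterfaceID string // API unique ID (3.3)
	Serial      string // transaction serial number
	Timestamp   int64
	Body        []byte // business payload, already encrypted by the SDK's encryption component
}

// canonical is the byte string both sides sign/verify: header fields in a fixed order
// plus a hash of the body, so a change to any of them invalidates the signature.
func canonical(r Request) []byte {
	h := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{r.AppID, r.InterfaceID, r.Serial,
		fmt.Sprint(r.Timestamp), hex.EncodeToString(h[:])}, "\n"))
}

// Sign runs at the application party with its signing key, which 7.3.4 requires to be
// distinct from any encryption key and never embedded in code or a config file.
func Sign(priv ed25519.PrivateKey, r Request) []byte { return ed25519.Sign(priv, canonical(r)) }

// Verify runs in the bank's API service layer before any business system sees the request
// (7.2.2: A2 interfaces need digital signatures for integrity and non-repudiation).
func Verify(pub ed25519.PublicKey, r Request, sig []byte) bool {
	return ed25519.Verify(pub, canonical(r), sig)
}

// MaskAccount keeps the first 6 and last 4 digits and shields the rest (assumed rule): the
// desensitized form returned to the application party and the only form of a payment
// account allowed in the application-side interface log (7.2.2, 7.3.3).
func MaskAccount(acct string) string {
	if len(acct) <= 10 {
		return strings.Repeat("*", len(acct))
	}
	return acct[:6] + strings.Repeat("*", len(acct)-10) + acct[len(acct)-4:]
}

// LogEntry holds the minimum fields 7.3.3 requires in the interface log.
type LogEntry struct {
	Serial, AppID, InterfaceID, CallTime string
	ElapsedMS                            int64
	Success                              bool
	Account                              string // masked, never plaintext
}

// Gateway is the bank-side service layer: each application party's signing public key and
// the interfaces it has been granted under the least-privilege rule of 7.3.1.
type Gateway struct {
	Keys   map[string]ed25519.PublicKey
	Grants map[string]map[string]bool
}

// Accept verifies the signature, then checks the grant, and always produces a log entry.
// acct is the payment account the transaction concerns; it is masked before logging.
// The reason string is for the gateway's own log, not for the caller (7.1 limits what
// exception output may disclose).
func (g Gateway) Accept(r Request, sig []byte, acct string) (LogEntry, string) {
	start := time.Now()
	pub, known := g.Keys[r.AppID]
	ok, reason := false, "unknown application"
	switch {
	case !known:
	case !Verify(pub, r, sig):
		reason = "bad signature"
	case !g.Grants[r.AppID][r.InterfaceID]:
		reason = "interface not granted"
	default:
		ok, reason = true, "ok"
	}
	return LogEntry{r.Serial, r.AppID, r.InterfaceID, start.UTC().Format(time.RFC3339),
		time.Since(start).Milliseconds(), ok, MaskAccount(acct)}, reason
}

func main() {
	// Constructed demo material: one application party with a single granted interface.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	gw := Gateway{
		Keys:   map[string]ed25519.PublicKey{"APP-0001": pub},
		Grants: map[string]map[string]bool{"APP-0001": {"CB-API-0042": true}},
	}
	card := "6222021234567890123" // constructed card number
	req := Request{"APP-0001", "CB-API-0042", "TX20200213-000001", time.Now().Unix(), []byte("<ciphertext>")}
	sig := Sign(priv, req)
	entry, why := gw.Accept(req, sig, card)
	fmt.Printf("%s %+v\n", why, entry)
	req.InterfaceID = "CB-API-0099" // signed header no longer matches: rejected as bad signature
	_, why = gw.Accept(req, sig, card)
	fmt.Println(why)
	sig = Sign(priv, req) // re-signed by the legitimate caller, but the interface was never granted
	_, why = gw.Accept(req, sig, card)
	fmt.Println(why)
}
```

The signature covers every header field and a hash of the body, so the altered request in main is rejected before the grant table is consulted; re-signing it with the caller's own key still fails because the interface was never granted to that application party. Only the masked account reaches the log record, and the detailed reason stays inside the gateway.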

8 Security deployment

Commercial banks and application parties shall deploy the commercial bank API securely, following the schematic logical structure of commercial bank API network deployment shown in Figure 2. Commercial banks and application parties shall deploy network security protection measures with access control and intrusion prevention capabilities, such as firewalls, IDS/IPS and DDoS protection, at the Internet boundary.

9 Security integration

9.1 Application party admission

9.1.1 Application party access
Commercial banks shall review application parties applying for access to the commercial bank API, and shall formulate and sign the relevant cooperation agreements.
--An admission review shall be conducted on the prospective application party, covering aspects such as its customer groups, service scenarios, market share, operational capability and risk control capability.
--When an application party applies for access, its technical capability and management level shall be thoroughly inspected and evaluated, with its ability to protect user information as an important evaluation indicator. Where necessary, the application party's security protection capability shall be evaluated technically; the scope of the evaluation includes but is not limited to the level of its information security construction.
--A commercial bank API cooperation agreement shall be formulated that settles with the application party the cooperation business scenarios, the scope of interface use, the expected transaction volume, the API integration mode, the prohibition on accessing unauthorized information, responsibility for user information security, responsibility for transaction security, and so on.
--Cross-institution clearing business shall not be carried out in disguise through open APIs.

9.1.2 Application party identity verification
Commercial banks shall verify and manage the identity of the application party through online or offline means during the registration and review stage of access.
--The application party shall submit the identity verification materials required by the commercial bank, including operating qualifications, legal entity information, and the personal information and identity documents of the main application developers.
--The validity, completeness and authenticity of the materials submitted by the application party shall be reviewed, and the application party's identity shall be checked for compliance.

9.2 Access Secu...
