Introduction to standards:
Standard number: JR/T 0171-2020
Standard name: Personal financial information protection technical specification
English name: Personal financial information protection technical specification
Standard format: PDF
Release time: 2020-02-13
Implementation time: 2020-02-13
Standard size: 1.03M
Standard introduction: This standard specifies the security protection requirements for personal financial information in each link of the life cycle, such as collection, transmission, storage, use, deletion, and destruction, and puts forward normative requirements for the protection of personal financial information from the two aspects of security technology and security management.
This standard applies to financial institutions that provide financial products and services, and provides a reference for security assessment institutions to carry out security inspections and assessments.
Personal financial information is the extension and refinement of personal information in the financial field around account information, identification information, financial transaction information, personal identity information, property information, loan information, etc. It is an important basic data accumulated by financial institutions in the process of providing financial products and services, and is also an important part of personal privacy. Once personal financial information is leaked, it will not only directly infringe upon the legitimate rights and interests of the subject of personal financial information and affect the normal operation of financial institutions, but may even bring about systemic financial risks. This standard is prepared to strengthen the security management of personal financial information, guide relevant institutions to handle personal financial information in a standardized manner, protect the legitimate rights and interests of the subject of personal financial information to the greatest extent, and maintain the stability of the financial market.
This standard is drafted in accordance with the rules given in GB/T 1.1-2009.
This standard is proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
The drafting units of this standard are: Technology Department of the People's Bank of China, Zhengzhou Central Branch of the People's Bank of China, Beijing UnionPay Gold Card Technology Co., Ltd., Bank of China Co., Ltd., China UnionPay Co., Ltd., China UnionPay Clearing Co., Ltd., Zhejiang Ant Small and Micro Financial Services Group Co., Ltd., Lakala Payment Co., Ltd., China Financial Electronicization Company, Wuhan Branch of the People's Bank of China, Industrial and Commercial Bank of China Co., Ltd., Agricultural Bank of China Co., Ltd., China Construction Bank Co., Ltd., China Ping An Insurance (Group) Co., Ltd., Beijing CICC Guosheng Certification Co., Ltd., Beijing Software Product Quality Testing and Inspection Center, CICC Financial Certification Center Co., Ltd., Information Industry Information Security Evaluation Center, Huatai Securities Co., Ltd., China People's Insurance Group Co., Ltd., Tenpay Payment Technology Co., Ltd., China Payment and Clearing Association, China Internet Finance Association, and Jianxin Financial Technology Co., Ltd.
The main drafters of this standard are Li Wei, Li Xingfeng, Zhang Hongji, Guan Xiaohui, Liu Yulu, Tang Qinying, Guo Linzheng, Zhao Zhanyong, Xiong Jicheng, Qu Shaoguang, Meng Feiyu, Gao Qiangyi, Chen Cong, Ju Kun, Chen Xuexiu, Gong Lili, Xu Yanjiao, Niu Xiaowei, Wang Huan, Zhan Zhao, Qiang Qunli, Guo Lin, Yang Meng, Chen Jun, Li Yi, Feng Jianjian, Tang Ling, Huang Bentao, Wei Meng, Liu Qiongyao, Zhao Xu, Sun Yao, Zhou Lihua, Mu Yanyan, Wang Jiawei, Zhang Yang, Cai Jiayong, Liu Yang, Sun Pengliang, Nie Liqin, Liu Likang, Niu Yuehua, Chen Wei, Wang Xiujun, Ren Fengli, Xie Zongxiao, Dong Yanan, Zhang Xugang, Liu Jian, Dong Jingjing, Zhang Song, Yu Xiaoxue, Wu Yongqiang, Lu Jiayou, Shi Zhujun, Yu Pei, Hou Xiaochen, Tian Ran, Wang Zehang, He Weiming, Liang Weitao.
The following documents are essential for the application of this document. For any referenced document with a date, only the version with the date is applicable to this document. For any referenced document without a date, the latest version (including all amendments) is applicable to this document.
GB/T 22239-2019 Information security technology - Basic requirements for network security level protection
GB/T 25069-2010 Information security technology terminology
GB/T 31186.2-2014 Bank customer basic information description specification Part 2: Name
GB/T 31186.3-2014 Bank customer basic information description specification Part 3: Identification
GB/T 35273-2017 Information security technology - Personal information security specification
JR/T 0068-2020 General specification for information security of online banking system
JR/T 0071 Implementation Guidelines for Information Security Level Protection of Information Systems in the Financial Industry
JR/T 0092-2019 Security Management Specification for Mobile Financial Client Application Software
JR/T 0149-2016 China Financial Mobile Payment Tokenization Technical Specifications
JR/T 0167-2018 Cloud Computing Technology Financial Application Specification Security Technical Requirements
Some standard content:
ICS 35.240.40
People's Republic of China Financial Industry Standard JR/T 0171—2020
Personal financial information protection technical specification
Issued 2020-02-13
Implemented 2020-02-13
Issued by the People's Bank of China
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of personal financial information
5 Basic principles of security
6 Security technical requirements
7 Security management requirements
Appendix A (Informative Appendix) Information shielding
References
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
The drafting units of this standard are: Science and Technology Department of the People's Bank of China, Zhengzhou Branch of the People's Bank of China, Beijing UnionPay Gold Card Technology Co., Ltd., Bank of China Co., Ltd., China UnionPay Co., Ltd., China National Network Payment Corporation, Zhejiang Ant Small and Micro Financial Services Group Co., Ltd., Lakala Payment Co., Ltd., China Financial Electronicization Company, Wuhan Branch of the People's Bank of China, Industrial and Commercial Bank of China Co., Ltd., Agricultural Bank of China Co., Ltd., China Construction Bank Co., Ltd., Ping An Insurance (Group) Co., Ltd., Beijing CICC Guosheng Certification Co., Ltd., Beijing Software Product Quality Testing and Inspection Center, CICC Financial Certification Center Co., Ltd., Information Industry Information Security Evaluation Center, Huatai Securities Co., Ltd., China People's Insurance Group Co., Ltd., Tenpay Payment Technology Co., Ltd., China Payment and Clearing Association, China Internet Finance Association, and Jianxin Financial Technology Co., Ltd.
The main drafters of this standard are: Li Wei, Li Xingfeng, Zhang Hongji, Guan Xiaohui, Liu Yulu, Tang Qinjin, Guo Linjing, Zhao Zhanyong, Xiong Jicheng, Qu Shaoguang, Meng Feiyu, Gao Qiangyi, Chen Cong, Ju Kun, Chen Xuexiu, Gong Lili, Xu Yanjiao, Niu Xiaowei, Wang Huan, Zhan Zhao, Qiang Qunli, Guo Lin, Yang Meng, Chen Jun, Li Yi, Feng Jianjian, Tang Ling, Huang Bentao, Wei Meng, Liu Qiongyao, Zhao Xu, Sun Gui, Zhou Lihua, Mu Yanyan, Wang Jiawei, Zhang Yang, Cai Jiayong, Liu Yang, Sun Pengliang, Nie Liqin, Liu Likang, Niu Yuehua, Chen Wei, Wang Xiujun, Ren Fengli, Xie Zongxiao, Dong Yanan, Zhang Xugang, Liu Jian, Dong Jingjing, Zhang Song, Yu Xiaoxue, Wu Yongqiang, Lu Jiayou, Shi Zhujun, Yu Pei, Hou Xiaochen, Tian Ran, Wang Zehang, He Weiming, Liang Weitao.
Personal financial information is the extension and refinement of personal information in the financial field around account information, identification information, financial transaction information, personal identity information, property information, loan information, etc. It is an important basic data accumulated by financial institutions in the process of providing financial products and services, and is also an important part of personal privacy. Once personal financial information is leaked, it will not only directly infringe on the legitimate rights and interests of the subject of personal financial information and affect the normal operation of financial institutions, but may even bring about systemic financial risks. This standard is compiled to strengthen the security management of personal financial information, guide relevant institutions to standardize the processing of personal financial information, protect the legitimate rights and interests of the subject of personal financial information to the greatest extent, and maintain the stability of the financial market.
1 Scope
This standard specifies the security protection requirements for personal financial information in each link of its life cycle, including collection, transmission, storage, use, deletion, and destruction, and puts forward normative requirements for the protection of personal financial information from the two aspects of security technology and security management. This standard applies to financial institutions that provide financial products and services, and provides a reference for security assessment institutions to carry out security inspections and assessments.
2 Normative References
The following documents are essential for the application of this document. For any dated referenced document, only the dated version applies to this document. For any undated referenced document, the latest version (including all amendments) applies to this document.
GB/T 22239-2019 Information security technology - Basic requirements for network security level protection
GB/T 25069-2010 Information security technology terminology
GB/T 31186.2-2014 Bank customer basic information description specification Part 2: Name
GB/T 31186.3-2014 Bank customer basic information description specification Part 3: Identification
GB/T 35273-2017 Information security technology - Personal information security specification
JR/T 0068-2020 General specification for information security of online banking system
JR/T 0071 Implementation guidelines for information security level protection of information systems in the financial industry
JR/T 0092-2019 Security management specification for mobile financial client application software
JR/T 0149-2016 China financial mobile payment tokenization technical specification
JR/T 0167-2018 Cloud computing technology financial application specification security technical requirements
3 Terms and definitions
The terms and definitions given in GB/T 25069-2010 and GB/T 35273-2017 and the following apply to this document.
3.1 financial industry institutions
Financial industry institutions in this standard refer to licensed financial institutions supervised by the national financial management department, as well as related institutions involved in the security and processing of personal financial information.
3.2 personal financial information
Personal information obtained, processed and stored by financial institutions through the provision of financial products and services or through other channels.
Note 1: Personal financial information in this standard includes account information, identification information, financial transaction information, personal identity information, property information, loan information and other information reflecting certain circumstances of specific individuals.
Note 2: Rewritten from GB/T 35273-2017, definition 3.1.
3.3 payment sensitive information
Important information within payment information that involves the privacy and identity identification of the payment subject.
Note: Payment sensitive information includes but is not limited to bank card magnetic track data or chip equivalent information, card verification code, card validity period, bank card password, online payment transaction password and other personal financial information used for payment authentication.
3.4 personal financial information subject
The natural person identified by personal financial information.
Note: Rewritten from GB/T 35273-2017, definition 3.3.
3.5 personal financial information controller
An institution that has the right to decide the purpose and method of processing personal financial information.
Note: Rewritten from GB/T 35273-2017, definition 3.4.
3.6 collect
The act of obtaining control over personal financial information.
Note 1: Collection includes active provision by the subject of personal financial information, automatic collection through interaction with the subject or recording of the subject's behaviour, and indirect acquisition of personal financial information through sharing, transfer and the collection of public information.
Note 2: If the provider of financial products or services provides tools for the subject of personal financial information to use, and the provider does not access the personal financial information, this does not constitute collection in the sense of this standard. For example, if mobile banking client application software obtains the user's fingerprint feature information on the terminal for local authentication but does not transmit it back to the provider, it does not constitute collection of the user's fingerprint feature information.
Note 3: Rewritten from GB/T 35273-2017, definition 3.5.
3.7 public disclosure
[GB/T 35273—2017, definition 3.10]
3.8 transfer
The transfer of control over personal financial information from one controller to another.
Note: Rewritten from GB/T 35273—2017, definition 3.11.
3.9 sharing
The process in which a controller of personal financial information provides personal financial information to other controllers, with both parties having independent control over the personal financial information.
Note: Rewritten from GB/T 35273-2017, definition 3.12.
3.10 personal financial information security impact assessment
The process of examining the legality and compliance of personal financial information processing activities, judging the various risks of damage to the legitimate rights and interests of personal financial information subjects, and evaluating the effectiveness of the various measures used to protect personal financial information subjects.
Note: Rewritten from GB/T 35273-2017, definition 3.8.
3.11 payment account
A bank account with a financial transaction function, the payment account of a non-bank payment institution, or a bank card number.
Note: Rewritten from JR/T 0149-2016, definition 3.1.
3.12 payment token
A value used as a substitute for original transaction elements such as the payment account, used to complete payment transactions in specific scenarios.
[JR/T 0149-2016, definition 3.2]
3.13 track data
Required or optional data elements defined for track 1, track 2 and track 3.
Note: Track data can be on the magnetic stripe of a physical card, or included in an integrated circuit or other media.
[JR/T 0061-2011, definition 3.20]
3.14 card verification number; CVN
A code used to verify the legitimacy of the magnetic stripe information.
[JR/T 0061—2011, definition 8.7]
3.15 card verification number 2; CVN2
A code used to verify the legitimacy of a bank card in non-face-to-face transactions such as mail order or telephone order.
[JR/T 0061—2011, definition 8.8]
3.16 dynamic password
A one-time password dynamically generated based on time, events, etc.
[GM/Z 0001—2013, definition 2.15]
3.17 SMS dynamic password; SMS verification code
A random number sent by the backend system to the user's bound mobile phone as a text message; the user authenticates his or her identity by replying with the random number.
[JR/T 0088.1—2012, definition 2.44]
3.18 customer legal name
The legally recognized customer name.
Note 1: The customer legal name is generally recorded on the certificate issued to the customer by the nationally authorized department. The customer in this standard mainly refers to the natural person customer.
Note 2: Rewritten from GB/T 31186.2—2014, definition 3.23.
3.19 certificate identification mark; legal discriminating ID
An identifier issued by the legally authorized national department that can uniquely identify the customer and has legal effect.
Note 1: The certificate identification mark is exogenous data. Exogenous data means that the user of the data is not the owner of the data, and the data's generation, change or abolition may not be known to the user.
Note 2: Internal certificate identifiers generated by users of this standard for their own business needs should not be used outside those users and have no legal effect.
Note 3: Rewritten from GB/T 31186.3-2014, definition 3.23.
3.20 unauthorized reading
Reading of information without the authorization of the owner of the information or of an authorized person.
Note 1: Unauthorized reading may be well-intentioned or malicious: unauthorized reading through accidental leakage by the information processor is an information leakage incident; unauthorized reading deliberately obtained by an attacker through measures that defeat the relevant security measures is an information theft incident.
Note 2: "Illegal viewing" is an imprecise term for unauthorized reading, but it is unambiguous in a specific context.
3.21 unauthorized altering
Altering of information without the authorization of the owner of the information or of an authorized person.
Note 1: Unauthorized changes are typically divided into three categories: unauthorized addition (adding new content), unauthorized modification (modifying existing content) and unauthorized deletion (deleting original content); they may also be a combination of the three.
Note 2: Unauthorized changes may be made in good faith or in bad faith; they often manifest as information tampering, information forgery, information loss, etc.
Note 3: "Illegal changes" is an imprecise term for unauthorized changes, but it is unambiguous in a specific context.
3.22 explicit consent
The act by which the subject of personal financial information explicitly authorizes the specific processing of his or her personal financial information through a written statement or an affirmative action.
Note 1: Affirmative actions include the subject of personal financial information actively making a statement (in electronic or paper form), actively selecting, actively clicking "agree", "register", "send" or "dial", actively filling in or providing information, etc.
Note 2: Rewritten from GB/T 35273-2017, definition 3.6.
3.23 anonymization
The process of technically processing personal financial information so that the subject of personal financial information cannot be identified and the processed information cannot be restored.
Note 1: Information obtained after anonymization of personal financial information is not personal financial information.
Note 2: Rewritten from GB/T 35273-2017, definition 3.13.
3.24 de-identification
The process of technically processing personal financial information so that the subject of personal financial information cannot be identified without the help of additional information.
Note 1: De-identification remains based on individuals, retaining individual granularity, and uses pseudonyms, encryption, salted hash functions and other technical means to replace the identifiers in personal financial information.
Note 2: Rewritten from GB/T 35273-2017, definition 3.14.
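The distinction between anonymization (3.23) and de-identification (3.24) in working code, added here as an example and not part of the standard: direct identifiers are replaced by keyed pseudonyms (an HMAC, one of the keyed or salted hash means Note 1 of 3.24 lists) for de-identification, and by generalized aggregates for anonymization. The field names, the sample records and the small-group suppression threshold are constructed assumptions for this example.

```python
"""De-identification vs. anonymization (JR/T 0171-2020, 3.23 and 3.24).

De-identification keeps one row per individual but replaces direct
identifiers with keyed pseudonyms; the key is the 'additional information'
that makes re-identification possible, so it is held apart from the data.
Anonymization removes identifiers and aggregates, so no row refers to an
individual and the transformation cannot be reversed.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records with fictitious values (not real persons).
RECORDS: List[Dict[str, object]] = [
    {"name": "Zhang San", "id_card": "110101199001011234", "phone": "13800000001", "city": "Beijing", "income": 18500},
    {"name": "Li Si", "id_card": "310101198505052345", "phone": "13900000002", "city": "Shanghai", "income": 9200},
    {"name": "Wang Wu", "id_card": "440101199212123456", "phone": "13700000003", "city": "Beijing", "income": 26000},
    {"name": "Zhao Liu", "id_card": "110101197807074567", "phone": "13600000004", "city": "Beijing", "income": 15800},
]

# Direct identifiers (category C2 under 4.2 b); field names are assumed here).
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "id_card", "phone")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of one identifier value.

    An unkeyed hash of an ID card number or phone number can be reversed by
    enumerating the (small) value space; the secret key is what prevents that
    and is the 'additional information' referred to in 3.24.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(records: Iterable[Dict[str, object]], key: bytes,
               fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> List[Dict[str, object]]:
    """Replace each direct identifier with its pseudonym.

    Individual granularity is preserved (Note 1 of 3.24): the same subject
    yields the same pseudonym under a given key, so rows stay linkable per
    person, and non-identifying attributes such as income are left intact.
    """
    out = []
    for rec in records:
        row = dict(rec)
        for f in fields:
            if f in row:
                row[f] = pseudonym(str(row[f]), key)
        out.append(row)
    return out


def reidentify(pseud: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Reverse de-identification given the additional information: the key and
    the set of known identifier values. Without the key this is infeasible."""
    for value in candidates:
        if hmac.compare_digest(pseudonym(value, key), pseud):
            return value
    return None


def income_band(income: int) -> str:
    """Generalize an exact income into a coarse band (bands assumed here)."""
    if income < 10000:
        return "<10k"
    if income < 20000:
        return "10k-20k"
    return ">=20k"


def anonymize(records: Iterable[Dict[str, object]], min_group_size: int = 2) -> Dict[Tuple[str, str], int]:
    """Drop identifiers, generalize, and aggregate to counts per (city, band).

    Groups smaller than min_group_size are suppressed; that small-cell rule is
    a common practice assumed for this example, not a requirement of the
    standard. The result contains no per-individual rows and cannot be mapped
    back to a subject (Note 1 of 3.23), so it is no longer personal financial
    information.
    """
    counts = Counter((str(r["city"]), income_band(int(r["income"]))) for r in records)
    return {group: n for group, n in counts.items() if n >= min_group_size}
```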
3.25 delete
The act of removing personal financial information from the systems involved in financial products and services so that it remains in an inaccessible and unretrievable state.
Note: Rewritten from GB/T 35273-2017, definition 3.9.
4 Overview of Personal Financial Information
4.1 Contents of Personal Financial Information
Personal financial information includes account information, identification information, financial transaction information, personal identity information, property information, loan information and other information reflecting certain circumstances of specific personal financial information subjects, as follows:
a) Account information refers to accounts and account-related information, including but not limited to payment account number, bank card magnetic track data (or chip equivalent information), bank card validity period, securities account, insurance account, account opening time, account opening institution, account balance, and payment token information generated from the above information.
b) Identification information refers to information used to verify whether the subject has access or use rights, including but not limited to bank card password, prepaid card payment password, personal financial information subject login password, account query password, transaction password, card verification code (CVN and CVN2), dynamic password, SMS verification code, password hint question answer, etc.
c) Financial transaction information refers to the various types of information generated by the personal financial information subject during transactions, including but not limited to transaction amount, payment records, overdraft records, transaction logs, transaction vouchers, securities entrustment, transaction and position information, insurance policy information, claim information, etc.
d) Personal identity information refers to basic personal information, personal biometric information, etc. Basic personal information includes but is not limited to the customer's legal name, gender, nationality, ethnicity, occupation, marital status, family status, income, ID card, passport and other documents, mobile phone number, landline number, email address, work and home address, and photos, audio and video information collected in the process of providing products and services. Personal biometric information includes but is not limited to fingerprints, faces, irises, ear prints, palm prints, veins, voice prints, eye prints, gait, handwriting and other biometric sample data, feature values and templates.
e) Property information refers to the property information of the personal financial information subject collected or generated by the financial industry in the process of providing financial products and services, including but not limited to personal income status, real estate status, vehicle status, payment amount, provident fund deposit amount, etc.
f) Loan information refers to information generated by the personal financial information subject in the lending business of the financial industry, including but not limited to credit, credit card and loan issuance and repayment, guarantee status, etc.
g) Other information:
· information formed by processing and analyzing raw data that can reflect certain circumstances of a specific individual, including but not limited to the consumption intention, payment habits and other derived information of the specific personal financial information subject;
· other personal information obtained and stored in the process of providing financial products and services.
4.2 Categories of personal financial information
Based on the impact and harm caused by unauthorized viewing or unauthorized alteration of the information, personal financial information is divided into three categories from high to low sensitivity: C3, C2 and C1. The details are as follows:
a) Category C3 information is mainly user identification information. Once such information is viewed or altered without authorization, it will cause serious harm to the information security and property security of the subject of personal financial information. It includes but is not limited to:
· bank card magnetic track data (or chip equivalent information), card verification code (CVN and CVN2), card validity period, bank card password, online payment transaction password;
· account (including but not limited to payment account, securities account, insurance account) login password, transaction password, query password;
· personal biometric information used for user identification.
b) Category C2 information is mainly personal financial information that can identify the identity and financial status of a specific personal financial information subject, as well as key information used for financial products and services. Once such information is viewed or altered without authorization, it will cause certain harm to the information security and property security of the subject of personal financial information. It includes but is not limited to:
· payment account and its equivalent information, such as payment account, certificate identification mark and certificate information (ID card, passport, etc.), mobile phone number;
· account (including but not limited to payment account, securities account, insurance account) login user name;
· user identification auxiliary information, such as dynamic password, SMS verification code, answer to password hint question, dynamic voiceprint password; if the user identification auxiliary information is used in combination with the account to directly complete user identification, it belongs to category C3;
· information that directly reflects the financial status of the subject of personal financial information, such as personal property information (including online payment account balance) and loan information;
· key information used for financial products and services, such as transaction information (transaction instructions, transaction flows, securities entrustment, insurance claims, etc.);
· photos, audio, video and other image information of the subject of personal financial information collected in the process of providing products and services to fulfil know-your-customer (KYC) requirements and the evidence storage and preservation needs of the competent industry department;
· other information that can identify a specific subject, such as home address.
c) Category C1 information is mainly information assets within the institution, mainly referring to personal financial information used within financial institutions. Once such information is viewed or altered without authorization, it may have a certain impact on the information security and property security of the subject of personal financial information. It includes but is not limited to:
· account opening time and account opening institution;
· payment token information generated from account information;
· other personal financial information not included in categories C2 and C3.
Information about family members (such as ID card number, mobile phone number, property information, etc.) actively provided by the subject of personal financial information for business needs (such as loans) should be classified according to the C3, C2 and C1 sensitivity categories, and targeted protection measures should be implemented.
Two or more items of low-sensitivity information may generate high-sensitivity information after combination, association and analysis. The same information may fall into different categories in different service scenarios. The category of information should be identified based on the service scenario and the role of the information in it, and targeted protection measures should be implemented.
4.3 Personal Financial Information Life Cycle
The personal financial information life cycle refers to the entire process of collecting, transmitting, storing, using, deleting, and destroying personal financial information. The description of each link is as follows:
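The C3/C2/C1 scheme of 4.2 above as a classifier, added here as an example and not part of the standard: a per-field lookup built from the lists in 4.2 a), b) and c), plus the two rules the text states beyond the lookup, namely that user identification auxiliary information is C2 alone but C3 when handled together with an account to complete identification, and that a data set takes the level of its most sensitive field. The field names and the scenario flag are assumptions for this example.

```python
"""Classifying personal financial information into C3/C2/C1 (JR/T 0171-2020, 4.2).

Field names are assumptions for this example; the category each maps to
follows the bullet lists of 4.2. Anything handled that is not listed under
C3 or C2 falls to C1 per 4.2 c), but is reported separately so a reviewer
can confirm the scenario-specific category.
"""
from typing import Dict, Iterable, List, Set

RANK = {"C1": 1, "C2": 2, "C3": 3}

# 4.2 a): user identification information.
C3_FIELDS: Set[str] = {
    "track_data", "chip_equivalent_data", "cvn", "cvn2", "card_expiry",
    "bank_card_password", "online_payment_password", "login_password",
    "transaction_password", "query_password", "biometric_for_identification",
}
# 4.2 b): identity, financial status and key service information.
C2_FIELDS: Set[str] = {
    "payment_account", "id_document_number", "id_document_info", "phone_number",
    "login_username", "account_balance", "property_info", "loan_info",
    "transaction_instruction", "transaction_flow", "securities_order",
    "insurance_claim", "kyc_photo", "kyc_audio_video", "home_address",
}
# 4.2 b): user identification auxiliary information, C2 on its own but C3
# when combined with an account to directly complete user identification.
C2_AUXILIARY: Set[str] = {
    "dynamic_password", "sms_code", "password_hint_answer", "voiceprint_password",
}
# 4.2 c): information assets used within the institution.
C1_FIELDS: Set[str] = {"account_open_time", "account_open_institution", "payment_token"}

# Account identifiers whose presence triggers the escalation rule (assumed set).
ACCOUNT_FIELDS: Set[str] = {"payment_account", "login_username"}


def classify_field(name: str) -> str:
    """Category of a single field considered on its own."""
    if name in C3_FIELDS:
        return "C3"
    if name in C2_FIELDS or name in C2_AUXILIARY:
        return "C2"
    # 4.2 c): other personal financial information not in C2/C3 is C1.
    return "C1"


def classify_record(fields: Iterable[str], used_for_identification: bool = True) -> Dict[str, object]:
    """Classify a set of fields that are handled together.

    used_for_identification stands in for the service-scenario dependency the
    standard describes (a simplification assumed here): only when the set is
    used to complete user identification does auxiliary information present
    together with an account escalate to C3. The record's protection level is
    that of its most sensitive field.
    """
    names = set(fields)
    per_field = {n: classify_field(n) for n in names}
    escalated: List[str] = []
    if used_for_identification and names & ACCOUNT_FIELDS:
        for n in sorted(names & C2_AUXILIARY):
            per_field[n] = "C3"
            escalated.append(n)
    listed = C3_FIELDS | C2_FIELDS | C2_AUXILIARY | C1_FIELDS
    unlisted = sorted(n for n in names if n not in listed)
    level = max(per_field.values(), key=RANK.__getitem__) if per_field else "C1"
    return {
        "level": level,
        "fields": per_field,
        "escalated": escalated,
        "unlisted_for_review": unlisted,
    }


if __name__ == "__main__":
    # An SMS code stored next to the payment account it authenticates is C3,
    # while the same code stored alone stays C2.
    print(classify_record({"sms_code", "payment_account", "account_open_time"}))
    print(classify_record({"sms_code", "account_open_time"}))
```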
Based on the impact and harm caused by unauthorized viewing or unauthorized changes to the information, personal financial information is divided into three categories from high to low sensitivity: C3, C2, and C1. The details are as follows: a) Information in category C3 is mainly user identification information. Once such information is viewed or changed without authorization, it will cause serious harm to the information security and property security of the subject of personal financial information, including but not limited to: bank card track data (or chip equivalent information), card verification code (CVN and CVN2), card validity period, bank card password, online payment transaction password, account (including but not limited to payment account, securities account, insurance account), login password, transaction password, query password; ·
4.2 Categories of personal financial information
Based on the impact and harm that unauthorized viewing or unauthorized alteration of the information would cause, personal financial information is divided into three categories, from high to low sensitivity: C3, C2 and C1. The details are as follows:
a) Information in category C3 is mainly user authentication information. Once such information is viewed or altered without authorization, it will cause serious harm to the information security and property security of the personal financial information subject. It includes but is not limited to:
· bank card track data (or chip equivalent information), card verification code (CVN and CVN2), card validity period;
· bank card password, online payment transaction password;
· login password, transaction password and query password of accounts (including but not limited to payment accounts, securities accounts and insurance accounts); note that the account identifier itself is category C2, the secrets that authenticate access to it are C3;
· personal biometric information used for user authentication.
b) Information in category C2 is mainly personal financial information that can identify the identity and financial status of a specific personal financial information subject, together with key information used in financial products and services. Once such information is viewed or altered without authorization, it will cause a certain degree of harm to the information security and property security of the subject. It includes but is not limited to:
· payment account numbers and their equivalent information, such as the payment account number, identity document type and number (ID card, passport, etc.) and mobile phone number;
· user names used to log in to accounts (including but not limited to payment accounts, securities accounts and insurance accounts);
· auxiliary user authentication information, such as dynamic passwords, SMS verification codes, answers to password hint questions and dynamic voiceprint passwords; where such auxiliary information is used in combination with the account to directly complete user authentication, it belongs to category C3;
· information that directly reflects the financial status of the subject, such as personal property information (including online payment account balances) and loan information;
· key information used in financial products and services, such as transaction information (transaction instructions, transaction records, securities orders, insurance claims, etc.);
· photos, audio and video recordings and other image information of the subject collected while providing products and services, in order to meet Know Your Customer (KYC) requirements or the evidence retention needs of the competent industry authorities;
· other information that can identify a specific subject, such as home address.
c) Information in category C1 is mainly information assets internal to the institution, that is, personal financial information used within the financial institution. Once such information is viewed or altered without authorization, it may have a certain impact on the information security and property security of the personal financial information subject. It includes but is not limited to:
· account opening time and account opening institution;
· payment tag (token) information generated from account information;
· other personal financial information not included in categories C2 and C3.
Information about family members (such as ID card numbers, mobile phone numbers and property information) that the personal financial information subject actively provides for business needs such as loans should likewise be assigned to the C3, C2 and C1 sensitivity categories, and targeted protection measures should be implemented.
Two or more items of lower-sensitivity information may, after combination, association or analysis, yield information of a higher category. The same item of information may fall into different categories in different service scenarios. The category of an item should therefore be determined from the service scenario and the role the item plays in it, and targeted protection measures applied on that basis.
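As an added example (not code from the standard, and not any institution's implementation), the following shows how the 4.2 categories and the two context rules could be encoded as a field-level classifier that a logging or data-handling layer can call: auxiliary authentication data that appears together with an account identifier is promoted to C3, and a record is judged by the most sensitive field it contains. The field names, the per-category log handling (drop C3, mask C2, keep C1) and the fail-closed treatment of unlabelled fields are assumptions of this example, not requirements of the standard.

```python
"""Field-level classifier for the C3/C2/C1 sensitivity categories of section 4.2.

Field names and the per-category handling policy are assumptions made for this
example; only the category assignments and the two context rules (auxiliary
authentication data combined with an account is C3; combined fields are judged
by the most sensitive result) come from the section above.
"""
from enum import IntEnum
from typing import Dict, Mapping


class Category(IntEnum):
    C1 = 1
    C2 = 2
    C3 = 3


# Field names are this example's own labels (assumed); the category
# assignments follow the lists in 4.2.
FIELD_CATEGORY: Dict[str, Category] = {
    # C3: user authentication information
    "card_track_data": Category.C3,
    "cvn2": Category.C3,
    "card_expiry": Category.C3,
    "card_pin": Category.C3,
    "login_password": Category.C3,
    "transaction_password": Category.C3,
    "biometric_template": Category.C3,
    # C2: identity, financial status and key service information
    "payment_account": Category.C2,
    "id_document_number": Category.C2,
    "mobile_phone": Category.C2,
    "login_username": Category.C2,
    "sms_code": Category.C2,              # auxiliary authentication information
    "password_hint_answer": Category.C2,  # auxiliary authentication information
    "account_balance": Category.C2,
    "loan_record": Category.C2,
    "transaction_record": Category.C2,
    "home_address": Category.C2,
    # C1: information used inside the institution
    "account_opening_time": Category.C1,
    "account_opening_branch": Category.C1,
    "payment_token": Category.C1,
}

# Auxiliary authentication data that becomes C3 when it appears together with
# an account identifier (context rule from 4.2).
AUTH_AUX_FIELDS = frozenset({"sms_code", "password_hint_answer"})
ACCOUNT_ID_FIELDS = frozenset({"payment_account", "login_username"})


def classify_field(name: str) -> Category:
    """Category of a single field. Unlabelled fields fail closed: 4.2 puts
    residual information into C1, but an unreviewed field should be labelled,
    not silently downgraded (design choice of this example)."""
    try:
        return FIELD_CATEGORY[name]
    except KeyError:
        raise ValueError(f"field {name!r} has no sensitivity label") from None


def effective_categories(fields: Mapping[str, str]) -> Dict[str, Category]:
    """Per-field categories after the combination rule: auxiliary
    authentication data alongside an account identifier is treated as C3."""
    has_account = bool(set(fields) & ACCOUNT_ID_FIELDS)
    result: Dict[str, Category] = {}
    for name in fields:
        cat = classify_field(name)
        if has_account and name in AUTH_AUX_FIELDS:
            cat = Category.C3
        result[name] = cat
    return result


def classify_record(fields: Mapping[str, str]) -> Category:
    """Category of the record as a whole: its most sensitive field. An empty
    record carries no personal financial information and is treated as C1."""
    return max(effective_categories(fields).values(), default=Category.C1)


def mask(value: str, keep: int = 4) -> str:
    """Keep the last `keep` characters and replace the rest with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def redact_for_log(fields: Mapping[str, str]) -> Dict[str, str]:
    """Assumed handling policy for application logs (not from the standard):
    C3 is dropped entirely, C2 is masked, C1 is written as-is."""
    out: Dict[str, str] = {}
    for name, cat in effective_categories(fields).items():
        if cat is Category.C3:
            out[name] = "<C3 removed>"
        elif cat is Category.C2:
            out[name] = mask(fields[name])
        else:
            out[name] = fields[name]
    return out


if __name__ == "__main__":
    # Constructed sample: an SMS-code login request as an application might log it.
    request = {"login_username": "alice", "sms_code": "123456",
               "account_opening_time": "2020-02-13"}
    print(classify_record(request).name, redact_for_log(request))
```

The same SMS code that is C2 on its own is dropped from the log once the request also carries the account's user name, which is exactly the scenario-dependent classification the section calls for; a static per-field label table alone would have masked it as C2.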
4.3 Personal financial information life cycle
The personal financial information life cycle refers to the entire process of collecting, transmitting, storing, using, deleting and destroying personal financial information. Each link is described as follows: