General specification of information security for internet banking system
Introduction to standards:
Standard number: JR/T 0068-2020
Standard name: General specification of information security for internet banking system
English name: General specification of information security for internet banking system
Standard format: PDF
Release time: 2020-02-05
Implementation time: 2020-02-05
Standard size: 2.16M
Standard introduction: This standard specifies the security technical requirements, security management requirements, and business operation security requirements for the internet banking system, and provides a basis for the construction, operation and evaluation of the internet banking system.
This standard applies to the internet banking system operated by commercial banks and other banking financial institutions established within the territory of the People's Republic of China. The business systems of other financial institutions providing online financial services should refer to this standard.
Note 1: This standard is divided into two levels: basic requirements and enhanced requirements. The basic requirements are the minimum security requirements, and the enhanced requirements are the requirements to further improve the security of the system. Each unit should follow the enhanced requirements while complying with the basic requirements, actively take improvement measures, and continuously improve security capabilities.
Note 2: If there is no special reference to "corporate online banking" in this standard, it applies to both personal online banking and corporate online banking.
This standard is drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces JR/T 0068-2012 "General Specification for Information Security of Online Banking Systems".
Compared with JR/T 0068—2012, the main changes of this standard are as follows:
——Added requirements related to SM series algorithms (see 5.4);
——Deleted the content that is repeated with the requirements of JR/T 0071 "Guidelines for the Implementation of Information Security Level Protection of Information Systems in the Financial Industry" (6.1.4 and 6.2 of the 2012 edition);
——Modified the description of client security, and supplemented the security requirements such as self-protection and sensitive information protection (see 6.2.1.1, 6.1.1 of the 2012 edition);
——Added requirements related to barcode payment (see 6.2.1.1, 6.2.4.3);
——Modified the security requirements for dedicated security equipment and renamed it "dedicated security mechanism" (see 6.2.2, 6.1.2 of the 2012 edition);
——Added requirements related to security unit and trusted environment for mobile terminal payment (see 6.2.2.1 and 6.2.2.5);
——Added requirements related to biometrics (see 6.2.2.5);
——Added requirements related to cloud computing security (see 6.2.4.1 and 6.3.1);
——Added requirements related to IPv6 (see 6.2.4.3);
——Added requirements related to virtualization security (see 6.2.4.4);
——Added basic description and security requirements for the security of the connection between the online banking system and the external system (see 6.2.5);
——Modified the security requirements for business continuity and disaster recovery (see 6.3.7; k and l in 6.2.6 of the 2012 edition);
——Modified the security requirements for security incidents and emergency response (see 6.3.8; m and n in 6.2.6 of the 2012 edition);
——Added requirements for Class II and Class III bank settlement accounts and transaction security locks (see 6.4.1);
——Deleted the basic network protection architecture reference diagram, the enhanced network protection architecture reference diagram and the physical security content in the appendices (Appendix A, Appendix B and Appendix C of the 2012 edition).
This standard is proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
The drafting units of this standard are: Science and Technology Department of the People's Bank of China, China UnionPay Co., Ltd., Bank Card Testing Center, Industrial and Commercial Bank of China Co., Ltd., China Construction Bank Co., Ltd., Agricultural Bank of China Co., Ltd., China Postal Savings Bank Co., Ltd., China Merchants Bank Co., Ltd., China Minsheng Bank Co., Ltd., National Information Technology Security Research Center, and China Financial Certification Center Co., Ltd.
The main drafters of this standard are: Li Wei, Chen Liwu, Che Zhen, Zhou Heng, Zan Xin, Xia Lei, Yan Jinguo, Qu Weimin, Shen Xiaoyan, Zhao Qiaowei, He Shuo, Hua Jinzhi, Yang Yang, Xu Yanjun, Zhang Ming, Tang Yang, Qu Shaoguang, Meng Feiyu, Zhang Zhibo, Gao Zhimin, Sun Maozeng, Gao Qiangyi, Ma Zhe, Li Bowen, Zhao Mengjie, Li Jingchun, Li Bing, Cao Yue, Su Jianming, Jiang Cheng, Wu Hongwei, Li Hui, Wang Ning, Yang Jie, Liao Minfei, Liu Hongbo, Liang Zhiyang, Liao Yuan, Xia Lei, Liang Jianfeng, Wu Xin, Li Xiao, Wu Degang, Li Qiang, Zeng Qingxiang, Ji Xiaojie, Li Chao, Ma Chunwang, Zhao Shengli, Huang Chunfang, Xue Jinchuan, Jiang Jianxiao, Li Wei, Hou Manli.
The previous versions of the standards replaced by this standard are:
——JR/T 0068—2012.
The following documents are essential for the application of this document. For any referenced document with a date, only the version with the date is applicable to this document. For any referenced document without a date, the latest version (including all amendments) is applicable to this document.
GB/T 25069—2010 Information Security Technical Terminology
GB/T 27912—2011 Biometric Identification Security Framework for Financial Services
GM/Z 0001—2013 Cryptographic Terminology
GM/T 0002—2012 SM4 Block Cipher Algorithm
GM/T 0003—2012 SM2 Elliptic Curve Public Key Cryptography Algorithm
GM/T 0004—2012 SM3 Cryptographic Hash Algorithm
GM/T 0021—2012 Technical Specification for Dynamic Password Application
JR/T 0071 Implementation Guidelines for Network Security Level Protection in the Financial Industry
JR/T 0098.5 China Financial Mobile Payment Testing Specification Part 5: Security Unit (SE) Embedded Software Security
JR/T 0118—2015 Financial Electronic Authentication Specification
JR/T 0149—2016 China Financial Mobile Payment Payment Tokenization Technical Specification
JR/T 0156—2017 Mobile Terminal Payment Trusted Environment Technical Specification
JR/T 0166—2018 Cloud Computing Technology Financial Application Specification Technical Architecture
JR/T 0167—2018 Cloud Computing Technology Financial Application Specification Security Technical Requirements
JR/T 0168—2018 Cloud Computing Technology Financial Application Specification Disaster Recovery
Notice of the People's Bank of China on Improving Personal Bank Account Services and Strengthening Account Management (Yinfa [2015] No. 392), 2015-12-25
Notice of the People's Bank of China on Further Strengthening Bank Card Risk Management (Yinfa [2016] No. 170), 2016-06-13
Notice of the People's Bank of China on Strengthening Payment and Settlement Management to Prevent New Types of Telecom Network Crimes (Yinfa [2016] No. 261), 2016-09-30
Notice of the People's Bank of China on Implementing the Classification Management System for Personal Bank Accounts (Yinfa [2016] No. 302), 2016-11-25
Notice of the General Office of the People's Bank of China on Strengthening the Security Management of Bank Card Magnetic Stripe Transactions (Yinbanfa [2017] No. 120), 2017-05-31
Barcode Payment Security Technical Specifications (Trial) (Yinbanfa [2017] No. 242), 2017-12-22
Notice of the People's Bank of China on Improving the Classification Management of Personal Bank Accounts (Yinfa [2018] No. 16), 2018-01-10
Notice of the People's Bank of China on Further Strengthening Payment and Settlement Management and Preventing New Types of Telecom Network Crimes (Yinfa [2019] No. 85), 2019-03-22
Table of contents:
Foreword II
Introduction III
1 Scope 1
2 Normative References 1
3 Terms and Definitions 2
4 Abbreviations 3
5 Overview of Internet Banking System 4
6 Security Specifications 7
References 32
Some standard content:
ICS 35.240.40
Financial Industry Standard of the People's Republic of China
JR/T 0068—2020 (replaces JR/T 0068—2012)
General specification of information security for internet banking system
Issued 2020-02-05, implemented 2020-02-05, by the People's Bank of China
Introduction
This standard draws on the information security issues of online banking systems found in assessments and inspections, and on online banking incidents that have occurred, and puts forward targeted security requirements.
This standard aims to effectively enhance the security prevention capabilities of existing online banking systems and to promote the standardized and healthy development of online banking. It can be used as the security basis for the construction, transformation and upgrading of online banking systems by the various units, as well as for security inspection and internal audit, and can also be used as the basis for inspection, testing and certification by industry authorities and professional testing institutions.
3 Terms and Definitions
The terms and definitions given in GB/T 25069—2010 and GM/Z 0001—2013 and the following apply to this document. For convenience, some of the terms and definitions in GM/Z 0001—2013 are repeated below.
3.1 internet banking
Online financial services provided by commercial banks and other banking financial institutions to their customers through the Internet, mobile communication networks, other open public networks or dedicated network infrastructure.
3.2 personal internet banking
Online financial services provided by commercial banks and other banking financial institutions to individual users.
3.3 corporate internet banking
Online financial services provided by commercial banks and other banking financial institutions to enterprises, institutions and other organizations.
3.4 payment sensitive information
Passwords, keys and transaction-sensitive data that affect the security of online banking.
Note: Passwords include but are not limited to transfer passwords, query passwords, login passwords and certificate PINs. Keys include but are not limited to the symmetric keys and private keys used to ensure communication security and message integrity. Transaction-sensitive data include but are not limited to complete track data, expiry date, CVN and CVN2.
3.5 mobile terminal
A mobile device such as a mobile phone, tablet computer or wearable device, as opposed to a PC, through which online banking is accessed.
3.6 client program
A program that provides human-computer interaction functions for online banking customers, together with the components that provide the necessary functions.
Note: This includes but is not limited to executable files, controls, static link libraries and dynamic link libraries. In this standard, client programs include application software running on mobile terminals, but do not include general-purpose browsers such as IE.
3.7 cryptographic smart token (smart password key)
A terminal cryptographic device that provides cryptographic services such as cryptographic operations and key management, generally using a USB, Bluetooth, audio or SD interface.
3.8 cryptographic smart token firmware
Program code built into the smart password key that affects the security of the smart password key.
3.9 one-time password (OTP); dynamic password
A one-time password generated dynamically on the basis of time, events, etc.
[GM/Z 0001—2013, definition 2.15]
3.10 one-time password token
A device used to generate dynamic passwords.
[GM/Z 0001—2013, definition 2.16]
3.11 biometric
A measurable physiological or behavioural characteristic of a person that can reliably distinguish that person from others, so as to identify the identity of a registrant or confirm the registered identity claimed by the registrant.
[GM/Z 0001—2013, definition 4.4]
3.12 funds transaction
A transaction that operates on funds through online banking.
Note: For example, transfers, order payments, payments, etc. Fund changes whose risk is controlled, such as investment and wealth management under one's own name, custodial accounts and withholding agreements signed by oneself, do not fall into this category.
3.13 information and business changing transaction
A transaction that changes customer-related information, or opens or cancels a business, through online banking.
Note: For example, a customer modifying basic information, adjusting transaction limits, authorizing transactions, modifying transaction orders, opening (signing up for) a new business, cancelling a business, or signing electronic contracts and electronic insurance policies.
4 Abbreviations
The following abbreviations apply to this document.
CDN: Content Delivery Network
COS: Chip Operating System
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
DoS/DDoS: Denial of Service/Distributed Denial of Service
ESN: Electronic Serial Number
IDS/IPS: Intrusion Detection System/Intrusion Prevention System
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identification Number
IPSec: Internet Protocol Security
IPv4: Internet Protocol Version 4
IPv6: Internet Protocol Version 6
MAC: Message Authentication Code
MEID: Mobile Equipment Identifier
NTP: Network Time Protocol
SD: Secure Digital
SDK: Software Development Kit
SE: Secure Element
SEMA/DEMA: Simple Electromagnetic Analysis/Differential Electromagnetic Analysis
SPA/DPA: Simple Power Analysis/Differential Power Analysis
TEE: Trusted Execution Environment
USB: Universal Serial Bus
VPN: Virtual Private Network
5 Overview of Online Banking System
5.1 System Identification
The following contents shall be indicated in the system identification:
——Name: Online Banking System of ×× Bank;
——Affiliated bank.
5.2 System Description
The online banking system integrates traditional banking business with resources and technologies such as the Internet, and extends the traditional counter to customers through the Internet, mobile communication networks, other open public networks or private networks. It is an important measure by which commercial banks and other banking financial institutions develop new business, facilitate customer operations, improve service quality and adapt to the changes in production relations brought by the network economy, thereby improving their social and economic benefits. The online banking system mainly includes the online banking systems accessed through terminals such as PCs, mobile phones, tablet computers, smart TVs and wearable devices, such as mobile banking, WeChat banking, direct banking, bank-enterprise direct connection and small and micro enterprise banking. The online banking system covers both the personal online banking system and the corporate online banking system.
5.3 System components
5.3.1 Overview
The online banking system mainly consists of client, communication network and server, and can be connected to external systems through different types of communication networks to carry out various cooperative businesses. The server includes online banking access subnet, online banking business system, intermediate isolation equipment and bank processing system, as shown in Figure 1.
[Figure 1: Online banking system composition diagram. Labels recoverable from the figure: Client (with dedicated security mechanism), Communication network, Server; External area (Internet, external system), Security area 1 (online banking access subnet), Security area 2 (online banking business system), Bank internal system (bank processing system), with isolation equipment between the areas; Evaluation boundary 1, Evaluation boundary 2, Evaluation boundary 3.]
Note 1: External area: online banking users or external institutions use online banking clients to access the online banking business system through the Internet, mobile communication networks, other open public networks or private networks.
Note 2: Security area 1: the online banking access subnet, which provides web-based access, client-based access or redirect services.
Note 3: Security area 2: the online banking business system, mainly for online banking business processing.
Note 4: Bank internal system: the bank processing system, mainly for the bank's internal data processing.
Note 5: Isolation equipment: not limited to a specific form such as hardware or software; its main role is to isolate the different security areas.
5.3.2 Client
The client of the online banking system mainly includes the client program and the client environment. The client environment refers to the hardware terminal on which the client program runs (currently mainly PCs, mobile phones, tablets, smart TVs, wearable devices and other terminals, and possibly other forms of terminal in the future) and the overall operating environment composed of the operating system, browser and other programs on that terminal. The client environment usually does not have, or does not fully have, the trusted input, trusted output, trusted communication, trusted storage and trusted computing capabilities of dedicated financial transaction equipment. It is therefore necessary to use a dedicated security mechanism and to respond to transaction risks through strategies of acceptance, mitigation, avoidance and transfer. Financial institutions should ensure the security of the client in aspects such as software and hardware legitimacy verification, program integrity protection, data access control, data input security, data transmission security, data storage security and the trusted execution environment.
5.3.3 Communication network
Online banking provides financial services to customers with the help of technologies such as the Internet and mobile communication networks, and is therefore exposed to security threats at the communication level. Financial institutions should take measures to respond effectively to the related risks in aspects such as communication protocols, security authentication and communication link security.
5.3.4 Server side
The server side of the online banking system provides the online banking application services and core business processing functions. Financial institutions should make full use of protection technologies for the physical environment, communication network, computing environment and other areas to establish multiple strict lines of defence between attackers and the protected resources.
5.3.5 Connection with external systems
In addition to providing financial services directly to users, online banking may also cooperate with external institutions. In the process of designing, developing, deploying and operating online banking systems, full consideration should be given to the security risks that may exist in the systems of external institutions, and effective protection should be provided against various risks.
5.4 System security description
The online banking system should be divided into security domains according to the application system, customer objects, data sensitivity, etc. The description and definition of security domains can better describe the information security protection of the online banking system. Financial institutions should adopt special security mechanisms, including digital certificates, dynamic passwords, SMS verification codes, biometrics, etc., to ensure the security of online banking systems. Financial institutions should classify and manage security mechanisms according to the combination of five capabilities in transactions: trusted communication capability, trusted input capability, trusted output capability, trusted storage capability, and trusted computing capability, and formulate transaction security risk prevention strategies that are suitable for them.
Before financial institutions apply cloud computing technology in online banking systems, they should fully evaluate the scientific basis, security and reliability of applying cloud computing technology, taking into account the business importance and data sensitivity of the online banking system and the degree of harm that security incidents could cause. On the premise of ensuring the continuity of system business and the security of data and funds, they should adhere to the principles of security first and user responsibility, fully evaluate the possible risks and hidden costs, and carefully select the cloud computing deployment model for the financial field that is suitable for the business system. When adopting cloud computing technology, the online banking system should comply with technical standards such as JR/T 0166-2018, JR/T 0167-2018 and JR/T 0168-2018 and the relevant requirements of the industry authorities.
When using cryptographic algorithms, the online banking system should comply with the requirements of the national cryptographic authorities. For the encryption and transmission of payment sensitive information and for digital certificate signing and signature verification, it is advisable to support and give priority to the SM series cryptographic algorithms (GM/T 0002-2012, GM/T 0003-2012, GM/T 0004-2012).
6 Security Specifications
6.1 Overview
This specification is divided into three parts: security technical specifications, security management specifications and business operation security specifications. Financial institutions should take security measures of the corresponding level for different business types. Considering business relevance, this specification also includes security requirements for the external connections of the online banking system. The online banking system should be constructed, operated and maintained in accordance with the third-level security requirements of network security classified protection.
6.2 Security Technical Specifications
6.2.1 Client Security
6.2.1.1 Client Program
Basic requirements:
a) During the development and design of the client program, attention should be paid to avoiding the security risks of system components, third-party components and SDKs. The development framework and technical route should be rigorously justified, and security testing of the selected components should be carried out when necessary.
b) The client program should have a clear application identifier and version number and a reasonably designed update interface. When a version is proven to carry major security risks, users should be prompted and forced to update the client.
c) Each update and upgrade of the client program should undergo source code audit, security activity review and strict archiving, to ensure that the client program contains no hidden illegal functions or backdoors.
d) The client program should be signed in a secure manner so that its source and publisher can be identified, ensuring that the client program downloaded by the customer comes from a trusted institution.
e) The authenticity and integrity of the client program should be verified when it is started and when it is updated (e.g., by online dynamic verification), to prevent the client program from being tampered with or replaced.
f) The client program should adopt security mechanisms such as code obfuscation and packing (shelling) to resist reverse analysis and to protect the confidentiality and integrity of the client's sensitive logic and data.
g) The client program should ensure its own security and avoid vulnerabilities such as code injection, buffer overflow and illegal privilege escalation.
h) The client program should take process protection measures to prevent illegal programs from obtaining access to its process, scanning sensitive data in memory, replacing client pages, etc.
i) The client program should adopt anti-screen-recording and similar technologies for key interfaces, to prevent illegal programs from obtaining sensitive payment information by screen capture and similar methods.
j) The client program should provide customers with instant protection when entering sensitive payment information and protect sensitive payment information in memory, for example by character-by-character encryption, customized soft keyboards and anti-keylogging technologies.
k) The client program should not store the user's sensitive payment information locally in any form; storage locations include but are not limited to cookies, local temporary files and mobile database files.
l) The client program should take effective measures to ensure the confidentiality and integrity of the keys it uses.
m) The client program should verify password complexity to ensure that the password set by the user reaches a certain strength.
n) The password box of the client program should not display the password in plain text, and should substitute the same special character (for example, * or ·) for each character.
o) After login, if there is no operation for a period of time, the client program should automatically log out and require re-login to continue.
p) The client program should cooperate with the server to take effective measures that reasonably limit the frequency of login requests, service requests, database queries and other resource-consuming behaviour.
q) When the client program has barcode generation, display, reading or parsing functions, it shall comply with the requirements of the Technical Specifications for Barcode Payment Security (Trial) (Yinbanfa (2017) No. 242).
r) The client program should effectively shield system technical error information and not feed error information generated by the system directly back to the customer.
s) The client program should support access to network services over IPv6. Where IPv4/IPv6 dual stack is supported, IPv6 access is preferred.
t) The client program should have a privacy policy. Before collecting and using customer information, it should clearly state the purpose, method and scope of the collection and use, disclose its collection and use rules, and obtain the customer's explicit consent.
u) Before collecting the customer's personal sensitive information, the customer should be reminded of the purpose and necessity of the collection.
v) The client program should be prohibited from accessing files and data in the terminal that are not necessary for the business. System permissions (e.g., permission to read the address book or geographic location) should be requested according to the principle of least privilege, and the user's explicit consent should be obtained.
w) The client should retain the least amount of customer information and limit the amount of data stored and its retention time.
x) When the client program exits, business data that does not have to be retained for the operation of business functions should be cleared, to ensure the security of customer information.
y) Measures such as channel monitoring should be taken to detect counterfeit client programs.
6.2.1.2 Client environment
Basic requirements:
a) The security status of the client operating environment should be detected and reported to the backend system, and used as a basis for risk control strategies. Effective measures should be taken to raise the security level of the client environment, and corresponding risk control measures should be taken for different security levels.
b) Reminders about the security of the client environment should be published on channels such as portal sites.
c) When a major security defect or security threat is found in the client environment, necessary measures should be taken to warn the user or refuse the transaction.
d)
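Item p) of 6.2.1.1 requires the client to cooperate with the server in limiting the frequency of login and other resource-consuming requests; the client side of that can only reduce load, since an attacker does not run the bank's client, so the control that matters is enforced at the server. The block below is an added example, not code from the standard or from any bank: a server-side login throttle combining a per-source-IP sliding window (against spraying one guess across many accounts) with a per-account failure lockout (against guessing one account from many IPs). The thresholds, the account names and the attempt logs are constructed for illustration.

```python
"""Server-side login throttling: per-IP sliding window plus per-account lockout.

Added example for item p) of 6.2.1.1 of JR/T 0068-2020; not the standard's code.
Limits, windows, account names and attempt logs below are constructed.
"""
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key that fall inside a trailing window of window_s seconds."""

    def __init__(self, window_s):
        self.window_s = window_s
        self._events = defaultdict(deque)

    def count(self, key, now):
        events = self._events[key]
        while events and events[0] <= now - self.window_s:
            events.popleft()                 # drop events that have aged out
        return len(events)

    def add(self, key, now):
        self._events[key].append(now)

    def reset(self, key):
        self._events.pop(key, None)


class LoginThrottle:
    """Decides whether a login attempt may proceed to password verification.

    Two independent controls (thresholds are illustrative assumptions):
      * per source IP: at most ip_limit attempts in ip_window_s seconds;
      * per account: fail_limit wrong passwords within fail_window_s seconds
        lock the account for lock_s seconds, regardless of source IP.
    """

    def __init__(self, ip_limit=30, ip_window_s=60,
                 fail_limit=5, fail_window_s=600, lock_s=1800):
        self.ip_limit = ip_limit
        self.fail_limit = fail_limit
        self.lock_s = lock_s
        self._ip_attempts = SlidingWindowCounter(ip_window_s)
        self._failures = SlidingWindowCounter(fail_window_s)
        self._locked_until = {}

    def decide(self, account, ip, now):
        """Return 'allow', 'locked_account' or 'throttled_ip'."""
        if self._locked_until.get(account, 0.0) > now:
            return "locked_account"
        if self._ip_attempts.count(ip, now) >= self.ip_limit:
            return "throttled_ip"
        self._ip_attempts.add(ip, now)       # only allowed attempts consume the IP budget
        return "allow"

    def record_result(self, account, password_ok, now):
        """Call after the password check of an attempt that was allowed."""
        if password_ok:
            self._failures.reset(account)
            self._locked_until.pop(account, None)
            return
        self._failures.add(account, now)
        if self._failures.count(account, now) >= self.fail_limit:
            self._locked_until[account] = now + self.lock_s


def run_attempts(attempts):
    """attempts: iterable of (timestamp_s, account, source_ip, password_ok).

    Returns the throttle decision for each attempt, in order.
    """
    throttle = LoginThrottle()
    decisions = []
    for now, account, ip, password_ok in attempts:
        decision = throttle.decide(account, ip, now)
        if decision == "allow":
            throttle.record_result(account, password_ok, now)
        decisions.append(decision)
    return decisions


# Constructed scenario 1: guessing one account's password from one IP.
GUESSING = [(t, "acct-001", "198.51.100.7", False) for t in range(6)]
GUESSING += [(6, "acct-001", "198.51.100.7", True),     # right password, still locked
             (1900, "acct-001", "198.51.100.7", True)]  # lock expired, login succeeds

# Constructed scenario 2: one IP spraying a single guess across 31 accounts.
SPRAYING = [(0, f"acct-{i:03d}", "203.0.113.9", False) for i in range(31)]

if __name__ == "__main__":
    print(run_attempts(GUESSING))
    print(run_attempts(SPRAYING)[-2:])
```

Two practitioner caveats: the lockout branch should also raise an event for the risk-control backend that item a) of 6.2.1.2 feeds, since a lock is a detection, not just a throttle; and the per-IP window needs a higher limit or a different key (for example the device identifier) where customers sit behind carrier-grade NAT, or legitimate users will share one attacker's budget.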
6.2.2 Special security mechanism
6.2.2.1 Smart password key
The smart password keys covered by this standard include the hardware-based key products currently in common use in online banking systems, such as USB Key, Bluetooth Key, Audio Key and SD Key, as well as other hardware-based key products that may appear in the future.
Basic requirements:
a) Financial institutions should use smart password keys that have been tested and approved by third-party professional evaluation institutions recognized by the national or industry competent authorities. The personalization process of smart password keys should be completed in a secure environment.
b) Smart password keys should use smart card chips with key generation and digital signature computing capabilities, to ensure that sensitive operations are performed inside the smart password key.
c) The master file (MF) of the smart password key should be protected by the security mechanism of the chip operating system (COS) to prevent unauthorized deletion and reconstruction. The key file should be kept closed during the activation period.
d) The security of private keys should be ensured during the generation, storage and use stages:
· The signature private key should be generated inside the smart password key; neither the key pair nor the prime numbers used to generate it should be hard-coded (solidified) in the device. The uniqueness of the private key should be ensured.
· It is prohibited to read the private key out of the smart password key, or to write a signature private key into it, in any form.
· The private key file should be of a file type different from ordinary files and the same as or similar to the key file type.
· Before each sensitive operation such as signing, authentication should be performed first.