
GM/T 0076-2019 English PDF (GMT0076-2019)


GM/T 0076-2019: Cryptography technical requirements for banking card information systems
GM/T 0076-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for banking card
information system
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Bank card information system model
6 Basic requirements for cryptographic applications and functional requirements for cryptographic applications
7 Level 2 requirements for the security protection of cryptographic technology of bank card information system
7.1 Basic requirements
7.2 Security requirements for cryptographic technology
7.2.1 Physical and environmental security
7.2.2 Network and communication security
7.2.3 Device and computing security
7.2.4 Application and data security
7.2.5 Requirements for cryptographic allocation policy
7.3 Key security and management requirements
7.3.1 General
7.3.2 Key Security
7.3.3 Key management
7.4 Security management requirements
7.4.1 Overview
7.4.2 Security management system
7.4.3 Personnel management requirements
7.4.4 Cryptographic device management
7.4.5 Requirements for business terminal using passwords
8 Three-level requirements of cryptographic technology security protection of bank card information system
8.1 Basic requirements
8.2 Security requirements for cryptographic technology
8.2.1 Physical and environmental security
8.2.2 Network and communication security
8.2.3 Device and computing security
8.2.4 Application and data security
8.2.5 Requirements for cryptographic allocation policy
8.3 Key security and management requirements
8.3.1 General
8.3.2 Key security
8.3.3 Key management
8.4 Security management requirements
8.4.1 Overview
8.4.2 Security management system
8.4.3 Personnel management requirements
8.4.4 Cryptographic device management
8.4.5 Requirements for business terminal using passwords
9 Level-4 requirements for security protection of cryptographic technology of bank card information system
9.1 Basic requirements
9.2 Cryptographic technology security requirements
9.2.1 Physical and environmental security
9.2.2 Network and communication security
9.2.3 Device and computing security
9.2.4 Application and data security
9.2.5 Requirements for cryptographic allocation policy
9.3 Key security and management requirements
9.3.1 General
9.3.2 Key security
9.3.3 Key management
9.4 Security management requirements
9.4.1 Overview
9.4.2 Security management system
9.4.3 Personnel management requirements
9.4.4 Cryptographic device management
9.4.5 Requirements for business terminal using passwords
Appendix A (Normative) Comparison of security requirements
References
Cryptography technical requirements for banking card
information system
1 Scope
This standard is based on GM/T 0054-2018, JR/T 007-2012 and other
standards. Taking into account the characteristics of the banking card systems
of banking financial institutions and the application needs of cryptographic
technology in the classified protection of this type of information system, it
proposes specific requirements for the application of cryptographic technology
in banking card systems with different security protection levels, covering
three aspects: cryptographic security technical requirements, key security and
management requirements, and security management requirements.
This standard is applicable to the guidance, standardization and evaluation of
commercial cryptographic applications in banking card information systems.
2 Normative references
The following documents are essential to the application of this document. For
dated documents, only the version with the indicated date is applicable to
this document; for undated documents, only the latest version (including all
amendments) is applicable to this document.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2:
Security compliance checklists for devices used in financial transactions
GB/T 21078.1 Banking - Personal identification number management and
security - Part 1: Basic principles and requirements for online PIN handling
in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1:
Concepts, requirements and evaluation methods
GM/T 0024 SSL VPN specification
GM/T 0028 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access
control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography
a) When authenticating users who log in to a network device, the
authenticity service of cryptographic technology should be used to protect
the authentication information from being reused and counterfeited; its
cryptographic function shall be correct and effective;
b) When performing remote network management, the confidentiality service
of cryptographic technology should be used to protect the confidentiality
of the authentication information, so that it is not leaked during
transmission; the cryptographic function shall be correct and effective;
c) The management user ID of the network device system shall not be easy
to use fraudulently; the static password of a key network device shall be
more than 6 digits, consist of a mixture of letters, numbers, symbols,
etc., and be replaced regularly;
d) The information system shall use cryptographic technology to generate
unique random identifiers for entities that have passed identity
authentication, and shall ensure that the function is correct and effective.
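One way to meet items a) and d), shown as an added example that is not part of the standard: a challenge-response login in which each challenge is accepted once, so a captured response cannot be reused, and a successful login yields a random identifier. HMAC-SHA-256 from the Python standard library stands in for whichever approved algorithm a deployment uses; `DeviceAuthenticator`, `respond`, `NONCE_TTL` and the `netadmin` user are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)


def respond(key, user, nonce):
    """Client side: prove knowledge of the key without transmitting it."""
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class DeviceAuthenticator:
    """Hypothetical login verifier for a network device's management interface."""

    def __init__(self, user_keys):
        self._keys = user_keys   # user ID -> shared secret key (bytes)
        self._pending = {}       # nonce -> (user ID, expiry time)

    def challenge(self, user, now=None):
        """Issue a fresh random challenge bound to one user ID."""
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (user, now + NONCE_TTL)
        return nonce

    def verify(self, user, nonce, tag, now=None):
        """Return a random session identifier on success, otherwise None."""
        now = time.time() if now is None else now
        issued = self._pending.pop(nonce, None)  # consumed on first use
        key = self._keys.get(user)
        if issued is None or key is None:
            return None
        if issued[0] != user or now > issued[1]:
            return None
        if not hmac.compare_digest(tag, respond(key, user, nonce)):
            return None
        return secrets.token_hex(16)  # unique identifier for the authenticated entity


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    auth = DeviceAuthenticator({"netadmin": key})
    nonce = auth.challenge("netadmin", now=0)
    tag = respond(key, "netadmin", nonce)
    session = auth.verify("netadmin", nonce, tag, now=1)   # genuine login
    replay = auth.verify("netadmin", nonce, tag, now=2)    # same exchange resent
    forged = auth.verify("netadmin", auth.challenge("netadmin", now=0), b"\x00" * 32, now=1)
    return session is not None, replay, forged
```

The exchange still has to travel over a channel that provides the confidentiality required by item b); this sketch covers only reuse and counterfeiting.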
7.2.3 Device and computing security
7.2.3.1 General
Refer to GM/T 0054-2018 General requirements for information system
cryptography application.
7.2.3.2 Audit records
"Audit records", "access control", "identity authentication", "verification code
and dynamic password", "cryptographic module" are part of the "device and
computing security" of the bank card information system. In the level 2
requirements for the security protection of the cryptographic technology of the
bank card information system, the following requirements are made for the
indicators of "device and computing security-audit records":
To prevent audit records from being illegally modified, the integrity service
of cryptographic technology should be used to protect the integrity of the
audit records; its cryptographic function shall be correct and effective.
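The audit-record requirement above can be met with a keyed, chained MAC, shown here as an added example that is not part of the standard: each record's tag covers the previous tag, so a modified, removed or truncated record is detected on verification. HMAC-SHA-256 stands in for the approved algorithm a deployment would use; the function names, the `GENESIS` value and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain start value (assumed convention)

# Constructed sample audit records
SAMPLE = [
    {"seq": 1, "user": "op01", "action": "login", "result": "ok"},
    {"seq": 2, "user": "op01", "action": "key_export", "result": "denied"},
    {"seq": 3, "user": "op01", "action": "logout", "result": "ok"},
]


def _tag(key, prev_tag, record):
    """MAC over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def seal(key, records):
    """Return [(record, tag_hex)] with each tag chained to the one before it."""
    sealed, prev = [], GENESIS
    for rec in records:
        prev = _tag(key, prev, rec)
        sealed.append((rec, prev.hex()))
    return sealed


def first_bad_index(key, sealed, head_tag=None):
    """Index of the first record that fails verification, or None if intact.

    head_tag is the latest tag kept outside the log; supplying it also
    detects records cut off the end, reported as index len(sealed).
    """
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        want = _tag(key, prev, rec)
        if not hmac.compare_digest(want.hex(), tag_hex):
            return i
        prev = want
    if head_tag is not None and not hmac.compare_digest(prev.hex(), head_tag):
        return len(sealed)
    return None


def demo(key=b"constructed-demo-key-32-bytes..."):
    sealed = seal(key, SAMPLE)
    head = sealed[-1][1]
    edited = [(dict(r), t) for r, t in sealed]
    edited[1][0]["result"] = "ok"              # record altered in place
    removed = sealed[:1] + sealed[2:]          # middle record deleted
    return (first_bad_index(key, sealed, head), first_bad_index(key, edited),
            first_bad_index(key, removed), first_bad_index(key, sealed[:2], head))
```

The MAC key has to be held where the party able to edit the log cannot read it, otherwise the tags can simply be recomputed.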
7.2.3.3 Access control
"Audit records", "access control", "identity authentication", "verification code
and dynamic password", "cryptographic module"...