
GM/T 0076-2019 English PDF (GMT0076-2019)


Regular price $495.00 USD

GM/T 0076-2019: Cryptography technical requirements for banking card information systems

This standard is based on GM/T 0054-2018, JR/T 007-2012 and other standards. Taking into account the characteristics of the banking card systems of banking financial institutions and the needs for applying cryptographic technology in the classified protection of this type of information system, it proposes specific requirements for the application of cryptographic technology in banking card systems at different security protection levels, from three aspects: cryptographic security technical requirements, key security and management requirements, and security management requirements.
GM/T 0076-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Cryptography technical requirements for banking card information system
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 10
5 Bank card information system model ... 10
6 Basic requirements for cryptographic applications and functional requirements for cryptographic applications ... 11
7 Level 2 requirements for the security protection of cryptographic technology of bank card information system ... 11
7.1 Basic requirements... 11
7.2 Security requirements for cryptographic technology ... 12
7.2.1 Physical and environmental security ... 12
7.2.2 Network and communication security ... 13
7.2.3 Device and computing security ... 14
7.2.4 Application and data security ... 16
7.2.5 Requirements for cryptographic allocation policy ... 18
7.3 Key security and management requirements ... 21
7.3.1 General ... 21
7.3.2 Key Security ... 21
7.3.3 Key management ... 23
7.4 Security management requirements ... 27
7.4.1 Overview ... 27
7.4.2 Security management system ... 27
7.4.3 Personnel management requirements ... 28
7.4.4 Cryptographic device management ... 29
7.4.5 Requirements for business terminal using passwords ... 29
8 Level 3 requirements for the security protection of cryptographic technology of bank card information system ... 30
8.1 Basic requirements... 30
8.2 Security requirements for cryptographic technology ... 30
8.2.1 Physical and environmental security ... 30
8.2.2 Network and communication security ... 31
8.2.3 Device and computing security ... 34
8.2.4 Application and data security ... 37
8.2.5 Requirements for cryptographic allocation policy ... 39
8.3 Key security and management requirements ... 42
8.3.1 General ... 42
8.3.2 Key security ... 42
8.3.3 Key management ... 44
8.4 Security management requirements ... 50
8.4.1 Overview ... 50
8.4.2 Security management system ... 50
8.4.3 Personnel management requirements ... 51
8.4.4 Cryptographic device management ... 52
8.4.5 Requirements for business terminal using passwords ... 52
9 Level-4 requirements for security protection of cryptographic technology of bank card information system ... 53
9.1 Basic requirements... 53
9.2 Cryptographic technology security requirements ... 53
9.2.1 Physical and environmental security ... 53
9.2.2 Network and communication security ... 55
9.2.3 Device and computing security ... 58
9.2.4 Application and data security ... 62
9.2.5 Requirements for cryptographic allocation policy ... 64
9.3 Key security and management requirements ... 67
9.3.1 General ... 67
9.3.2 Key security ... 67
9.3.3 Key management ... 70
9.4 Security management requirements ... 77
9.4.1 Overview ... 77
9.4.2 Security management system ... 77
9.4.3 Personnel management requirements ... 78
9.4.4 Cryptographic device management ... 79
9.4.5 Requirements for business terminal using passwords ... 80
Appendix A (Normative) Comparison of security requirements ... 81
References ... 83
Cryptography technical requirements for banking card information system
1 Scope
This standard is based on GM/T 0054-2018, JR/T 007-2012 and other standards. Taking into account the characteristics of the banking card systems of banking financial institutions and the needs for applying cryptographic technology in the classified protection of this type of information system, it proposes specific requirements for the application of cryptographic technology in banking card systems at different security protection levels, from three aspects: cryptographic security technical requirements, key security and management requirements, and security management requirements.
This standard is applicable to the guidance, standardization and evaluation of commercial cryptographic applications in banking card information systems.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GB/T 20547.2-2006 Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions
GB/T 21078.1 Banking - Personal identification number management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
GB/T 21079.1 Banking - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods
GM/T 0024 SSL VPN specification
GM/T 0028 Security requirements for cryptographic modules
GM/T 0036-2014 Technical guidance of cryptographic application for access control systems based on contactless smart card
GM/T 0054-2018 General requirements for information system cryptography
a) When authenticating users who log in to network devices, in order to prevent the authentication information from being reused and counterfeited, it should use the authenticity service of cryptographic technology to protect the authentication information from reuse and counterfeiting; its cryptographic function shall be correct and effective;
b) When performing remote network management, in order to prevent the authentication information from being leaked during transmission, it should use the confidentiality service of cryptographic technology to protect the confidentiality of the authentication information; its cryptographic function shall be correct and effective;
c) The network device system's management user ID shall have characteristics that make it hard to use fraudulently; the static password of a key network device shall be more than 6 characters long, consist of a mixture of letters, numbers, symbols, etc., and be replaced regularly;
d) The information system shall use cryptographic technology to generate unique random identifiers for entities that have passed identity authentication, and ensure that this function is correct and effective.
7.2.3 Device and computing security
7.2.3.1 General
Refer to GM/T 0054-2018 General requirements for information system cryptography application.
7.2.3.2 Audit records
"Audit records", "access control", "identity authentication", "verification code and dynamic password", "cryptographic module" are part of the "device and computing security" of the bank card information system. In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicators of "device and computing security-audit records":
In order to prevent the audit record from being illegally modified, it should use the integrity service of cryptographic technology to protect the integrity of the audit record; its cryptographic function shall be correct and effective.
7.2.3.3 Access control
"Audit records", "access control", "identity authentication", "verification code and dynamic password", "cryptographic module" are part of the "device and computing security" of the bank card information system. In the level 2 password":
a) When sending the verification code by SMS or other channels, it shall use correct cryptographic technology to ensure that the dynamic password sent is completely random and unpredictable;
b) When using SMS or other channels to send the verification code, it shall ensure that the content of the verification code is not disclosed;
c) If it uses OTP tokens for identity verification, it shall use correct cryptographic techniques to ensure that the OTP is completely random and unpredictable.
7.2.3.6 Cryptographic module
"Audit records", "access control", "identity authentication", "verification code and dynamic password", "cryptographic module" are part of the "device and computing security" of the bank card information system. In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicators of "device and computing security-cryptographic module":
It shall use level 2 or above cryptographic modules which comply with GM/T 0028, or hardware cryptographic products approved by the national cryptographic management department, to realize the cryptographic calculations and key management:
a) The system's dedicated hardware or firmware and cryptographic device shall implement security functions such as authorization control, unauthorized access detection, operating status indication, etc., to ensure that the cryptographic module can operate correctly in the approved working mode;
b) The system's dedicated hardware or firmware and cryptographic device shall be able to prevent unauthorized disclosure of the module's content or key security parameters;
c) The system's dedicated hardware or firmware and cryptographic device shall be able to prevent unauthorized or undetectable modifications to cryptographic modules and cryptographic algorithms.
7.2.4 Application and data security
7.2.4.1 General
Refer to GM/T 0054-2018 General requirements for information system cryptography application.
"application and data security-terminal application":
a) It should use the integrity service of cryptographic technology to verify the integrity of important programs; its cryptographic function shall be correct and effective;
b) Terminal applications shall not store sensitive information such as user passwords, payment passwords, PAC, CVV, etc. in plaintext or in merely encoded form;
c) When the terminal application processes sensitive data entered by the user, such as passwords, payment passwords, etc., it should use security measures to ensure the confidentiality of the sensitive data and ensure that it cannot be obtained through unauthorized access.
7.2.5 Requirements for cryptographic allocation policy
7.2.5.1 Cryptographic algorithm configuration
"Cryptographic algorithm allocation", "cryptographic protocol use", "application ciphertext generation", "bank card terminal", "password keyboard", "cryptographic device use" are components of the bank card information system's "cryptographic allocation policy requirements". In the level 2 requirements for the cryptographic technology security protection of bank card information systems, the following requirements are set for the indicator of "cryptographic allocation strategy requirements-cryptographic algorithm allocation":
It shall use algorithms approved by the national cryptographic management authority.
7.2.5.2 Use of cryptographic protocol
"Cryptographic algorithm allocation", "cryptographic protocol use", "application ciphertext generation", "bank card terminal", "password keyboard", "cryptographic device use" are components of the bank card information system's "cryptographic allocation policy requirements". In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are made for the indicator of "cryptographic allocation strategy requirement-cryptographic protocol use":
It shall use cryptographic protocols that have passed the security review of the national cryptographic administration department to realize the cryptographic function.
7.2.5.3 Generation of application ciphertext
between the cryptographic devices;
- It shall use a cryptographic device to transmit the private key between the device that generates the key and the device that uses the key;
- After importing the key to the target device, the key transfer device shall not retain any information that may reveal the key;
- When using a key transfer device, the key (and, if an explicit key identifier is used, also the key identifier) shall be transferred from the cryptographic device that generated the key to the key transfer device; this device shall then be physically transported to the location of the cryptographic device that actually uses the key.
d) When using key components, it shall confirm:
- The key components constituting the key shall be imported into or exported from the device manually or by the key transmission device; the transmission process shall not disclose any part of a key component to any unauthorized individual;
- When the key components are distributed in a readable form, each key component shall be distributed in a key envelope that does not reveal the value of the key component before it is opened;
- Before entering a key component, the key envelope or cryptographic device shall be checked for signs of tampering. If any one of the components has been tampered with, the whole set of key components shall not be used and shall be destroyed according to the procedures described in GB/T 21078.1;
- Each key component shall be input individually by its holder, who shall verify that the key component was input correctly.
e) The key administrator shall be responsible for checking the consistency of the verification values generated when the key is imported and exported.
f) After the key component is entered into the cryptographic device, the key envelope shall be destroyed or sealed in another tamper-proof key envelope for possible future use.
g) After the key is injected, the medium storing the backup key shall be saved in a password envelope; after being supervised and confirmed by a designated person, it shall be locked in the safe.
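The key-component handling in d) and e) above, as an added Python example that is not from the standard or from this listing: each holder's component is verified before acceptance, the components are combined, and the combined key is checked against the verification value recorded at export. The XOR combination and the SHA-256-based verification value are assumptions, since the page does not specify the check-value method.

```python
"""Added example (not from GM/T 0076-2019 or this listing): a split-knowledge
key-component ceremony as described in 7.3.3. Each holder's component is checked
against its own verification value before acceptance, then the combined key is
checked against the value recorded at export (the administrator's consistency check).
Assumed, not stated on the page: XOR combination, and a verification value equal to
the first 3 bytes of SHA-256 over the key (a stand-in for the real check-value method)."""
import hashlib
import secrets

KCV_BYTES = 3  # assumed verification-value length


def check_value(key: bytes) -> str:
    """Verification value over key material (assumed: truncated SHA-256)."""
    return hashlib.sha256(key).hexdigest()[: 2 * KCV_BYTES]


def split_key(key: bytes, n_components: int) -> list:
    """Export side: n XOR shares, so no single holder learns anything about the key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = bytes(key)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def combine_components(components, component_kcvs, expected_key_kcv) -> bytes:
    """Import side. Rejects the whole set on any mis-keyed or tampered component
    (7.3.3 d) and refuses a combined key whose verification value differs from the
    exported one (7.3.3 e). Returns the key on success, raises ValueError otherwise."""
    if not components or len(components) != len(component_kcvs):
        raise ValueError("component / verification-value count mismatch")
    acc = bytes(len(components[0]))
    for idx, (comp, kcv) in enumerate(zip(components, component_kcvs), 1):
        if len(comp) != len(acc):
            raise ValueError(f"component {idx}: wrong length")
        if check_value(comp) != kcv:
            raise ValueError(f"component {idx}: verification value mismatch")
        acc = bytes(a ^ b for a, b in zip(acc, comp))
    if check_value(acc) != expected_key_kcv:
        raise ValueError("combined key does not match exported verification value")
    return acc


def demo(tampered: bool = False) -> str:
    """Three-holder ceremony on a constructed 16-byte key; with tampered=True one
    holder enters a component with a single bit flipped."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed value
    comps = split_key(key, 3)
    kcvs = [check_value(c) for c in comps]
    entered = list(comps)
    if tampered:
        entered[1] = bytes([entered[1][0] ^ 0x01]) + entered[1][1:]
    try:
        recovered = combine_components(entered, kcvs, check_value(key))
    except ValueError as err:
        return f"rejected: {err}"
    return "ok" if recovered == key else "mismatch"


if __name__ == "__main__":
    print(demo())               # ok
    print(demo(tampered=True))  # rejected: component 2: verification value mismatch
```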
7.3.3.2 Key storage and custody
"Key import and export", "key storage and custody", "key use and replacement", corresponding emergency treatment and response measures;
f) Manage the system administrator password, user passwords and user authority of the cryptographic machine and cryptographic management device. Once a leak occurs or authority is out of control, it shall initiate an inspection and tracking program, evaluate the incident level according to the extent to which authority is out of control, and update the relevant keys in due course.
7.3.3.4 Key backup and recovery
"Key import and export", "key storage and custody", "key use and replacement", "key backup and recovery" are part of the bank card information system's "key management". In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are set for the indicator of "key management-key backup and recovery":
a) It shall establish a key recovery and correction workflow; clarify the situations that trigger key replacement and correction; specify the standard operating process for key replacement and correction; retain the operation records of key replacement and correction;
b) If it is suspected that the key has been leaked or the security of the device is threatened, the key shall be withdrawn or replaced (for example, destroyed or revoked);
c) It shall formulate a clear key backup strategy and adopt a secure and reliable key backup and recovery mechanism to back up and restore the key;
d) It shall record each key backup or restoration and generate audit information, which includes the subject of the backup or restoration, the time of the backup or restoration, etc.;
e) There shall be security measures to prevent the leakage and replacement of keys;
f) It shall ensure the security of the storage location and form of the key and restrict access rights to the key;
g) If, based on the information the attacker has obtained, it can be confirmed that an unauthorized key replacement has occurred, the following steps shall be followed for key replacement:
- Erase any encrypted version of the storage key that has been confirmed to be replaced; confirm whether all the existing encrypted keys are legitimate; if there is an illegitimate key, it shall be deleted;
management system that has deficiencies or needs improvement shall be revised.
f) The release process of relevant management systems should be clarified.
7.4.3 Personnel management requirements
"Security management system", "personnel management requirements", "cryptographic device management", "password-using business terminal requirements" are part of the "security management requirements" of the bank card information system. In the level 2 requirements for the security protection of the cryptographic technology of the bank card information system, the following requirements are set for the indicator of "security management requirements-personnel management requirements":
a) It shall understand and abide by laws and regulations related to passwords;
b) It shall be able to use cryptographic products correctly;
c) A personnel training system shall be established to provide special training for personnel involved in the operation and management of passwords and in key management;
d) According to the requirements of the competent department and the actual situation of the organization, a certain number of key management personnel, security auditors, cryptographic device operators and other positions shall be assigned; these positions shall not be held concurrently by the same person;
e) It shall be equipped with full-time key management personnel; this position shall not be held concurrently by personnel in other positions;
f) A post responsibility system shall be established to clarify the responsibilities and authorities of relevant personnel in the management of cryptographic devices and of the key system; the management of devices and systems related to cryptographic management, and the use of their accounts, shall not be shared among many people;
g) The key management personnel shall be regular employees of the organization; they shall be filed level by level, to standardize key management;
h) It shall establish a personnel selection system and a review system for cryptographic management and cryptographic device operation; determine full-time personnel to undertake related tasks; implement the necessary review of relevant personnel;
b) In the process of establishing a secure access path, the integrity service of cryptographic technology shall be used to ensure the integrity of the routing control information in the secure access path; its cryptographic function shall be correct and effective.
8.2.2.5 Audit records
"Communication security", "identity authentication", "secure access path", "audit records" are the components of the "secure access path" of the bank card information system. In the level-3 requirements for cryptographic technology security protection of bank card information systems, the following requirements are set for the indicator of "network and communication security-audit records":
The integrity service of cryptographic technology shall be used to protect the integrity of audit records; its cryptographic function shall be correct and effective.
8.2...
