本规范适用于所有银联卡受理商户信息系统,凡是涉及存储、处理、传输持卡人数据的所有商户、服务提供商必须满足准入的基本安全要求。
1 范围 ...........................................................................................................................................................1
2 规范性引用文件........................................................................................................................................1
3 术语、定义和缩略语................................................................................................................................1
3.1 访问控制 Access Control...................................................................................................................1
3.2 物理访问控制 Physical Access Control.............................................................................................1
3.3 逻辑访问控制 Logical Access Control...............................................................................................1
3.4 账户信息 Account Information.........................................................................................................2
3.5 主账号 Primary Account Number; PAN ............................................................................................2
3.6 身份鉴别 Authentication ..................................................................................................................2
3.7 生物识别 Biometrics.........................................................................................................................2
3.8 密码鉴定 Cryptographic Authentication ..........................................................................................2
3.9 信息 Information...............................................................................................................................2
3.10 不可逆加密 Irreversible Encryption..................................................................................................2
3.11 公共网络 Public Network..................................................................................................................2
3.12 静态密码 Static Password.................................................................................................................3
3.13 动态密码 Dynamic Password............................................................................................................3
3.14 保密性 Confidentiality ......................................................................................................................3
3.15 完整性 Integrity ................................................................................................................................3
3.16 敏感数据(信息) Sensitive Data(Information) ........................................................................3
3.17 可用性 Availability ............................................................................................................................3
3.18 敏感性 Sensitivity..............................................................................................................................3
3.19 个人标识代码 Personal Identification Number; PIN ........................................................................3
3.20 卡片有效期 Expiration Date .............................................................................................................3
3.21 卡片验证码 Card Verification Number.............................................................................................4
3.22 双因素验证 Two-factor Authentication ...........................................................................................4
3.23 双重控制 Dual Control......................................................................................................................4
3.24 支付标记 payment token..................................................................................................................4
3.25 TR Token Requestor...........................................................................................................................4
3.26 DMZ 隔离区 Demilitarized Zone .......................................................................................................4
3.27 安全审计 Security Audit....................................................................................................................4
3.28 威胁 Threat........................................................................................................................................4
3.29 授权 Authorization ............................................................................................................................4
3.30 银行卡 Bank Card..............................................................................................................................4
3.31 密钥加密密钥 Key Encryption Key; KEK ...........................................................................................5
3.32 工作密钥 Working Key; WK ..............................................................................................................5
4 系统架构 ...................................................................................................................................................5
4.1 独立客户端模式 ...............................................................................................................................5
4.2 集成SDK模式.....................................................................................................................................6
4.3 调用DLL链接库模式 .........................................................................................................................6
4.4 基于浏览器HTML5模式....................................................................................................................7
5 通用安全要求............................................................................................................................................7
5.1 数据安全 ...........................................................................................................................................7
5.2 访问控制安全 ...................................................................................................................................9
5.3 密钥安全 .........................................................................................................................................10
6 组件安全要求..........................................................................................................................................11
6.1 应用系统安全 .................................................................................................................................11
6.2 客户端安全 .....................................................................................................................................12
6.3 通信安全 .........................................................................................................................................13
7 管理要求 .................................................................................................................................................13
7.1 系统开发安全 .................................................................................................................................13
7.2 系统发布与变更安全 .....................................................................................................................14
7.3 人员安全培训 .................................................................................................................................15
7.4 实施准则更新 .................................................................................................................................15
附录:《实施准则》 ......................................................................................................................................15
展开全文