1 Scope
This specification gives the description of the Internet banking system, the security specification, the security management specification and the business operation security specification.
It is applicable to regulating the construction, operation and assessment of Internet banking systems.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security technology—Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions established in GB/T 25069 and the following apply.
3.1
Internet banking
enabling customers of a commercial bank or other financial institution to conduct online financial transactions through the Internet, mobile communication networks and other open public network or private network infrastructure
3.2
Internet
the Internet or any other similar form of general-purpose public computer communication network
3.3
sensitive information
mainly referring to information such as passwords, keys and sensitive transaction data that affects the security of Internet banking. Passwords include but are not limited to transfer passwords, inquiry passwords, login passwords, certificate PINs, etc. Keys include but are not limited to those used to ensure communication security, message integrity, etc. Sensitive transaction data include but are not limited to complete track information, validity period, CVN, CVN2, certificate number, etc.
3.4
client program
program that enables Internet banking customers to conduct human-machine interaction, and components that provide the necessary functions, including but not limited to executables, controls, static link libraries and dynamic link libraries, excluding IE and other generic browsers
3.5
USB Key
hardware device with a USB interface. It has a built-in single-chip microcontroller or smart card chip, which has a certain amount of storage space for storing the user's private key and digital certificate.
3.6
USB Key firmware
built-in program code in the USB Key that affects the security of the USB Key
3.7
mobile terminal
specifically referring to mobile devices such as mobile phones and tablet computers that access Internet banking through communication networks, as distinct from the traditional PC mode
3.8
strong encryption
general term used to describe an encryption algorithm that is considered highly resistant to cryptanalysis. The robustness of the encryption depends on the cryptographic key used; the effective length of the key shall not be less than the minimum key length required by the applicable comparable-strength recommendations
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 General
6 Security specification
Annex A (Informative) Reference map for basic network protection architecture
Annex B (Informative) Reference map for enhanced network protection architecture
Annex C (Normative) Physical security
Bibliography