security guide of unionpay card personalization+service+provider

Upload: vkm2013

Post on 17-Feb-2018


    7/23/2019 Security Guide of UnionPay Card Personalization+Service+Provider

    1/41

    Security Management Guide of UnionPay Card Personalization Service Provider

    December 2010

    Table of Contents

    Preface ........ 1

    1 Introduction ........ 2


    1.1 Scope ........ 2

    1.2 Version ........ 2

    2 Personnel Organizational Management ........ 3

    2.1 Establishment and Responsibilities of Security Management Organization ........ 3

    2.1.1 Basic Requirements ........ 3

    2.1.2 Major Responsibilities ........ 3

    2.2 Personnel Management ........ 3

    2.2.1 Personnel on Key Positions ........ 3

    2.2.2 Security Auditing Personnel ........ 3

    2.3 Key Management Personnel ........ 4

    2.3.1 Work Responsibilities ........ 4

    2.3.2 Security Requirements ........ 4

    3 Data Security Management ........ 5

    3.1 Security Management of Data Transmission ........ 5

    3.1.1 Dedicated Line Transmission ........ 5

    3.1.2 Mail Delivery of Data Disk and Personal Delivery ........ 5

    3.2 Data Security ........ 6

    3.2.1 Data Reception ........ 6

    3.2.2 Data Processing ........ 6

    3.3 Management of Data Storage Media ........ 7

    4 Security Management of Network ........ 8

    4.1 Communication Methods ........ 8

    4.2 Security of Personalized Network ........ 8

    4.2.1 Firewall and Anti-invasion ........ 8

    4.2.2 Anti-virus ........ 11

    4.2.3 Access Control on Customers and Third Party ........ 11

    5 Workshop and System Security ........ 12

    5.1 Basic Content ........ 12

    5.2 Access Security Control ........ 12

    5.3 Mainframe Security ........ 12

    5.4 Environment for Data Workshop and Security Requirements ........ 12

    5.5 Data Backup and Disaster Recovery ........ 13

    5.5.1 Data Backup ........ 13

    5.5.2 Disaster Recovery ........ 13

    5.6 System Maintenance and Accident Treatment ........ 13

    5.6.1 Routine Maintenance ........ 13

    5.6.2 Accident Treatment ........ 13

    5.7 Personalization Workshop Security ........ 13

    6 Access Control and Audit ........ 15


    6.1 Control on User Authorization ........ 15

    6.2 Username Management ........ 15

    6.3 Login Control ........ 15

    6.4 Password Management ........ 16

    6.5 Security Audit ........ 16

    6.6 Log Management ........ 17

    7 Product Processing and Security Management ........ 18

    7.1 Personalization Processing Process ........ 18

    7.2 Personalization of Magnetic Stripe Card ........ 18

    7.2.1 Data Preparation ........ 18

    7.2.2 Personalization Processing ........ 18

    7.3 Initialization of IC Card and Its Security ........ 18

    7.3.1 Initialization Description ........ 18

    7.3.2 Security Requirements ........ 18

    7.4 Personalization of IC Card ........ 19

    7.4.1 Security Requirements for Data Preparation ........ 19

    7.4.2 Security Requirements for Personalization Processing ........ 19

    7.4.3 Post-processing ........ 19

    7.5 Process Security Requirements ........ 20

    7.5.1 Process Procedures ........ 20

    7.5.2 Control of Personalization Handling Process ........ 20

    7.5.3 Management of Embossing Foil, Card Mailing Sheet and UG Color Strip ........ 21

    7.5.4 Management of Personalization Cards ........ 21

    8 Key Management ........ 22

    8.1 Key Description ........ 22

    8.1.1 Personalization Key ........ 22

    8.1.2 Card Key ........ 22

    8.1.3 Transmission Key ........ 24

    8.2 Encryption and Transmission of Key and Data ........ 25

    8.2.1 From the Issuer to the Personalization Provider ........ 25

    8.2.2 Security Requirements during the Personalization Process ........ 26

    8.3 Key Operation ........ 26

    8.3.1 Asymmetric (RSA) Key ........ 26

    8.3.2 Symmetric Key (DES) ........ 27

    8.4 Key Storage ........ 29

    8.5 Key Backup ........ 29

    8.6 Key Destruction ........ 30

    8.6.1 Keys to be Destroyed ........ 30

    8.6.2 Destruction Methods ........ 30

    8.6.3 Miscellaneous ........ 30

    9 Hardware Security Machine (HSM) ........ 32


    9.1 Physical Characteristics Specified by HSM ........ 32

    9.2 Logic Characteristics Specified by HSM ........ 32

    9.3 HSM Management ........ 32

    9.3.1 HSM Operation ........ 32

    9.3.2 HSM Disuse ........ 33

    Appendix 1: Various Existing Access Methods ........ 34

    Appendix 2: Security Recommendations on the Use of VPN Access ........ 35


    Preface

    In case of any discrepancy between terms and conditions of this Guide and state or

    local laws, the legal official document shall prevail.

    This Guide serves as a supplement to the UnionPay Card Manufacturer Security Management Guide, with requirements related to the personalization processing service of magnetic stripe cards and IC cards added. Manufacturers engaged in personalization processing service shall observe the regulations in the UnionPay Card Manufacturer Security Management Guide as well.

    Implementation of this Guide cannot completely prevent loss, theft, deterioration, damage and leakage of products, data and security materials; the company shall therefore assume liability for such matters.

    China UnionPay Co., Ltd. reserves the copyright and interpretation for this Guide.

    Notification for any change will be given to issuers and manufacturers in writing.

    The manufacturer can supplement additional measures to enhance security

    management based on this Guide in accordance with its requirements towards

    security management. China UnionPay Co., Ltd. will review the security system of

    the manufacturer on a regular basis. Any deviation from this Guide shall be

    approved by China UnionPay Co., Ltd.


    1 Introduction

    1.1 Scope

    Based on the UnionPay Card Manufacturer Security Management Guide V3.0,

    further requirements for security management that shall be observed by the

    manufacturer engaged in personalization processing service of UnionPay logo

    magnetic stripe card and integrated circuit (IC) card are stipulated in this Guide.

    This Guide is applicable to the service provider of personalization processing

    service of UnionPay logo magnetic stripe card and IC card, who shall observe the

    regulations in the UnionPay Card Manufacturer Security Management Guide V3.0

    as well in terms of personnel management, security facility management, storage

    and transportation of products, manufacturing process, data security management,

    etc.


    2 Personnel Management

    2.1 Responsibilities and Requirements

    2.1.1 Basic Requirements

    An appropriate security management organization shall be established as per the requirements in the UnionPay Card Manufacturer Security Management Guide to guarantee the security requirements for card personalization and ensure the implementation of security measures.

    The security management organization shall maintain liaison with law enforcement departments and business cooperation institutions to ensure timely notification of security incidents and that appropriate measures are taken against them.

    The security management organization shall be able to examine and manage the security implementation of the various departments independently, and shall ensure that its work properly reflects security requirements that are feasible and effective.

    2.1.2 Major Responsibilities

    To establish the security management system for UnionPay logo magnetic stripe card and IC card personalization, covering the production process, security material management, data transmission, key management and personnel security behavior.

    To be responsible for the examination of logic security within the manufacturer, which includes software design, network security, key generation, data management, card personalization, and the security procedures adopted during transmission and storage, etc.

    To be responsible for remedying processing practices that are defective in logic security, and for establishing a complete set of concrete methods for following up on problems that have not been properly solved until they are resolved.

    2.2 Personnel Management

    2.2.1 Personnel on Key Positions

    A strict selection process shall be carried out when selecting employees for key positions such as security management personnel, workshop management personnel, treasury operation personnel, key management personnel, personalization processing personnel, etc., and it shall be guaranteed that part-time employees, temporary workers, etc. cannot assume such positions.

    2.2.2 Security Auditing Personnel

    The manufacturers must ensure that security auditing personnel are not directly involved in the work they audit, and the Security Chief shall examine the security auditing personnel on a yearly basis.


    2.3 Key Management Personnel

    2.3.1 Responsibilities

    1. To receive and safely store key components and security media;

    2. To maintain and track the access log and the use of key data, including access time, date, personnel, purpose, return time and returning personnel, etc.;

    3. To be responsible for supervising the destruction of old and outdated key components;

    4. To load keys into the hardware security module (HSM) based on the requirements.

    2.3.2 Security Requirements

    1. The key management personnel must be permanent employees, not temporary workers, part-time employees or consultants;

    2. The working behavior of the key management personnel must be monitored;

    3. Sufficient controls shall be implemented over the management control personnel responsible for key data or its security media to ensure that no single individual (or unauthorized person) can access the encryption system key or the security media data.


    3 Data Management

    3.1 Security Management of Data Transmission

    In order to prevent loss, modification or misappropriation of data information transmitted between organizations, such transmission shall be controlled. Leased line (please refer to Section 4.1, network security management), mail delivery of data disks and personal delivery shall be used in the general case.

    3.1.1 Leased Line Transmission

    A separate data receiving server shall be installed for the card personalization manufacturer under leased line transmission. Safe transmission rules for personalization data shall be defined through mutual coordination between the personalization provider and the issuer. However, the following requirements must be met:

    1. Completeness (integrity) and confidentiality of the personalization data shall be guaranteed simultaneously. Completeness can be realized by adding a check code to the personalization data file, while confidentiality is achieved via full-text encryption of the data file; meanwhile, the key and the encrypted data shall not be transmitted together.

    2. A hardware security module (HSM) shall be adopted for the transmission of personalization data between the personalization provider and the issuer in the general case; if a software security module is adopted, the key length shall be no less than 128 bits.

    3. A symmetric cryptographic system shall be adopted for data encryption protection, while an asymmetric cryptographic system shall be used for signatures and key encryption based on the specific requirements.

    4. The personalization manufacturers shall safely keep the communication logs with the card issuer and the third-party service provider (TPSP). If a communication log (or message) has to be obtained from the production environment because of business needs, the review and approval process shall be followed and conducted by at least two people. What's more, the communication log (or message) shall be used only in the designated secure environment. No communication logs (or messages) shall be taken away from the workplace.

    3.1.2 Mail Delivery and Express Delivery of Disks

    A reliable mail delivery institution and transportation means shall be selected for transmission of data disks via mail delivery or personal delivery, with validation of the mail carrier's identity.


    For mail delivery or express delivery of data disks, the stored data must be encrypted using encryption and decryption means agreed between the personalization provider and the issuer, and it must be possible to validate the authenticity and completeness of the data.
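    The transmission controls of 3.1.1 and 3.1.2 (full-text encryption of the file, a check code for completeness, symmetric encryption of the data with asymmetric signing and key encryption, and the key never travelling together with the encrypted data) worked through as an added Go example. This is illustrative code written for this page, not the guide's or UnionPay's own; the concrete algorithms (AES-256-GCM, RSA-OAEP, RSA-PSS) and the sample record are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the leased line or on the data disk: the fully
// encrypted file, a check code over it and the issuer's signature. No key inside.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	CheckCode  []byte // SHA-256 of Ciphertext: the file's completeness check
	Signature  []byte // RSA-PSS signature by the issuer over CheckCode
}

// WrappedKey is the one-time file key encrypted for the provider; it is sent
// through a different channel or at a different time than the Envelope.
type WrappedKey []byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // assumed size

// Seal runs on the issuer side. Algorithm choices are this example's assumptions,
// not the guide's: AES-256-GCM for the file, RSA-OAEP key wrap, RSA-PSS signature.
func Seal(plaintext []byte, providerPub *rsa.PublicKey, issuerPriv *rsa.PrivateKey) (Envelope, WrappedKey, error) {
	raw := make([]byte, 32+12) // 256-bit file key followed by a 96-bit GCM nonce
	if _, err := rand.Read(raw); err != nil {
		return Envelope{}, nil, err
	}
	fileKey := raw[:32]
	gcm, err := newGCM(fileKey)
	if err != nil {
		return Envelope{}, nil, err
	}
	nonce := raw[32 : 32+gcm.NonceSize()]
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	sum := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, issuerPriv, crypto.SHA256, sum[:], nil)
	if err != nil {
		return Envelope{}, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, providerPub, fileKey, nil)
	if err != nil {
		return Envelope{}, nil, err
	}
	return Envelope{Nonce: nonce, Ciphertext: ct, CheckCode: sum[:], Signature: sig}, WrappedKey(wrapped), nil
}

// Open runs at the provider once both deliveries are in. Completeness and origin
// are verified before the key is unwrapped, so a damaged file never gets decrypted.
func Open(env Envelope, wk WrappedKey, providerPriv *rsa.PrivateKey, issuerPub *rsa.PublicKey) ([]byte, error) {
	sum := sha256.Sum256(env.Ciphertext)
	if !bytes.Equal(sum[:], env.CheckCode) {
		return nil, fmt.Errorf("check code mismatch: file incomplete or altered")
	}
	if err := rsa.VerifyPSS(issuerPub, crypto.SHA256, sum[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("issuer signature invalid: %w", err)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, providerPriv, wk, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample standing in for a personalization data file.
	record := []byte("PAN=0000000000000000|EXP=0000|NAME=TEST CARD")
	issuerKey, _ := NewKeyPair()
	providerKey, _ := NewKeyPair()
	env, wk, err := Seal(record, &providerKey.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, wk, providerKey, &issuerKey.PublicKey)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, record))
}
```

Whoever holds only the Envelope (the disk in transit, the leased-line capture) learns nothing without the separately delivered WrappedKey, and a damaged or re-signed file is rejected at the check-code or signature step before any decryption is attempted.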

    Package of the storage media shall be able to protect the content from any physical

    damage that may arise out of transshipment. Dedicated measures can be adopted to

    protect the data information from unauthorized publication or modification when

    necessary, such as:

    1. Using locked container;

    2. Personal delivery;

    3. Anti-disclosure package;

    4. Under special circumstances, dividing the consigned goods (data and keys) into several parts and delivering them by different means.

    3.2 Data Security

    3.2.1 Data Reception

    1. For data transmitted through the leased line, the manufacturers must promptly transfer the encrypted data to the internal personalization processing network, delete the data on the receiving device and keep records.

    2. For data transmitted through mail delivery of data disks, the manufacturers must arrange for two or more personnel to receive the package, check whether it is damaged and confirm by signing. After receipt, the encrypted data shall be transferred promptly to the personalization processing network, the data on the storage media shall be deleted or the storage media destroyed, and the storage information shall be recorded.

    3.2.2 Data Processing

    1. When the manufacturers process the data transferred to the personalization processing network, plaintext data shall not appear in principle. If plaintext data does occur because of work needs, it must be handled under the on-site supervision of security management staff with the written permission of the card issuer. The relevant information shall be recorded on file, including but not limited to the operator's name, processing time, reason for data processing, name of the data-owning bank, finish time and the signature of the security administrator.

    2. Processed personalization data must be promptly deleted or destroyed under the supervision of the security management personnel. If the data needs to be stored, the written permission of the card issuer must be obtained and the storage information shall be recorded in detail.


    3. Related information of the cardholder and the card issuer may only be accessed by staff based on work needs.

    4. Prior written approval from the card issuer must be obtained before modifying cardholder data, and the modification information must be recorded in detail.

    3.3 Management of Data Storage Media

    A comprehensive management system shall be established for removable data storage media, including tapes, disks, cassettes, hard disks, compact discs, printed reports, etc. The following management measures shall be adopted for storage media:

    1. All storage media shall be maintained in a safe environment that meets the storage environment requirements proposed by the manufacturer of such storage media;

    2. All storage media to be taken out of the manufacturing area shall be approved, with corresponding records taken, and such records shall be kept for at least one year;

    3. All data must be deleted from reusable storage media returned to customers;

    4. Storage media carrying data information that will no longer be used shall be incinerated or crushed under the supervision of security personnel, with corresponding records taken, which shall be kept for at least a year.


    4 Security Management of Network

    4.1 Communication Methods

    The applicable connections between the manufacturers and the data providers are suggested as follows:

    1. Recommended access methods: leased line (mainly ADSL, SDH, frame relay, DDN, ATM, ISDN, telephone dial-up) and MPLS based on a private network (refer to Appendix 1, Current Access Methods List, for the definition of the access methods).

    2. When using IPSec/SSL over MPLS or MPLS based on the Internet, the relevant risks shall be fully taken into account and accepted, and the related security recommendations shall be followed (please refer to Appendix 2: Security Recommendations on the Use of VPN Access).

    3. When using IPSec/SSL over the Internet, the relevant risks shall be fully taken into account and accepted, and the related security recommendations shall be followed (refer to Appendix 2: Security Recommendations on the Use of VPN Access).

    4. Prohibited access method: the Internet.

    4.2 Security of Personalized Network

    The network linking data reception and processing, the encryption devices or systems, the personalization preparation system, the database, the personalization devices and the system must be an isolated and independent network. Connections with the card issuers by means of the communication methods in Section 4.1 must be protected by two or more firewalls to carry out network isolation.

    The network used for card personalization must be isolated, physically or logically, from devices unrelated to the personalization process. Strict systems and processes shall be stipulated to prevent any unauthorized individuals or devices from visiting or accessing the personalization network.

    4.2.1 Firewall and Anti-invasion

    4.2.1.1 The manufacturers shall establish firewall configuration standards, including:

    1. Stipulate standardized procedures to approve and test all external network connections and firewall configuration changes, and keep a detailed record of configuration changes.

    2. Describe the network topology in detail and mark all connections to the personalization data (including all wireless network connections).


    3. Firewalls shall be configured at all external network connections as well as between the demilitarized zone (DMZ) and the internal network area.

    4. Clearly describe the groups, roles and duties for the logical management of the network components.

    5. Specify the list of services and ports required by the business.

    6. Any adopted transport protocol must be approved and recorded. Transport protocols include, but are not limited to, Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH) and Virtual Private Network (VPN) protocols.

    7. Any adopted high-risk protocol must be approved and recorded, and details shall be given describing the reason for using the protocol and the security measures taken.

    8. Rule settings of the firewall and router shall be reviewed quarterly.

    9. A standard configuration model for routers shall be established.

    4.2.1.2 Establish a firewall configuration that refuses all communications from suspicious networks and hosts, except for the protocols required by the personalization data environment.

    4.2.1.3 A firewall configuration shall be built to restrict any connection (including wireless connections) between any system that stores cardholder data (or its components) and public servers. The firewall configuration shall:

    1. Restrict inbound Internet traffic to Internet Protocol (IP) addresses in the demilitarized zone (ingress filtering).

    2. Not allow internal addresses to reach the DMZ via the Internet.

    3. Implement stateful inspection (also known as dynamic packet filtering), and only allow access to the network through established connections.

    4. Place the data in the internal network area, isolated from the DMZ.

    5. Limit the inbound and outbound traffic of the cardholder data environment and only allow the necessary traffic in each direction.

    6. Protect and synchronize the router configuration files. For example, the running configuration (used while the router is in normal operation) and the startup configuration (used when the router is restarted) shall have the same security configuration.

    7. Reject all inbound and outbound traffic that has not been explicitly permitted.


    8. Any mobile computer that connects directly to the Internet and is also used in the internal network, and all employees' computers (e.g. laptops used by employees), shall have personal firewall software installed.

    4.2.1.4 Forbid any internal network that stores cardholder data and system components (e.g. databases, logs, trace files) from being accessed directly or indirectly by external networks.

    1. Establish a DMZ to filter and screen all traffic, and do not provide direct inbound or outbound routing for Internet traffic.

    2. Restrict outbound traffic from the personalization system to destination IP addresses within the DMZ.

    3. Mask internal IP addresses to prevent them from being identified and exposed to the Internet.

    4.2.1.5 Configuration Maintenance

    1. Regularly review the routing configurations and firewall policies, and analyze and act on the event logs of the routers and firewalls and the alerts of the intrusion detection (prevention) equipment.

    2. Establish a formal process to approve, test and change all routing configurations and firewall policies; each change shall be documented promptly.

    3. Identify the users who log on to the network equipment and the network security equipment, and strictly control the accounts that can modify their configuration.

    4. Install patches and version upgrades for the network and network security equipment promptly, and keep the signature (knowledge) base of the intrusion detection (prevention) system up to date.

    5. If the network has dial-up access, dial-up users shall be strictly controlled; each user shall have a distinct password of at least 8 characters that is changed regularly. Dial-up from external companies and other forms of remote maintenance connection are forbidden.

    6. Regularly, and after significant changes to the network, carry out penetration testing or vulnerability scanning of the security controls, network connections and restrictions; check the system configuration, patch levels and known vulnerabilities of the network and network security equipment; and confirm that no internal user has a private connection to an external network and that unauthorized external access cannot reach the internal network.

    7. Intrusion detection (prevention) equipment shall be deployed at the network boundary to monitor for attacks, record intrusions and raise an alarm while an intrusion is in progress.
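    The firewall requirements above (rules 1 to 8, 4.2.1.4 and 4.2.1.5) map directly onto a default-deny, stateful ruleset. The following nftables ruleset is an added example and not part of the UnionPay guide; the interface names, address ranges, the DMZ proxy host, the cardholder-data host and the admin network are assumptions chosen for illustration, and a real deployment would use its own addressing.

```nft
#!/usr/sbin/nft -f
# Added example (not from the UnionPay guide): default-deny, stateful
# three-legged firewall. Interfaces and prefixes are assumptions:
#   eth0  Internet (untrusted)
#   eth1  DMZ            192.0.2.0/24   (documentation range)
#   eth2  internal / CDE 10.10.0.0/16   (personalization network)
flush ruleset

define DMZ_NET  = 192.0.2.0/24
define CDE_NET  = 10.10.0.0/16
define DMZ_WEB  = 192.0.2.10      # assumed public-facing proxy in the DMZ
define CDE_DB   = 10.10.5.20      # assumed cardholder-data host
define FW_ADMIN = 10.10.1.0/24    # assumed admin network (4.2.1.5 rule 3)

table inet perso {
    chain forward {
        # rule 7 above: deny everything that is not explicitly permitted
        type filter hook forward priority 0; policy drop;

        # rule 3 above: stateful inspection, only established flows pass
        ct state established,related accept
        ct state invalid drop

        # rule 2 above: internal or DMZ source addresses arriving from the
        # Internet are spoofed
        iifname "eth0" ip saddr { $CDE_NET, $DMZ_NET } drop

        # rule 1 above: inbound Internet traffic may only reach the DMZ
        iifname "eth0" oifname "eth1" ip daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept

        # 4.2.1.4 rule 1: no direct routing between the Internet and the CDE
        iifname "eth0" oifname "eth2" drop
        iifname "eth2" oifname "eth0" drop

        # 4.2.1.4 rule 2: CDE outbound only to the DMZ (here: the DMZ proxy)
        iifname "eth2" oifname "eth1" ip saddr $CDE_NET ip daddr $DMZ_WEB tcp dport 3128 ct state new accept

        # rule 5 above: the only inbound path into the CDE is the DMZ proxy
        # to the database port; everything else is caught by the policy
        iifname "eth1" oifname "eth2" ip saddr $DMZ_WEB ip daddr $CDE_DB tcp dport 5432 ct state new accept

        # 4.2.1.5 rule 1: log what the default policy drops so it can be reviewed
        log prefix "fw-fwd-drop: " drop
    }

    chain input {
        # management plane of the firewall itself (4.2.1.5 rule 3)
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "eth2" ip saddr $FW_ADMIN tcp dport 22 ct state new accept
        log prefix "fw-input-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        # 4.2.1.4 rule 3: hide DMZ and internal addresses behind the
        # firewall's public address when they reach the Internet
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

    The order matters: the conntrack rules sit first so that return packets of permitted flows never reach the address checks, while every `accept` for a new flow names the ingress interface, the egress interface, the addresses and the port, so nothing is permitted by side effect. Load it with `nft -f` and verify with `nft list ruleset`; rule 1 of 4.2.1.5 is only satisfied if someone actually reads the `fw-fwd-drop` log lines.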

    4.2.1.6 Backup and Recovery

    The firewall (including its operating system, software, configuration files and database files) must be backed up so that data and configuration can be restored promptly after a system failure. The backup data and files must be kept securely and be accessible only to authorized personnel.

    Once the firewall has been attacked, the firewall administrator must reconfigure it against the detected attack. If the firewall's protection level has to be lowered, the system must be disconnected from external IP networks and the Internet, or switched over to the standby firewall.

    Without firewall protection, the personalization system must not be connected to external IP networks or the Internet.

    4.2.2 Anti-virus

    1. The manufacturer must use anti-virus software to protect the whole personalization network. Any file, software or data entering the personalization network must be scanned by the anti-virus software before it is admitted.

    2. Update the virus signature database and related information promptly, as required by the anti-virus software vendor, and generate audit logs.

    3. Define the policy needed to scan the personalization network regularly.

    4.2.3 Access Control for Customers and Third Parties

    1. Access interfaces provided to customers and third parties shall be configured according to the scope of their permissions. Third parties and customers can only view the content made available to them;

    2. Only authorized communication protocols, commands and channels may be used for access interfaces provided to the outside;

    3. The accounts of customers and third parties with access authorization shall be inspected regularly, at least once a week, with detailed records taken;

    4. Services offered over network connections with access authorization shall be strictly controlled, and customers and third parties shall not be able to communicate with each other over such a network.

    5 Workshop and System Security

    5.1 Basic Content

    1. Servers, routers, switches and firewalls, as well as the computer equipment used to process sensitive data (such as track data), shall be placed in the workshop.

    2. When selecting the location of the workshop, avoid dangerous buildings and sources of strong magnetic fields and strong noise. Keep away from factories, warehouses and yards that generate dust, soot or harmful gases, or that produce or store corrosive, flammable or explosive goods.

    3. The workshop shall use a dual power supply, or a single power supply combined with a backup generator, with automatic transfer through an ATS (Automatic Transfer Switch).

    5.2 Access Security Control

    1. The security requirements for a high security area shall be implemented in the workshop;

    2. All entrances shall be controlled by an access control system;

    3. Any unauthorized staff member or visitor who needs to enter the data workshop for work purposes shall be accompanied by authorized personnel throughout the visit, and shall personally register and sign the registration form.

    5.3 Host Security

    1. Nobody entering the data workshop may handle any equipment in it without the permission of authorized personnel;

    2. When host equipment is decommissioned or repurposed, all sensitive information related to the personalization business shall be erased under the supervision of security personnel, with records taken.

    3. All operations on every piece of equipment in the workshop shall comply with the access control requirements (see section 6, Access Control and Audit).

    5.4 Environment and Security Requirements for the Data Workshop

    1. No dangerous or flammable materials or chemicals may be stored in the workshop, so that fire or chemical leakage cannot endanger the data in it;

    2. Cables in the data workshop shall be protected to avoid mutual electrical interference that could affect data security or connectivity;

    3. Apart from the monitoring equipment, no recording equipment unrelated to the work, such as cameras or video or audio recorders, may be used in the workshop;

    4. Security monitoring and alarm systems shall be installed in the data workshop and monitored 24 hours a day. The security alarm in the data workshop shall be armed after working hours.

    5.5 Data Backup and Disaster Recovery

    5.5.1 Data Backup

    1. Regular backups shall be taken so that the system can be restored to its latest state after a disaster; backup data can be divided into system state data, application software data, access logs, etc.;

    2. The system's repair and startup disks shall be updated on a regular basis;

    3. A complete backup strategy shall be developed to ensure that disaster recovery is feasible and fast;

    4. Backups of personalization data must be taken under the supervision of security personnel, and only after obtaining the customer's written authorization.

    5.5.2 Disaster Recovery

    1. A complete disaster recovery strategy shall be developed;

    2. Disaster recovery drills shall be carried out on a regular basis, with detailed records taken.

    5.6 System Maintenance and Incident Handling

    5.6.1 Routine Maintenance

    The IT manager and security personnel shall inspect the system, network and environment daily, with detailed records taken.

    All operating systems and application systems shall promptly install the latest security patches provided by their vendors; a security patch shall be installed within two months of its release by the vendor. Establish and follow review and approval procedures for change operations such as system upgrades and version updates. In addition, the copyright, source and version of each software upgrade shall be registered in detail.

    5.6.2 Incident Handling

    1. When an incident affects routine business, the IT manager shall make a preliminary assessment after observing it and report to the IT supervisor promptly. The responsible person shall come to the workshop immediately to analyze and determine the cause of the incident, and take further measures to resolve it;

    2. Once the cause of the incident has been identified, it shall be dealt with as soon as possible, with corresponding records taken.

    5.7 Personalization Workshop Security

    1. The security requirements for a high security area shall be strictly implemented within the high security area;

    2. All entrances shall be controlled by an access control system;

    3. Any unauthorized staff member or visitor who needs to enter the data workshop for work purposes shall be accompanied by authorized personnel throughout the visit, and shall personally register and sign the registration form;

    6 Access Control and Audit

    6.1 Control of User Authorization

    6.1.1 Allow individuals to access networks, systems and data resources only as required by their work.

    6.1.2 Establish a secure user access management system, and grant and control access on a need-to-know basis. Unless specifically permitted, all access is denied. This includes:

    1. All users who request privileges shall go through the application, audit and review process, and the authority and responsibility of each user level must be specified.

    2. Assign a unique user name to every user with access rights, so that key data and system operations can be traced back to a known, authorized user.

    6.2 User Name Management

    A user name is the identifier by which a specific user enters the system and uses its information resources. Users within the same system shall follow a unified naming rule based on their nature and purpose, including but not limited to administrator users, general users, application users and audit users.

    1. Administrator users: privileged users responsible for managing and assigning all system resources.

    2. General users: operating users who use some system resources to carry out specific business functions.

    3. Application users: interface users employed when other application systems exchange information with, or call programs of, the system.

    4. Audit users: special users enabled to perform certain audit functions.

    6.3 Login Control

    The system may be accessed only after verifying the user name (identification) and the password (authentication). The following controls shall apply to user login:

    1. General users shall be locked out after three consecutive failed login attempts.

    2. An alarm mechanism for authentication failures shall be used.

    3. General users shall be logged off automatically after more than 5 minutes of inactivity.

    4. The scope and the approval procedures of remote logins (remote dial-up or VPN) shall be strictly limited.

    6.4 Password Management

    For systems that use only a static password to log in, the password policy shall comply with the following principles. Where a principle cannot be applied for special reasons, this shall be documented as an exception.

    1. The password is at least 6 characters long.

    2. The password shall include at least one letter and one digit.

    3. The password shall include at least three different characters.

    4. The password shall be changed every quarter.

    5. Reuse of any of the last four passwords is forbidden.

    6. A secure mechanism must be provided for users to reset their passwords.

    7. The system shall force the initial password to be changed. Passwords shall not be displayed, stored or transmitted in plaintext.

    8. The default passwords created when systems and products are installed shall not be used.

    9. An account that has not been used for 90 working days shall have its privileges frozen. If the account is still unused 30 days after being frozen, it shall be cancelled.
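    The password rules of 6.4 are mechanical enough to encode and test. The following Go program is an added example, not code from the guide: it checks a candidate password against rules 1, 2, 3 and 5, and derives the frozen / cancelled state of rule 9 from the date of last use. The use of SHA-256 for the password history is an assumption made only so that the history is not kept in plaintext (rule 7); the guide prescribes no hash, and a production system should use a salted, slow password hash. Calendar days stand in for the guide's working days.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Thresholds taken from section 6.4 of the guide.
const (
	MinPasswordLen   = 6
	MinDistinctChars = 3
	HistoryDepth     = 4  // rule 5: the last four passwords may not be reused
	FreezeAfterDays  = 90 // rule 9; the guide says working days, calendar days are assumed here
	CancelAfterDays  = 30 // rule 9, counted from the day the account was frozen
)

// HashPassword keeps the history free of plaintext (rule 7). A production system
// would use a salted, slow password hash (bcrypt, scrypt, Argon2), not bare SHA-256.
func HashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// CheckPassword applies rules 1, 2, 3 and 5 to a candidate password. history holds
// hashes of previous passwords, most recent first; only the newest four count.
func CheckPassword(candidate string, history []string) error {
	if len([]rune(candidate)) < MinPasswordLen {
		return errors.New("shorter than 6 characters")
	}
	hasLetter, hasDigit := false, false
	distinct := map[rune]struct{}{}
	for _, r := range candidate {
		distinct[r] = struct{}{}
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		return errors.New("must contain at least one letter and one digit")
	}
	if len(distinct) < MinDistinctChars {
		return errors.New("must contain at least three different characters")
	}
	if len(history) > HistoryDepth {
		history = history[:HistoryDepth]
	}
	h := HashPassword(candidate)
	for _, old := range history {
		if old == h {
			return errors.New("matches one of the last four passwords")
		}
	}
	return nil
}

// State is an account's position in the rule 9 lifecycle.
type State string

const (
	Active    State = "active"
	Frozen    State = "frozen"
	Cancelled State = "cancelled"
)

// AccountState derives the state from the last use: frozen after 90 idle days,
// cancelled when a further 30 days pass without use.
func AccountState(lastUsed, now time.Time) State {
	idleDays := int(now.Sub(lastUsed).Hours() / 24)
	switch {
	case idleDays >= FreezeAfterDays+CancelAfterDays:
		return Cancelled
	case idleDays >= FreezeAfterDays:
		return Frozen
	default:
		return Active
	}
}

func main() {
	history := []string{HashPassword("perso2010")} // constructed previous password
	for _, pw := range []string{"abc12", "abcdef", "aaa111", "perso2010", "Perso2011"} {
		fmt.Printf("%-10s -> %v\n", pw, CheckPassword(pw, history))
	}
	now := time.Date(2010, 12, 1, 9, 0, 0, 0, time.UTC) // constructed reference date
	for _, idle := range []int{10, 100, 125} {
		fmt.Printf("idle %3d days -> %s\n", idle, AccountState(now.AddDate(0, 0, -idle), now))
	}
}
```

    Note that "aaa111" satisfies rules 1 and 2 but fails rule 3, which is the rule that removes the weakest passwords rules 1 and 2 still allow; and that rule 4 (quarterly change) and rule 9 both need a stored timestamp, so the account record must carry a last-changed date as well as a last-used date.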

    6.5 Security Audit

    The system must enable the audit functions needed to record the following events:

    1. The date and manner of each user's login to the system.

    2. Failed access attempts.

    3. Access to key directories and the execution of key operations (events related to system security).

    4. Regularly compile statistics on users' access to system resources and feed them back to the users for confirmation and evaluation. The resource items to be analyzed are determined according to the users' needs.

    5. For systems that have no audit function, or for which enabling it is unsuitable, third-party auxiliary audit tools may be selected.

    6. At least once a year, an internal or external audit of the network, the security equipment and the personalization system shall be carried out to verify that management, configuration and policy comply with the security requirements, and a detailed record of the audit shall be kept.

    6.6 Log Management

    1. Log files shall be retained for at least one year.

    2. Apart from audit users, no user may access or modify the audit log.

    3. The manufacturer shall establish sound mechanisms for log recording and review. Each log entry shall include the user ID, the date and time of the operation, the operation performed and whether it succeeded.

    The system shall log the following events:

    - User access to sensitive information and sensitive equipment
    - The method used to log in to the system
    - Failed access attempts
    - Operations of the system administrator
    - Access to the system log
    - Other system events involving logical security

    4. The clocks of all important systems shall be kept synchronized, so that system access and operations are recorded accurately.
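    The four fields rule 3 requires in every record (user ID, date and time, operation, outcome) are enough to check several of this section's own rules automatically during the log review. The following Go program is an added example, not part of the guide: it parses log lines in an assumed key=value format and flags records missing a mandatory field (rule 3), a successful login after three failures with no administrative unlock in between (the lockout of 6.3 rule 1 was not enforced), and audit-log access by any account outside the audit role (rule 2). The log format, host and user names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Entry carries the four fields that 6.6 rule 3 requires in every log record,
// plus the host and an optional target user for administrative actions.
type Entry struct {
	Time   time.Time
	Host   string
	User   string
	Op     string
	Target string
	OK     bool
}

// ParseLine parses the assumed line format
// "<RFC3339 time> host=<h> user=<u> op=<o> result=ok|fail [target=<t>]".
// A record missing any mandatory field is rejected.
func ParseLine(line string) (Entry, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Entry{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Entry{}, fmt.Errorf("bad timestamp: %q", line)
	}
	e, seenResult := Entry{Time: ts}, false
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Entry{}, fmt.Errorf("bad field %q", kv)
		}
		switch parts[0] {
		case "host":
			e.Host = parts[1]
		case "user":
			e.User = parts[1]
		case "op":
			e.Op = parts[1]
		case "target":
			e.Target = parts[1]
		case "result":
			seenResult, e.OK = true, parts[1] == "ok"
		}
	}
	if e.Host == "" || e.User == "" || e.Op == "" || !seenResult {
		return Entry{}, fmt.Errorf("mandatory field missing: %q", line)
	}
	return e, nil
}

// Review walks the records in order and returns one finding per violation:
// malformed records (6.6 rule 3), a successful login after three failures with
// no admin unlock (6.3 rule 1 not enforced), and audit-log access by a user who
// is not in the audit role (6.6 rule 2).
func Review(lines []string, auditUsers map[string]bool) []string {
	var findings []string
	failures := map[string]int{} // consecutive failed logins per user
	locked := map[string]bool{}  // users the system should have locked
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			findings = append(findings, "malformed record: "+err.Error())
			continue
		}
		switch e.Op {
		case "login":
			if !e.OK {
				failures[e.User]++
				if failures[e.User] >= 3 {
					locked[e.User] = true
				}
				continue
			}
			if locked[e.User] {
				findings = append(findings, fmt.Sprintf("%s %s: %s logged in after %d failures with no unlock (lockout not enforced)",
					e.Time.Format(time.RFC3339), e.Host, e.User, failures[e.User]))
				delete(locked, e.User)
			}
			failures[e.User] = 0
		case "unlock":
			if e.OK {
				delete(locked, e.Target)
				failures[e.Target] = 0
			}
		case "read_audit_log", "modify_audit_log":
			if !auditUsers[e.User] {
				findings = append(findings, fmt.Sprintf("%s %s: %s by non-audit user %s",
					e.Time.Format(time.RFC3339), e.Host, e.Op, e.User))
			}
		}
	}
	return findings
}

// SampleLog is constructed for this example; the lines are not from any real system.
var SampleLog = []string{
	"2010-12-01T08:00:00Z host=perso-srv1 user=alice op=login result=ok",
	"2010-12-01T08:05:10Z host=perso-srv1 user=bob op=login result=fail",
	"2010-12-01T08:05:20Z host=perso-srv1 user=bob op=login result=fail",
	"2010-12-01T08:05:31Z host=perso-srv1 user=bob op=login result=fail",
	"2010-12-01T08:06:02Z host=perso-srv1 user=bob op=login result=ok",
	"2010-12-01T09:00:00Z host=perso-srv1 user=carol op=read_audit_log result=ok",
	"2010-12-01T09:10:00Z host=perso-srv1 user=alice op=read_audit_log result=ok",
	"2010-12-01T09:20:00Z host=perso-srv1 user=dave op=login",
}

// AuditUsers is the assumed set of accounts in the audit role of 6.2 item 4.
var AuditUsers = map[string]bool{"carol": true}

func main() {
	for _, f := range Review(SampleLog, AuditUsers) {
		fmt.Println(f)
	}
}
```

    The checks only work if the records are reviewed in time order across hosts, which is why rule 4 (clock synchronization) sits in the same section: with unsynchronized clocks the three failures and the later success from different hosts cannot be ordered, and the lockout check becomes unreliable.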

    7 Product Processing and Security Management

    7.1 Personalization Process

    The personalization process for magnetic stripe cards and IC cards comprises several stages: initialization, data preparation, processing on the personalization equipment, post-processing, etc.

    7.2 Personalization of Magnetic Stripe Cards

    7.2.1 Data Preparation

    In magnetic stripe card personalization, data preparation means that the personalization provider processes the personalization data transmitted by the issuer (decryption and format conversion) into a format that the personalization equipment can read. It is recommended that the encryption, decryption and data conversion be performed in a hardware security module (HSM).

    7.2.2 Personalization Processing

    Personalization processing is the process in which the magnetic stripe reader/writer writes the personalization data onto the magnetic stripe card. When the personalization equipment writes data to the card, the data must be encrypted and in the format the equipment recognizes, and the equipment operator must not be able to read the plaintext data on the equipment.

    7.3 IC Card Initialization and Its Security

    7.3.1 Description of Initialization

    Initialization of an IC card means that the card receives initialization commands and related data from the initialization equipment and, according to those commands, creates the relevant application, the necessary file structure and part of the data, in preparation for the subsequent personalization step.

    7.3.2 Security Requirements

    When the IC card initialization equipment sends initialization commands and data to the card, the commands and data sent must be encrypted/decrypted and MAC-checked, and the encryption and decryption must be performed in a connected hardware security module (HSM);

    Key values such as KENC, KMAC and KDEK shall be unique to each card and shall be loaded onto the card under the protection of the key generator. Where they cannot be loaded onto the card, physical access must be strictly restricted;

    Access to the card must be protected by a password of 16 digits or more;

    Initialization must take place within the high security area of the plant and meet all the security requirements and procedures needed to comply with the Guide to Security Management of UnionPay Card Product Manufacturers.

    7.4 Personalization of IC Cards

    7.4.1 Security Requirements for Data Preparation

    Data preparation creates the procedures and data for the IC card application; the data mainly include the issuer's master keys and related data, application keys and certificates, and application data. The steps are:

    1. Create the personalization data;

    2. Group the personalization data into data groupings;

    3. Create the personalization instructions and commands;

    4. Create the log record data for the application;

    5. Create the input file for the personalization equipment.

    The security requirements for data preparation are:

    The whole data preparation process must be carried out on data processing equipment connected to a hardware security module (HSM).

    Import and export of keys and data shall follow the requirements of the EMV 2000 Integrated Circuit Card Specification for Payment Systems and the China Financial Integrated Circuit Card Specifications, to ensure key and data security.

    7.4.2 Security Requirements for Personalization Processing

    Personalization processing is the process in which the chip reader/writer sends the personalization data to the chip card. During data loading the personalization equipment must be connected to a hardware security module (HSM), so that the data are encrypted/decrypted and MAC-checked while the commands are sent;

    Obtain KENC, KDEK and KMAC, and establish a secure channel through mutual authentication;

    Processing shall take place within the high security area of the plant and comply with the security requirements and procedures of the UnionPay Card Manufacturer Security Management Guide V3.0.

    7.4.3 Post-processing

    Post-processing of IC card personalization means confirming that the IC card has accepted the personalization application data sent by the personalization equipment and stored it correctly for future use, and locking the personalized IC card with the pre-personalization key.

    7.5 Process Security Requirements

    7.5.1 Process Procedures

    The personalization processing procedures shall be kept as official documents, and any modification shall be authorized by the relevant managers. The procedures shall describe in detail how each job is carried out, including:

    1. The operating procedure for the personalization equipment;

    2. The handling and disposal procedure for data and information;

    3. Operating guidance for errors and other abnormal conditions during processing, including restrictions on the use of system equipment, etc.

    7.5.2 Control of the Personalization Process

    1. Card and cardholder information shall not be disclosed to personnel not involved in the job during personalization, and it must be ensured that the personalization data cannot be modified;

    2. At the handover between steps, the personnel responsible for counting the cards and envelopes shall not know the expected count in advance (blind counting);

    3. Strict quantity control shall be applied throughout personalization. The main control records for each work sheet / batch shall be kept separately and shall include the work sheet number, the issuer name, the card type, etc. Each processing step shall record: the quantity initially issued, the quantity remaining from the previous step, the quantity handed over, the number of cards returned to the warehouse, the quantity of spoiled cards, the quantity of sample / test cards, the personalization equipment used and its records, the operator's signature, the date, the time, the inspector's signature, etc.;

    4. Any failure of the personalization equipment shall be recorded and the records kept for at least three months, including: the operator's name, the inspector's signature, the equipment description / equipment number, the work sheet number, the date, the time, the reason for the failure, etc.;

    5. During card preparation, at least two people shall be present at the embossing and production site. Dual control shall apply to system login, and the relevant files on the personalization equipment shall be deleted on completion.

    7.5.3 Management of Embossing Foil, Card Carriers and UG Color Strips

    1. A foil inventory registration form is recommended. Checks shall be reconciled against the number of destroyed foils;

    2. Used foils shall be stored in the dual-control area until they are destroyed;

    3. An embossing foil destruction log shall be kept, including the roll (barrel) number, the date, and the two signatures witnessing the destruction, etc.;

    4. All foils carrying cardholder information shall be destroyed promptly under dual supervision once removed from the card machine;

    5. The same security controls shall be applied to card carriers (mailing sheets) and UG color strips.

    7.5.4 Management of Cards Under Personalization

    1. A complete blank card archive and quantity management system shall be established. The quantity of each card type entering or leaving the warehouse shall be verified on the same day;

    2. Cards taken out of the warehouse but not used shall be returned to the vault for storage before personalization processing is completed;

    3. Cards under processing shall be in the custody of authorized employees / operators at all times to ensure their security; cards under processing must never be left unattended;

    4. Cards not yet personalized (blank cards) shall be stored in the vault under dual control, and unauthorized employees must be kept away from them;

    5. Personalized cards shall be mailed in a secure and traceable manner.

    8 Key Management

    The principle of key security management is that all encryption and decryption operations outside the IC card shall be performed in a hardware security module (HSM).

    8.1 Key Description

    8.1.1 Personalization Keys

    The corresponding encryption keys shall be created before IC card personalization; they mainly include the following:

    KMC (personalization master key): the key version number of the personalization master key shall be present on the IC card. KMC is used to generate the initial personalization keys (KENC, KMAC and KDEK) for every application, and is unique to each issuer.

    KENC (encryption diversified key): one KENC is generated for each IC card and written into the corresponding application. It is used to generate the card cryptogram and to verify the host cryptogram. If the cryptographic security level requires the data field of the STORE DATA command to be encrypted, this diversified key (in practice the session key derived from it) is also used to decrypt the data field of that command in CBC mode. KENC is a 16-byte double-length DES key (112 effective bits plus parity bits), unique to each card.

    KMAC (MAC diversified key): one KMAC is generated for each IC card and written into the corresponding application. It is used to verify the C-MAC of the EXTERNAL AUTHENTICATE command, and when the security level requires the STORE DATA command to carry a MAC, it is also used to verify the C-MAC of the STORE DATA command. KMAC is a 16-byte double-length DES key (112 effective bits plus par-ity bits), unique to each card.

    KDEK (key encryption diversified key): one KDEK is generated for each IC card and written into the card. It is used to decrypt the confidential data received in the STORE DATA command in ECB mode. KDEK is a 16-byte double-length DES key (112 effective bits plus parity bits), unique to each card.

    8.1.2 Card Keys

    Issuer public/private key pair: usually generated by the issuer. The public key is sent to the certification authority for financial IC cards in China to create the issuer public key certificate, while the private key is kept in the issuer's HSM (host security module).

    If the key is handled by the personalization provider on behalf of the issuer, the key pair shall be managed according to this Guide.

    The following optional keys may also be generated:

    IC card public key pair: used by cards that implement DDA or CDA (combined DDA / application cryptogram generation), or offline PIN encipherment. The public key is signed with the issuer's private key to create the IC card public key certificate. The IC card key pair shall be unique to each card;

    MDK ENC: used to derive UDK ENC;

    UDK ENC: used to encrypt the confidential data in issuer scripts;

    MDK MAC: used to derive UDK MAC;

    UDK MAC: used to authenticate issuer script messages.

    MDK ENC and MDK MAC shall be unique to each issuer. UDK ENC and UDK MAC shall be unique to each card.

    Please refer to the following table:

    Key: online authentication key for financial IC cards in China
      Shared by: issuer and card
      Purpose: the master key is used to generate the unique card key, which is used for online authentication between the card and the issuer.
      Master key: MDK; card key: UDK; session key: SUDK (used for the application cryptogram)

    Key: message authentication key for financial IC cards in China
      Shared by: issuer and card
      Purpose: the master key is used to generate the unique card key, which in turn generates the session key for the message authentication needed when data are updated after card issuance.
      Master key: MDK MAC; card key: UDK MAC; session key: SUDK MAC

    Key: data encryption key for financial IC cards in China
      Shared by: issuer and card
      Purpose: the master key is used to generate the unique card key, which in turn generates the session key that encrypts the confidential data (e.g. the offline PIN) updated after card issuance.
      Master key: MDK ENC; card key: UDK ENC; session key: SUDK ENC

    Key: ICC private key
      Shared by: issuer and card
      Purpose: generated by the issuer and stored securely on the card. During offline dynamic data authentication (DDA) this private key signs the dynamic data. After personalization the issuer usually does not retain this key.
      Master key / session key: none (the private key itself is unique to the card)

    8.1.3 Transmission Keys

    The following keys are mainly used to transmit data and keys between the various stages of card personalization.

    Key exchange key (KEK): a key exchange key established for the channel between the issuer and the data preparation system, used to encrypt the confidential data transmitted between the issuer and the personalization data preparation equipment. The KEK shall be unique to each issuer and shall be changed on a regular basis.

    Data encryption key (DEK) / transmission key (TK): a dedicated transmission key used to encrypt the PIN and other confidential data between the data preparation equipment and the personalization equipment.

    Message authentication code key (MAC key): a dedicated transmission key used to guarantee the integrity of the personalization file between the data preparation system and the personalization system.

    Please refer to the following table:

| Key Name | Key Share | Purpose | Master Key | Card Key | Dialogue Key |
|---|---|---|---|---|---|
| Issuer's master key | Issuer, IC card manufacturer and personalization equipment | The IC card manufacturer uses this KMC to generate the card-level keys (KENC, KMAC, KDEK) and writes them onto the card. | KMC | | |
| | | Used to create one dialogue key, which can be used to create cipher text and encrypt confidential data under CBC mode. | | KENC | SK_UENC |
| | | Used to create one dialogue key, which can be used to create the C-MAC during command processing. | | KMAC | SK_UMAC |
| | | Used to create one dialogue key, which can be used to encrypt DES keys or flexibly encrypt other confidential data under ECB mode. | | KDEK (data encryption key) | SK_UDEK |
| Issuer's key exchange key | Issuer and data preparation equipment | Protects the offline PIN and other confidential data between the issuer and the data preparation equipment. | KEK_ISS | | |
| Data encryption key / transmission key | Data preparation equipment and personalization equipment | Protects the offline PIN and other confidential data between the data preparation equipment and the personalization equipment. Data transmission keys of the following special types might be used: PEK/TK, PIN encryption key, used to protect PIN data; KEK/TK, key exchange key, used to protect DES keys. | DEK / TK | | |
| MAC key (message authentication code key) | Provided by the data preparation equipment to the personalization equipment in the personalization data document | Used to guarantee the integrity of the application data provided to the personalization equipment in the personalization data document. | MAC key | N/A | N/A |
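The hierarchy in the table above (issuer master key KMC, card-level keys KENC/KMAC/KDEK written at personalization, and per-session dialogue keys used for CBC encryption, C-MAC generation and ECB key encryption) can be walked through in code. The following Go program is an added example and is not code from the guide, from UnionPay or from any card platform specification: the derivation inputs (card identification data plus a label byte, a session counter), the derivation function (3DES-ECB of 16 bytes of diversification data under the parent key), the zero IV and the padding method are assumptions chosen for illustration, not the construction the guide mandates.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// tdes builds a two-key 3DES cipher (K1||K2||K1) from a 16-byte key.
func tdes(key []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		panic(err)
	}
	return b
}

// ecb16 encrypts two 8-byte blocks under key in ECB mode. It serves both as the
// key-derivation primitive (ASSUMED for illustration: child key = 3DES-ECB of
// 16 bytes of diversification data under the parent key) and as the ECB key
// wrapping that the table assigns to KDEK.
func ecb16(key, in []byte) []byte {
	b := tdes(key)
	out := make([]byte, 16)
	b.Encrypt(out[:8], in[:8])
	b.Encrypt(out[8:], in[8:])
	return out
}

// CardKeys are the card-level keys written by the personalization equipment.
type CardKeys struct{ KENC, KMAC, KDEK []byte }

// DeriveCardKeys diversifies the issuer master key KMC with card identification
// data (up to 7 bytes per half) and a label byte per key (assumed: 1, 2, 3); the
// label and its complement keep the two halves of each key different.
func DeriveCardKeys(kmc, cardID []byte) CardKeys {
	div := func(label byte) []byte {
		d := make([]byte, 16)
		copy(d[1:8], cardID)
		copy(d[9:16], cardID)
		d[0], d[8] = label, ^label
		return ecb16(kmc, d)
	}
	return CardKeys{KENC: div(1), KMAC: div(2), KDEK: div(3)}
}

// SessionKey derives a dialogue key (SK_U*) from a card key and a session
// counter (assumed: counter and its complement fill the two halves of the data).
func SessionKey(cardKey []byte, counter uint16) []byte {
	d := make([]byte, 16)
	d[0], d[1] = byte(counter>>8), byte(counter)
	d[8], d[9] = ^d[0], ^d[1]
	return ecb16(cardKey, d)
}

// pad80 applies ISO/IEC 9797-1 padding method 2: 0x80 then zeros to a block boundary.
func pad80(msg []byte) []byte {
	p := append(append([]byte{}, msg...), 0x80)
	for len(p)%8 != 0 {
		p = append(p, 0)
	}
	return p
}

// CMAC is an 8-byte 3DES CBC-MAC (zero IV) over a command, the SK_UMAC role.
func CMAC(skMAC, cmd []byte) []byte {
	b := tdes(skMAC)
	mac := make([]byte, 8)
	p := pad80(cmd)
	for i := 0; i < len(p); i += 8 {
		for j := range mac {
			mac[j] ^= p[i+j]
		}
		b.Encrypt(mac, mac)
	}
	return mac
}

// EncryptCBC protects confidential data (e.g. an offline PIN block) under
// SK_UENC in CBC mode with a zero IV, the KENC role in the table.
func EncryptCBC(skENC, data []byte) []byte {
	p := pad80(data)
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(tdes(skENC), make([]byte, 8)).CryptBlocks(out, p)
	return out
}

// WrapKeyECB encrypts a 16-byte DES key under SK_UDEK, the KDEK role in the table.
func WrapKeyECB(skDEK, key []byte) []byte { return ecb16(skDEK, key) }

func main() {
	kmc, _ := hex.DecodeString("404142434445464748494A4B4C4D4E4F") // constructed sample KMC
	ck := DeriveCardKeys(kmc, []byte{0x62, 0x25, 0x88, 0x00, 0x01, 0x23, 0x45, 0x67})
	fmt.Printf("KENC=%X KMAC=%X KDEK=%X\n", ck.KENC, ck.KMAC, ck.KDEK)
	fmt.Printf("C-MAC=%X\n", CMAC(SessionKey(ck.KMAC, 1), []byte{0x84, 0xDA, 0x00, 0x66, 0x08}))
	fmt.Printf("wrapped KDEK=%X\n", WrapKeyECB(SessionKey(ck.KDEK, 1), ck.KDEK))
}
```

The property worth checking in any such hierarchy is that the card keys depend on card data, so compromise of one card's KDEK exposes no other card, while the KMC is only ever the parent of a derivation and never leaves the issuer's or manufacturer's HSM; the dialogue keys additionally change with the counter, so a C-MAC captured in one session is not valid in a later one.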

8.2 Encryption and Transmission of Key and Data

[Figure: key and data flow from the issuer HSM, through the data preparation equipment HSM and the personalization equipment HSM, to the card (with the certification center and the personalization manufacturer): KMC and KDEK are delivered under KEK encryption, confidential data is carried under TK encryption, and KMAC (for card lock) and KDEK (for data encryption) are written to the card.]

8.2.1 From the Issuer to the Personalization Service Provider

While receiving the personalization document from the issuer, the document information:

1. Must be safely stored, and the right to access such information must be strictly assessed;
2. Upon completion of personalization, the data within the system shall be cleaned up in a safe way;
3. Must be decrypted from KEK and re-encrypted under TK on the hardware security module (HSM) in order to transmit the confidential information to the personalization equipment;
4. The data preparation system shall have at least one medium security area that can control data access, and the data access right shall be limited to those with business requirements.

The security requirements for the encryption process shall apply to the given data group and IC card purpose, and shall be consistent with the corresponding encryption process, whether during data preparation or during the machine processing related to the personalization equipment.

8.2.2 Security Requirements during the Personalization Process

During the personalization processing stage, the personalization equipment:

1. Shall implement the KDEK calculation process for the IC card on the hardware security module (HSM);
2. Shall decrypt the confidential information in the personalization document from the transmission key TK and re-encrypt it under KDEK for transmission to the card, and such decryption process shall be implemented on the HSM;
3. Must be installed in a high security area of the plant and comply with all the security requirements and procedure requirements stipulated by the security standards for the production of financial integrated circuit (IC) cards in China.
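Item 3 of 8.2.1 and item 2 of 8.2.2 describe key translation: the confidential field arrives encrypted under the issuer's KEK, is re-encrypted under TK for the personalization equipment, and is re-encrypted there under the card's KDEK, with each step performed inside an HSM so that the plaintext never appears on the host. The Go program below is an added example, not the guide's procedure or any HSM vendor's API: the HSM type, its Translate method, the key names and the block-aligned ECB handling of an 8-byte PIN block are assumptions for illustration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// crypt runs 3DES over whole 8-byte blocks in ECB mode under a 16-byte key (K1||K2||K1).
// ECB is tolerable here only because each field is one fixed-size value (an 8-byte PIN block).
func crypt(key, in []byte, decrypt bool) ([]byte, error) {
	if len(key) != 16 || len(in) == 0 || len(in)%8 != 0 {
		return nil, errors.New("need a 16-byte key and a non-empty multiple of 8 bytes")
	}
	b, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		if decrypt {
			b.Decrypt(out[i:i+8], in[i:i+8])
		} else {
			b.Encrypt(out[i:i+8], in[i:i+8])
		}
	}
	return out, nil
}

// HSM models the trust boundary of one hardware security module: keys are
// addressed by name, and only cipher text crosses the boundary.
type HSM struct{ keys map[string][]byte }

// NewHSM installs the named keys (in practice loaded under dual control, 8.4).
func NewHSM(keys map[string][]byte) *HSM {
	h := &HSM{keys: map[string][]byte{}}
	for name, k := range keys {
		h.keys[name] = append([]byte{}, k...)
	}
	return h
}

// Translate decrypts ct under fromKey and re-encrypts it under toKey. The intermediate
// plaintext exists only inside this method and is wiped before it returns.
func (h *HSM) Translate(fromKey, toKey string, ct []byte) ([]byte, error) {
	from, ok1 := h.keys[fromKey]
	to, ok2 := h.keys[toKey]
	if !ok1 || !ok2 {
		return nil, errors.New("unknown key name")
	}
	pt, err := crypt(from, ct, true)
	if err != nil {
		return nil, err
	}
	out, err := crypt(to, pt, false)
	for i := range pt {
		pt[i] = 0 // wipe the clear field before leaving the boundary
	}
	return out, err
}

// cardDecrypt is what the card itself does with its KDEK at the end of the chain.
func cardDecrypt(kdek, ct []byte) ([]byte, error) { return crypt(kdek, ct, true) }

// PersonalizeOfflinePIN runs the chain issuer -> data preparation equipment ->
// personalization equipment -> card and returns the PIN block as the card sees it.
func PersonalizeOfflinePIN(kek, tk, kdek, pinBlock []byte) ([]byte, error) {
	prep := NewHSM(map[string][]byte{"KEK": kek, "TK": tk})
	perso := NewHSM(map[string][]byte{"TK": tk, "KDEK": kdek})
	underKEK, err := crypt(kek, pinBlock, false) // done inside the issuer's own HSM
	if err != nil {
		return nil, err
	}
	underTK, err := prep.Translate("KEK", "TK", underKEK) // 8.2.1 item 3
	if err != nil {
		return nil, err
	}
	underKDEK, err := perso.Translate("TK", "KDEK", underTK) // 8.2.2 item 2
	if err != nil {
		return nil, err
	}
	return cardDecrypt(kdek, underKDEK)
}

func main() {
	// Constructed sample keys and PIN block; real values never leave an HSM.
	kek, _ := hex.DecodeString("0011223344556677889900AABBCCDDEE")
	tk, _ := hex.DecodeString("1122334455667788990011223344AABB")
	kdek, _ := hex.DecodeString("2233445566778899001122334455CCDD")
	pin := []byte{0x24, 0x12, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
	got, err := PersonalizeOfflinePIN(kek, tk, kdek, pin)
	fmt.Printf("card recovers %X (err=%v)\n", got, err)
}
```

The point to verify in a real deployment is that no interface outside the HSM boundary returns the intermediate plaintext: Translate takes cipher text and returns cipher text, wipes the buffer it briefly held, and rejects unknown key names or inputs that are not block aligned rather than guessing.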

8.3 Key Operation

8.3.1 Asymmetric (RSA) Key

The security of an IC card depends on the protection of the private (signature) key. Failure to guarantee the security of the private key used for signing the static or dynamic data elements creates the risk of falsification of IC cards. The major risks confronting the private key are:

1. Successful factoring of the RSA modulus;
2. Disclosure of the private key itself.

In order to limit the disclosure problem represented by these risks, we recommend applying the following requirements:

1. Length of the RSA key modulus in bits, e.g., 768, 896, 1024 and 1152, constituting the public/private key modulus;
2. Guarantee that the private (signature) key is physically protected from unauthorized access.

8.3.1.1 Generation of Asymmetric Key

1. Generation of the RSA public/private key pair shall be completed in a fully protected hardware security machine (HSM). Such equipment shall include a random or pseudo-random number generator, implement the original authentication process and support a tamper-response mechanism;
2. The RSA private (signature) key may be temporary to the physical security equipment. Key generation shall utilize a random or pseudo-random process to ensure that no key can be predicted and that no key in the key space is more likely to be determined than any other random key;
3. Personal computers or other similar unsafe equipment, i.e., equipment that cannot be fully trusted, cannot be used to generate RSA public/private key pairs.

8.3.1.2 Transmission of Asymmetric Key

In order to protect the integrity and security of the public/private key pair during the transmission process, the following steps shall be ensured:

1. A mode that can ensure integrity shall be used for the public key to guarantee secure transmission. It is recommended that the public key be transmitted in a data structure such as a certificate, or that a message authentication code over the public key and relevant data be computed with an algorithm defined by ISO 9807 and a key used only for this purpose, or that dual control be used to ensure that the recipient of the public key is able to verify its sender and integrity, i.e., realized by separate or independent transmission of an authentication value;
2. A mode that can ensure the integrity and confidentiality of the private key shall be used to guarantee its secure transmission. The transmission mechanism includes the following modes:

The encryption and decryption operations shall be conducted on one unit of secure hardware security machine;

Use a symmetric algorithm of at least equivalent strength to encrypt the private key under a protection key, split into several parts (guaranteeing security on the IC card), and use the same symmetric algorithm for decryption.

8.3.2 Symmetric Key (DES)

DES keys are used for special transaction functions. A DES key is derived from a master derivation key during personalization, and the final card-level key is unique.

1. Issuer's master derivation key (IDKAC): used to derive the card key for generating the MAC named application context (AC);
2. Issuer's secure messaging master keys (IMKSMC, IMKSMI): used to derive the card keys used in secure messaging between the card and the authentication system, i.e., card lock, application lock/unlock, updating specific card data and PIN modification.

8.3.2.1 Generation of Symmetric Key

The key generator shall use the following principles to minimize the opportunity for disclosure of key data during the creation period.

1. DES keys shall be generated in physically secure equipment protected by a tamper-response mechanism, or shall be generated part by part by the authorized working staff. The security equipment shall include a random or pseudo-random number generator;
2. An unprotected key cannot exist outside the protection of a unit of physically secure equipment at any time. The physically secure equipment cannot export a plaintext key at any time, unless it is exported as cipher text or in two or more parts;
3. When the key is generated by the authorized working staff via a process of combining various parts, every party is requested to generate one part of the same length as the key to be generated. The key shall be combined within one unit of physically secure equipment, ensuring that the key value cannot be identified even if any one subset of the parts is known. The separated key shall be controlled by one management institution, and at least the holder of one part shall be an employee of the issuer;
4. A check digit shall be calculated for every actual key;
5. Personal computers or other similar unsafe equipment cannot be used to generate key material;
6. If any key is found to exist outside physically secure equipment, or every part of the key is suspected to be known by some people or held by a single person, such key shall be deemed to have been disclosed, and a new key shall be required for replacement.
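Items 1 to 4 of 8.3.2.1 describe a DES key generated as several components of the key's own length, combined only inside physically secure equipment, and identified by a check digit. The Go program below is an added example, not the guide's procedure: the XOR combination of components, the three-byte key check value (the 3DES encryption of an all-zero block) and the component record format are assumptions for illustration, since the guide does not specify them.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// KCV is the key check value used as the "check digit" of a 16-byte 3DES key: the first
// 3 bytes of the encryption of an all-zero block (ASSUMED convention, not fixed by the guide).
func KCV(key []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("key must be 16 bytes")
	}
	b, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	b.Encrypt(out, make([]byte, 8))
	return out[:3], nil
}

// GenerateComponents draws n independent 16-byte components from the platform CSPRNG;
// each custodian receives exactly one of them.
func GenerateComponents(n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("split knowledge needs at least two components")
	}
	parts := make([][]byte, n)
	for i := range parts {
		parts[i] = make([]byte, 16)
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
	}
	return parts, nil
}

// Combine XORs same-length components into the key. Only the physically secure device
// runs this; any proper subset of the parts is statistically independent of the key.
func Combine(parts [][]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("need at least two components")
	}
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(key) {
			return nil, errors.New("components must have the same length")
		}
		for i := range key {
			key[i] ^= p[i]
		}
	}
	return key, nil
}

// Component is what one custodian records: the part and its own check value, so the
// part can be verified on entry without revealing anything about the final key.
type Component struct{ Value, KCV []byte }

// VerifyComponent recomputes a component's check value against the recorded one.
func VerifyComponent(c Component) bool {
	k, err := KCV(c.Value)
	return err == nil && len(c.KCV) == 3 && string(k) == string(c.KCV)
}

// Ceremony generates n components, combines them as the secure device would, and
// returns the key, its KCV and the custodians' component records.
func Ceremony(n int) (key, kcv []byte, comps []Component, err error) {
	parts, err := GenerateComponents(n)
	if err != nil {
		return nil, nil, nil, err
	}
	for _, p := range parts {
		c, _ := KCV(p) // p is 16 bytes by construction, so KCV cannot fail
		comps = append(comps, Component{Value: p, KCV: c})
	}
	if key, err = Combine(parts); err != nil {
		return nil, nil, nil, err
	}
	kcv, err = KCV(key)
	return key, kcv, comps, err
}

func main() {
	key, kcv, comps, err := Ceremony(3)
	if err != nil {
		panic(err)
	}
	sub, _ := Combine([][]byte{comps[0].Value, comps[1].Value}) // two of three parts
	subKCV, _ := KCV(sub)
	fmt.Printf("key bytes=%d KCV=%X; part 1 verified=%v; two-of-three KCV=%X\n",
		len(key), kcv, VerifyComponent(comps[0]), subKCV)
}
```

XOR combination gives the split-knowledge property that item 3 asks for: each component is uniformly random, so any subset that omits at least one part carries no information about the key, and the check value of such a subset matches the real key's only by a 2^-24 chance. Recording a check value per component lets an operator detect a mistyped part before it is combined, without anyone learning the final key.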

8.3.2.2 Transmission of Symmetric Key

During the transmission or storage of DES keys, the following measures will limit the potential risk of data disclosure.

1. DES keys can be safely transferred to a piece of security equipment or a smart card for transmission and storage;
2. Transmission of DES keys shall follow the principle of dual control and separate holding.


8.4 Key Storage

Keys shall be stored so as to prevent key disclosure, modification or substitution, with the major security requirements detailed as follows:

1. Plaintext private keys and secret keys shall be stored in the hardware security machine (HSM);
2. Private and secret keys and their components shall be stored under the principle of dual control and separate holding. Effective implementation of these principles needs procedural control to prevent any administrator (or non-administrator holding any individual component) from accessing enough components to constitute the actual key;
3. Private and secret key components shall be stored on media (e.g., floppy disk, PC card, smart card, etc.), which shall be safely stored to prevent any unauthorized individual from obtaining the key components;
4. If private and secret key components are stored on media protected by a personal identification number (PIN), then only the media owner shall hold the media and its corresponding PIN at the same time;
5. Private or secret key components stored in key transfer equipment shall be controlled by sufficient access control, such as a password;
6. Whenever a private key or key encryption key and its components is stored in or loaded onto security equipment, a record shall be kept, which shall at least include the date and access time, purpose of the access, signature of the administrator accessing the component and other information; the record shall be clearly maintained until termination or destruction of the key.

8.5 Key Backup

Key backups and duplicates shall exist only in one allowable storage form. All backups shall be protected by the same security control level as, or a level higher than, the key under use. Upon completion of storage, the backup shall be safely stored under correct access control and at least dual control.

Backup and duplication of private keys in the hardware security machine shall be controlled via actual user identification (e.g., access identification tag, password or other methods) to prevent unauthorized use of the key.

Key backup must be operated by two authorized management staff, and the private key and its components shall be output from the hardware security machine as cipher text; additionally, all backup and recovery procedures shall be documented, with all access to the keys recorded.


8.6 Key Destruction

8.6.1 Keys to be Destroyed

Unused or replaced keys shall be destroyed:

1. All keys whose use is terminated shall be destroyed, including all used, stored, backup and duplicated keys;
2. All key termination procedures shall be documented, with all key termination activities recorded;
3. A non-key administrator, e.g., an external (issuer's representative) or internal (security management personnel) person, shall witness the whole course of key destruction and sign the destruction record form.

8.6.2 Destruction Methods

All private and secret keys shall be destroyed safely by the following methods:

1. Key components kept on paper shall be destroyed by burning or shredding.
2. Keys stored in an EEPROM shall be completely overwritten with binary 0, three times over the length of the key.

8.6.3 Miscellaneous

1. Components of encryption keys used for key transfer shall be destroyed after being loaded successfully.
2. When a hardware security machine is decommissioned, all keys stored in the equipment shall be physically deleted before destruction of the equipment itself.


9 Hardware Security Machine (HSM)

Hardware security machines used by personalization providers inside Mainland China shall be certified by the State Encryption Administration; hardware security machines used by personalization providers outside Mainland China shall pass certification by the State Encryption Administration or another international authority, and comply with the relevant requirements of local management institutions.

9.1 Physical Characteristics Specified for HSM

1. An HSM must qualify as physically secure equipment, ensuring that it is free from tampering or the other risks described by the physical or logical characteristics in ISO 9564-1;
2. Separate physical ports shall be maintained for data input, data output, input control and output status on all HSMs;
3. All HSMs shall ensure that all keys and other sensitive data, as well as all useful residual information of sensitive data, are immediately and automatically erased upon an attempted or detected compromise of the equipment;
4. All HSMs shall be designed to detect and respond to any unauthorized modification, whereupon all keys and other sensitive data, as well as all useful residual information of sensitive data, shall be immediately and automatically erased.

9.2 Logical Characteristics Specified for HSM

1. Separate logical ports shall be maintained for data input, data output, input control and output status on all HSMs;
2. All HSMs that support a sensitive or unauthorized status shall allow access to it only by persons authenticated by the basic operator, and such authentication shall be authorized;
3. If an HSM is capable of loading software or hardware after equipment configuration (e.g., after leaving the manufacturer's factory), a basic cryptographic authentication scheme shall be used to confirm such software or hardware.

9.3 HSM Management

9.3.1 HSM Operation

Equipment in operational status shall be operated as per the following requirements:

1. The auditing and control log shall maintain all records of application activities;
2. For any cryptographic system and equipment capable of encrypting a key as well as producing cipher text generated by such key, protection against unauthorized application of encryption by someone knowing the key or key components should be used. Such protection shall adopt one or both of the following modes:

Dual access control to enable the key encryption function.

Physical protection of the equipment under dual control (e.g., locking access).

9.3.2 HSM Disuse

When a unit of equipment is permanently taken out of use or destroyed, the following is required:

1. All cryptographic keys, key materials and sensitive data shall be cleared from the equipment;
2. Any cryptographic key,  key materials and sensitive data shall be cleared in compliance with the requirements for key management in this Guide;
3. If safe clearance of cryptographic keys, key materials and sensitive data cannot be guaranteed, the equipment shall be physically destroyed to prevent it from being acquired and used again, and to ensure that secret data or keys will not be disclosed.


Appendix 1: Various Existing Access Methods

Private lines: mainly ADSL, SDH, frame relay, DDN and ATM, including dial-up.

Internet-based MPLS: an MPLS network established on the Internet, which is physically the same as the Internet. There is both label switching and traditional IP packet switching in this network. This access method is called Internet-based MPLS in this Guideline.

Private-network-based MPLS: some operators build independent MPLS networks in the backbone network or metropolitan area, which only provide enterprises with access of the MPLS type. There is only label switching in this network, and it lacks traditional IP packet switching. This access method is called Private-network-based MPLS in this Guideline.

IPSEC VPN and SSL VPN are chosen and built by the users, and ensure data security through an encryption mechanism. IPSEC VPN and SSL VPN can be built on the private line, the Internet and MPLS VPN, thus forming four access schemes: IPSEC/SSL over private line, IPSEC/SSL over Internet, IPSEC/SSL over MPLS (Internet), and IPSEC/SSL over MPLS (private network).

Wireless access methods: CDMA 2000 1x, GPRS.


Appendix 2: Security Recommendations on the Use of VPN Access

1. Security recommendations on the use of the MPLS over Internet scheme

(1) Select a communication operator with qualifications and good technology.
(2) Sign service-level agreements with the communication operator to ensure data availability.
(3) A firewall shall be deployed at the entrance of the enterprise's interior network, and access control shall be applied to the traffic from the VPN.
(4) If conditions permit, the IPSEC/SSL over MPLS scheme shall be deployed to build an IPSEC or SSL tunnel to ensure the confidentiality and integrity of the data transmission.
(5) When the IPSEC and SSL over MPLS schemes are adopted, please refer to the security recommendations on using IPSEC and SSL VPN equipment in this section.

2. Security recommendations on the use of IPSEC VPN equipment

2.1 Recommendations on IPSEC VPN equipment model selection

(1) Select hardware to implement the VPN gateway.
(2) Select hardware VPN client access, and avoid software VPN client access.
(3) Select products that provide VPN client access control.
(4) Select products that support key encryption of more than 128 bits.
(5) Select products that provide two-factor verification, such as adding dynamic password verification.
(6) Select products that can check whether the client has installed a firewall and anti-virus software.
(7) Select products that provide statistics and audit functions for access at the user's end.

2.2 Recommendations on the security operation and maintenance of IPSEC VPN equipment

(1) Strictly restrict users with VPN administration authority, record the operations of adding, modifying and deleting legitimate VPN users, and regularly review the relevant records.


(2) Set up a password policy. Control the password, and set the minimum length and complexity of the password. The password is required to be replaced regularly.
(3) Adopt two-factor verification. Set the update period of verification methods such as tokens and certificates.
(4) Strictly control access to the VPN client under the principle of least privilege, and regularly review VPN client privileges.
(5) If the VPN products cannot implement access control, it is recommended to use a firewall in tandem with the VPN gateway.
(6) Regularly review the records of statistical and auditing events, so as to learn whether there are any violations or insecurity issues.
(7) The VPN client is required to install a personal firewall and anti-virus software.
(8) If the VPN client is not used for some time, it shall be disconnected from the VPN, and it is better to disconnect from the Internet at the same time.
(9) Keep close contact with the VPN manufacturer or buy the maintenance service to apply security patches in a timely manner.

3. Security recommendations on the use of SSL VPN equipment

3.1 Recommendations on SSL VPN equipment model selection

(1) Select hardware to implement the VPN gateway.
(2) Select products that support key encryption of more than 128 bits.
(3) Select products that provide two-factor verification, such as adding dynamic password verification.
(4) Select products that can check whether the client has installed a firewall and anti-virus software.
(5) Select products that provide statistics and audit functions for access at the user's end.
(6) Select products that provide a data protection function at the user's end.

3.2 Security operation and maintenance recommendations for SSL VPN equipment

(1) Strictly restrict users with VPN administration authority, record the operations of adding, modifying and deleting legitimate VPN users, and regularly review the relevant records.
(2) Set up a password policy. Control the password, and set the minimum length and complexity of the password. The password is required to be replaced regularly.


    (3) Adopt the two-factor verification. Set t