Circular No. 47/2014/TT-NHNN: Regulating technical requirements on security and safety for equipment serving bank card payment

Original Language Title: Thông tư 47/2014/TT-NHNN: Quy định các yêu cầu kỹ thuật về an toàn bảo mật đối với trang thiết bị phục vụ thanh toán thẻ ngân hàng

STATE BANK OF VIETNAM
No. 47/2014/TT-NHNN
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
Hanoi, December 31, 2014

CIRCULAR

Regulating technical requirements on security and safety

for equipment serving bank card payment services

____________________

Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12 of June 16, 2010;

Pursuant to the Law on Credit Institutions No. 47/2010/QH12 of June 16, 2010;

Pursuant to the Law on Electronic Transactions No. 51/2005/QH11 of November 29, 2005;

Pursuant to Decree No. 35/2007/NĐ-CP of March 8, 2007 of the Government on electronic transactions in banking activities;

Pursuant to Decree No. 101/2012/NĐ-CP of November 22, 2012 of the Government on non-cash payment;

Pursuant to Decree No. 156/2013/NĐ-CP of November 11, 2013 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

At the proposal of the Director of the Information Technology Department;

The Governor of the State Bank of Vietnam issues this Circular regulating technical requirements on security and safety for equipment serving bank card payment.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation and subjects of application

1. This Circular sets out security and safety requirements for equipment serving bank card payment in Vietnam.

2. This Circular applies to card-activity organizations, including:

a) Card issuing organizations (TCPHT);

b) Card payment organizations (TCTTT);

c) Payment intermediary service providers (TCTGTT) that provide bank card payment services.

Article 2. Interpretation of terms

In this Circular, the terms below are understood as follows:

1. Equipment serving card payment services includes the devices and software used to receive and process card transactions.

2. An ATM (Automated Teller Machine) placed outside is an ATM located in a public place where there is no direct supervision of the device.

3. A POS (Point of Sale) is a card acceptance device used to perform card transactions at card acceptance units (abbreviated DVCNT).

4. An mPOS (Mobile Point of Sale) is a POS device consisting of software and specialized equipment integrated with a mobile communication device.

5. A bank card (hereinafter called a card) includes magnetic stripe cards and chip cards:

a) A magnetic stripe card is a card on which card and cardholder information is encoded and stored on the magnetic stripe on the back of the card;

b) A chip card is a card fitted with a computer chip or integrated circuit for identifying the cardholder, storing information and processing the cardholder's transactions, among other processing functions.

6. The card number is the string of digits used to identify the issuing organization and the cardholder.

7. Card data includes cardholder data and card authentication data.

a) Cardholder data includes the following main data: the card number; the cardholder name (where identified); the card expiry date; the service code (the 3 (three) or 4 (four) digits on the card face that determine the permissions for the transaction, if any);

b) Card authentication data includes the following data: the full data on the magnetic stripe of a magnetic stripe card or on the chip or integrated circuit of a chip card; the verification value or card authentication code printed on the card; the cardholder's personal identification number (PIN) or PIN block.

8. The cardholder data environment is the environment comprising the equipment and processes that process, transmit and store card data.

9. Strong cryptography is cryptography based on tested, internationally accepted algorithms with a minimum key length of 112 (one hundred twelve) bits, together with appropriate key management techniques. The minimum algorithms and key lengths include: AES (128 bits); TDES (112 bits); RSA (2048 bits); ECC (160 bits); ElGamal (2048 bits).

10. Log data is data created by the card payment system or by people to record transaction processes and system operations, in electronic or paper form, to serve monitoring, control and complaint handling.

11. The competent person in this document is understood as the legal representative of the organization, or the person authorized by the organization's legal representative.

12. Card-activity support organizations are organizations or individuals with specialized expertise that are hired as outsourcers or partners to provide goods or technical services to the card payment system.

Chapter II

GENERAL TECHNICAL REQUIREMENTS

Article 3. Establishing and managing the configuration of network security devices

1. Requirements for establishing and managing the configuration of network security devices:

a) The establishment and change of configuration of network security devices must be tested and approved by the competent person before implementation;

b) The network connection diagram must be designed to meet the following requirements:

- Segregation between the cardholder data zone and other networks, including wireless networks;

- Separation of server functions, on the principle that application servers, database servers and domain name servers are on different servers (possibly virtual servers on one physical server);

- Firewalls at the connection points between network zones;

- The entire flow of cardholder data must be described.

c) The responsibilities and authority of departments and individuals in managing and configuring network security devices are defined in writing;

d) Do not disclose network addresses (IP addresses) and routing information to other organizations unless approved by the competent person;

đ) Define the ports, services and protocols used on the network system, including insecure ports, protocols and services. Fully deploy security solutions whenever insecure ports, services and protocols are used;

e) Re-evaluate the policies established on network security devices at least 02 times/year to eliminate unused, expired or mis-set policies, ensuring that the policies set on each device are consistent with the policy documents approved by the competent person.

2. Network security device configuration

a) Restrict access to the cardholder data environment; allow only necessary and controlled access;

b) Restrict access to network equipment and network security devices in line with the responsibilities of the individuals and departments defined in Clause 1 of this Article;

c) Configuration files must be synchronized with the active configuration of the device and stored safely in encrypted form to prevent unauthorized access;

d) Implement stateful packet inspection or dynamic packet filtering on firewall or router devices to detect invalid packets.

3. Control of direct access from the Internet to the cardholder data environment

a) Establish an intermediary zone (DMZ) to provide services to the Internet (specifying the servers, services, IP addresses, ports and protocols that are allowed access). Inbound and outbound connections between the Internet and the cardholder data environment must pass through the intermediary zone;

b) Implement anti-spoofing measures to detect and block forged source IP addresses;

c) Do not allow access from the Internet to the cardholder data environment without the approval of the competent person.

4. Requirements for installing firewall software on all devices and personal computers that connect to card data:

a) The security policies on the firewall software allow only the activities sufficient for the needs of business processing;

b) Ensure that the settings on the firewall software are active;

c) Ensure that users cannot change the configuration of the firewall software on the device.

Article 4. Changing, removing or disabling default parameters and functions in the card payment equipment system

1. Change or disable default system parameters and functions (accounts, passwords, operating system parameters, unused software and applications; parameters on unused POS devices; default strings (community strings) in the SNMP network monitoring protocol).

2. Change default parameters (encryption keys in wireless networks; passwords; default SNMP strings) in wireless network environments that connect to card data.

3. Enable or install default functions (services, protocols, daemons) only when there is a need to use them.

4. Remove unneeded functions, services, files and drivers. Implement additional security measures (SSH, S-FTP, SSL, IPSec VPN technologies) when insecure services and protocols (file sharing, NetBIOS, Telnet, FTP) are used to transmit data over the network.

Article 5. Ensuring security in the development and maintenance of card payment equipment

1. Identify security vulnerabilities using scanning tools and information sources from external cyber-security organizations, to determine the impact of newly published vulnerabilities on the card payment system, including classifying each vulnerability's impact level, from high to low.

2. Ensure that all card payment equipment is updated with the security patches published by manufacturers. Patches for high-level vulnerabilities must be installed as early as possible and no later than 01 month after the manufacturer announces the patch.

3. Development of application software in the card field must comply with the law and with software development standards widely applied in information technology. The software development life cycle must integrate information security requirements and at minimum meet the following:

a) Separate the development and test environments from the production environment;

b) Do not use card data from the production environment in the test environment;

c) Remove all test data and test accounts before putting the software into use;

d) Review the application source code to detect and fix potential security vulnerabilities before putting it into use. The reviewer must be independent of the developer of the application code.

4. Implement change control procedures when applying security patches or changing application software:

a) Prepare an impact assessment document for the whole system, approved by the competent person before implementation;

b) Changes must not affect the security of the system;

c) Perform backups and have a rollback plan before making changes.

5. When developing application source code, check for and remove security vulnerabilities in the application, including:

a) Injection vulnerabilities: database queries (SQL injection), operating system commands (OS injection), and other data stores;

b) Buffer overflow;

c) Insecure cryptographic storage of data;

d) Insecure communications;

đ) Information leakage through error handling;

e) Risk of code injection: JavaScript, JScript, DHTML, HTML tags;

g) Improper access control;

h) Attacks that hijack a user's authentication on a website through Cross-Site Request Forgery;

i) Errors in session identifier (session ID) handling;

k) Security vulnerabilities classified as high level under Clause 1 of this Article.

6. Applications providing services on external network environments (the Internet, wireless networks, mobile communication networks and other networks) must take measures to handle security threats and vulnerabilities, including:

a) Security assessment at least 1 time/quarter or after any change, using automatic or manual assessment tools;

b) Implement automatic detection and prevention techniques with web application firewall devices.

7. The card payment system software must have a filtering feature that refuses payment for transactions not permitted under the law.

Article 6. Requirements for issuing and controlling accounts that access the card payment system

1. Access to the card payment application must be authenticated by at least one of the following methods: password, device, authentication card, biometrics.

2. Remote access to the network system must be authenticated by at least two of the methods in Clause 1 of this Article.

3. Encrypt all passwords on transmission lines and when stored, using strong cryptography.

4. Implement control measures for operating and administrative accounts:

a) Issue a separate access account, with the corresponding authorization, to each individual who operates or administers card payment equipment;

b) Control the addition, deletion and modification of identifiers and user account information;

c) Revoke access as soon as the user's period of use expires, the user transfers to another job, or the user no longer performs operation or administration;

d) Check and re-confirm the user's identity when an indirect request is received (via email or telephone) before changing or resetting the account password;

đ) Initial accounts must have a password set, and the passwords on different accounts must differ. The account is activated only when the user changes the initial password;

e) Regulate and carry out the revocation, removal or disabling of accounts that are unused, expired or inactive for a period of time;

g) Granting a remote access account to a card-activity support organization must be time-limited, approved by the competent person and supervised;

h) Do not share accounts or use a common account to access the system;

i) Account passwords must be changed at least 1 time/quarter; a password must have a minimum length of 07 (seven) characters, including letters and numbers (except for PINs); a password must not repeat any of the last four passwords;

k) The maximum number of wrong password entries allowed is 03 (three). There must be automatic account locking when a wrong password is entered the specified number of times. The lock period after the maximum number of wrong entries is at least 30 minutes, or as required;

l) If a session with the card payment system is idle for more than 15 minutes, the system must require re-authentication to enter the system;

m) Disseminate and train on the policies and procedures for access and account authentication into the system, ensuring that the organizations and individuals concerned are granted the right permissions and are accountable when granted account access.

5. Issue policies and procedures for authenticating access accounts, which must include:

a) Guidance on choosing and protecting authentication information and passwords;

b) Guidance not to reuse previously used passwords;

c) Instructions to change passwords periodically, or as soon as there is suspicion that a password has been exposed.

6. Managing access to the card payment database

a) Only the database administrator accesses the database directly;

b) Other users accessing the database must go through application programs that control viewing, entering, deleting and changing information;

c) Do not use the application program's database access accounts for individuals or other processes;

d) The password of the application's database access account must be encrypted in the application and in the database;

đ) Every operation on the database must be logged, and the log must be stored for at least 1 year.
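As an added illustration (not part of the Circular), the following Python model enforces the account rules of Clause 4, points (i), (k) and (l): password length and composition, no reuse of the last four passwords, locking after three wrong entries for 30 minutes, quarterly change, and a 15-minute idle timeout. The hashing scheme (PBKDF2-HMAC-SHA256) and the reading of "once per quarter" as 90 days are this example's assumptions, and all clock values are constructed.

```python
"""Account password, lockout and idle-session rules of Article 6.4 (i), (k), (l).

Added example, not part of Circular 47/2014/TT-NHNN. The constants carry the
circular's numbers; PBKDF2-HMAC-SHA256 and the 90-day reading of "once per
quarter" are this example's assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 7                      # at least 07 characters, letters and digits
HISTORY_DEPTH = 4                   # must not repeat any of the last four
MAX_FAILED = 3                      # at most 03 wrong entries
LOCKOUT_SECONDS = 30 * 60           # locked for at least 30 minutes
MAX_AGE_SECONDS = 90 * 24 * 3600    # change at least once per quarter (assumed 90 days)
IDLE_TIMEOUT_SECONDS = 15 * 60      # idle for more than 15 minutes: re-authenticate
PBKDF2_ROUNDS = 50_000              # example work factor


def check_complexity(password: str) -> Optional[str]:
    """Return a reason when the password violates point (i), else None."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if not any(c.isalpha() for c in password):
        return "no letter"
    if not any(c.isdigit() for c in password):
        return "no digit"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash, so a stored password is never recoverable (Art. 6.3)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hash_password(password, salt)[1]
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    user: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    changed_at: float = 0.0
    failed: int = 0
    locked_until: float = 0.0
    last_activity: Optional[float] = None

    def set_password(self, password: str, now: float) -> Optional[str]:
        """Point (i): complexity, plus no reuse of any of the last four passwords."""
        reason = check_complexity(password)
        if reason:
            return reason
        for salt, digest in self.history[:HISTORY_DEPTH]:
            if verify_password(password, salt, digest):
                return "reused within last 4"
        self.history.insert(0, hash_password(password))
        self.changed_at = now
        return None

    def login(self, password: str, now: float) -> str:
        """Point (k): count failures, lock after MAX_FAILED for LOCKOUT_SECONDS."""
        if now < self.locked_until:
            return "locked"
        if not self.history:
            return "no password set"
        salt, digest = self.history[0]
        if not verify_password(password, salt, digest):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.failed = 0
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad password"
        self.failed = 0
        if now - self.changed_at > MAX_AGE_SECONDS:
            return "password expired"     # quarterly change overdue
        self.last_activity = now
        return "ok"

    def touch(self, now: float) -> str:
        """Point (l): a session idle for more than 15 minutes must re-authenticate."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.last_activity = None
            return "reauthenticate"
        self.last_activity = now
        return "ok"
```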

Chapter III

TECHNICAL REQUIREMENTS FOR ATMs

Article 7. Technical requirements for ATM installation and physical security

1. ATM installation requirements

a) A card-activity organization that provides ATM services (hereinafter collectively called the ATM service provider) must meet the requirements for ATM installation under the State Bank of Vietnam's regulations on equipping, managing, operating and ensuring the safety of ATM operations.

b) For ATMs placed outside

In addition to the requirements at Clause 1 of this Article, the ATM service provider must add the following security measures against the risk of physical loss for ATMs placed outside:

- Anchor the ATM so that it cannot be dragged away or relocated without authorization;

- Cover the components and parts of the ATM that do not need to be exposed.

2. Alarm system requirements

a) The ATM service provider must equip ATMs placed outside with sensors that warn of heat impact from welding torches and detect large or continuous forces applied from outside to the body of the machine;

b) The ATM service provider must equip ATMs with alarm devices to prevent:

- Unauthorized opening of the machine;

- Unauthorized relocation from the site;

- Unauthorized smashing of the machine. The alarm devices must alert at the machine's location and send the alarm to the monitoring center.

3. Safe requirements

a) The ATM service provider must equip the ATM with a cash safe made of materials that withstand large forces, resist corrosion, and dissipate heat quickly or absorb heat slowly, to minimize damage to the safe shell and loss of money under mechanical, chemical and thermal impacts from outside;

b) The ATM cash safe must be equipped with at least two keys, held by two persons.

4. The PIN entry keypad must meet the requirements set out in Article 13 of this Circular.

5. ATMs must have a certificate of origin and the manufacturer's quality certification.

Article 8. Technical requirements for software, transmission lines and communications for ATMs

1. The ATM service provider must ensure the following requirements for ATM software:

a) The ATM operating system must be properly licensed, supported by the supplier and updated with patches in a timely manner;

b) The operating system as installed or configured must ensure separation of different rights: the right to use external storage devices; the right to change configuration and to run applications and services;

c) The transaction software on the ATM must display an image or audio message that alerts the user to safety measures before the PIN is entered, and that reminds the user to take the card and the money after the transaction is completed;

d) The device control software and the transaction software must have features against theft of card information and loss of money due to errors, fraud or technical faults, including:

- When the cash dispensing control software or the electronic journal software is not working, the ATM must automatically halt its withdrawal function and automatically notify the center;

- The transaction software on the ATM must require the PIN to be re-entered for the next withdrawal transaction; there must be a message reminding users of safety measures before entering the PIN and to take the card after the transaction.

2. Transmission lines for ATMs

The ATM service provider must set up transmission lines for ATMs that prevent Internet access except for connections to the center to carry out transactions. Updates of operating system patches, antivirus software and other updates at the ATM must be made on site or through the internal centralized system.

3. Requirements for connecting card payment systems

Contracts or agreements to connect card payment systems via ATM must specify data encryption and the responsibilities of the parties in keeping the encryption key secret. The encryption key must be changed at least 1 time/year.

Article 9. Monitoring and security of the ATM system

1. The ATM service provider must be equipped with centralized management software that fully monitors the status of ATMs in real time.

2. The ATM service provider must have technical and administrative measures to closely manage the ATM system and promptly detect illegal access, installation of unauthorized devices that copy card information, or recording of user actions:

a) There is a transaction monitoring system on the card payment system that continuously tracks and detects suspicious card payment transactions and fraud, based on time, geographic location, transaction frequency, transaction amount, the number of wrong-PIN transactions and other unusual signs, for timely handling and warning to cardholders;

b) Camera recordings must be clear enough to serve investigation and complaint handling.

3. Log data on ATMs must be available for access for at least 3 months and stored for at least 01 year.

4. The ATM service provider must ensure the other requirements for ATM operational safety under the State Bank of Vietnam's regulations on equipping, managing, operating and ensuring the safety of ATM operations.

Chapter IV

TECHNICAL REQUIREMENTS FOR POS

Article 10. Requirements for POS devices

1. TCTTT, TCTGTT and DVCNT must have a clear agreement on the responsibilities of the DVCNT, including:

a) Managing, protecting and installing POS devices safely, with measures against unauthorized use, theft of POS devices, and installation of card data theft devices on the POS;

b) Providing the power supply and transmission line correctly according to the manufacturer's technical requirements;

c) The POS must bear the name and logo of the TCTTT.

2. The POS must have a certificate of origin and the manufacturer's quality certification.

3. All POS devices must display the contact number of the TCTTT and of the organization providing support services (if any).

4. The PIN entry keypad must meet the requirements set out in Article 13 of this Circular.

5. TCTTT and TCPHT must have a system that monitors and warns of abnormal transactions (quantity, value, time, transaction location).

Article 11. Requirements for mPOS devices

1. TCTTT, TCTGTT and DVCNT must have a clear agreement on technical standards and on responsibility for monitoring the operation of mPOS devices, meeting at least the following requirements:

a) Requirements for the mobile communication device on which the mPOS software is installed:

- The device must not be unlocked (jailbroken or rooted), and connections not needed for payment must be turned off;

- Set up additional security features against loss and theft (GPS tracking, storage disk encryption). At the same time, the DVCNT must manage the serial number and software version information of the device.

b) Requirements for the mPOS software:

- The mPOS software is installed under the guidance of the solution provider or the TCTTT;

- The mPOS software must not accept payment when the mPOS device is not connected to the card payment center, and must not store card transactions;

- The mPOS display must show the service readiness status so that the user knows it;

- The invoice or receipt sent to the customer via email, SMS or printed out (when required) must conceal the card number, showing at most the first 6 (six) digits and the last 4 (four) digits.

2. The TCTTT must publish the list of registered merchants using mPOS to accept payment on its website or other media (if any).

Chapter V

PROTECTING CARD DATA

Article 12. Security policies

1. The card-activity organization must create and update the list of equipment serving card payment and describe each item's function in relation to the card payment system.

2. The card-activity organization must establish, publish, maintain and disseminate security policies throughout the unit. Security policies are reviewed at least 01 time a year and updated whenever the card payment service changes.

3. The card-activity organization must carry out a risk assessment process at least 01 time a year and as soon as the system changes in network topology or security, or when service servers are added or functions are added or modified.

4. The card-activity organization must build and implement regulations on the use of high-risk technologies (remote access, wireless networks, mobile devices, email and the Internet). The regulations include the following requirements:

a) Must be approved by the competent person before use;

b) Must be authenticated by an account and password, or another authentication method, before use;

c) List and monitor the operation of all devices, technologies and users granted use;

d) There is a method for easily and conveniently identifying the owner, contact information and purpose of use of the device (by labeling, bar codes or device inventory);

đ) Determine the scope of risk of the high-risk technology;

e) Identify the positions in the network system that use high-risk technology;

g) Remote access must automatically disconnect the session after a specified period of inactivity;

h) Only activate remote access for card-activity support organizations when it is required, and disable the access immediately after the session ends;

i) When remote access to cardholder data takes place, measures must be in place to prohibit copying, moving and storing cardholder data onto hard drives, media and peripheral devices. In special cases where cardholder data is copied, moved or stored via remote access, responsibility for protecting the cardholder data must be explicitly specified in accordance with this Circular.

5. The card-activity organization must explicitly assign responsibility for protecting the security of card data to the organizations and individuals within its units and to stakeholders.

6. Assignment of duties in managing the security of card information

a) Monitor and analyze information, warn of information security risks, and transfer information to the responsible department for coordinated handling;

b) Have procedures for responding to and controlling security situations in a timely manner;

c) Manage user accounts on the system;

d) Monitor and control all access to data;

đ) The assignment of duties is established in writing.

7. The card-activity organization must conduct card security awareness training for employees upon recruitment and periodically at least 01 time a year for all staff; it must check and control to ensure that employees in the unit are aware of the unit's card security policies.

8. The card-activity organization must establish and maintain processes and policies for managing card-activity support organizations that share data with it or affect the security of card data. The processes and policies meet at least the following requirements:

a) Update the list of card-activity support organizations;

b) The card-activity organization must select card-activity support organizations before signing contracts or agreements. The selection process must show the unit's requirements for the support organization, and the support organization's response must meet the card information security requirements;

c) Contracts with card-activity support organizations must specify the support organization's responsibility to comply with the relevant provisions of this Circular. There must be a written commitment on the terms and responsibilities under which the support organization providing the service is responsible for ensuring the security of card information in the services it provides, or in the information it stores, processes or exchanges. The commitment must specify the scope of supply and the services provided by the support organization;

d) The card-activity organization must manage and update information about card-activity support organizations in accordance with the requirements of this Circular.

9. The card-activity organization must build an incident response process and implement it so that it is executed as soon as an incident occurs. The incident response process meets at least the following requirements:

a) The roles, responsibilities, media and communications of individuals and organizations in the event of a system breach;

b) Specific incident response scenarios;

c) Recovery and business continuity scenarios;

d) Contingency scenarios;

đ) Testing of the process at least 01 time a year;

e) Designated personnel ready to respond to incidents 24/7;

g) Training programs for employees on responding to card security incidents;

h) The incident response process includes alerts from security monitoring systems (intrusion detection and prevention systems, firewall equipment, and file integrity monitoring systems);

i) Revise and improve the incident response process through lessons learned and in response to developments in information technology.

Article 13. Requirements for PIN entry keypads

1. The keypad used to enter the PIN must self-destruct the sensitive information it stores, including encryption keys, PINs and passwords, so that this information cannot be recovered when the keypad is subjected to physical intrusion.

2. The sound made when pressing one key must not be distinguishable from the sound of pressing another key. In addition, it must not be possible to determine which PIN characters are entered by monitoring electromagnetic emissions or power consumption.

3. The PIN must be encrypted immediately after entry (on pressing Enter). The cache must be deleted automatically after the transaction ends or times out.

4. The security features of the keypad must not be altered by environmental or operating conditions.

Article 14. Securing the card data storage environment

1. Storage, retrieval and destruction of card data

a) Implement policies, procedures and processes for the storage and destruction of cardholder data; limit the amount of data stored and the retention period to what business needs and the law on record retention require; at least quarterly, identify and securely delete card data whose retention period has expired; comply with the regulations on cardholder data, including the regulations on the preservation and storage of records in the banking sector;

b) Card authentication data must be kept confidential during card printing and issuance; any individual or organization that processes card authentication data must undertake not to disclose it; card authentication data must not be stored after authorization, even in encrypted form, in incoming transaction data, log files, history files, trace files, database schemas or database contents;

c) The card number (PAN) must be masked when displayed and shown in full only when required by a competent authority or by the legitimate cardholder; the card number must be unreadable anywhere it is stored;

d) Render the card number unreadable anywhere it is stored using one of the following methods:

- A one-way hash function (hash function) based on strong cryptography;

- Truncation, removing part of the data so that the full card number cannot be read from files, databases or log data;

- Index tokens with one-time pads (one-time pad), the pads being kept secret;

- Strong encryption, together with key-management processes and procedures that must be complied with;

- Disk-level encryption, provided that files are encrypted through a mechanism that is separate from and independent of the access control and authentication mechanisms of the operating system.
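Worked example (added to this page; not part of Circular 47/2014/TT-NHNN). The Python below shows the display masking of point c and three of the storage methods of point d on a constructed, Luhn-valid test PAN. The first-6/last-4 display limit and the use of HMAC-SHA256 as the keyed hash are common payment-industry choices, not requirements of this Circular, and are assumptions of the example. The last function shows why a plain (unkeyed) hash does not make a PAN unreadable once the BIN and last four digits are known from a masked display or a truncated copy.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample: a Luhn-valid Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """True if pan is 12-19 digits and passes the Luhn check digit."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_for_display(pan: str, first: int = 6, last: int = 4) -> str:
    """Masking for display (point c). Keeping at most the first 6 and last 4
    digits is the usual industry limit; the Circular itself only says 'masked'."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    if first > 6 or last > 4 or first + last >= len(pan):
        raise ValueError("display would reveal too much of the PAN")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def truncate_for_storage(pan: str) -> str:
    """Truncation (point d): only the last 4 digits are kept; the rest is
    discarded, so unlike masking there is nothing left to un-mask."""
    return pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """One-way hash of the PAN (point d). HMAC-SHA256 under a secret key is
    used so the value cannot be reversed by exhaustive search; the key must be
    managed like any other cryptographic key (Clause 2 of this Article)."""
    if len(key) < 32:
        raise ValueError("hash key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: the weak variant used in the demonstration."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def recover_pan_from_unkeyed_hash(digest_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Why an unkeyed hash is not 'unreadable': the 6-digit BIN and the last 4
    digits are routinely displayed or stored in clear, leaving only the 6
    middle digits of a 16-digit PAN, i.e. 10**6 candidates (10**5 once Luhn is
    applied). Exhaustive search finishes in well under a second."""
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest_hex:
            return candidate
    return None
```

Consequence for the storage design: a truncated copy and an unkeyed hash of the same PAN must never coexist in the environment, since together they reconstruct the number; a keyed hash avoids this, but only as long as the hash key is protected to the standard of Clause 2 below.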

2. Requirements on encryption of data in the card data storage environment

a) Keys used for encryption must be stored and protected against the risk of disclosure:

- Restrict access to encryption keys to the fewest people necessary;

- Store the secret and private keys used to encrypt and decrypt cardholder data, at all times, in one of the following forms:

+ Within a dedicated cryptographic device or the PIN security device used for transactions;

+ As at least two separate key components;

+ Encrypted with a key-encrypting key that is at least as strong as the key used to encrypt the data; the key-encrypting key must be stored separately from the data-encrypting key;

b) Processes and procedures must be implemented for all key-management and encryption activities used to protect cardholder data, covering:

- Generation of encryption keys;

- Distribution of encryption keys;

- Storage of encryption keys;

- Periodic key changes at the end of the key's cryptoperiod;

- Replacement or revocation of keys suspected of having been compromised or altered.

c) Encryption key management must meet at least the following requirements:

- Where clear-text keys are handled, the key must be split into components held by at least two people, each holding one component (split knowledge and dual control);

- Unauthorized substitution of encryption keys must be prevented;

- Key custodians must formally acknowledge their responsibilities.
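Worked example (added to this page; not part of the Circular). The Python below demonstrates the split-knowledge requirement of point c and the "at least two components" storage option of point a: a key is split into XOR components so that no custodian, and no subset of custodians, holds anything but random bytes, and the rebuilt key is accepted only if its check value matches the one recorded at generation, which is how unauthorized substitution of a component is detected. Payment HSMs compute a key check value by encrypting a zero block with the key; the stdlib-only stand-in used here (HMAC-SHA256 of a zero block, truncated to 3 bytes) is an assumption of the example, as is the 256-bit key size. Wrapping the data key under a key-encrypting key is not shown because it needs a cipher library outside the standard library.

```python
import hashlib
import hmac
import secrets
from typing import List, Sequence


def xor_bytes(parts: Sequence[bytes]) -> bytes:
    """XOR any number of equal-length byte strings."""
    if not parts:
        raise ValueError("no components supplied")
    out = bytearray(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("component length mismatch")
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def split_key(key: bytes, custodians: int = 2) -> List[bytes]:
    """Split a clear-text key into XOR components, one per custodian.
    The first n-1 components are fresh random strings and the last is chosen
    so that all n XOR back to the key. Any n-1 components are still uniformly
    random, so no custodian (or subset of custodians) learns the key."""
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(xor_bytes([key] + parts))
    return parts


def combine_key(parts: Sequence[bytes]) -> bytes:
    """Rebuild the key from all of its components (normally done inside the HSM)."""
    return xor_bytes(parts)


def key_check_value(key: bytes) -> str:
    """Six-hex-digit check value that confirms a key without revealing it.
    Stand-in for the HSM KCV (encryption of a zero block, first 3 bytes)."""
    return hmac.new(key, bytes(16), hashlib.sha256).digest()[:3].hex()


def verify_key_check_value(key: bytes, expected_kcv: str) -> bool:
    return hmac.compare_digest(key_check_value(key), expected_kcv)


def load_key_from_custodians(parts: Sequence[bytes], expected_kcv: str) -> bytes:
    """Key-loading ceremony: each custodian supplies one component; the result
    is used only if its check value matches the one recorded at generation,
    so a substituted, swapped or mistyped component is rejected, not used."""
    key = combine_key(parts)
    if not verify_key_check_value(key, expected_kcv):
        raise ValueError("key check value mismatch: component substituted or corrupted")
    return key


if __name__ == "__main__":
    # Generation ceremony: the key exists in clear only here, afterwards only as components.
    dek = secrets.token_bytes(32)
    kcv = key_check_value(dek)
    components = split_key(dek, custodians=3)
    del dek
    print("KCV recorded:", kcv)
    print("reloaded OK:", load_key_from_custodians(components, kcv) is not None)
```

The check value is the only artifact that may be written in the key register; it lets an auditor confirm that the key loaded today is the key generated at the ceremony without ever exposing the key or any component.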

Article 15. Encryption of card data transmitted over external networks

1. Use encryption and appropriate security protocols (at a minimum SSL/TLS, SSH or IPsec) to protect card authentication data while it is transmitted over networks connected to the outside (the Internet, wireless networks, mobile telecommunications networks and other networks).

2. When a card number is sent to the user by electronic message, the number must be encrypted with strong encryption.
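Worked example (added to this page; not part of the Circular). The Circular names SSL/TLS as a floor; since it was issued, SSL 2.0 and 3.0 (RFC 6176, RFC 7568) and TLS 1.0 and 1.1 (RFC 8996) have been deprecated, so a practitioner reading "at a minimum SSL/TLS" today should pin TLS 1.2 or later. The Python below, using only the standard `ssl` module, places the weak client configuration beside the hardened one and adds a small audit function that reports why a context would fail a review. The cipher list is a common choice, not a requirement of this Circular.

```python
import ssl
from typing import List


def legacy_context() -> ssl.SSLContext:
    """The weak configuration: whatever protocol versions the library still
    supports, and no certificate verification. Constructed as the 'before'
    case for comparison; do not deploy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str = None) -> ssl.SSLContext:
    """TLS 1.2 as the floor, mandatory server certificate validation, hostname
    checking, no compression, and forward-secret AEAD cipher suites only."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of deficiencies found; an empty list means acceptable."""
    problems = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        problems.append("minimum protocol version is not pinned to TLS 1.2 or later")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    return problems


def min_tls_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    print("legacy:  ", audit_context(legacy_context()))
    print("hardened:", audit_context(hardened_context()) or "OK")
```

Pinning the client side is only half of the control: the server (or IPsec/SSH peer) must refuse the same obsolete versions, otherwise a downgrade is only one misconfigured endpoint away.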

Article 16. Restricting access to card data

1. Access to and processing of card data must be authorized correctly and at the minimum level needed for each individual to perform their duties.

2. Establish a policy restricting remote access and access from external networks to the system. Monitor activity and log the times of access to the system.

3. The granting of access to the card payment system must be approved in writing by a competent authority.

4. Establish measures and an access control system for all devices serving card payments, ensuring that access is limited to authorized persons and assigned duties; invalid access rights must be removed.

Article 17. Restricting physical access to card data

1. Implement controls on entry to the areas housing the card payment system, card data centres and physical environments containing card data:

a) Control wired and wireless network connection points in public areas so that only authorized access is possible. Control physical access to mobile devices, media, network equipment, and telephone and telecommunications lines;

b) Use cameras or other measures to monitor physical access to server rooms, card printing and issuance areas, and places where card data is stored or processed. Monitoring data must be retained for at least 3 months.

2. Establish procedures for identifying employees and external individuals (organizations supporting card operations, visitors) working on site, including:

a) Procedures for identifying new employees and external individuals;

b) Procedures for changing access requirements and for revoking the access of employees who change jobs and of external individuals whose engagement has ended.

3. Control physical access by employees to server rooms, card printing and issuance areas, and places where cardholder data is stored or processed, meeting the following requirements:

a) Access must be granted based on each individual's job requirements;

b) Access must be revoked as soon as the job ends, and all means used for access (keys, access cards) must be returned or disabled.

4. Implement identification and authorization procedures for external individuals entering areas where cardholder data is stored or processed and other relevant areas:

a) External individuals must be authorized before entry and escorted at all times within the areas where cardholder data is stored or processed;

b) External individuals must be identified by a badge or other means that has a valid expiry and is visibly distinguishable;

c) External individuals must surrender the badge or other means of identification before leaving the premises or when it expires;

d) A log of the entry and exit of external individuals must be kept, in paper or electronic form, for at least 1 year.

5. Media containing backup data of the card payment system must be kept in a secure location. The security of that location must be checked at least once a year.

6. Ensure the physical security of assets, information and vital records related to card operations, and of media. Control the secure transport of media containing card data. Approval by a competent authority is required before media is handed over, moved or distributed.

7. Strictly control the storage of and access to media. Inventory assets and media at least once a year.

8. Devices that read card data must be monitored to ensure the following:

a) The list of devices is kept up to date, including manufacturer, model, location and device identifier (serial or product number);

b) Device surfaces are inspected periodically to detect tampering or attached additional components, by checking the device's identifying characteristics or serial number;

c) Managers and users of the devices are trained to recognize the risk of tampering with or substitution of the device in order to steal card information. Training covers:

- Verifying the identity of the organization supporting card operations before allowing it to repair, maintain or modify the device;

- Checking and verifying the device before allowing installation, replacement or return of the device;

- Recognizing risks and suspicious behaviour around the device;

- Reporting risks, tampering or unauthorized substitution of the device to the competent person.

9. Destroy documents containing card data by shredding, incineration or pulping so that the card data cannot be read or reconstructed. Electronic media containing cardholder information must be destroyed with specialized data-erasure programs or by physical destruction, ensuring that the cardholder data cannot be read or recovered.

Article 18. Monitoring, protecting and testing equipment serving card payments

1. Track and monitor all access to network resources and cardholder data.

a) Fully log access to card payment servers so that all user actions are recorded;

b) Automatically log access to all devices serving card payments so that the following events can be reconstructed:

- All individual user access to cardholder data;

- All actions taken by users with privileged accounts;

- All access to log data;

- Invalid attempts to access the system;

- User management (including creation of new accounts and elevation of privileges, and changes to or deletion of administrative accounts);

- Initialization, stopping or pausing of logging;

- Creation or deletion of data, resources, functions or services on the devices serving card payments.

c) The log record of each event (specified in Point b of this Clause) must include at least the following information:

- User identification;

- Type of event;

- Date and time;

- Success or failure indication;

- Origin of the event;

- Name or identifier of the data, resource, function or service affected by the event.

d) There must be a time synchronization system for the servers and ATMs serving card payments;

đ) Protect log data:

- Limit viewing of log data to the minimum needed for the job;

- Protect log files against unauthorized modification;

- Promptly back up log data to a centralized log server or to media that is difficult to alter;

e) The card operating organization must use file-integrity monitoring or change-detection software on log data;

g) The card operating organization must review and evaluate log data and security events across all devices serving card payments to identify abnormal or suspicious activity, using log analysis, mining and alerting tools, specifically:

- The card operating organization must review at least daily:

+ All security events;

+ Logs of systems that store, process or transmit card information;

+ Logs of security devices protecting the system (firewalls, intrusion detection and prevention systems, authentication servers).

- The card operating organization must review all log data in accordance with the unit's security policies and regulations, at least once a year;

- Exceptions and anomalies identified during log review must be followed up.

h) Log data must be retained online, immediately available for access, for at least 3 months, and backed up for at least 01 year.
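Worked example (added to this page; not part of the Circular). The Python below ties together points b, c, đ and g of Clause 1: every record carries the six minimum fields of point c, records are chained with an HMAC so that modification, reordering or deletion of any earlier record is detected (point đ, "protect log files against unauthorized modification"), and a daily-review function flags the kinds of events point b requires to be reconstructable (repeated failed access, privilege changes, logging being stopped). The sample events, the field names, the MAC key and the failure threshold of 5 are all constructed for the example; in practice the MAC key lives on the central log server, not on the hosts whose logs it protects.

```python
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List, Optional

# Minimum content of every event record (Article 18, Clause 1, point c).
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")

# Constructed demo key for the log MAC.
LOG_MAC_KEY = bytes(range(32))


def make_event(user: str, event_type: str, outcome: str, origin: str,
               target: str, timestamp: str) -> Dict[str, str]:
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    return {"user": user, "event_type": event_type, "timestamp": timestamp,
            "outcome": outcome, "origin": origin, "target": target}


def _canonical(event: Dict[str, str]) -> bytes:
    """Stable serialization so the same event always yields the same MAC."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _mac(prev_mac: str, event: Dict[str, str], key: bytes) -> str:
    return hmac.new(key, prev_mac.encode("ascii") + _canonical(event), hashlib.sha256).hexdigest()


def append_record(chain: List[dict], event: Dict[str, str], key: bytes = LOG_MAC_KEY) -> dict:
    """Append an event; its MAC covers the previous record's MAC, forming a chain."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"event lacks required fields: {missing}")
    prev = chain[-1]["mac"] if chain else "0" * 64
    record = {"event": event, "prev": prev, "mac": _mac(prev, event, key)}
    chain.append(record)
    return record


def verify_chain(chain: List[dict], key: bytes = LOG_MAC_KEY) -> Optional[int]:
    """Return the index of the first altered, reordered or removed record, or None if intact."""
    prev = "0" * 64
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(_mac(prev, rec["event"], key), rec["mac"]):
            return i
        prev = rec["mac"]
    return None


def daily_review(chain: List[dict], failure_threshold: int = 5) -> List[str]:
    """Flag what a daily review under point g should not miss."""
    findings = []
    failures = Counter(r["event"]["user"] for r in chain if r["event"]["outcome"] == "failure")
    for user, n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(f"{n} failed access attempts by {user}")
    for r in chain:
        ev = r["event"]
        if ev["event_type"].startswith("logging."):
            findings.append(f"logging state changed ({ev['event_type']}) by {ev['user']} on {ev['target']}")
        if ev["event_type"] == "account.privilege_change":
            findings.append(f"privilege change by {ev['user']} on {ev['target']}")
    return findings


def build_sample_chain() -> List[dict]:
    """Constructed sample log for the demonstration (not real data)."""
    chain: List[dict] = []
    t = "2015-04-01T08:{:02d}:00+00:00"
    append_record(chain, make_event("svc_switch", "card_data.read", "success", "10.0.5.21", "txn_db.cards", t.format(0)))
    for m in range(1, 6):
        append_record(chain, make_event("alice", "login", "failure", "10.0.9.77", "card_mgmt_app", t.format(m)))
    append_record(chain, make_event("root", "account.privilege_change", "success", "console", "user:bob", t.format(6)))
    append_record(chain, make_event("root", "logging.stop", "success", "console", "syslog", t.format(7)))
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    print("chain intact:", verify_chain(sample) is None)
    for finding in daily_review(sample):
        print("REVIEW:", finding)
    sample[3]["event"]["outcome"] = "success"   # an attacker hides a failed attempt
    print("first bad record after tampering:", verify_chain(sample))
```

The chain only proves integrity relative to the MAC key; if the key is kept on the same host as the logs, an attacker with root rewrites both, which is why point đ pairs modification protection with prompt copying to a centralized log server.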

2. Testing the security of the card payment system

a) The card operating organization must control wireless access points. It must maintain a list of the wireless access points (if any) permitted to connect to the unit's network, stating the purpose of each and approved by the competent authority. The wireless access points connected to the unit's internal network must be reviewed quarterly;

b) The card operating organization must scan and assess the security of its information technology systems from inside and from outside the unit's network at least once a quarter and immediately after any significant change to the system (including: adding devices to the system; changing the network topology; changing the access policies of firewall devices; upgrading or updating operating systems or applications). It must ensure that high-severity vulnerabilities are identified and remediated as specified in Clause 1 Article 5 of this Circular.

c) The card operating organization must conduct penetration testing meeting the following requirements:

- Penetration testing covers all systems that store or process cardholder data;

- Penetration testing is performed from inside and from outside the system at least once a year and immediately after significant changes to the system or after vulnerabilities are found by scanning;

- Penetration testing follows the guidelines of reputable organizations on penetration testing and security testing;

- Penetration testing covers the vulnerabilities listed in Clause 5 Article 5 of this Circular;

- Penetration testing covers both the network layer and the application layer;

- Threats and vulnerabilities experienced in the past 12 months are assessed and reviewed;

- Penetration test results are retained.

- Exploitable vulnerabilities found during penetration testing must be remediated, and re-testing must confirm that they have been fixed.

d) The card operating organization must use intrusion detection and prevention systems to detect and prevent unauthorized intrusion into the network, monitor all traffic into the cardholder data environment and alert administrators to suspected intrusions. Intrusion prevention devices must be kept up to date with new signatures from the vendor;

đ) The card operating organization must check the integrity of critical data (system files, configuration files, content files) at least monthly.

Article 19. Business continuity requirements

1. The card operating organization must develop incident response and risk management procedures for the card payment system, and review and update them at least once a year.

2. The information technology system serving card payment operations must have redundancy and disaster recovery capability. The disaster recovery system must take over from the primary system within no more than 04 hours from the time the primary system suffers an incident.

3. At least twice a year, the card payment system must be switched from the primary system to the backup system to ensure the consistency and readiness of the backup system.

Chapter VI

IMPLEMENTATION PROVISIONS

Article 20. Reporting

Card operating organizations are responsible for sending reports to the State Bank of Vietnam (Information Technology Department) as follows:

1. Annual report on implementation of the provisions of this Circular:

a) Deadline for submission: before 15 November each year;

b) Form and template of the report: as guided by the State Bank of Vietnam (Information Technology Department).

2. Ad hoc report on security incidents affecting the card payment system:

a) Deadline for submission: within 10 days from the date the incident is discovered;

b) Contents of the report: date and location of the incident; cause of the incident; assessment of the risk and the impact on the card payment system and on business operations at the site of the incident and at other related locations;

c) Measures the organization has taken to contain and remediate the incident and prevent the risk; petitions and proposals.

Article 21. Effect

This Circular takes effect from 1 April 2015.

Article 22. Transitional provisions

Card operating organizations whose card payment equipment was installed before the effective date of this Circular must develop a remediation plan stating the requirements not yet met, the measures and the deadline for fully meeting the requirements of this Circular, and send it to the State Bank of Vietnam (Information Technology Department) before 01/07/2015.

The State Bank of Vietnam (Information Technology Department) reviews the remediation plan and may require the card operating organization to amend or supplement it, including the implementation deadline (if the plan does not meet the requirements or is not feasible) and the necessary measures; it supervises the implementation of the plan by card operating organizations.

Card operating organizations are responsible for implementing the plan and for amending, supplementing and implementing it in accordance with the opinions of the State Bank of Vietnam (if any).

Article 23. Responsibility for implementation

1. The Information Technology Department is responsible for monitoring and inspecting the implementation of this Circular and sending inspection results to the relevant units for handling.

2. The Banking Supervision Agency is responsible for inspecting and supervising the organizations and individuals involved in the implementation of this Circular and handling violations in accordance with law.

3. State Bank branches in provinces and centrally governed cities are responsible for inspecting, supervising and handling, within their jurisdiction, ATM and POS operations in their areas in accordance with this Circular, and sending inspection results to the State Bank of Vietnam (through the Information Technology Department).

4. Heads of the relevant units of the State Bank of Vietnam; Directors of State Bank branches in provinces and centrally governed cities; Chairpersons of the Boards of Directors and General Directors (Directors) of card operating organizations are responsible for implementing this Circular.

FOR THE GOVERNOR
DEPUTY GOVERNOR

(signed)

Nguyen Toan Thang