Security Management Guide of UnionPay Card Personalization Service Provider
December 2010
Table of Contents

Preface ..... 1
1 Introduction ..... 2
1.1 Scope ..... 2
1.2 Version ..... 2
2 Personnel Organizational Management ..... 3
2.1 Establishment and Responsibilities of Security Management Organization ..... 3
2.1.1 Basic Requirements ..... 3
2.1.2 Major Responsibilities ..... 3
2.2 Personnel Management ..... 3
2.2.1 Personnel on Key Positions ..... 3
2.2.2 Security Auditing Personnel ..... 3
2.3 Key Management Personnel ..... 4
2.3.1 Work Responsibilities ..... 4
2.3.2 Security Requirements ..... 4
3 Data Security Management ..... 5
3.1 Security Management of Data Transmission ..... 5
3.1.1 Dedicated Line Transmission ..... 5
3.1.2 Mail Delivery of Data Disk and Personal Delivery ..... 5
3.2 Data Security ..... 6
3.2.1 Data Reception ..... 6
3.2.2 Data Processing ..... 6
3.3 Management of Data Storage Media ..... 7
4 Security Management of Network ..... 8
4.1 Communication Methods ..... 8
4.2 Security of Personalized Network ..... 8
4.2.1 Firewall and Anti-invasion ..... 8
4.2.2 Anti-virus ..... 11
4.2.3 Access Control on Customers and Third Party ..... 11
5 Workshop and System Security ..... 12
5.1 Basic Content ..... 12
5.2 Access Security Control ..... 12
5.3 Mainframe Security ..... 12
5.4 Environment for Data Workshop and Security Requirements ..... 12
5.5 Data Backup and Disaster Recovery ..... 13
5.5.1 Data Backup ..... 13
5.5.2 Disaster Recovery ..... 13
5.6 System Maintenance and Accident Treatment ..... 13
5.6.1 Routine Maintenance ..... 13
5.6.2 Accident Treatment ..... 13
5.7 Personalization Workshop Security ..... 13
6 Access Control and Audit ..... 15
6.1 Control on User Authorization ..... 15
6.2 User Name Management ..... 15
6.3 Login Control ..... 15
6.4 Password Management ..... 16
6.5 Security Audit ..... 16
6.6 Log Management ..... 17
7 Product Processing and Security Management ..... 18
7.1 Personalization Processing Process ..... 18
7.2 Personalization of Magnetic Stripe Card ..... 18
7.2.1 Data Preparation ..... 18
7.2.2 Personalization Processing ..... 18
7.3 Initialization of IC Card and Its Security ..... 18
7.3.1 Initialization Description ..... 18
7.3.2 Security Requirements ..... 18
7.4 Personalization of IC Card ..... 19
7.4.1 Security Requirements for Data Preparation ..... 19
7.4.2 Security Requirements for Personalization Processing ..... 19
7.4.3 Post-processing ..... 19
7.5 Process Security Requirements ..... 20
7.5.1 Process Procedures ..... 20
7.5.2 Control of Personalization Handling Process ..... 20
7.5.3 Management of Embossing Foil, Card Mailing Sheet and UG Color Strip ..... 21
7.5.4 Management of Personalization Cards ..... 21
8 Key Management ..... 22
8.1 Key Description ..... 22
8.1.1 Personalization Key ..... 22
8.1.2 Card Key ..... 22
8.1.3 Transmission Key ..... 24
8.2 Encryption and Transmission of Key and Data ..... 25
8.2.1 From the Issuer to the Personalization Provider ..... 25
8.2.2 Security Requirements during the Personalization Process ..... 26
8.3 Key Operation ..... 26
8.3.1 Asymmetric (RSA) Key ..... 26
8.3.2 Symmetric Key (DES) ..... 27
8.4 Key Storage ..... 29
8.5 Key Backup ..... 29
8.6 Key Destruction ..... 30
8.6.1 Keys to be Destroyed ..... 30
8.6.2 Destruction Methods ..... 30
8.6.3 Miscellaneous ..... 30
9 Hardware Security Machine (HSM) ..... 32
9.1 Physical Characteristics Specified by HSM ..... 32
9.2 Logic Characteristics Specified by HSM ..... 32
9.3 HSM Management ..... 32
9.3.1 HSM Operation ..... 32
9.3.2 HSM Disuse ..... 33
Appendix 1: Various Existing Access Methods ..... 34
Appendix 2: Security Recommendations on the Use of VPN Access ..... 35
Preface

In case of any discrepancy between the terms and conditions of this Guide and state or local laws, the official legal document shall prevail.

This Guide serves as a supplement to the UnionPay Card Manufacturer Security Management Guide, adding mainly the requirements related to the personalization processing service for magnetic stripe cards and IC cards. Manufacturers engaged in personalization processing service shall observe the regulations in the UnionPay Card Manufacturer Security Management Guide as well.

Implementation of this Guide cannot completely prevent loss, theft, deterioration, damage and leakage of products, data and security materials; the company shall assume liability for such matters.

China UnionPay Co., Ltd. reserves the copyright and the right of interpretation for this Guide. Notification of any change will be given to issuers and manufacturers in writing.

The manufacturer may supplement this Guide with additional measures to enhance security management in accordance with its own security management requirements. China UnionPay Co., Ltd. will review the security system of the manufacturer on a regular basis. Any deviation from this Guide shall be approved by China UnionPay Co., Ltd.
1 Introduction

1.1 Scope

Based on the UnionPay Card Manufacturer Security Management Guide V3.0, this Guide stipulates further security management requirements that shall be observed by manufacturers engaged in the personalization processing service for UnionPay logo magnetic stripe cards and integrated circuit (IC) cards.

This Guide is applicable to service providers of personalization processing for UnionPay logo magnetic stripe cards and IC cards, who shall also observe the regulations in the UnionPay Card Manufacturer Security Management Guide V3.0 in terms of personnel management, security facility management, storage and transportation of products, manufacturing process, data security management, etc.
2 Personnel Management

2.1 Responsibilities and Requirements

2.1.1 Basic Requirements

An appropriate security management organization shall be established as per the requirements in the UnionPay Card Manufacturer Security Management Guide to guarantee the security requirements for card personalization and ensure the implementation of security measures.

The security management organization shall maintain liaison with law enforcement departments and business cooperation institutions to ensure timely notification of security incidents and that appropriate measures are taken against them.

The security management organization shall be able to examine and manage the security implementation of the various departments independently, and ensure that its work properly reflects security requirements that are feasible and effective.
2.1.2 Major Responsibilities

1. To establish the security management system for UnionPay logo magnetic stripe card and IC card personalization, covering the production process, security material management, data transmission, key management and personnel security behavior.
2. To be responsible for examining logical security within the manufacturer, including software design, network security, key generation, data management, card personalization, and the security procedures adopted during transmission and storage.
3. To be responsible for remedying processing behavior that has logical security defects, and to establish a complete, concrete method for handling problems that have not yet been properly solved, followed through until they are resolved.
2.2 Personnel Management

2.2.1 Personnel on Key Positions

A strict selection process shall be carried out when selecting employees for key positions such as security management personnel, workshop management personnel, treasury operation personnel, key management personnel, personalization processing personnel, etc., and it shall be guaranteed that part-time employees, temporary workers, etc. cannot assume such positions.
2.2.2 Security Auditing Personnel

The manufacturer must ensure that security auditing personnel are not directly involved in the work they audit, and the Security Chief shall examine the security auditing personnel on a yearly basis.
2.3 Key Management Personnel

2.3.1 Responsibilities

1. To receive and safely store key components and security media;
2. To record or track the visitor log and the use of key data, including visit time, date, personnel, purpose, return time and returning personnel, etc.;
3. To supervise the destruction of old and outdated key components;
4. To input keys into the hardware security module (HSM) as required.
2.3.2 Security Requirements

1. Key management personnel must be permanent employees, not temporary workers, part-time employees or consultants;
2. The working behavior of key management personnel must be monitored;
3. Sufficient controls shall be implemented over the personnel responsible for key data or its security media to ensure that no single individual (and no unauthorized person) can access the cryptographic system keys or the data on the security media.
3 Data Management

3.1 Security Management of Data Transmission

In order to prevent loss, modification or misappropriation of data transmitted between organizations, such transmission shall be controlled. In the general case, a leased line (see Section 4.1 on network communication methods), mail delivery of data disks or personal delivery shall be used.
3.1.1 Leased Line Transmission

A separate data receiving server shall be installed at the card personalization manufacturer for leased line transmission. Secure transmission rules for personalization data shall be defined by mutual agreement between the personalization provider and the issuer. However, the following requirements must be met:

1. Integrity and confidentiality of the personalization data shall be guaranteed together. Integrity can be provided by adding a check code to the personalization data file, and confidentiality by full encryption of the data file; the key and the encrypted data shall not be transmitted at the same time.
2. In the general case, a hardware security module (HSM) shall be used to protect the transmission of personalization data between the personalization provider and the issuer; if a software security module is used instead, the key length shall be no less than 128 bits.
3. A symmetric cryptosystem shall be used for encrypting the data, while an asymmetric cryptosystem shall be used for signatures and key encryption according to the specific requirements.
4. The personalization manufacturer shall safely keep the communication logs with the card issuer and the third-party service provider (TPSP). If a communication log (or message) has to be retrieved from the production environment for business needs, a review and approval process shall be followed and the retrieval conducted by at least two people. Furthermore, the communication log (or message) shall be used only in the designated secure environment, and no communication log (or message) shall be taken out of the workplace.
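Items 1 to 3 above describe a standard hybrid scheme: encrypt the file under a symmetric key, attach an integrity check, wrap the symmetric key and sign with asymmetric keys, and ship the key and the data separately. The Go program below is an added worked example written for this page, not code from the Guide or from UnionPay. The Guide names no algorithms, so the example assumes AES-256-GCM for the file (the GCM tag serves as the "check code"), RSA-2048 with OAEP for key wrapping and RSA-PSS for signatures, all from Go's standard library; that corresponds to the software-module case, with the symmetric key well above the 128-bit floor. The sample record is constructed, not real cardholder data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DataPackage goes over the leased line or on the mailed disk; KeyPackage goes by a different
// channel or at a different time, as item 1 requires. Neither carries the data key in clear.
type (
	DataPackage struct{ Nonce, Ciphertext, Signature []byte }
	KeyPackage  struct{ WrappedKey, Signature []byte }
)

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// aes.NewCipher accepts only 16-, 24- or 32-byte keys, so any key it takes meets the 128-bit floor.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssuerPackage: fresh 256-bit key per file, key wrapped for the provider, both parts signed by the issuer.
func IssuerPackage(issuerPriv *rsa.PrivateKey, providerPub *rsa.PublicKey, plaintext []byte) (dp DataPackage, kp KeyPackage, err error) {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce, both fresh per file
	if _, err = rand.Read(buf); err != nil {
		return
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return
	}
	dp.Nonce, dp.Ciphertext = buf[32:], gcm.Seal(nil, buf[32:], plaintext, nil)
	if dp.Signature, err = sign(issuerPriv, append(append([]byte{}, dp.Nonce...), dp.Ciphertext...)); err != nil {
		return
	}
	if kp.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, providerPub, buf[:32], nil); err != nil {
		return
	}
	kp.Signature, err = sign(issuerPriv, kp.WrappedKey)
	return
}

// ProviderOpen verifies both signatures, unwraps the data key and decrypts; GCM's tag rejects any altered byte.
func ProviderOpen(providerPriv *rsa.PrivateKey, issuerPub *rsa.PublicKey, dp DataPackage, kp KeyPackage) ([]byte, error) {
	if err := verify(issuerPub, kp.WrappedKey, kp.Signature); err != nil {
		return nil, fmt.Errorf("key package rejected: %w", err)
	}
	if err := verify(issuerPub, append(append([]byte{}, dp.Nonce...), dp.Ciphertext...), dp.Signature); err != nil {
		return nil, fmt.Errorf("data package rejected: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, providerPriv, kp.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, dp.Nonce, dp.Ciphertext, nil) // returns an error on tag mismatch
}

// RoundTrip runs one honest delivery of a constructed record, then one with a single altered ciphertext byte.
func RoundTrip() (honestOK, tamperRejected bool, err error) {
	issuer, err := rsa.GenerateKey(rand.Reader, 2048)
	provider, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return false, false, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	sample := []byte("PAN=62XXXXXXXXXX0001;NAME=TEST CARDHOLDER;EXP=1312\n") // constructed, not real data
	dp, kp, err := IssuerPackage(issuer, &provider.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	got, err := ProviderOpen(provider, &issuer.PublicKey, dp, kp)
	honestOK = err == nil && string(got) == string(sample)
	dp.Ciphertext[0] ^= 0x01 // one byte changed on the way
	_, err = ProviderOpen(provider, &issuer.PublicKey, dp, kp)
	return honestOK, err != nil, nil
}

func main() { fmt.Println(RoundTrip()) }
```

Run with `go run`; it prints `true true <nil>`. The two packages are separate values precisely so that they can leave by different channels or at different times: a party holding only the DataPackage has nothing to decrypt with, and a party holding only the KeyPackage has nothing to decrypt. In the tampered delivery the issuer's signature check fails first; if a receiver skipped that check, gcm.Open would still reject the file on its tag.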
3.1.2 Mail Delivery and Express Delivery of Disks

A reliable mail delivery institution and means of transport shall be selected for transmission of data disks by mail or by personal delivery, and the identity of the carrier shall be verified.

For data disks sent by mail or express delivery, the stored data must be encrypted using encryption and decryption means agreed between the personalization provider and the issuer, so that the authenticity and integrity of the data can be verified. The packaging of the storage media shall protect the contents from any physical damage that may arise in transshipment. Where necessary, dedicated measures may be adopted to protect the data from unauthorized disclosure or modification, such as:

1. Using a locked container;
2. Personal delivery;
3. Tamper-evident (anti-disclosure) packaging;
4. Under special circumstances, dividing the consignment (data and keys) into several parts sent by different means.
3.2 Data Security

3.2.1 Data Reception

1. For data transmitted through the leased line, the manufacturer must promptly transfer the encrypted data to the internal personalization processing network, delete the data from the receiving device and record the action.
2. For data transmitted by mail delivery of data disks, the manufacturer must assign two or more persons to receive the package, check whether it is damaged and confirm receipt by signing. After receipt, the encrypted data shall be promptly transferred to the personalization processing network, the data on the storage media deleted or the media destroyed, and the storage information recorded.
3.2.2 Data Processing

1. When the manufacturer handles data transferred to the personalization processing network, plaintext data shall in principle not appear. Where plaintext data is required for work needs, it must be handled under on-site supervision of security management staff, with the written permission of the card issuer. The relevant information shall be recorded on file, including but not limited to the operator's name, processing time, reason for the data processing, name of the bank owning the data, finish time, and the signature of the security administrator.
2. Processed personalization data must be promptly deleted or destroyed under the supervision of security management personnel. If the data needs to be retained, the written permission of the card issuer must be obtained and the storage information recorded in detail.
3. Information relating to the cardholder and the card issuer may only be accessed by staff on the basis of work needs.
4. Cardholder data may only be modified with the prior written approval of the card issuer, and the modification must be recorded in detail.
3.3 Management of Data Storage Media

A comprehensive management system shall be established for removable data storage media, including tapes, disks, cassettes, hard disks, compact discs, printed reports, etc. The following management measures shall be adopted for storage media:

1. All storage media shall be kept in a safe environment that meets the storage environment requirements specified by the manufacturer of the media;
2. Any storage media to be taken out of the manufacturing area shall be approved, with corresponding records taken and kept for at least one year;
3. All data must be deleted from reusable storage media before they are returned to customers;
4. Storage media carrying data that will no longer be used shall be burnt or crushed under the supervision of security personnel, with corresponding records taken and kept for at least one year.
4 Security Management of Network

4.1 Communication Methods

The following connections between the manufacturer and the data providers are suggested:

1. Recommended access methods: leased line (mainly ADSL, SDH, frame relay, DDN, ATM, ISDN, telephone dial-up) and MPLS over a private network (refer to Appendix 1, Current Access Methods List, for definitions of the access methods).
2. When using IPSec/SSL over MPLS, or MPLS over the Internet, the relevant risks shall be fully considered and accepted and the related security recommendations followed (refer to Appendix 2, Security Recommendations for Using VPN Access).
3. When using IPSec/SSL over the Internet, the relevant risks shall be fully considered and accepted and the related security recommendations followed (refer to Appendix 2, Security Recommendations for Using VPN Access).
4. Prohibited access method: the open Internet, i.e. an Internet connection without the VPN protections of items 2 and 3.
4.2 Security of the Personalization Network

The network linking data reception and processing, the encryption devices or systems, the personalization preparation system, the database, the personalization devices and the personalization system must be an isolated, independent network. Connections to card issuers by means of the communication methods in Section 4.1 must pass through two or more firewalls that provide network isolation. The network used for card personalization must be physically or logically isolated from devices not involved in the personalization process. Strict systems and processes shall be stipulated to prevent any unauthorized individual or device from accessing the personalization network.
4.2.1 Firewall and Intrusion Prevention

4.2.1.1 The manufacturer shall establish firewall configuration standards, including:

1. Standardized procedures to approve and test all external network connections and all firewall configuration changes, with a detailed record kept of configuration changes.
2. A detailed description of the network topology that marks all connections to personalization data (including all wireless network connections).
3. Firewalls between every external network connection and the demilitarized zone (DMZ), and between the DMZ and the internal network area.
4. A clear description of the groups, roles and duties for logical management of the network components.
5. A list of the services and ports required by the business.
6. Approval and recording of every transport protocol used. Such protocols include, but are not limited to, Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH) and Virtual Private Network (VPN) protocols.
7. Approval and recording of every high-risk protocol used, with details of why the protocol is needed and the security measures taken.
8. Quarterly review of firewall and router rule sets.
9. A standard configuration baseline for routers.
4.2.1.2 A firewall configuration shall be established that refuses all communications from untrusted networks and hosts, except for the protocols required by the personalization data environment.
4.2.1.3 A firewall configuration shall be built to restrict any connection (including wireless connections) between any system that stores cardholder data (or components of it) and public-facing servers. The firewall configuration shall:

1. Restrict inbound Internet traffic to Internet Protocol (IP) addresses in the demilitarized zone (ingress filtering).
2. Not allow internal addresses to pass from the Internet into the DMZ.
3. Implement stateful inspection (also known as dynamic packet filtering), so that only established connections are allowed into the network.
4. Place the data on the internal network area, isolated from the DMZ.
5. Limit inbound and outbound traffic of the cardholder data environment to what is necessary.
6. Protect and synchronize router configuration files; for example, the running configuration (used during normal operation) and the startup configuration (loaded when the router restarts) shall have the same security settings.
7. Deny all inbound and outbound traffic that is not explicitly permitted.
8. Personal firewall software shall be installed on any mobile computer that connects directly to the Internet and is also used on the internal network, and on all employee computers (e.g. laptops used by employees).
4.2.1.4 Prohibit direct or indirect access from external networks to any internal network segment that stores cardholder data and system components (e.g. databases, logs, trace files).

1. Establish a DMZ to filter and screen all traffic, and do not provide direct inbound or outbound routing for Internet traffic.
2. Restrict outbound traffic from the personalization system to destinations at IP addresses within the DMZ.
3. Use IP masquerading (e.g. NAT) so that internal addresses are not revealed or exposed to the Internet.
4.2.1.5 Configuration Maintenance

1. Regularly check routing configurations and firewall policies, and analyze and act on the event logs of routers and firewalls and the alarm events of intrusion detection (prevention) equipment.
2. Establish a formal process to approve, test and change all routing configurations and firewall policies, and file the records promptly after each change.
3. Identify the users who log on to the network and the network security equipment, and strictly control the accounts that can modify the configuration of the network and the network security equipment.
4. Install patches and version upgrades for network and network security equipment promptly, and keep the signature (knowledge) base of the intrusion detection (prevention) system up to date.
5. If there is dial-up access to the network, dial-up users shall be strictly controlled; each user shall have a different password of no fewer than 8 characters that is changed regularly. Dial-up from external companies and other forms of remote maintenance connection are forbidden.
6. Regularly, and after significant network changes, carry out penetration testing or vulnerability scanning of the security controls, network connections and restrictive measures; check system configuration, patch status and known vulnerabilities of the network and network security equipment; and confirm that no internal user has privately connected to an external network and that unauthorized external access cannot reach the internal network.
7. Intrusion detection (prevention) equipment shall be deployed at the network boundary to monitor possible attacks, record intrusions and raise an alarm when an intrusion is in progress.
4.2.1.6 Backup and Recovery The firewall (including its system, software, configuration files and database files) must be backed up so that the data and configuration files can be recovered promptly if the system fails. The backup data and files must be stored safely and may only be accessed by authorized personnel. Once the firewall is attacked, the firewall administrator must reconfigure the firewall against the detected attack. If the firewall's protection level has to be reduced, the system must be disconnected from the external IP network or the Internet, or the standby firewall must be put into service. Without firewall protection, the personalization system cannot be connected to an external IP network or the Internet.
4.2.2 Anti-virus 1. The manufacturers must use anti-virus software to protect the whole personalization network. Any file, software or data entering the personalization network must be scanned by the anti-virus software before entry. 2. Promptly update the virus database and similar information in accordance with the requirements of the anti-virus software supplier, and generate an audit log. 3. Define the necessary policy for regularly scanning the personalization network.
4.2.3 Access Control on Customers and Third Party 1. The access interface provided to customers and third parties shall be configured in accordance with the permitted scope. Third parties and customers can only view the content that is available to them; 2. Only authorized communication protocols, instructions and channels may be used on the access interface provided to the outside; 3. Regular inspection of the accounts of customers and third parties with access authorization shall be carried out at least once a week, with detailed records taken. 4. Services provided over network connections with access authorization shall be strictly controlled, and mutual communication between customers and third parties via such a network is not allowed.
5 Workshop and System Security
5.1 Basic Content
1. The servers, routers, switches, firewalls and the computer equipment used to process sensitive data (such as track information) shall be placed in the workshop.
2. When selecting the location of the workshop, the following shall be avoided: dangerous buildings, and interference from strong magnetic fields and strong noise sources. Keep away from places such as factories, warehouses and yards that generate dust, soot and harmful gases or that produce or store corrosive, flammable or explosive goods.
3. The workshop shall, where possible, use a dual power supply or a single power supply combined with a back-up generator, with automatic transfer through an ATS (Automatic Transfer Switch).
5.2 Access Security Control
1. Security requirements for a high security area shall be implemented in the workshop;
2. All entrances shall be controlled by an access control system;
3. Any unauthorized working personnel or visitor who needs to access the data workshop for job purposes shall be accompanied by authorized personnel during the whole visit and shall register and sign the registration form in person.
5.3 Mainframe Security
1. Personnel entering the data workshop cannot handle any equipment in the workshop without permission from the authorized personnel;
2. If mainframe equipment is decommissioned or used for other purposes, any sensitive information related to the personalization business shall be deleted under the supervision of security personnel, with relevant records taken.
3. All operation of every piece of equipment in the workshop shall comply with the access control requirements (please refer to 6 Access Control and Audit).
5.4 Environment for Data Workshop and Security Requirements
1. No dangerous or flammable materials or chemicals may be stored in the workshop, to avoid jeopardizing the security of data in the workshop through fire or leakage of chemicals;
2. Protection measures shall be taken for the cables in the data workshop to avoid mutual interference of electronic signals that may affect data security and reliable connections;
3. Except for monitoring equipment, no recording equipment irrelevant to the work, such as photographic, video or audio recording devices, may be used in the workshop;
4. Security monitoring alarms shall be installed in the data workshop to provide 24-hour monitoring. The security alarm device in the data workshop shall be armed after working hours.
5.5 Data Backup and Disaster Recovery 5.5.1 Data Backup 1. Regular backups shall be conducted to ensure recovery of the system to its latest status in case of disaster; the backup data can be divided into system status data, application software data, access logs, etc.; 2. The various repair disks and startup disks of the system shall be updated on a regular basis; 3. A complete backup strategy shall be developed to ensure that disaster recovery is feasible and rapid; 4. Backup of personalization data must be conducted under the monitoring of security personnel after obtaining the customer's written authorization.
5.5.2 Disaster Recovery 1. A complete disaster recovery strategy shall be developed; 2. Disaster recovery drills shall be carried out on a regular basis, with detailed records taken.
5.6 System Maintenance and Accident Treatment 5.6.1 Routine Maintenance The IT manager and security personnel shall inspect the system, network and environment daily, with detailed records taken. All operating systems and application systems shall promptly install the latest security patches provided by the manufacturers; a security patch shall be installed within two months after the security vendor releases it. Establish and execute review and approval procedures for change operations such as system upgrades and version renewals. In addition, information such as the copyright, source and version of each software upgrade shall be registered in detail.
5.6.2 Accident Treatment 1. In case of any incident that affects routine business, the IT manager shall make a preliminary judgment after observation and report to the IT supervisor in a timely manner. The relevant responsible person shall come to the workshop immediately to analyze and determine the cause of the incident, and take further measures to resolve the problem; 2. After the cause of the incident has been identified, it shall be handled as soon as possible, with corresponding records taken.
5.7 Personalization Workshop Security 1. The security requirements for a high security area shall be implemented strictly within the high security area; 2. All entrances shall be controlled by an access control system; 3. Any unauthorized working personnel or visitor who needs to access the data workshop for job purposes shall be accompanied by authorized personnel during the whole visit and shall register and sign the registration form in person;
6 Access Control and Audit 6.1 Control on User Authorization 6.1.1 Only allow individuals to access the network, system and data resources when their work requires it.
6.1.2 Establish a security user access management system, and grant and control access according to the principle of "obtaining information based on actual needs". Unless specially permitted, all access is refused. This includes: 1. All users who want to obtain authority shall pass the related process of application, auditing and review, and the authority and responsibility of all levels of users must be specified. 2. Assign a unique user name to each user who has access authority, to ensure that key data and system operations can be traced back to known and authorized users.
6.2 User Name Management The user name is an identifier that exists in the system for a specific user to enter the system and use its information resources. The users within the same system shall follow a unified naming rule according to their nature and purpose, including but not limited to administrator users, general users, application users and auditing users. 1. Administrator users: the privileged users responsible for managing and assigning all system resources. 2. General users: the operating users who use some system resources and perform specific business functions. 3. Application users: the interface users used when other application systems exchange information with, or call programs of, this system. 4. Auditing users: the special users activated to perform certain auditing functions.
6.3 Login Control The system can be accessed only after verifying the user name as identification and the password as authentication. The following controls shall be applied to users' login: 1. General users shall be locked out after three failed login authentication attempts. 2. An alarm prompting mechanism for authentication failure shall be used. 3. General users will be automatically logged off when inactive for more than 5 minutes. 4. Strictly limit the operating range and the approval procedures of remote login (telnet, remote dial-up or VPN).
6.4 Password Management For systems that use only a static password to log in, the password policy shall comply with the following principles. Systems to which these cannot be applied for special reasons shall be documented as exceptions. 1. The password is not less than 6 digits (characters). 2. The password shall include at least one letter and one number. 3. The password shall include at least three different characters. 4. The password shall be changed every quarter. 5. Any password used in the latest four changes shall not be reused. 6. A security mechanism must be in place for users to reset their password. 7. The initial password shall be forced to be changed by the system. The password shall not be displayed, stored or transmitted in plaintext. 8. The default passwords generated by the installation of the system and products shall not be used. 9. For an account that has not been used for 90 consecutive days, the authority of the account shall be frozen. If the account is not used for 30 days after being frozen, it shall be cancelled.
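Sections 6.3 and 6.4 read as a checklist; to make the rules testable, the following added example (written for this edit in Go, not code from the guide or from UnionPay) encodes them as a policy checker: password composition and history (6.4 items 1, 2, 3 and 5), lockout after three failures and the 5-minute idle log-off (6.3), and the 90-day freeze / further 30-day cancellation of idle accounts (6.4 item 9). The function and type names (CheckPassword, Account, LifecycleState) and the sample password history are assumptions made for the example; a real system would store salted hashes rather than the plaintext history kept here.

```go
package main

import (
	"fmt"
	"time"
	"unicode"
)

// Thresholds taken from sections 6.3 and 6.4 of the guide.
const (
	minLength        = 6
	minDistinctChars = 3
	historyDepth     = 4               // last four passwords may not be reused
	maxFailedLogins  = 3               // lock the account after three failures
	idleTimeout      = 5 * time.Minute // automatic log-off of idle general users
	freezeAfter      = 90 * 24 * time.Hour
	cancelAfter      = 30 * 24 * time.Hour
)

// CheckPassword returns nil if candidate satisfies the policy, otherwise an
// error naming the first violated rule. history holds the previous passwords,
// most recent last (plaintext only for the sake of a runnable example).
func CheckPassword(candidate string, history []string) error {
	if len(candidate) < minLength {
		return fmt.Errorf("password shorter than %d characters", minLength)
	}
	var hasLetter, hasDigit bool
	distinct := map[rune]bool{}
	for _, r := range candidate {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
		distinct[r] = true
	}
	if !hasLetter || !hasDigit {
		return fmt.Errorf("password needs at least one letter and one digit")
	}
	if len(distinct) < minDistinctChars {
		return fmt.Errorf("password needs at least %d different characters", minDistinctChars)
	}
	start := len(history) - historyDepth
	if start < 0 {
		start = 0
	}
	for _, old := range history[start:] { // only the last four count
		if old == candidate {
			return fmt.Errorf("password was used within the last %d changes", historyDepth)
		}
	}
	return nil
}

// Account holds the state needed for the lockout and lifecycle rules.
type Account struct {
	FailedLogins int
	Locked       bool
	LastUsed     time.Time
}

// RecordLoginFailure applies the lockout rule and reports whether the
// account is now locked.
func (a *Account) RecordLoginFailure() bool {
	a.FailedLogins++
	if a.FailedLogins >= maxFailedLogins {
		a.Locked = true
	}
	return a.Locked
}

// IdleExpired reports whether a session idle since lastActivity must be
// logged off at time now.
func IdleExpired(lastActivity, now time.Time) bool {
	return now.Sub(lastActivity) > idleTimeout
}

// LifecycleState returns "active", "frozen" or "cancelled" for an account
// last used at a.LastUsed, evaluated at time now (section 6.4 item 9).
func LifecycleState(a Account, now time.Time) string {
	idle := now.Sub(a.LastUsed)
	switch {
	case idle > freezeAfter+cancelAfter:
		return "cancelled"
	case idle > freezeAfter:
		return "frozen"
	default:
		return "active"
	}
}

func main() {
	// Constructed sample history; the last entry is the current password.
	history := []string{"abc123", "def456", "ghi789", "jkl012"}
	for _, p := range []string{"a1", "111111", "aa1aa1", "abc123", "Mno345"} {
		fmt.Printf("%-8s -> %v\n", p, CheckPassword(p, history))
	}
	acct := Account{LastUsed: time.Now().Add(-100 * 24 * time.Hour)}
	fmt.Println("idle 100 days:", LifecycleState(acct, time.Now()))
}
```

The history window is deliberately a slice of the last four entries rather than the whole list, which is the point the guide's item 5 makes: a password older than four changes may legitimately be reused, so a checker that compares against the full history would be stricter than the policy.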
6.5 Security Audit The system must enable the necessary auditing function to record the following events in the log: 1. The date and manner of the user logging on to the system. 2. Failed access attempts. 3. Records of access to key directories or of the execution of key operations (events related to system security). 4. Regularly gather statistics on the records of users' access to system resources and feed them back to the users for confirmation and evaluation. The resource items that need statistical analysis are determined according to the users' needs. 5. For systems that do not have, or are not suited to enabling, the auditing function, third-party auxiliary auditing tools may be selected. 6. Every year, at least one internal or external audit shall be carried out on the network, the security equipment and the personalization system, to validate whether the management, configuration and policies are in line with the security requirements, and a detailed record of the audit shall be kept.
6.6 Log Management 1. The log files shall be kept for at least one year. 2. Except for the auditing users, other users shall not access or modify the audit log. 3. The manufacturers shall establish sound mechanisms for log recording and review. The content of each log record shall include the user ID, the date and time of the operation, the content of the operation and whether the operation succeeded. The system shall log the following events: the user's access to sensitive information and sensitive equipment; the method used to log in to the system; failed access attempts; the operations of the system administrator; access to the system log; and other system events involving logical security. 4. The clocks of all important systems shall be kept synchronized so that system access and operations are recorded accurately.
7 Product Processing and Security Management 7.1 Personalization Processing Process Personalization processing process of magnetic stripe card and IC card has various procedures like initialization, data preparation, processing of personalization equipment, post-processing, etc.
7.2 Personalization of Magnetic Stripe Card 7.2.1 Data Preparation During the personalization of a magnetic stripe card, data preparation means that the personalization provider processes the personalization data transmitted by the issuer (data decryption and format conversion) so that the data is in a format the personalization equipment can read. It is recommended that the data encryption and decryption process as well as the data conversion process be conducted in a hardware security module (HSM).
7.2.2 Personalization Processing Personalization processing refers to the process in which the magnetic stripe reader/writer writes the personalization data to the magnetic stripe card. Encryption, and a format the personalization equipment can read, must be used when the personalization equipment writes data to the card, and the equipment operator shall not be able to read the plaintext data on the equipment.
7.3 Initialization of IC Card and Its Security 7.3.1 Initialization Description Initialization of IC card mainly means that IC card receives initialization instruction and relevant data from the initialization equipment and creates relevant application, necessary document structure and partial data as per the initialization instruction to get prepared for the next-step personalization.
7.3.2 Security Requirements When the initialization equipment of the IC card sends initialization commands and data to the IC card, encryption and decryption as well as MAC checks must be applied to the instructions and data sent, and the encryption and decryption process must be performed in connection with the hardware security module (HSM); Key values such as KENC, KDEC and KMAC shall be unique for each card, and set on the card under the protection of the generator's key. If they cannot be set on the card, physical access must be strictly restricted; Access to the card must be protected by a password of 16 digits or above; The equipment must be located within the high security area of the plant and meet all the security requirements and procedures in order to comply with the requirements in the Guide to Security Management of UnionPay Card Product Manufacturer.
7.4 Personalization of IC Card 7.4.1 Security Requirements for Data Preparation Data preparation is responsible for creating the procedures and data for the IC card application; the data mainly includes the issuer's master key and related data, application keys and certificates, and application data. The steps are listed below: 1. Create personalization data; 2. Integrate personalization data into data groupings; 3. Create personalization instructions and commands; 4. Create the data for the application's log records; 5. Create the input document for the personalization equipment. The security requirements for data preparation are as follows: The whole process of data preparation must be conducted on data processing equipment connected to the hardware security module (HSM). Import and export of keys and data shall be conducted strictly in accordance with the requirements of the EMV 2000 Integrated Circuit Card Specification for Payment Systems and the China Financial Integrated Circuit Card Specifications, to ensure key and data security.
7.4.2 Security Requirements for Personalization Processing Processing by the personalization equipment refers to the process in which the chip reader/writer sends personalization data to the chip card. During the data input process, the personalization equipment must be connected to a hardware security module (HSM) to perform data encryption and decryption and the MAC check while sending the instructions; obtain KENC, KDEK and KMAC, and create a secure channel via mutual authentication;
The personalization equipment shall be located in the high security area of the plant and comply with the security requirements and procedures to meet the requirements in the UnionPay Card Manufacturer Security Management Guide V3.0.0.
7.4.3 Post-processing Post-processing of IC card personalization refers to confirming that the IC card has accepted the personalization application data from the personalization equipment and stored it correctly for future use, and locking the IC card that has completed personalization processing with the key established before personalization.
7.5 Process Security Requirements 7.5.1 Process Procedures Personalization processing procedures shall be kept as official documents, and any modification shall be authorized by the relevant managers. The detailed processes for carrying out the various jobs shall be set out in these procedures, including: 1. The operating process of the personalization equipment; 2. The handling and disposal process for data information; 3. Operating guidance for mistakes or other abnormal conditions occurring in the handling process, including application restrictions for system equipment, etc.
7.5.2 Control of Personalization Handling Process 1. Information about the card and the cardholder shall not be disclosed to non-job-related personnel during the personalization handling process, and it must be ensured that no modification can be made to the personalization data; 2. During the handover at each step, the personnel responsible for counting the cards and envelopes shall not know the expected number in advance (blind counting); 3. Strict quantity control shall be carried out during the personalization handling process. A major examination control record for each work sheet / batch shall be kept separately. The examination control record shall include the work sheet No., name of the issuer, type of card, etc. Every processing function shall include the following record contents: quantity initially issued, quantity of cards remaining from the previous phase, quantity of cards handed over, number of cards returned to the warehouse, quantity of discarded cards, quantity of sample cards / test cards, the personalization operating equipment and records, signature of the operator, date, time, signature of the inspector, etc.; 4. Any failure of the personalization processing equipment shall be recorded and the records kept for at least three months, including the following contents: operator's name, signature of the inspector, equipment description / equipment No., work sheet No., date, time, reason for failure, etc.; 5. During the card preparation process, it shall be ensured that more than two people are present at the card embossing and production site. Dual control shall be applied to system log-in, and the relevant files on the personalization equipment shall be deleted upon completion.
7.5.3 Management of Embossing Foil, Card Mailing Sheet and UG Color Strip 1. A foil inventory registration form is recommended. Checks and verification shall be carried out based on the number of destroyed foils; 2. Used foils shall be stored in the dual-management area before being destroyed; 3. An embossing foil destruction log shall be established, including contents such as roll (barrel) number, date, and the double signatures used to attest destruction, etc.; 4. All foils carrying cardholder information shall be destroyed in a timely manner under dual supervision upon being removed from the card machine; 5. The same security controls shall be applied to card mailing sheets and UG color strips.
7.5.4 Management of Personalization Cards 1. A complete blank card archive and quantity management system shall be established. Card types that have been moved into or out of the warehouse shall be verified for quantity on the same day; 2. Cards taken from the warehouse that have not been used shall be returned to the vault for storage before the completion of personalization processing. 3. Cards under processing shall be in the charge of authorized employees / operators to ensure their security. A card under processing may not be left without someone in charge of it; 4. Cards without personalization processing (blank cards) shall be stored in the vault under dual control. Unauthorized employees must be kept away from them; 5. Mailing of the personalized cards shall be conducted in a safe and traceable manner.
8 Key Management The principle for key security management is that all the encryption and decryption operation outside the IC card shall be conducted on the hardware security module (HSM).
8.1 Key Description 8.1.1 Personalization Key The corresponding encryption keys shall be created before personalization of the IC card, mainly including the following: KMC (personalization master key): the version number of the personalization master key shall exist on the IC card; the KMC is used to generate the initial personalization keys (KENC, KMAC and KDEK) for every application. The KMC is unique to every issuer. KENC (encryption diversification key): one KENC shall be generated for every IC card and written into the corresponding application. This key is used to generate the card's cryptogram (cipher text) and to verify the host (mainframe) cryptogram. If the security level of the cryptogram requires that the data field of the STORE DATA command be encrypted, this diversified key can also be used to decrypt the data field of that command in CBC mode. KENC is a 16-byte (112-bit plus parity bits) DES key, unique to every card. KMAC (check code diversification key): one KMAC shall be generated for every IC card and written into the corresponding application. This key is used to verify the C-MAC used by the EXTERNAL AUTHENTICATE command. When the cryptogram security level requires a MAC on the STORE DATA command, this key is also used to verify the C-MAC of the STORE DATA command. KMAC is a 16-byte (112-bit plus parity bits) DES key, unique to every card. KDEK (key encryption diversification key): one KDEK shall be generated for every IC card and written into the corresponding IC card. This key is used to decrypt the confidential data received by the STORE DATA command in ECB mode. KDEK is a 16-byte (112-bit plus parity bits) DES key, unique to every card.
8.1.2 Card Key Public key/private key pair of the issuer: usually generated by the issuer. The public key shall be transmitted to the certification authority for financial integrated circuit (IC) cards in China to create the certificate for the issuer's public key, while the private key shall be stored in the issuer's HSM (host encryption module). If the key is processed by the personalization provider on behalf of the issuer, the key pair shall be managed as per this Guide.
The following optional keys can also be generated: Public key pair of the IC card: such a key pair is used by cards that generate cryptograms through DDA and CDDA/AC, or by cards with PIN encryption. The public key shall be signed by the issuer's private key to establish the IC card public key certificate. The public key pair of the IC card shall be unique for every card; MDK ENC: used to derive UDK ENC; UDK ENC: used to encrypt the issuer's script confidential information; MDK MAC: used to derive UDK MAC; UDK MAC: usually used to authenticate the script information. MDK ENC and MDK MAC shall be unique to every issuer. UDK ENC and UDK MAC shall be unique to every card. Please refer to the following table:

Key Name | Key Share | Master Key | Card Key | Dialogue Key | Purpose
Online key verification of financial integrated circuit (IC) card in China | Issuer and card | MDK | UDK | SUDK (used for universal password) | The master key is used to generate the unique card key, which is used for online verification of the card and the issuer.
Message certification (MAC) key of financial integrated circuit (IC) card in China | Issuer and card | MDK MAC | UDK MAC | SUDK MAC | The master key is used to generate the unique card key, and that card key is used to generate the key for the message certification required for data updates after card issuance.
Data encryption key of financial integrated circuit (IC) card in China | Issuer and card | MDK ENC | UDK ENC | SUDK ENC | The master key is used to generate the unique card key, and that card key is used to generate the dialogue key for encryption of the updated confidential data (offline PIN) after card issuance.
ICC private key | Issuer and card | - | - | - | Generated by the issuer and safely stored on the card. During offline data authentication (DDA) processing, this private key is used for the digital signature of the dynamic data. Upon completion of personalization, the issuer usually does not hold this key.
8.1.3 Transmission Key The following keys are mainly used for the transmission of data and keys during the various stages of card personalization. Key exchange key (KEK): a key exchange key is established for the channel between the issuer and the data preparation system, and is used to encrypt the confidential data transmitted between the issuer and the personalization data preparation equipment. The KEK shall be unique to every issuer and shall be changed on a regular basis. Data encryption key (DEK) / transmission key (TK): a special transmission key used to encrypt the PIN and other confidential data between the data preparation equipment and the personalization equipment. Message authentication code key (MAC KEY): a special transmission key used to guarantee the integrity of the personalization document between the data preparation system and the personalization system. Please refer to the following table:

Key Name | Key Share | Master Key | Card Key | Dialogue Key | Purpose
Issuer's master key | Issuer, IC card manufacturer and personalization equipment | KMC | KENC | SKUENC | The IC card manufacturer uses this KMC to generate the card-level personalization keys (KENC, KMAC, KDEK) and write them onto the card. KENC is used to create one dialogue key, which can be used to create cipher text and encrypt confidential data under CBC mode.
Issuer's master key | Issuer, IC card manufacturer and personalization equipment | KMC | KMAC | SKUMAC | KMAC is used to create one dialogue key, which can be used to create the C-MAC in command processing.
Issuer's master key | Issuer, IC card manufacturer and personalization equipment | KMC | KDEK (data encryption key) | SKUDEK | KDEK is used to create one dialogue key, which can be used to encrypt DES keys or flexibly encrypt other confidential data under ECB mode.
Issuer's key exchange key | Issuer and data preparation equipment | KEK ISS | - | - | Protects the offline PIN and other confidential data between the issuer and the data preparation equipment.
Data encryption key / transmission key | Data preparation equipment and personalization equipment | DEK / TK | - | - | Protects the offline PIN and other confidential data between the data preparation equipment and the personalization equipment. Transmission keys of the following special types might be used: PEK/TK, the PIN encryption key, used to protect PIN data; KEK/TK, the key exchange key, used to protect DES keys.
MAC key (message authentication code key) | Provided by the data preparation equipment to the personalization equipment in the personalization data document | MAC key | N/A | N/A | Used to guarantee the integrity of the application data provided to the personalization equipment in the personalization data document.
8.2 Encryption and Transmission of Key and Data
[Figure: encryption and transmission of keys and data. Parties shown: the Issuer (HSM, holding KMC), the Certification Center (HSM), the Data preparation equipment (HSM) and the Personalization equipment (HSM) at the Personalization Manufacturer, and the Personalization Card. Labelled flows: KEK encryption between the issuer and data preparation; TK encryption between data preparation and the personalization equipment; KDEK encryption from the personalization equipment to the card; KMAC (for card lock) and KDEK (for data encryption) on the card.]
8.2.1 From the Issuer to the Personalization Service Provider When receiving the personalization document from the issuer, the document information: 1. Must be stored safely, and the right to access such information must be strictly assessed; 2. Upon completion of personalization, the data within the system shall be securely erased; 3. Shall be translated from the KEK to the TK on the hardware security module (HSM), in order to transmit the confidential information to the personalization equipment. 4. The data preparation system shall have at least one medium security area that can control data access, and the data access right shall be limited to those with business requirements. The security requirements for the encryption process shall apply to the given data group and IC card purpose, and shall be consistent with the corresponding encryption process whether during data preparation or during the machine processing related to the personalization equipment.
8.2.2 Security Requirements during the Personalization Process During the personalization processing stage, the personalization equipment shall: 1. Perform the KDEK calculation for the IC card on the hardware security module (HSM); 2. Translate the confidential information in the personalization document from the transmission key TK to KDEK for transmission to the card, and this translation shall be performed on the HSM; 3. Be installed in the high security area of the plant and comply with all the security requirements and procedural requirements stipulated by the security standards for the production of financial integrated circuit (IC) cards in China.
8.3 Key Operation 8.3.1 Asymmetric (RSA) Key The security of the IC card depends on the protection of the private (signature) key. Failure to guarantee the security of the private key used for signing the static or dynamic data elements creates the risk of IC card counterfeiting. The major risks to the private key are: 1. Successful factoring of the RSA modulus; 2. Disclosure of the private key itself. To limit the disclosure problem represented by these risks, we recommend the following requirements: 1. The bit length of the RSA key modulus, e.g., 768, 896, 1024 and 1152 bits constituting the public/private key modulus; 2. Guarantee that the private (signature) key is physically protected from unauthorized access.
8.3.1.1 Generation of Asymmetric Key 1. Generation of the RSA public/private key pair shall be completed in a fully protected hardware security module (HSM). Such equipment shall include a random or pseudo-random number generator, implement the original authentication process and support a tamper-response mechanism; 2. The RSA private (signature) key may exist only temporarily within the physically secure equipment. Key generation shall use a random or pseudo-random process so that no key can be predicted and no key in the key space is more likely to be chosen than any other; 3. Personal computers or other similar insecure equipment, i.e. equipment that cannot be fully trusted, cannot be used to generate RSA public/private key pairs.
8.3.1.2 Transmission of Asymmetric Key
To protect the integrity and security of the public/private key pair during transmission, the following shall be ensured:
1. The public key shall be transmitted in a manner that guarantees its integrity. It is recommended that the public key be transmitted in a data structure such as a certificate; or that a message authentication code be computed over the public key and related data using an algorithm defined by ISO 9807 and a key reserved solely for this purpose; or that dual control be used so that the recipient of the public key can verify its sender and its integrity, i.e., through separate or independent transmission of an authentication value;
2. The private key shall be transmitted in a manner that guarantees both its integrity and its confidentiality. The transmission mechanisms are as follows: the encryption and decryption operations shall be performed in a secure hardware security module; the private key shall be encrypted under a key-protection key using a symmetric algorithm of at least equivalent strength, or transmitted as several components (keeping it secure as far as the IC card), and decrypted with a symmetric algorithm.
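As an added example (not code from this Guide or from any UnionPay system), the following Go program shows the MAC-based option of item 1 above: the sender computes a DES-based retail MAC (ISO 9797-1 MAC Algorithm 3, assumed here to be the construction ISO 9807 specifies) over the public key modulus and exponent using a key pair reserved for nothing else, and the recipient recomputes the MAC before accepting the key. The MAC key values, the message layout and the function names are assumptions made for illustration; in practice the MAC keys are generated in an HSM and delivered by a route separate from the public key itself.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed pair of single-length DES keys reserved solely for public-key
// authentication; in practice they come from an HSM and travel separately from the key.
var (
	macK1, _ = hex.DecodeString("0123456789ABCDEF")
	macK2, _ = hex.DecodeString("FEDCBA9876543210")
)

// PublicKeyMessage is the structure sent to the recipient (assumed layout).
type PublicKeyMessage struct {
	Modulus, Exponent, MAC []byte
}

// encodePublicKey length-prefixes each field so the MAC covers an unambiguous string.
func encodePublicKey(modulus, exponent []byte) []byte {
	var out []byte
	for _, field := range [][]byte{modulus, exponent} {
		out = append(out, byte(len(field)>>8), byte(len(field)))
		out = append(out, field...)
	}
	return out
}

// retailMAC is ISO 9797-1 MAC Algorithm 3 with zero padding: single-DES CBC under
// K1, then the final block is decrypted under K2 and re-encrypted under K1.
func retailMAC(k1, k2, msg []byte) ([]byte, error) {
	c1, err1 := des.NewCipher(k1)
	c2, err2 := des.NewCipher(k2)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("MAC keys must be 8 bytes each")
	}
	padded := append([]byte{}, msg...)
	for len(padded) == 0 || len(padded)%8 != 0 {
		padded = append(padded, 0)
	}
	var h [8]byte
	for i := 0; i < len(padded); i += 8 {
		for j := range h {
			h[j] ^= padded[i+j]
		}
		c1.Encrypt(h[:], h[:])
	}
	c2.Decrypt(h[:], h[:])
	c1.Encrypt(h[:], h[:])
	return h[:], nil
}

// protectPublicKey builds the message to transmit: the key fields plus their MAC.
func protectPublicKey(pub *rsa.PublicKey, k1, k2 []byte) (*PublicKeyMessage, error) {
	exp := []byte{byte(pub.E >> 24), byte(pub.E >> 16), byte(pub.E >> 8), byte(pub.E)}
	msg := &PublicKeyMessage{Modulus: pub.N.Bytes(), Exponent: exp}
	mac, err := retailMAC(k1, k2, encodePublicKey(msg.Modulus, msg.Exponent))
	if err != nil {
		return nil, err
	}
	msg.MAC = mac
	return msg, nil
}

// verifyPublicKey recomputes the MAC on receipt and compares in constant time; the
// recipient must not install the key unless this returns true.
func verifyPublicKey(msg *PublicKeyMessage, k1, k2 []byte) bool {
	expected, err := retailMAC(k1, k2, encodePublicKey(msg.Modulus, msg.Exponent))
	return err == nil && subtle.ConstantTimeCompare(expected, msg.MAC) == 1
}

// runDemo protects a freshly generated sample key, verifies it, then flips one
// modulus byte to simulate corruption in transit. Returns (intactOK, tamperedOK).
func runDemo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // one of the sizes listed in 8.3.1
	if err != nil {
		return false, false, err
	}
	msg, err := protectPublicKey(&priv.PublicKey, macK1, macK2)
	if err != nil {
		return false, false, err
	}
	intact := verifyPublicKey(msg, macK1, macK2)
	msg.Modulus[0] ^= 0x01
	return intact, verifyPublicKey(msg, macK1, macK2), nil
}

func main() {
	intact, tampered, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact key verifies: %v; tampered key verifies: %v\n", intact, tampered)
}
```

The MAC only proves the key came from a holder of the MAC keys, which is why the Guide ties this option to a key used for nothing else and delivered separately; the length prefixes in encodePublicKey prevent a modulus/exponent boundary shift from producing the same MAC input.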
8.3.2 Symmetric Key (DES)
DES keys are used for specific transaction functions. Each DES card key is derived from a master derivation key during personalization, and the final card-level key is unique to the card.
1. Issuer master derivation key (IDKAC): used to derive the card key that generates the MAC known as the application cryptogram (AC);
2. Issuer secure messaging master keys (IMKSMC, IMKSMI): used to derive the card keys used for secure messaging between the card and the authentication system, i.e., card blocking, application blocking/unblocking, updating specific card data and PIN change.
8.3.2.1 Generation of Symmetric Key
The key generator shall apply the following principles to minimize the opportunity for disclosure of key data during generation.
1. DES keys shall be generated in physically secure equipment protected by a tamper-response mechanism, or shall be generated in parts by authorized staff. The secure equipment shall include a random or pseudo-random number generator;
2. An unprotected key shall never exist outside the protection of physically secure equipment. The physically secure equipment shall never output a plaintext key, unless it is output encrypted or split into two or more components;
3. When a key is generated by authorized staff through a process that combines several components, each party shall generate one component of the same length as the key to be generated. The key shall be combined inside physically secure equipment, such that the key value cannot be determined from knowledge of any subset of the components. The split components shall be under the control of a managing organization, and at least one component holder shall be an employee of the issuer;
4. A check value shall be calculated for every actual key;
5. Personal computers or similar insecure equipment shall not be used to generate key material;
6. If any key is found to exist outside physically secure equipment, or every component of the key is suspected to be known by someone or held by a single person, the key shall be deemed compromised and replaced with a new key.
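As an added example covering both 8.3.2 and 8.3.2.1 (not code from this Guide or from any UnionPay system), the following Go program walks through a key ceremony: three constructed components are XOR-combined inside one function (standing in for the HSM), the result is parity-adjusted, a check value is computed for it, and a unique card-level key is derived from it. The component values, PAN and PSN are constructed; the derivation method (EMV Option A) is an assumption, since the Guide names the master keys but not the derivation algorithm, and the function names are the example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// Constructed 16-byte components; in a real ceremony each is generated in an HSM and
// held by a different custodian. They are hard-coded only so the example runs offline.
var (
	component1, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	component2, _ = hex.DecodeString("89ABCDEF0123456776543210FEDCBA98")
	component3, _ = hex.DecodeString("1F2E3D4C5B6A79880F1E2D3C4B5A6978")
)

// adjustParity forces odd parity on every byte; the low bit of each byte is the parity bit.
func adjustParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b &^ 0x01
		if bits.OnesCount8(b&0xFE)%2 == 0 {
			out[i] |= 0x01
		}
	}
	return out
}

// tripleDES accepts a 16-byte key (used as K1|K2|K1) or a 24-byte key.
func tripleDES(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	return des.NewTripleDESCipher(key) // rejects any other length
}

// combineComponents XORs equal-length components into the working key (8.3.2.1, item 3).
// Any proper subset of the components is independent of the result, so no single
// custodian learns the key.
func combineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, fmt.Errorf("at least two components are required")
	}
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, fmt.Errorf("components must all have the same length")
		}
		for i := range c {
			key[i] ^= c[i]
		}
	}
	return adjustParity(key), nil
}

// keyCheckValue is the check digit of 8.3.2.1, item 4: first three bytes of 3DES over an all-zero block.
func keyCheckValue(key []byte) (string, error) {
	block, err := tripleDES(key)
	if err != nil {
		return "", err
	}
	var zero, out [8]byte
	block.Encrypt(out[:], zero[:])
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// deriveCardKey derives a unique card-level key from an issuer master key (8.3.2).
// The Guide does not state the method; EMV Option A is assumed here: Y = rightmost 16
// digits of PAN||PSN, key = 3DES(IMK)[Y] || 3DES(IMK)[Y xor FF..FF], parity-adjusted.
func deriveCardKey(masterKey []byte, pan, psn string) ([]byte, error) {
	y := strings.Repeat("0", 16) + pan + psn
	yb, err := hex.DecodeString(y[len(y)-16:]) // 16 decimal digits packed as BCD
	if err != nil {
		return nil, err
	}
	block, err := tripleDES(masterKey)
	if err != nil {
		return nil, err
	}
	var left, right [8]byte
	block.Encrypt(left[:], yb)
	for i := range yb {
		yb[i] ^= 0xFF
	}
	block.Encrypt(right[:], yb)
	return adjustParity(append(left[:], right[:]...)), nil
}

func main() {
	imk, _ := combineComponents(component1, component2, component3)
	kcv, _ := keyCheckValue(imk)
	cardKey, _ := deriveCardKey(imk, "6222021234567890123", "00") // constructed PAN and PSN
	ck, _ := keyCheckValue(cardKey)
	fmt.Printf("issuer master key KCV %s, card key KCV %s\n", kcv, ck)
}
```

Each custodian records only the check value of their own component and of the combined key; the check value lets the loading be confirmed against the record without any component or the key ever being displayed, which is the purpose of item 4.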
8.3.2.2 Transmission of Symmetric Key
During transmission or storage of DES keys, the following measures limit the risk of data disclosure.
1. DES keys may be securely transferred into a security device or smart card for transport and storage;
2. DES keys shall be transmitted under the principles of dual control and separate holding of components.
8.4 Key Storage
Keys shall be stored so as to prevent their disclosure, modification or substitution. The major security requirements are as follows:
1. Plaintext private keys and secret keys shall be stored in the hardware security module (HSM);
2. Private and secret keys and their components shall be stored under the principles of dual control and separate holding. Effective implementation of these principles requires procedural controls that prevent any administrator (or any individual who is not the administrator of a given component) from accessing enough components to reconstruct the actual key;
3. Private and secret key components shall be stored on media (e.g., floppy disk, PC card, smart card) that are kept securely so that no unauthorized individual can obtain the key components;
4. If private and secret key components are stored on media protected by a personal identification number (PIN), only the owner of the medium may hold both the medium and its PIN;
5. Private or secret key components stored in key transfer equipment shall be protected by adequate access control, such as a password;
6. Whenever a private key or key-encryption key, or its components, is stored in or loaded into a security device, a record shall be kept containing at least the date and time of access, the purpose of access and the signature of the administrator accessing the component; the record shall be retained until the key is terminated or destroyed.
8.5 Key Backup
Backups and copies of keys shall exist only in a permitted storage form. All backups shall be protected by a level of security control equal to or higher than that of the key in use. Once stored, backups shall be kept securely under proper access control and at least dual control. Backup and copying of private keys in the hardware security module shall be controlled through real user identification (e.g., access token, password or other method) to prevent unauthorized use of the key. Key backup shall be performed by two authorized administrators, and the private key and its components shall leave the hardware security module only as ciphertext; in addition, all backup and recovery procedures shall be documented, with every access to the keys recorded.
8.6 Key Destruction
8.6.1 Keys to be Destroyed
Unused or replaced keys shall be destroyed:
1. Every key whose use has been terminated shall be destroyed, including all used, stored, backup and duplicate copies of the key;
2. All key termination procedures shall be documented, with every key termination activity recorded;
3. A person who is not a key administrator, e.g., an external person (the issuer's representative) or an internal one (security management personnel), shall witness the whole course of key destruction and sign the destruction record form.
8.6.2 Destruction Methods
All private and secret keys shall be securely destroyed by the following methods:
1. Key components kept on paper shall be destroyed by burning or shredding.
2. Keys stored in EEPROM shall be completely overwritten with binary "0" three times over their full length.
8.6.3 Miscellaneous
1. Components of the encryption key used for key transfer shall be destroyed once the key has been loaded successfully.
2. When a hardware security module is decommissioned, all keys stored in the equipment shall be physically erased before the equipment itself is destroyed.
9 Hardware Security Module (HSM)
Hardware security modules used by personalization providers in mainland China shall be certified by the State Encryption Administration; hardware security modules used by personalization providers outside mainland China shall be certified by the State Encryption Administration or another international authority, and shall comply with the relevant requirements of the local regulatory bodies.
9.1 Physical Characteristics Required of an HSM
1. An HSM must qualify as physically secure equipment, providing the tamper resistance and the other physical and logical characteristics specified in ISO 9564-1;
2. Every HSM shall have separate physical ports for data input, data output, control input and status output;
3. Every HSM shall ensure that all keys and other sensitive data, and any useful residue of sensitive data, are immediately and automatically erased upon any attempted or detected compromise of the equipment;
4. Every HSM shall be designed to detect and respond to any unauthorized modification, whereupon all keys and other sensitive data, and any useful residue of sensitive data, shall be immediately and automatically erased.
9.2 Logical Characteristics Required of an HSM
1. Every HSM shall have separate logical ports for data input, data output, control input and status output;
2. Any HSM that supports a sensitive or authorized state shall allow that state to be entered only by persons authenticated as operators, and such authentication shall itself be authorized;
3. If an HSM allows software or hardware to be loaded after the equipment has been configured (e.g., after leaving the manufacturer), a cryptographic authentication scheme shall be used to verify that software or hardware.
9.3 HSM Management
9.3.1 HSM Operation
Equipment in operation shall be run according to the following requirements:
1. Audit and control logs shall keep a record of all application activity;
2. For any cryptographic system or equipment capable of encrypting a key, or of producing ciphertext under that key, cryptographic protection shall be used against unauthorized use of the encryption function by anyone who knows the key or key components. Such protection shall take one or both of the following forms: dual access control for enabling the key-encryption function; physical protection of the equipment under dual control (e.g., locked access).
9.3.2 HSM Decommissioning
When a unit of equipment is permanently decommissioned or destroyed, the following is required:
1. All cryptographic keys, key material and sensitive data shall be erased from the equipment;
2. Any cryptographic keys, key material and sensitive data shall be erased in compliance with the key management requirements of this Guide;
3. If secure erasure of cryptographic keys, key material and sensitive data cannot be guaranteed, the equipment shall be physically destroyed so that it cannot be recovered and reused, and so that no secret data or key is disclosed.
Appendix 1: Various Existing Access Methods
Private lines: mainly ADSL, SDH, frame relay, DDN and ATM, including dial-up.
Internet-based MPLS: an MPLS network built on top of the Internet, which is physically the same network as the Internet. Both label switching and traditional IP packet switching exist in this network. This access method is called Internet-based MPLS in this Guideline.
Private-network-based MPLS: some operators build independent MPLS networks in the backbone or metropolitan area network, which only provide enterprises with MPLS-type access. Only label switching exists in this network; there is no traditional IP packet switching. This access method is called Private-network-based MPLS in this Guideline.
IPSEC VPN and SSL VPN are chosen and built by the users themselves and ensure data security through encryption. IPSEC VPN and SSL VPN can be built over a private line, over the Internet or over an MPLS VPN, giving four access schemes: IPSEC/SSL over private line, IPSEC/SSL over Internet, IPSEC/SSL over MPLS (Internet) and IPSEC/SSL over MPLS (private network).
Wireless access method: CDMA 2000 1x, GPRS.
Appendix 2: Security Recommendations on the Use of VPN Access
1. Security recommendations for the MPLS over Internet scheme
(1) Select a qualified communication operator with sound technology.
(2) Sign service-level agreements with the communication operator to ensure data availability.
(3) A firewall shall be deployed at the entrance to the enterprise's internal network, and access control shall be applied to traffic arriving from the VPN.
(4) If conditions permit, the IPSEC/SSL over MPLS scheme shall be deployed to build an IPSEC or SSL tunnel that ensures the confidentiality and integrity of transmitted data.
(5) When IPSEC or SSL over MPLS is adopted, refer to the security recommendations for IPSEC and SSL VPN equipment in this section.
2. Security recommendations for IPSEC VPN equipment
2.1 Recommendations on IPSEC VPN equipment selection
(1) Implement the VPN gateway in hardware.
(2) Prefer hardware VPN client access and avoid software VPN client access.
(3) Select products that provide VPN client access control.
(4) Select products that support encryption keys of more than 128 bits.
(5) Select products that provide two-factor authentication, such as an added dynamic password.
(6) Select products that can check whether the client has firewall and anti-virus software installed.
(7) Select products that provide access statistics and auditing at the user end.
2.2 Recommendations on the secure operation and maintenance of IPSEC VPN equipment
(1) Strictly restrict the users with VPN administration authority, record every addition, modification and deletion of legitimate VPN users, and regularly review those records.
(2) Establish a password policy: control passwords, set a minimum length and complexity, and require passwords to be changed regularly.
(3) Adopt two-factor authentication, and set a renewal period for tokens, certificates and similar authentication methods.
(4) Strictly control VPN client access on the principle of "minimum authority" (least privilege), and regularly review VPN client authorities.
(5) If the VPN product cannot implement access control, it is recommended to use a firewall in tandem with the VPN gateway.
(6) Regularly review the statistics and audit event records to identify any violations or security issues.
(7) The VPN client is required to have a personal firewall and anti-virus software installed.
(8) If a VPN client is not used for some time, it shall be disconnected from the VPN, and preferably from the Internet as well.
(9) Keep in close contact with the VPN manufacturer or purchase maintenance service so that security patches are applied promptly.
3. Security recommendations for SSL VPN equipment
3.1 Recommendations on SSL VPN equipment selection
(1) Implement the VPN gateway in hardware.
(2) Select products that support encryption keys of more than 128 bits.
(3) Select products that provide two-factor authentication, such as an added dynamic password.
(4) Select products that can check whether the client has firewall and anti-virus software installed.
(5) Select products that provide access statistics and auditing at the user end.
(6) Select products that provide data protection at the user end.
3.2 Recommendations on the secure operation and maintenance of SSL VPN equipment
(1) Strictly restrict the users with VPN administration authority, record every addition, modification and deletion of legitimate VPN users, and regularly review those records.
(2) Establish a password policy: control passwords, set a minimum length and complexity, and require passwords to be changed regularly.
(3) Adopt two-factor authentication, and set a renewal period for tokens, certificates and similar authentication methods.
(4) Strictly control VPN client access on the principle of "minimum authority" (least privilege), and regularly review VPN client authorities.
(5) Regularly review the statistics and audit event records to identify any violations or security issues.
(6) The VPN client is required to have a personal firewall and anti-virus software installed.
(7) If a VPN client is not used for some time, it shall be disconnected from the VPN, and preferably from the Internet as well.
(8) Keep in close contact with the VPN manufacturer or purchase maintenance service so that security patches are applied promptly.