
Security Management Guide of

UnionPay Card Personalization Service Provider

December 2010

Table of Contents
PREFACE
1 INTRODUCTION
1.1 SCOPE
1.2 VERSION
2 PERSONNEL ORGANIZATIONAL MANAGEMENT
2.1 ESTABLISHMENT AND RESPONSIBILITIES OF SECURITY MANAGEMENT ORGANIZATION
2.1.1 Basic Requirements
2.1.2 Major Responsibilities
2.2 PERSONNEL MANAGEMENT
2.2.1 Personnel in Key Positions
2.2.2 Security Auditing Personnel
2.3 KEY MANAGEMENT PERSONNEL
2.3.1 Work Responsibilities
2.3.2 Security Requirements
3 DATA SECURITY MANAGEMENT
3.1 SECURITY MANAGEMENT OF DATA TRANSMISSION
3.1.1 Leased Line Transmission
3.1.2 Mail Delivery and Express Delivery of Disks
3.2 DATA SECURITY
3.2.1 Data Reception
3.2.2 Data Processing
3.3 MANAGEMENT OF DATA STORAGE MEDIA
4 SECURITY MANAGEMENT OF NETWORK
4.1 COMMUNICATION METHODS
4.2 SECURITY OF THE PERSONALIZATION NETWORK
4.2.1 Firewall and Intrusion Prevention
4.2.2 Anti-virus
4.2.3 Access Control on Customers and Third Parties
5 WORKSHOP AND SYSTEM SECURITY
5.1 BASIC CONTENT
5.2 ACCESS SECURITY CONTROL
5.3 MAINFRAME SECURITY
5.4 ENVIRONMENT FOR DATA WORKSHOP AND SECURITY REQUIREMENTS
5.5 DATA BACKUP AND DISASTER RECOVERY
5.5.1 Data Backup
5.5.2 Disaster Recovery
5.6 SYSTEM MAINTENANCE AND ACCIDENT TREATMENT
5.6.1 Routine Maintenance
5.6.2 Accident Treatment
5.7 PERSONALIZATION WORKSHOP SECURITY
6 ACCESS CONTROL AND AUDIT
6.1 CONTROL ON USER AUTHORIZATION
6.2 USER NAME MANAGEMENT
6.3 LOGIN CONTROL
6.4 PASSWORD MANAGEMENT
6.5 SECURITY AUDIT
6.6 LOG MANAGEMENT
7 PRODUCT PROCESSING AND SECURITY MANAGEMENT
7.1 PERSONALIZATION PROCESSING PROCESS
7.2 PERSONALIZATION OF MAGNETIC STRIPE CARD
7.2.1 Data Preparation
7.2.2 Personalization Processing
7.3 INITIALIZATION OF IC CARD AND ITS SECURITY
7.3.1 Initialization Description
7.3.2 Security Requirements
7.4 PERSONALIZATION OF IC CARD
7.4.1 Security Requirements for Data Preparation
7.4.2 Security Requirements for Personalization Processing
7.4.3 Post-processing
7.5 PROCESS SECURITY REQUIREMENTS
7.5.1 Process Procedures
7.5.2 Control of Personalization Handling Process
7.5.3 Management of Embossing Foil, Card Mailing Sheet and UG Color Strip
7.5.4 Management of Personalization Cards
8 KEY MANAGEMENT
8.1 KEY DESCRIPTION
8.1.1 Personalization Key
8.1.2 Card Key
8.1.3 Transmission Key
8.2 ENCRYPTION AND TRANSMISSION OF KEY AND DATA
8.2.1 From the Issuer to the Personalization Provider
8.2.2 Security Requirements during the Personalization Process
8.3 KEY OPERATION
8.3.1 Asymmetric (RSA) Key
8.3.2 Symmetric Key (DES)
8.4 KEY STORAGE
8.5 KEY BACKUP
8.6 KEY DESTRUCTION
8.6.1 Keys to be Destroyed
8.6.2 Destruction Methods
8.6.3 Miscellaneous
9 HARDWARE SECURITY MODULE (HSM)
9.1 PHYSICAL CHARACTERISTICS SPECIFIED BY HSM
9.2 LOGIC CHARACTERISTICS SPECIFIED BY HSM
9.3 HSM MANAGEMENT
9.3.1 HSM Operation
9.3.2 HSM Disuse
APPENDIX 1: VARIOUS EXISTING ACCESS METHODS
APPENDIX 2: SECURITY RECOMMENDATIONS ON THE USE OF VPN ACCESS


Preface
In case of any discrepancy between the terms and conditions of this Guide and state or
local laws, the official legal document shall prevail.
This Guide supplements the UnionPay Card Manufacturer Security Management Guide,
mainly adding the requirements related to personalization processing services for
magnetic stripe cards and IC cards. Manufacturers engaged in personalization
processing services shall also observe the regulations in the UnionPay Card
Manufacturer Security Management Guide.
Implementing this Guide cannot completely prevent loss, theft, deterioration, damage
and leakage of products, data and security materials; the company therefore remains
liable for such matters.
China UnionPay Co., Ltd. reserves the copyright to this Guide and the right to
interpret it. Notification of any change will be given to issuers and manufacturers in
writing.
The manufacturer may supplement this Guide with additional measures to strengthen its
security management in line with its own security requirements. China UnionPay Co.,
Ltd. will review the security system of the manufacturer on a regular basis. Any
deviation from this Guide shall be approved by China UnionPay Co., Ltd.


1 Introduction
1.1 Scope
Based on the UnionPay Card Manufacturer Security Management Guide V3.0, this Guide
stipulates the further security management requirements to be observed by
manufacturers engaged in personalization processing services for UnionPay logo
magnetic stripe cards and integrated circuit (IC) cards.
This Guide applies to providers of personalization processing services for UnionPay
logo magnetic stripe cards and IC cards. Such providers shall also observe the
regulations in the UnionPay Card Manufacturer Security Management Guide V3.0 in
terms of personnel management, security facility management, storage and
transportation of products, manufacturing process, data security management, etc.


2 Personnel Management
2.1 Responsibilities and Requirements
2.1.1 Basic Requirements
An appropriate security management organization shall be established in accordance
with the UnionPay Card Manufacturer Security Management Guide to uphold the
security requirements for card personalization and to ensure that security measures
are implemented.
The security management organization shall maintain liaison with law enforcement
departments and business partner institutions so that security incidents are
reported promptly and appropriate measures are taken.
The security management organization shall be able to examine and manage the
security implementation of the various departments independently, and its work
shall reflect security requirements that are feasible and effective.
2.1.2 Major Responsibilities
To establish the security management system for UnionPay logo magnetic stripe card
and IC card personalization, covering the production process, security material
management, data transmission, key management and personnel security behavior.
To be responsible for examining logical security within the manufacturer, including
software design, network security, key generation, data management, card
personalization, and the security procedures adopted during transmission and
storage.
To be responsible for remedying any processing practice with a logical security
defect, and to establish a concrete method for handling each such problem until it
is resolved.
2.2 Personnel Management
2.2.1 Personnel in Key Positions
A strict selection process shall be applied when appointing employees to key
positions such as security management personnel, workshop management personnel,
treasury (vault) operation personnel, key management personnel and personalization
processing personnel; part-time employees, temporary workers, etc. shall not hold
such positions.
2.2.2 Security Auditing Personnel
The manufacturer must ensure that security auditing personnel are not directly
involved in the work they audit, and the Security Chief shall review the security
auditing personnel on a yearly basis.


2.3 Key Management Personnel
2.3.1 Responsibilities
1. To receive and safely store key components and security media;
2. To maintain the access log and the record of key material use, including the
time and date of access, the personnel involved, the purpose, and the time of
return and the personnel returning it;
3. To supervise the destruction of old and outdated key components;
4. To load keys into the hardware security module (HSM) as required.
2.3.2 Security Requirements
1. Key management personnel must be permanent employees, not temporary workers,
part-time employees or consultants;
2. The working behavior of key management personnel must be monitored;
3. Sufficient control shall be applied to the personnel responsible for key
material or its security media to ensure that no single individual (and no
unauthorized person) can gain access to a cryptographic system key or to the
data on a security medium.


3 Data Management
3.1 Security Management of Data Transmission
To prevent loss, modification or misappropriation of data transmitted between
organizations, such transmission shall be controlled. In the general case a leased
line (see Section 4.1 on network security management), mail delivery of a data
disk, or personal delivery shall be used.
3.1.1 Leased Line Transmission
For leased line transmission, the card personalization manufacturer shall install a
separate data receiving server. Secure transmission rules for personalization data
shall be defined jointly by the personalization provider and the issuer, and the
following requirements must be met:
1. The integrity and the confidentiality of the personalization data shall be
guaranteed at the same time. Integrity can be achieved by adding a check code to
the personalization data file, and confidentiality by encrypting the whole data
file; the key and the encrypted data must not be transmitted together.
2. In the general case a hardware security module (HSM) shall be used for the
transmission of personalization data between the personalization provider and the
issuer; if a software security module is used instead, the key length shall be no
less than 128 bits.
3. A symmetric cryptographic system shall be used for encrypting the data, while an
asymmetric cryptographic system shall be used for signatures and for key
encryption as the specific requirements dictate.
4. The personalization manufacturer shall keep the communication logs exchanged
with the card issuer and the third-party service provider (TPSP) safely. If a
communication log (or message) has to be retrieved from the production
environment for business reasons, the review and approval process shall be
followed and the retrieval conducted by at least two people. Furthermore, the
communication log (or message) shall be used only in the designated secure
environment, and no communication log (or message) shall be taken away from the
workplace.
3.1.2 Mail Delivery and Express Delivery of Disks
A reliable mail delivery institution and means of transportation shall be selected
for transmission of data disks by mail or personal delivery, and the identity of
the courier shall be verified.
For mail or express delivery of data disks, the stored data must be encrypted using
the encryption and decryption method agreed between the personalization provider
and the issuer, and it must be possible to verify the authenticity and integrity
of the data.
The packaging of the storage media shall protect the contents from any physical
damage that may arise during transshipment. When necessary, dedicated measures may
be adopted to protect the data from unauthorized disclosure or modification, such
as:
1. Using a locked container;
2. Personal delivery;
3. Tamper-evident packaging;
4. Under special circumstances, dividing the consignment (data and keys) into
several parts for delivery by different means.
3.2 Data Security
3.2.1 Data Reception
1. For data transmitted over the leased line, the manufacturer must promptly
transfer the encrypted data to the internal personalization processing network,
delete the data from the receiving device and record the operation.
2. For data transmitted by mail delivery of a data disk, the manufacturer must have
two or more personnel receive the package, check whether it is damaged and confirm
receipt by signing. After receipt, the encrypted data shall be transferred
promptly to the personalization processing network, the data on the storage media
shall be deleted or the media destroyed, and the storage information shall be
recorded.
3.2.2 Data Processing
1. When the manufacturer processes data that has been transferred to the
personalization processing network, plaintext data shall not appear in principle.
If plaintext data is required for the work, it must be handled under the on-site
supervision of security management staff and with the written permission of the
card issuer. The operation shall be recorded on file, including but not limited
to the operator's name, the processing time, the reason for the processing, the
name of the bank owning the data, the finish time and the signature of the
security administrator.
2. Processed personalization data must be promptly deleted or destroyed under the
supervision of security management personnel. If the data needs to be retained,
the written permission of the card issuer must be obtained and the storage
information recorded in detail.


3. Information about the cardholder and the card issuer may be accessed by staff
only as needed for their work.
4. Cardholder data may be modified only with the prior written approval of the card
issuer, and the modification must be recorded in detail.
3.3 Management of Data Storage Media
A comprehensive management system shall be established for removable data storage
media, including tapes, disks, cassettes, hard disks, compact discs, printed
reports, etc. The following management measures shall be adopted for storage media:
1. All storage media shall be kept in a safe environment that meets the storage
environment requirements specified by the manufacturer of the media;
2. Any storage media taken out of the manufacturing area shall be approved, with
corresponding records taken and kept for at least one year;
3. All data must be deleted from reusable storage media before they are returned to
customers;
4. Storage media carrying data that will no longer be used shall be burnt or crushed
under the supervision of security personnel, with corresponding records taken and
kept for at least one year.


4 Security Management of Network
4.1 Communication Methods
The following connections between the manufacturer and the data providers are
recommended:
1. Recommended access methods: leased line (mainly ADSL, SDH, frame relay, DDN,
ATM, ISDN and telephone dial-up) and MPLS over a private network (see Appendix 1,
Current Access Methods List, for the definition of each access method).
2. When using IPsec/SSL VPN over MPLS, or MPLS over the Internet, the associated
risks shall be fully considered and accepted and the related security
recommendations shall be followed (see Appendix 2, Security Recommendations for
Using VPN Access).
3. When using IPsec/SSL VPN over the Internet, the associated risks shall be fully
considered and accepted and the related security recommendations shall be followed
(see Appendix 2, Security Recommendations for Using VPN Access).
4. Prohibited access method: a plain Internet connection without the VPN protection
described in item 3.
4.2 Security of the Personalization Network
The network linking data reception and processing, the encryption devices or
systems, the personalization preparation system, the database, and the
personalization devices and systems must be an isolated and independent network.
The connection to the card issuer by any of the communication methods in Section
4.1 must pass through two or more firewalls that implement the network isolation.
The network used for card personalization must be isolated, physically or
logically, from devices that are irrelevant to the personalization process. Strict
systems and processes shall be stipulated to prevent any unauthorized individual or
device from accessing the personalization network.
4.2.1 Firewall and Intrusion Prevention
4.2.1.1 The manufacturer shall establish firewall configuration standards,
including:
1. Standardized procedures to approve and test all external network connections
and all firewall configuration changes, with a detailed record kept of
configuration changes.
2. A detailed description of the network topology that marks all connections to
personalization data (including all wireless network connections).


3. Firewalls between every external network connection and the demilitarized zone
(DMZ), and between the DMZ and the internal network zone.
4. A clear description of the groups, roles and duties for logical management of
the network components.
5. A list of the services and ports required by the business.
6. Approval and documentation of every transport protocol adopted; this includes,
but is not limited to, Hypertext Transfer Protocol (HTTP), Secure Sockets Layer
(SSL), Secure Shell (SSH) and Virtual Private Network (VPN) protocols.
7. Approval and documentation of every high-risk protocol adopted, with details of
the reason for using the protocol and the security measures taken.
8. Quarterly review of the firewall and router rule sets.
9. A standard configuration baseline for routers.
4.2.1.2 A firewall configuration shall be established that denies all traffic from
untrusted networks and hosts, except for the protocols required by the
personalization data environment.
4.2.1.3 A firewall configuration shall be built to restrict any connection
(including wireless connections) between any system that stores cardholder data (or
its components) and publicly accessible servers. The firewall configuration shall:
1. Restrict inbound Internet traffic to IP addresses within the DMZ (ingress
filtering).
2. Not allow internal addresses to pass from the Internet into the DMZ.
3. Implement stateful inspection (also known as dynamic packet filtering), so that
only established connections are allowed into the network.
4. Place the data (database) in an internal network zone, segregated from the DMZ.
5. Restrict inbound and outbound traffic of the cardholder data environment to that
which is necessary.
6. Secure and synchronize router configuration files. For example, the running
configuration (used while the router is in normal operation) and the start-up
configuration (used when the router is restarted) shall have the same security
configuration.
7. Deny all inbound and outbound traffic that is not explicitly permitted.


8. Any mobile computer that connects directly to the Internet and is also used on
the internal network, and all employee computers (e.g. laptops used by employees),
shall have personal firewall software installed.
4.2.1.4 Direct or indirect access from external networks to any internal network
that stores cardholder data, or to its system components (e.g. databases, logs,
trace files), is prohibited.
1. Establish a DMZ to filter and screen all traffic, and do not provide direct
inbound or outbound routing for Internet traffic.
2. Restrict outbound traffic from the personalization system to destination IP
addresses within the DMZ.
3. Use IP masquerading (NAT) so that internal addresses are not identifiable or
exposed to the Internet.
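The Go program below is an added example (not part of this Guide and not any vendor's firewall), written to show how the rules in 4.2.1.2 to 4.2.1.4 combine and why their order matters: it models the boundary firewall as a default-deny policy over three zones and evaluates a few constructed connection attempts. The address plan, the SFTP service on port 22 and the flows themselves are assumptions of the example; a real deployment expresses the same decisions as a vendor rule set and enforces them on two or more firewalls as Section 4.2 requires.

```go
package main

import (
	"fmt"
	"net"
)

// Zone is the network zone an address belongs to.
type Zone int

const (
	Internet Zone = iota // anything outside the known ranges, including the issuer's leased-line peer
	DMZ                  // the screened zone that holds the data receiving server
	Perso                // the isolated personalization network (Section 4.2)
)

func (z Zone) String() string { return [...]string{"internet", "dmz", "perso"}[z] }

// Flow is one packet of a new or existing connection as the boundary firewall sees it.
type Flow struct {
	Ingress     string // interface the packet arrived on: "external" or "internal"
	Src, Dst    net.IP
	Proto       string
	DstPort     int
	Established bool // already present in the connection state table
}

// Policy is the zone map plus the explicit allow list of 4.2.1.1 item 5.
type Policy struct {
	nets  map[Zone]*net.IPNet
	allow map[string]bool
}

func NewPolicy(dmzCIDR, persoCIDR string) (*Policy, error) {
	_, dmz, err := net.ParseCIDR(dmzCIDR)
	if err != nil {
		return nil, err
	}
	_, perso, err := net.ParseCIDR(persoCIDR)
	if err != nil {
		return nil, err
	}
	return &Policy{nets: map[Zone]*net.IPNet{DMZ: dmz, Perso: perso}, allow: map[string]bool{}}, nil
}

func ruleKey(src, dst Zone, proto string, port int) string {
	return fmt.Sprintf("%s>%s %s/%d", src, dst, proto, port)
}

// Allow adds one business-required service to the allow list.
func (p *Policy) Allow(src, dst Zone, proto string, port int) { p.allow[ruleKey(src, dst, proto, port)] = true }

func (p *Policy) zoneOf(ip net.IP) Zone {
	for z, n := range p.nets {
		if n.Contains(ip) {
			return z
		}
	}
	return Internet
}

// Decide returns the verdict and the rule that produced it. Order matters:
// anti-spoofing and the hard zone prohibitions come before the allow list,
// and the allow list comes before the final default deny.
func (p *Policy) Decide(f Flow) (bool, string) {
	src, dst := p.zoneOf(f.Src), p.zoneOf(f.Dst)
	switch {
	case f.Ingress == "external" && src != Internet:
		return false, "internal or DMZ source address arriving from the Internet (4.2.1.3 item 2)"
	case f.Established:
		return true, "established connection in the state table (4.2.1.3 item 3)"
	case src == Perso && dst == Internet:
		return false, "personalization system may only send to DMZ addresses (4.2.1.4 item 2)"
	case src == Internet && dst != DMZ:
		return false, "inbound Internet traffic only to DMZ addresses (4.2.1.3 item 1, 4.2.1.4)"
	case p.allow[ruleKey(src, dst, f.Proto, f.DstPort)]:
		return true, "explicitly permitted service (4.2.1.1 item 5)"
	}
	return false, "default deny (4.2.1.3 item 7)"
}

func main() {
	// Constructed address plan: DMZ 10.1.0.0/24, personalization network 10.2.0.0/24,
	// issuer peer 203.0.113.7. These are assumptions of the example.
	p, err := NewPolicy("10.1.0.0/24", "10.2.0.0/24")
	if err != nil {
		panic(err)
	}
	p.Allow(Internet, DMZ, "tcp", 22) // issuer drops files on the DMZ SFTP server
	p.Allow(Perso, DMZ, "tcp", 22)    // reception host pulls them into the isolated network
	flows := []Flow{
		{"external", net.ParseIP("203.0.113.7"), net.ParseIP("10.1.0.5"), "tcp", 22, false},
		{"external", net.ParseIP("203.0.113.7"), net.ParseIP("10.2.0.9"), "tcp", 1433, false},
		{"internal", net.ParseIP("10.2.0.9"), net.ParseIP("198.51.100.1"), "tcp", 80, false},
		{"external", net.ParseIP("10.2.0.9"), net.ParseIP("10.1.0.5"), "tcp", 22, false},
		{"internal", net.ParseIP("10.2.0.9"), net.ParseIP("10.1.0.5"), "tcp", 22, false},
	}
	for _, f := range flows {
		ok, why := p.Decide(f)
		fmt.Printf("%-8s %15s -> %15s %s/%-4d allow=%-5v %s\n", f.Ingress, f.Src, f.Dst, f.Proto, f.DstPort, ok, why)
	}
}
```

Each verdict names the paragraph it enforces, which is what the quarterly rule review of 4.2.1.1 item 8 needs: every rule in the production rule base should be traceable either to one of these requirements or to an approved business service, and anything else is a candidate for removal. The fourth sample flow (a personalization-network source address arriving on the external interface) is the spoofing case that item 2 of 4.2.1.3 exists to stop, and it is refused before the allow list is even consulted.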
4.2.1.5 Configuration Maintenance
1. Regularly check the routing configurations and firewall policies, and analyze
and act on the event logs of the routers and firewalls and the alerts of the
intrusion detection (prevention) equipment.
2. Establish a formal process to approve, test and change all routing
configurations and firewall policies, and file the documentation promptly after
each change.
3. Identify the users who log on to the network and to the network security
equipment, and strictly control the accounts that can modify the configuration of
the network and the network security equipment.
4. Install patches and version upgrades for the network and the network security
equipment promptly, and keep the signature database of the intrusion detection
(prevention) system up to date.
5. If there is dial-up access to the network, dial-up users shall be strictly
controlled; each user shall have a different password of at least 8 characters
that is changed regularly. Dial-up by external companies and other forms of remote
maintenance connection are prohibited.
6. Regularly, and after significant changes to the network, carry out penetration
testing or vulnerability scanning of the security controls, network connections
and restrictions; check the system configuration, patch level and known
vulnerabilities of the network and the network security equipment; and confirm
that no internal user has a private connection to an external network and that
unauthorized external access cannot reach the internal network.
7. Intrusion detection (prevention) equipment shall be deployed at the network
boundary to monitor possible attacks, record intrusions and raise an alarm while
an intrusion is in progress.
4.2.1.6 Backup and Recovery
The firewall (including system, software, configuration files and database files)
must be backed up, in order to timely recover the data and the configuration files
when the system collapses. The backup data and files must be properly kept to
ensure safety, and they are only allowed to be accessed by the authorized personnel.
Once the firewall is attacked, the firewall administrator must re-configure the
firewall against the detected attack. If the firewall level needs to be degraded, the
system must be disconnected with the external IP or the Internet, or the standby
firewall.
In the absence of the firewall protection, the personalization system can not be
connected to the external IP or the Internet.
4.2.2 Anti-virus
1. The manufacturers must use the anti-virus software to protect the whole
personalization network. Any file, software or data that access to the
personalization network must be tested by the anti-virus software before
entering.
2. Timely update the information such as the virus database in accordance with the
requirements of the anti-virus software suppliers, and generate auditing log.
3. Stipulate the necessary strategy to regularly scan the personalization network.
4.2.3 Access Control on Customers and Third Parties
1. The access interface provided to customers and third parties shall be configured
according to the permitted scope; third parties and customers can only view the
content that is made available to them;
2. Only authorized communication protocols, instructions and channels may be used
on the access interface provided to the outside;
3. The accounts of customers and third parties holding access authorization shall be
inspected regularly, at least once a week, with detailed records taken;
4. Services provided over network connections with access authorization shall be
strictly controlled, and communication between customers and third parties
through such a network is not allowed.

5 Workshop and System Security


5.1 Basic Content
1. The servers, routers, switches and firewalls, as well as the computer equipment used to
process sensitive data (such as track information), shall be placed in the workshop.
2. When selecting the location of the workshop, the following shall be avoided: unsafe
buildings, interference from strong magnetic fields and strong noise sources, and
proximity to factories, warehouses and yards that generate dust, soot or harmful gases
or that produce or store corrosive, flammable or explosive goods.
3. The workshop shall, where possible, use a dual power supply, or a single power supply
combined with a back-up generator, with automatic transfer through an ATS
(Automatic Transfer Switch).
5.2 Access Security Control
1. The security requirements for a high security area shall be implemented in the workshop;
2. All entrances shall be controlled by the access control system;
3. Any staff member or visitor without standing authorization who needs to enter the data
workshop for work purposes shall be accompanied by authorized personnel throughout,
and shall register and sign the registration form personally.
5.3 Mainframe Security
1. Personnel entering the data workshop may not handle any equipment in the workshop
without the permission of authorized personnel;
2. When mainframe equipment is retired or repurposed, all sensitive information related to
the personalization business shall be deleted under the supervision of security personnel,
with relevant records taken;
3. All operation of every piece of equipment in the workshop shall comply with the access
control requirements (see section 6, Access Control and Audit).
5.4 Environment for the Data Workshop and Security Requirements
1. No dangerous or flammable materials or chemicals may be stored in the workshop, so
that fire or chemical leakage cannot jeopardize the security of the data in the workshop;
2. Protective measures shall be taken for the cables in the data workshop to avoid mutual
interference of electronic signals that could affect data security and connectivity;
3. Except for monitoring equipment, no recording equipment unrelated to the work, such as
photographic, video or audio recording devices, may be used in the workshop;
4. A security monitoring alarm shall be installed in the data workshop for monitoring on a
24-hour basis. The security alarm device in the data workshop shall be armed after
working hours.

5.5 Data Backup and Disaster Recovery


5.5.1 Data Backup
1. Regular backups shall be conducted so that the system can be restored to its most
recent state after a disaster; the backup data can be divided into system status data,
application software data, access logs, etc.;
2. The various repair disks and start-up disks of the system shall be updated regularly;
3. A complete backup strategy shall be developed to ensure that disaster recovery is
feasible and fast;
4. Backup of personalization data must be conducted under the monitoring of security
personnel after obtaining the customer's written authorization.
5.5.2 Disaster Recovery
1. A complete disaster recovery strategy shall be developed;
2. Disaster recovery drills shall be carried out regularly, with detailed records taken.
5.6 System Maintenance and Incident Handling
5.6.1 Routine Maintenance
The IT manager and security personnel shall inspect the system, network and
environment daily, with detailed records taken.
All operating systems and application systems shall promptly install the latest
security patches provided by the manufacturers; a security patch shall be installed
within two months after the security vendor releases it. Review and approval
procedures shall be established and followed for change operations such as system
upgrades and version updates. In addition, information such as the copyright, source
and version of each software upgrade shall be registered in detail.
5.6.2 Incident Handling
1. In case of any incident that affects routine business, the IT manager shall make a
preliminary judgement after observation and report to the IT supervisor promptly.
The relevant responsible person shall arrive at the workshop immediately to analyze
and determine the cause of the incident, and take further measures to resolve the
problem;
2. After the cause of the incident has been identified, it shall be handled as soon as
possible, with corresponding records taken.
5.7 Personalization Workshop Security
1. The security requirements for a high security area shall be implemented strictly
within the high security area;
2. All entrances shall be controlled by the access control system;
3. Any staff member or visitor without standing authorization who needs to enter the
data workshop for work purposes shall be accompanied by authorized personnel
throughout, and shall register and sign the registration form personally.

6 Access Control and Audit


6.1 Control on User Authorization
6.1.1 Individuals shall be allowed to access the network, system and data resources
only where their work requires it.
6.1.2 A secure user access management system shall be established, and access
shall be granted and controlled on a need-to-know basis. Unless specifically
permitted, all access is denied. This includes:
1. All users who want to obtain authority shall go through the related application,
auditing and review process, and the authority and responsibility of each level of
user must be specified.
2. A unique user name shall be assigned to each user with access authority, so that
key data and system operations can be traced back to known and authorized
users.
6.2 User Name Management
A user name is an identifier that exists in the system for a specific user to enter the
system and use its information resources. Users within the same system shall
follow a unified naming rule according to their nature and purpose, including but
not limited to administrator users, general users, application users and auditing
users.
1. Administrator users: privileged users responsible for managing and assigning
all system resources.
2. General users: operating users who use certain system resources and perform
specific business functions.
3. Application users: interface users used when other application systems
exchange information with the system or call its programs.
4. Auditing users: special users activated to perform certain auditing functions.
6.3 Login Control
The system may only be accessed after verifying the user name as identification and
the password as authentication. The following controls shall apply to user login:
1. General users shall be locked after three failed login authentications.
2. An alarm mechanism for authentication failures shall be used.
3. General users shall be logged off automatically when they have been inactive for
more than 5 minutes.
4. The operating scope and approval procedures for remote login (remote dial-up
or VPN) shall be strictly limited.
6.4 Password Management
For systems that use only a static password to log in, the password strategy shall
comply with the following principles. Cases where a principle cannot be applied for
special reasons shall be documented as exceptions.
1. The password shall be no shorter than 6 characters.
2. The password shall include at least one letter and one number.
3. The password shall include at least three different characters.
4. The password shall be changed every quarter.
5. Any of the four most recently used passwords shall be forbidden from reuse.
6. A security mechanism must be in place for users to reset their password.
7. The system shall force the initial password to be changed. Passwords shall not be
displayed, stored or transmitted in plaintext.
8. The default passwords generated when the system and products are installed
shall not be used.
9. An account that has not been used for 90 consecutive days shall have its
authority frozen. If the account is still not used for 30 days after freezing, it shall
be cancelled.
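The following is an added example, not code from the Guide, implementing the password rules of items 1 to 5 and the dormant-account rule of item 9 above as a checker. It assumes that "each quarter" means 90 days, stores only password digests (item 7), and uses a constructed account and constructed dates.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
	"unicode"
)

// Parameters from section 6.4; "each quarter" is taken as 90 days (assumption).
const (
	minPasswordLen   = 6
	minDistinctChars = 3
	passwordHistory  = 4                             // item 5: last four passwords barred
	passwordMaxAge   = 90 * 24 * time.Hour           // item 4
	freezeAfter      = 90 * 24 * time.Hour           // item 9: unused 90 days -> frozen
	cancelAfter      = freezeAfter + 30*24*time.Hour // 30 more days -> cancelled
)

// Account keeps only what the policy needs. Passwords are stored as digests
// (item 7: never in plaintext); a real system would use a salted, slow hash.
type Account struct {
	History     []string // digests of the last accepted passwords, oldest first
	PasswordSet time.Time
	LastLogin   time.Time
}

func digest(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// CheckPassword applies items 1, 2, 3 and 5 to a candidate and returns the
// first violated rule, or "" when the candidate is acceptable.
func CheckPassword(acct *Account, candidate string) string {
	if len([]rune(candidate)) < minPasswordLen {
		return "password is shorter than 6 characters"
	}
	hasLetter, hasDigit := false, false
	distinct := map[rune]bool{}
	for _, r := range candidate {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
		distinct[r] = true
	}
	if !hasLetter || !hasDigit {
		return "password must contain at least one letter and one number"
	}
	if len(distinct) < minDistinctChars {
		return "password must contain at least three different characters"
	}
	d := digest(candidate)
	for _, old := range acct.History {
		if old == d {
			return "password reuses one of the last four passwords"
		}
	}
	return ""
}

// SetPassword records an acceptable candidate and returns ""; otherwise it
// returns the violated rule and leaves the account unchanged.
func SetPassword(acct *Account, candidate string, now time.Time) string {
	if v := CheckPassword(acct, candidate); v != "" {
		return v
	}
	acct.History = append(acct.History, digest(candidate))
	if len(acct.History) > passwordHistory {
		acct.History = acct.History[1:]
	}
	acct.PasswordSet = now
	return ""
}

// Status applies items 4 and 9 from the last login and last password change.
func Status(acct *Account, now time.Time) string {
	idle := now.Sub(acct.LastLogin)
	switch {
	case idle >= cancelAfter:
		return "cancelled"
	case idle >= freezeAfter:
		return "frozen"
	case now.Sub(acct.PasswordSet) > passwordMaxAge:
		return "password change due"
	}
	return "active"
}

func main() {
	now := time.Date(2010, 12, 1, 9, 0, 0, 0, time.UTC) // constructed date
	acct := &Account{LastLogin: now}
	fmt.Println("weak:", CheckPassword(acct, "aa11aa"))
	fmt.Println("set:", SetPassword(acct, "Perso2010", now))
	fmt.Println("reuse:", CheckPassword(acct, "Perso2010"))
	fmt.Println("after 100 idle days:", Status(acct, now.Add(100*24*time.Hour)))
}
```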
6.5 Security Audit
The system must enable the necessary auditing functions to log the following events:
1. The date and manner of each user's login to the system.
2. Failed access attempts.
3. Access to key directories and the performance of key operations (events related
to system security).
4. Statistics of the recorded information on users' access to system resources shall
be compiled regularly and fed back to the users for confirmation and evaluation.
The resource items requiring statistical analysis are determined according to the
users' needs.
5. For systems that do not have, or are not suited to enabling, the auditing function,
third-party auxiliary auditing tools may be selected.
6. At least once a year, an internal or external audit shall be carried out on the
network, the security equipment and the personalization system, to validate
whether the management, configuration and strategy are in line with the security
requirements, and a detailed record of the audit shall be made.
6.6 Log Management
1. Log files shall be kept for at least one year.
2. Except for the auditing users, no user may access or modify the audit log.
3. The manufacturer shall establish sound mechanisms for log recording and
review. The content of the log shall include the user ID, the date and time of the
operation, the content of the operation and whether the operation succeeded.
The system shall log the following events:
User access to sensitive information and sensitive equipment
The method used to log in to the system
Failed access attempts
Operations of the system administrator
Access to the system log
Other system events involving logical security
4. All important system clocks shall be kept synchronized so that system access and
operations are recorded accurately.
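As an added example, not the Guide's own code, the log-review routine below parses records in a constructed pipe-delimited format carrying the fields required by item 3 of 6.6, flags users whose failed logins reach the lock-out threshold of 6.3 item 1, and lists audit log accesses by users who are not auditing users (6.6 item 2). The field names, user names and log lines are constructed, and it assumes that a successful login resets the failure count.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event carries the fields section 6.6 item 3 requires: user ID, date and
// time, operating content (action and object) and whether it succeeded.
type Event struct {
	Time    time.Time
	User    string
	Action  string // LOGIN, READ, MODIFY, ...
	Object  string // console, audit_log, perso_data, ...
	Success bool
}

// ParseLine parses one line of the constructed format used in this example,
// <RFC3339 time>|user=<id>|action=<verb>|object=<target>|result=OK|FAIL,
// and rejects any record that lacks one of the required fields.
func ParseLine(line string) (Event, error) {
	parts := strings.Split(line, "|")
	if len(parts) != 5 {
		return Event{}, fmt.Errorf("expected 5 fields, got %d: %q", len(parts), line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	fields := map[string]string{}
	for _, f := range parts[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 || kv[1] == "" {
			return Event{}, fmt.Errorf("malformed field %q in %q", f, line)
		}
		fields[kv[0]] = kv[1]
	}
	ev := Event{Time: ts, User: fields["user"], Action: fields["action"], Object: fields["object"]}
	switch r := fields["result"]; {
	case ev.User == "" || ev.Action == "" || ev.Object == "":
		return Event{}, fmt.Errorf("missing required field in %q", line)
	case r != "OK" && r != "FAIL":
		return Event{}, fmt.Errorf("bad or missing result %q in %q", r, line)
	}
	ev.Success = fields["result"] == "OK"
	return ev, nil
}

// LockoutCandidates returns users whose failed LOGIN attempts reach limit in a
// row (section 6.3 item 1 with limit 3); a successful login resets the run.
// Events must be in time order; each user is reported once.
func LockoutCandidates(events []Event, limit int) []string {
	runs := map[string]int{}
	var out []string
	for _, ev := range events {
		if ev.Action != "LOGIN" {
			continue
		}
		if ev.Success {
			runs[ev.User] = 0
		} else if runs[ev.User]++; runs[ev.User] == limit {
			out = append(out, ev.User)
		}
	}
	return out
}

// AuditLogViolations returns every attempted or successful access to the audit
// log by a user who is not an auditing user (section 6.6 item 2).
func AuditLogViolations(events []Event, auditors map[string]bool) []Event {
	var out []Event
	for _, ev := range events {
		if ev.Object == "audit_log" && !auditors[ev.User] {
			out = append(out, ev)
		}
	}
	return out
}

// SampleLog is constructed for this example; it is not a real system's log.
var SampleLog = []string{
	"2010-12-01T08:55:10Z|user=op01|action=LOGIN|object=console|result=OK",
	"2010-12-01T08:57:02Z|user=op02|action=LOGIN|object=console|result=FAIL",
	"2010-12-01T08:57:20Z|user=op02|action=LOGIN|object=console|result=FAIL",
	"2010-12-01T08:57:41Z|user=op02|action=LOGIN|object=console|result=FAIL",
	"2010-12-01T09:10:00Z|user=aud01|action=READ|object=audit_log|result=OK",
	"2010-12-01T09:12:30Z|user=adm01|action=MODIFY|object=audit_log|result=FAIL",
}

func main() {
	var events []Event
	for _, line := range SampleLog {
		ev, err := ParseLine(line)
		if err != nil {
			panic(err) // the constructed sample is well-formed
		}
		events = append(events, ev)
	}
	fmt.Println("users to lock:", LockoutCandidates(events, 3))
	fmt.Println("audit log accesses by non-auditors:",
		len(AuditLogViolations(events, map[string]bool{"aud01": true})))
}
```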

7 Product Processing and Security Management


7.1 Personalization Processing Process
The personalization process for magnetic stripe cards and IC cards consists of
several steps, such as initialization, data preparation, processing on the
personalization equipment and post-processing.
7.2 Personalization of Magnetic Stripe Card
7.2.1 Data Preparation
In the personalization of magnetic stripe cards, data preparation means that the
personalization provider processes the personalization data transmitted by the
issuer (data decryption and format conversion) so that the data is in a format the
personalization equipment can read. It is recommended that the encryption and
decryption of the data, as well as the data conversion, be conducted in the hardware
security module (HSM).
7.2.2 Personalization Processing
Personalization processing is the process in which the magnetic stripe reader/writer
writes the personalization data to the magnetic stripe card. When the personalization
equipment writes data to the card, encryption and a format that the personalization
equipment can read must be used, and the equipment operator shall not be able to
read the plaintext data on the equipment.
7.3 Initialization of IC Card and Its Security
7.3.1 Initialization Description
Initialization of an IC card means that the IC card receives initialization instructions
and the relevant data from the initialization equipment and, as instructed, creates the
relevant applications, the necessary file structure and part of the data, in preparation
for the subsequent personalization step.
7.3.2 Security Requirements
When the IC card initialization equipment sends initialization commands and data
to the IC card, encryption and decryption as well as MAC verification must be
applied to the instructions and data sent, and the encryption and decryption process
must be connected with the hardware security module (HSM);
Key values such as KENC, KDEC and KMAC shall be unique to each card and
written to the card under the protection of the key generator's key. If they cannot be
set for the card, physical access must be strictly restricted;
Access to the card must be protected by a password of 16 digits or more;
The initialization must take place within the high security area of the plant, and meet
all the security requirements and procedures in order to comply with the Guide to
Security Management of UnionPay Card Product Manufacturer.
7.4 Personalization of IC Card
7.4.1 Security Requirements for Data Preparation
Data preparation is responsible for creating the procedures and data for the IC card
application; the data mainly includes the issuer's master keys and related data, the
application keys and certificates, and the application data. The steps are listed below:
1. Create the personalization data;
2. Integrate the personalization data into data groups;
3. Create the personalization instructions and commands;
4. Create the log record data for the application;
5. Create the input file for the personalization equipment.
The security requirements for data preparation are as follows:
The whole data preparation process must be conducted on data processing
equipment connected with the hardware security module (HSM).
Import and export of keys and data shall be conducted strictly in accordance with the
requirements of the EMV 2000 Integrated Circuit Card Specification for Payment
Systems and the China Financial Integrated Circuit Card Specifications to ensure key
and data security.
7.4.2 Security Requirements for Personalization Processing
Processing on the personalization equipment is the process in which the chip
reader/writer sends the personalization data to the chip card. During data input, the
personalization equipment must be connected with a hardware security module
(HSM) so that data encryption and decryption and MAC verification are performed
while the instructions are sent;
Obtain KENC, KDEC and KMAC, and establish a secure channel through mutual
authentication;
The equipment shall be located in the high security area of the plant and comply with
the security requirements and procedures in order to meet the requirements of the
UnionPay Card Manufacturer Security Management Guide V3.0.
7.4.3 Post-processing
Post-processing of IC card personalization means confirming that the IC card has
accepted the personalization application data from the personalization equipment
and stored it correctly for future use, and locking the IC card that has completed
personalization processing with the key used before personalization.
7.5 Process Security Requirements
7.5.1 Process Procedures
The personalization processing procedures shall be kept as official documents, and
any modification shall be authorized by the relevant managers. The detailed process
for each job shall be set out in these procedures, including:
1. The operating process of the personalization equipment;
2. The handling and disposal process for data and information;
3. Operating guidance for mistakes or other abnormal conditions occurring during
handling, including restrictions on the use of system equipment, etc.
7.5.2 Control of the Personalization Handling Process
1. Card and cardholder information shall not be disclosed to personnel whose job
does not require it during the personalization handling process, and it must be
ensured that the personalization data cannot be modified;
2. At each hand-over step, the personnel responsible for counting the cards and
envelopes shall not know the expected number in advance (blind counting);
3. Strict quantity control shall be applied during the personalization handling
process. The main inspection control record for each work sheet or batch shall be
kept separately. The inspection control record shall include the work sheet number,
the name of the issuer, the type of card, etc. Each processing step shall record the
following: quantity initially issued, quantity of cards remaining from the previous
step, quantity of cards handed over, number of cards returned to the warehouse,
quantity of discarded cards, quantity of sample/testing cards, the personalization
equipment used and its records, the operator's signature, date, time, the inspector's
signature, etc.;
4. Any failure of the personalization processing equipment shall be recorded, and
the records shall be kept for at least three months; they shall include the operator's
name, the inspector's signature, the equipment description/equipment number, the
work sheet number, date, time, reason for failure, etc.;
5. During card preparation, it shall be ensured that more than two people are present
at the card embossing and production site. Dual control shall be applied to system
log-in, and the relevant files on the personalization equipment shall be deleted upon
completion.

7.5.3 Management of Embossing Foil, Card Mailing Sheet and UG Color Strip
1. A foil inventory registration form is recommended. Checking and verification
shall be carried out based on the number of destroyed foils;
2. Used foils shall be stored in the dual-management area before being destroyed;
3. An embossing foil destruction log shall be kept, including the roll (barrel)
number, date, the double signature attesting the destruction, etc.;
4. All foils carrying cardholder information shall be destroyed promptly under dual
supervision after being removed from the card machine;
5. The same security control shall be applied to card mailing sheets and UG color
strips.
7.5.4 Management of Personalization Cards
1. A complete blank card archive and quantity management system shall be
established. Cards of each type moved into or out of the warehouse shall be
verified by quantity on the same day;
2. Cards taken out of the warehouse but not used shall be returned to the treasury
for storage before the completion of personalization processing;
3. Cards under processing shall be kept in the charge of authorized employees or
operators to ensure their security; no card under processing may be left without
someone in charge of it;
4. Cards that have not undergone personalization processing (blank cards) shall be
stored in the treasury under dual control, and unauthorized employees must be
kept away from them;
5. Mailing of personalized cards shall be conducted in a secure and traceable
manner.

8 Key Management
The principle of key security management is that all encryption and decryption
operations outside the IC card shall be conducted on the hardware security module
(HSM).
8.1 Key Description
8.1.1 Personalization Key
The corresponding encryption keys shall be created before personalization of the IC
card, mainly the following:
KMC (personalization master key): the version number of the personalization master
key shall exist on the IC card. KMC is used to generate the initial personalization keys
(KENC, KMAC and KDEK) for every application, and is unique to every issuer.
KENC (encryption dispersion key): one KENC shall be generated for every IC card and
written into the corresponding application. This key is used to generate the card
cryptogram of the IC card and to verify the host cryptogram. If the cryptographic
security level requires that the data field of the STORE DATA command be
encrypted, this dispersion key is also used to decrypt the data field of that command
in CBC mode. KENC is a 16-byte (112-bit plus parity check bits) DES key, unique to
every card.
KMAC (check code dispersion key): one KMAC shall be generated for every IC card
and written into the corresponding application. This key is used to verify the C-MAC
of the EXTERNAL AUTHENTICATE command. When the cryptographic security
level requires a MAC on the STORE DATA command, this key is also used to verify
the C-MAC of the STORE DATA command. KMAC is a 16-byte (112-bit plus parity
check bits) DES key, unique to every card.
KDEK (key encryption dispersion key): one KDEK shall be generated for every IC
card and written into the corresponding IC card. This key is used to decrypt the
confidential data received by the STORE DATA command in ECB mode. KDEK is
a 16-byte (112-bit plus parity check bits) DES key, unique to every card.
8.1.2 Card Key
Public/private key pair of the issuer: usually generated by the issuer. The public key
shall be transmitted to the certification authority for financial integrated circuit (IC)
cards in China to create the certificate for the issuer's public key, while the private
key shall be stored in the issuer's HSM (host encryption module).
If the key is processed by the personalization provider on behalf of the issuer, the key
pair shall be managed in accordance with this Guide.
The following optional keys may also be generated:
Public key pair of the IC card: this key pair is used by cards that implement DDA
and CDDA/AC, or cards with PIN encryption. The public key shall be signed by
the issuer's private key to establish the IC card public key certificate. The public key
pair of the IC card shall be unique to every card;
MDK ENC: used to derive UDK ENC
UDK ENC: used to encrypt confidential information in the issuer's scripts
MDK MAC: used to derive UDK MAC
UDK MAC: usually used to authenticate the issuer's script information
MDK ENC and MDK MAC shall be unique to every issuer. UDK ENC and UDK
MAC shall be unique to every card.
Please refer to the following table:
Key Name | Master Key | Card Key | Dialogue Key | Key Share | Purpose
Online verification key of financial integrated circuit (IC) card in China | MDK | UDK | SUDK (used for universal password) | Issuer and card | The master key is used to generate the unique card key, which is used for online verification between the card and the issuer.
Message certification key of financial integrated circuit (IC) card in China | MDK MAC | UDK MAC | SUDK MAC | Issuer and card | The master key is used to generate the unique card key, and the card key is used to generate the dialogue key for the message certification required for data updates after card issuance.
Data encryption key of financial integrated circuit (IC) card in China | MDK ENC | UDK ENC | SUDK ENC | Issuer and card | The master key is used to generate the unique card key, and the card key is used to generate the dialogue key for encryption of the updated confidential data (offline PIN) after card issuance.
ICC private key | - | - | - | Issuer and card | Generated by the issuer and safely stored on the card. During offline data authentication (DDA) processing, this private key is used for the digital signature of the dynamic data. Upon completion of personalization, the issuer usually does not hold this key.

8.1.3 Transmission Key

The following keys are mainly used for the transmission of data and keys during the
various stages of card personalization.
Key exchange key (KEK): a key exchange key established for the channel between the
issuer and the data preparation system, used to encrypt the confidential data
transmitted between the issuer and the personalization data preparation equipment.
KEK shall be unique to every issuer and shall be changed regularly.
Data encryption key (DEK) / transmission key (TK): a dedicated transmission key
used to encrypt the PIN and other confidential data between the data preparation
equipment and the personalization equipment.
Message authentication code key (MAC KEY): a dedicated transmission key used to
guarantee the integrity of the personalization file between the data preparation system
and the personalization system.
Please refer to the following table:
Key Name | Master Key | Card Key | Dialogue Key | Key Share | Purpose
Issuer's master key | KMC | KENC | SKUENC | Issuer, IC card manufacturer and personalization equipment | The IC card manufacturer uses this KMC to generate the card-level personalization keys (KENC, KMAC, KDEK) and writes them onto the card. KENC is used to create a dialogue key, which can be used to create cryptograms and encrypt confidential data in CBC mode.
Issuer's master key | KMC | KMAC | SKUMAC | Issuer, IC card manufacturer and personalization equipment | KMAC is used to create a dialogue key, which can be used to create the C-MAC during command processing.
Issuer's master key | KMC | KDEK (data encryption key) | SKUDEK | Issuer, IC card manufacturer and personalization equipment | KDEK is used to create a dialogue key, which can be used to encrypt DES keys or, flexibly, other confidential data in ECB mode.
Issuer's key exchange key | KEKISS | - | - | Issuer and data preparation equipment | Protects the offline PIN and other confidential data between the issuer and the data preparation equipment.
Data encryption key / transmission key | DEK / TK | - | - | Data preparation equipment and personalization equipment | Protects the offline PIN and other confidential data between the data preparation equipment and the personalization equipment. Data transmission keys of the following special types may be used: PEK/TK (PIN encryption key, used to protect PIN data) and KEK/TK (key exchange key, used to protect DES keys).
MAC key (message authentication code key) | MAC key | N/A | N/A | Provided by the data preparation equipment to the personalization equipment | Used to guarantee the integrity of the application data provided to the personalization equipment in the personalization data file.

8.2 Encryption and Transmission of Key and Data

[Figure: encryption and transmission of keys and data between the issuer's HSM (holding the KMC), the certification center's HSM and, at the personalization manufacturer, the data preparation equipment's HSM and the personalization equipment's HSM. Labelled links: KEK encryption, TK encryption, KEK, KDEK, KMAC (for card lock) and KDEK (for data encryption); endpoints: card and personalization card.]

8.2.1 From the Issuer to the Personalization Service Provider

When the personalization file is received from the issuer, the file information:
1. Must be stored safely, and the right to access such information must be strictly
assessed;
2. Upon completion of personalization, the data within the system shall be cleaned
up securely;
3. Shall be translated from the KEK to the TK on the hardware security module
(HSM) so that the confidential information can be transmitted to the
personalization equipment;
4. The data preparation system shall have at least one medium security area that
controls data access, and the data access right shall be limited to those with a
business need.
The security requirements for the encryption process shall apply to the given data
group and IC card purpose, and the encryption process shall be consistent whether
it takes place during data preparation or during the machine processing on the
personalization equipment.
8.2.2 Security Requirements during the Personalization Process
During the personalization processing stage, the personalization equipment shall:
1. Perform the KDEK calculation process for the IC card on the hardware security
module (HSM);
2. Decrypt the confidential information in the personalization file from the
transmission key TK and re-encrypt it under KDEK for transmission to the card,
with this process performed on the HSM;
3. Be installed in the high security area of the plant and comply with all the security
and procedural requirements stipulated by the security standards for the
production of financial integrated circuit (IC) cards in China.
8.3 Key Operation
8.3.1 Asymmetric (RSA) Key
The security of the IC card depends on the protection of the private (signature) key.
Failure to guarantee the security of the private key used to sign the static or dynamic
data elements creates a risk of IC card counterfeiting. The major risks to the private
key are:
1. Successful factorization of the RSA modulus;
2. Disclosure of the private key itself.
To limit the disclosure problem represented by these risks, we recommend
applying the following requirements:
1. The bit length of the RSA key modulus, e.g. 768, 896, 1024 or 1152 bits for the
public/private key modulus;
2. Guarantee that the private (signature) key is physically protected against
unauthorized access.
8.3.1.1 Generation of Asymmetric Key
1. Generation of the RSA public/private key pair shall be completed in a fully
protected hardware security module (HSM). This equipment shall include a
random or pseudo-random number generator, implement the original
authentication process and support a tamper response mechanism;
2. The RSA private (signature) key shall remain within the physically secure
equipment. Key generation shall use a random or pseudo-random process that
ensures no key can be predicted and no key in the key space is more likely to be
chosen than any other;
3. Personal computers or other similarly insecure equipment, i.e. equipment that
cannot be fully trusted, may not be used to generate the RSA public/private key pair.
8.3.1.2 Transmission of Asymmetric Key
To protect the integrity and security of the public/private key pair during
transmission, the following shall be ensured:
1. A mode that ensures integrity shall be used for the secure transmission of the
public key. It is recommended that the public key be transmitted in a data
structure such as a certificate; or that a message authentication code over the public
key and related data be computed with an algorithm defined by ISO 9807 and a key
used only for this purpose; or that dual control be used so that the recipient of the
public key can verify its sender and its integrity, i.e. by separate or independent
transmission of an authentication value;
2. A mode that ensures both the integrity and the confidentiality of the private key
shall be used for its secure transmission. The transmission mechanism includes the
following modes:
The encryption and decryption operations shall be conducted in a secure hardware
security module;
The private key shall be encrypted under a protection key with a symmetric
algorithm of at least equivalent strength, or split into several parts (guaranteeing
security on the IC card), and decrypted with a symmetric algorithm.
8.3.2 Symmetric Key (DES)
DES keys are used for specific transaction functions. DES keys are derived from a
master derivation key during personalization, and the final card-level key is unique.
1. Issuer's master derivation key (IDKAC): used to derive the card key for
generating the MAC known as the application cryptogram (AC);
2. Issuer's secure messaging master keys (IMKSMC, IMKSMI): used to derive
card keys, which are used in secure messaging between the card and the
authentication system, i.e. card locking, application locking/unlocking, updating
specific card data and PIN modification.
8.3.2.1 Generation of Symmetric Keys
The key generator shall follow these principles to minimise the opportunity for key material to be exposed during creation:
1. DES keys shall be generated inside physically secure equipment protected by a tamper-response mechanism, or shall be generated component by component by authorised staff. The secure equipment shall contain a random or pseudo-random number generator;
2. No unprotected key shall exist outside physically secure equipment at any time. The physically secure equipment shall never export a plaintext key, except as ciphertext or split into two or more components;
3. When a key is generated by authorised staff through a process that combines several components, each party generates one component of the same length as the key to be produced. The components shall be combined inside physically secure equipment in such a way that knowledge of any proper subset of the components reveals nothing about the key value. The split key shall be held under a single management organisation, and at least one component holder shall be an employee of the issuer;
4. A check value shall be calculated for every actual key;
5. Personal computers or similar untrusted equipment shall not be used to generate key material;
6. If any key is found to exist outside physically secure equipment, or if all components of a key are suspected of being known by someone or held by a single person, the key shall be deemed compromised and shall be replaced with a new key.
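The component scheme of item 3, the check value of item 4 and the card-key derivation described in 8.3.2 are shown together below as an added example. It is not code from the Guide or from UnionPay: each custodian draws a full-length random component, the components are XORed (in practice inside the HSM) and parity-adjusted to form the master key, the check value is the first three bytes of the master key's TDES encryption of a zero block, and the card-unique key is derived from the master key. The Guide does not name the derivation algorithm; the EMV "Option A" style used here (PAN and sequence number as the diversification input) is an assumption, as are the sample PAN and the 16-byte double-length DES key size.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// tdesEncryptBlock encrypts one 8-byte block under a 16-byte double-length
// DES key, i.e. two-key TDES with K1,K2,K1.
func tdesEncryptBlock(key16, block []byte) ([]byte, error) {
	if len(key16) != 16 || len(block) != 8 {
		return nil, fmt.Errorf("need a 16-byte key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// fixParity forces odd parity on every byte, the DES key convention.
func fixParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b&^1 | byte(1-bits.OnesCount8(b&^1)%2)
	}
	return out
}

// generateComponent is what each custodian does independently: draw a random
// component of the full key length from a secure random source.
func generateComponent(length int) ([]byte, error) {
	c := make([]byte, length)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return fixParity(c), nil
}

// combineComponents XORs all components (inside the HSM in a real deployment),
// so any proper subset of them carries no information about the key.
func combineComponents(parts [][]byte) ([]byte, error) {
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(key) {
			return nil, fmt.Errorf("component lengths differ")
		}
		for j := range key {
			key[j] ^= p[j]
		}
	}
	return fixParity(key), nil
}

// kcv is the key check value of item 4: the first 3 bytes of TDES(key, 0^64),
// enough to confirm a key was entered correctly without revealing it.
func kcv(key16 []byte) (string, error) {
	ct, err := tdesEncryptBlock(key16, make([]byte, 8))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%X", ct[:3]), nil
}

// deriveCardKey makes a card-unique key from an issuer master key. The Guide
// does not name the algorithm; this follows the EMV "Option A" style, which is
// an assumption: Y = rightmost 16 digits of PAN||PSN, ZL = TDES(IMK, Y),
// ZR = TDES(IMK, Y XOR FF..FF), card key = parity-adjusted ZL||ZR.
func deriveCardKey(imk []byte, pan, psn string) ([]byte, error) {
	digits := pan + psn
	if len(digits) < 16 {
		digits = strings.Repeat("0", 16-len(digits)) + digits
	}
	y, err := hex.DecodeString(digits[len(digits)-16:])
	if err != nil {
		return nil, err
	}
	zl, err := tdesEncryptBlock(imk, y)
	if err != nil {
		return nil, err
	}
	yc := make([]byte, 8)
	for i := range y {
		yc[i] = y[i] ^ 0xFF
	}
	zr, _ := tdesEncryptBlock(imk, yc) // same key already validated above
	return fixParity(append(zl, zr...)), nil
}

func main() {
	p1, _ := generateComponent(16) // constructed: three custodians' components
	p2, _ := generateComponent(16)
	p3, _ := generateComponent(16)
	imk, _ := combineComponents([][]byte{p1, p2, p3})
	cv, _ := kcv(imk)
	card, _ := deriveCardKey(imk, "1234567890123456", "00") // constructed PAN/PSN
	fmt.Printf("IMK KCV %s, card key %X\n", cv, card)
}
```

Because the combination is a plain XOR, the result is independent of the order in which custodians enter their components, and an attacker who captures all but one component learns nothing about the key; the check value is what each custodian compares against the ceremony record to confirm the loaded key is the intended one.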
8.3.2.2 Transmission of Symmetric Keys
During transmission or storage of DES keys, the following measures limit the risk of data exposure:
1. DES keys may be transferred securely into a piece of security equipment or a smart card for transport and storage;
2. DES keys shall be transmitted under the principles of dual control and split knowledge.
8.4 Key Storage
Keys shall be stored so as to prevent disclosure, modification or substitution. The main security requirements are:
1. Plaintext private keys and secret keys shall be stored only in a hardware security machine (HSM);
2. Private keys, secret keys and their components shall be stored under the principles of dual control and split knowledge. Effective implementation of these principles requires procedural controls that prevent any administrator (or any individual who is not the custodian of a given component) from gaining access to enough components to reconstruct the actual key;
3. Private and secret key components stored on media (e.g. floppy disk, PC card, smart card) shall be kept securely so that no unauthorised individual can obtain the key components;
4. Where private and secret key components are stored on media protected by a personal identification number (PIN), only the owner of the medium shall hold both the medium and its PIN;
5. Private or secret key components stored in key transfer equipment shall be protected by adequate access controls such as passwords;
6. Whenever a private key or key-encrypting key, or any of its components, is stored in or loaded onto security equipment, a record shall be kept that includes at least the date and time of access, the purpose of access and the signature of the administrator accessing the component; the record shall be retained until the key is retired or destroyed.
8.5 Key Backup
Backups and copies of keys shall exist only in a permitted storage form. All backups shall be protected at the same or a higher level of security control as the key in use. Once stored, the backup shall be kept under proper access control and at least dual control.
Backup and duplication of private keys in the hardware security machine shall be controlled through genuine user identification (e.g. access tokens, passwords or other methods) to prevent use by unauthorised persons.
Key backup shall be performed by two authorised management staff, and private keys and their components shall leave the hardware security machine only as ciphertext; in addition, all backup and recovery procedures shall be documented, with every access to the keys recorded.
8.6 Key Destruction
8.6.1 Keys to be Destroyed
Unused or replaced keys shall be destroyed:
1. Every key whose use has ended shall be destroyed, including all working, stored, backup and duplicate copies of the key;
2. All key termination procedures shall be documented and every key termination activity recorded;
3. A person who is not a key administrator, e.g. an external party (the issuer's representative) or internal security management personnel, shall witness the whole key destruction process and sign the destruction record.
8.6.2 Destruction Methods
All private and secret keys shall be destroyed securely using the following methods:
1. Key components kept on paper shall be destroyed by burning or shredding;
2. Keys stored in EEPROM shall be completely overwritten with binary zeros, using an overwrite three times the key length.
8.6.3 Miscellaneous
1. Components of the key-encrypting key used for key transfer shall be destroyed once the key has been loaded successfully;
2. When a hardware security machine is decommissioned, all keys stored in the equipment shall be physically erased before the equipment itself is destroyed.
9 Hardware Security Machine (HSM)
Hardware security machines used by personalization providers inside Mainland China shall be certified by the State Encryption Administration; hardware security machines used by personalization providers outside Mainland China shall be certified by the State Encryption Administration or another international authority, and shall comply with the relevant requirements of the local regulatory bodies.
9.1 Physical Characteristics Required of an HSM
1. An HSM shall qualify as physically secure equipment, free from the tampering and other risks described under the physical and logical characteristics in ISO 9564-1;
2. Every HSM shall have separate physical ports for data input, data output, control input and status output;
3. Every HSM shall ensure that all keys and other sensitive data, and any useful residual information about sensitive data, are immediately and automatically erased upon an attempted or detected compromise of the equipment;
4. Every HSM shall be designed to detect and respond to any unauthorised modification, whereupon all keys and other sensitive data, and any useful residual information about sensitive data, shall be immediately and automatically erased.
9.2 Logical Characteristics Required of an HSM
1. Every HSM shall have separate logical ports for data input, data output, control input and status output;
2. Any HSM that supports a sensitive or privileged state shall allow access to that state only by persons authenticated beyond the basic operator level, and such authentication shall be authorised;
3. If an HSM is capable of loading software or hardware after the equipment has been configured (e.g. after leaving the manufacturer), a cryptographic authentication scheme shall be used to verify that software or hardware.
9.3 HSM Management
9.3.1 HSM Operation
Equipment in the operational state shall be operated according to the following requirements:
1. Audit and control logs shall retain records of all application activity;
2. For any cryptographic system or equipment able to encrypt a key and produce ciphertext under that key, protection shall be applied against unauthorised use of the encryption function by an application that does not know the key or its components. Such protection shall take one or both of the following forms:
Dual access control to enable the key encryption function;
Physical protection of the equipment under dual control (e.g. locked access).
9.3.2 HSM Decommissioning
When a unit of equipment is permanently decommissioned or destroyed, the following is required:
1. All cryptographic keys, key material and sensitive data shall be cleared from the equipment;
2. Any cryptographic keys, key material and sensitive data shall be cleared in accordance with the key management requirements of this Guide;
3. If secure clearance of cryptographic keys, key material and sensitive data cannot be guaranteed, the equipment shall be physically destroyed to prevent its recovery and reuse and to ensure that secret data and keys are not disclosed.
Appendix 1: Various Existing Access Methods
Private lines: mainly ADSL, SDH, frame relay, DDN and ATM, including dial-up.
Internet-based MPLS: an MPLS network built on top of the Internet and physically the same as the Internet. Both label switching and traditional IP packet switching coexist in this network. This access method is called Internet-based MPLS in this Guide.
Private-network-based MPLS: some operators build independent MPLS networks in the backbone or metropolitan area network that offer enterprises MPLS access only. Such a network carries label switching only and has no traditional IP packet switching. This access method is called private-network-based MPLS in this Guide.
IPSEC VPN and SSL VPN are selected and built by the users themselves and protect data through encryption. An IPSEC VPN or SSL VPN can be built over a private line, the Internet or an MPLS VPN, giving four access schemes: IPSEC/SSL over private line, IPSEC/SSL over Internet, IPSEC/SSL over Internet-based MPLS and IPSEC/SSL over private-network-based MPLS.
Wireless access methods: CDMA2000 1x, GPRS.
Appendix 2: Security Recommendations on the Use of VPN Access
1. Security recommendations on the use of the MPLS over Internet scheme
(1) Select a qualified communication operator with sound technology.
(2) Sign service-level agreements with the communication operator to ensure data availability.
(3) A firewall shall be deployed at the entrance to the enterprise's internal network, and access control shall be applied to traffic arriving from the VPN.
(4) Where conditions permit, the IPSEC/SSL over MPLS scheme shall be deployed, building an IPSEC or SSL tunnel to ensure the confidentiality and integrity of the transmitted data.
(5) When IPSEC or SSL over MPLS is adopted, refer to the security recommendations for IPSEC and SSL VPN equipment in this section.

2. Security recommendations on the use of IPSEC VPN equipment
2.1 Recommendations on IPSEC VPN equipment selection
(1) Select a hardware implementation of the VPN gateway.
(2) Prefer hardware VPN client access and avoid software VPN client access.
(3) Select products that provide VPN client access control.
(4) Select products that support encryption keys longer than 128 bits.
(5) Select products that provide two-factor authentication, such as the addition of dynamic password authentication.
(6) Select products that can check whether the client has a firewall and anti-virus software installed.
(7) Select products that provide access statistics and audit functions on the user side.
2.2 Recommendations on the secure operation and maintenance of IPSEC VPN equipment
(1) Strictly restrict the users holding VPN administration rights, record the addition, modification and deletion of authorised VPN users, and review those records regularly.
(2) Establish a password policy: control passwords, set minimum length and complexity requirements, and require regular password changes.
(3) Adopt two-factor authentication, and set renewal periods for authentication credentials such as tokens and certificates.
(4) Strictly control VPN client access on the principle of least privilege, and review VPN client privileges regularly.
(5) If the VPN product cannot implement access control, it is recommended to place a firewall in tandem with the VPN gateway.
(6) Regularly review the statistics and audit event records to identify any violations or security issues.
(7) VPN clients shall have a personal firewall and anti-virus software installed.
(8) If a VPN client is not used for some time, it shall be disconnected from the VPN, preferably disconnecting from the Internet at the same time.
(9) Maintain close contact with the VPN vendor or purchase maintenance service so that security patches are applied promptly.

3. Security recommendations on the use of SSL VPN equipment
3.1 Recommendations on SSL VPN equipment selection
(1) Select a hardware implementation of the VPN gateway.
(2) Select products that support encryption keys longer than 128 bits.
(3) Select products that provide two-factor authentication, such as the addition of dynamic password authentication.
(4) Select products that can check whether the client has a firewall and anti-virus software installed.
(5) Select products that provide access statistics and audit functions on the user side.
(6) Select products that provide data protection functions on the user side.
3.2 Recommendations on the secure operation and maintenance of SSL VPN equipment
(1) Strictly restrict the users holding VPN administration rights, record the addition, modification and deletion of authorised VPN users, and review those records regularly.
(2) Establish a password policy: control passwords, set minimum length and complexity requirements, and require regular password changes.
(3) Adopt two-factor authentication, and set renewal periods for authentication credentials such as tokens and certificates.
(4) Strictly control VPN client access on the principle of least privilege, and review VPN client privileges regularly.
(5) Regularly review the statistics and audit event records to identify any violations or security issues.
(6) VPN clients shall have a personal firewall and anti-virus software installed.
(7) If a VPN client is not used for some time, it shall be disconnected from the VPN, preferably disconnecting from the Internet at the same time.
(8) Maintain close contact with the VPN vendor or purchase maintenance service so that security patches are applied promptly.