December 2010
Table of Contents
Preface
1 Introduction
1.1 Scope
1.2 Version
Preface
In case of any discrepancy between the terms and conditions of this Guide and state or local laws, the official legal document shall prevail.
This Guide serves as a supplement to the UnionPay Card Manufacturer Security Management Guide, mainly adding requirements related to the personalization processing service for magnetic stripe cards and IC cards. Manufacturers engaged in personalization processing service shall also observe the regulations in the UnionPay Card Manufacturer Security Management Guide.
Implementation of this Guide cannot completely prevent the loss, theft, deterioration, damage and leakage of products, data and security materials; the company shall therefore remain liable for such matters.
China UnionPay Co., Ltd. reserves the copyright and interpretation for this Guide.
Notification for any change will be given to issuers and manufacturers in writing.
The manufacturer can supplement additional measures to enhance security
management based on this Guide in accordance with its requirements towards
security management. China UnionPay Co., Ltd. will review the security system of
the manufacturer on a regular basis. Any deviation from this Guide shall be
approved by China UnionPay Co., Ltd.
1 Introduction
1.1 Scope
Based on the UnionPay Card Manufacturer Security Management Guide V3.0, this Guide stipulates further security management requirements that shall be observed by manufacturers engaged in the personalization processing service for UnionPay logo magnetic stripe cards and integrated circuit (IC) cards.
This Guide is applicable to providers of the personalization processing service for UnionPay logo magnetic stripe cards and IC cards, who shall also observe the regulations in the UnionPay Card Manufacturer Security Management Guide V3.0 in terms of personnel management, security facility management, storage and transportation of products, manufacturing process, data security management, etc.
2 Personnel Management
2.1 Responsibilities and Requirements
2.1.1 Basic Requirements
An appropriate security management organization shall be established as per the requirements in the UnionPay Card Manufacturer Security Management Guide, to guarantee the security requirements for card personalization and to ensure the implementation of security measures.
The security management organization shall maintain liaison with law enforcement departments and business cooperation institutions to ensure that security incidents are notified in a timely manner and that appropriate measures are taken against them.
The security management organization shall be able to independently examine and manage the security implementation of the various departments, and ensure that its work properly reflects security requirements that are feasible and effective.
2.1.2 Major Responsibilities
To establish the security management system for UnionPay logo magnetic stripe card and IC card personalization, covering the production process, security material management, data transmission, key management and personnel security behavior.
To be responsible for examining logic security within the manufacturer, which includes software design, network security, key generation, data management, card personalization, security procedures adopted during transmission and storage, etc.
To be responsible for remedying processing behavior with logic security defects, and for establishing a complete set of concrete methods so that problems that have not been properly solved are followed up until they are resolved.
2.2 Personnel Management
2.2.1 Personnel on Key Positions
A strict selection process shall be carried out when selecting employees for key positions such as security management personnel, workshop management personnel, treasury operation personnel, key management personnel, personalization processing personnel, etc., and it shall be guaranteed that part-time employees, temporary workers, etc. cannot assume such positions.
2.2.2 Security Auditing Personnel
The manufacturer must ensure that security auditing personnel are not directly involved in the work they audit, and the Security Chief shall examine the security auditing personnel on a yearly basis.
3 Data Management
3.1 Security Management of Data Transmission
In order to prevent the loss, modification or misappropriation of data transmitted between organizations, such transmission shall be controlled. In the general case, a leased line (see Section 4.1, network security management), mail delivery of data disks or personal delivery shall be used.
3.1.1 Leased Line Transmission
A separate data receiving server shall be installed at the card personalization manufacturer for leased line transmission. Secure transmission rules for personalization data shall be defined through mutual coordination between the personalization provider and the issuer. In all cases the following requirements must be met:
1. Integrity and confidentiality of the personalization data shall be guaranteed simultaneously. Integrity can be realized by adding a check code to the personalization data file, while confidentiality is achieved via full-text encryption of the data file. The key and the encrypted data shall not be transmitted at the same time.
2. A hardware security module (HSM) shall in general be adopted for the transmission of personalization data between the personalization provider and the issuer; if a software security module is adopted, the key length shall be no less than 128 bits.
3. A symmetric cryptosystem shall be adopted for data encryption protection, while an asymmetric cryptosystem shall be used for signatures and key encryption according to the specific requirements.
4. The personalization manufacturer shall safely keep the communication logs with the card issuer and the third-party service provider (TPSP). If a communication log (or message) has to be obtained from the production environment because of business needs, the review and approval process shall be followed and the retrieval conducted by at least two people. Moreover, the communication log (or message) shall be used only in the designated secure environment. No communication log (or message) shall be taken away from the workplace.
3.1.2 Mail Delivery and Express Delivery of Disks
Reliable mail delivery institutions and transportation means shall be selected for the transmission of data disks by mail delivery or personal delivery, with validation of the mail carrier's identity.
When data disks are sent by mail delivery or express delivery, the stored data must be encrypted with the encryption and decryption means agreed through communication between the personalization provider and the issuer, which shall allow the authenticity and integrity of the data to be validated.
The package of the storage media shall protect the content from any physical damage that may arise during transshipment. Dedicated measures can be adopted to protect the data from unauthorized disclosure or modification when necessary, such as:
1. Using a locked container;
2. Personal delivery;
3. Anti-disclosure packaging;
4. Dividing the consignment (data and keys) into several parts under special circumstances, for consignment and delivery by different means.
3.2 Data Security
3.2.1 Data Reception
1. For data transmitted through the leased line, the manufacturer must promptly transfer the encrypted data to the internal personalization processing network, delete the data on the receiving device and keep records.
2. For data transmitted through mail delivery of data disks, the manufacturer must arrange two or more personnel to receive the package, check whether it is damaged and confirm by signing. After receipt, the encrypted data shall be promptly transferred to the personalization processing network, the data on the storage media deleted or the storage media destroyed, and the storage information recorded.
3.2.2 Data Processing
1. When the manufacturer processes the data transferred to the personalization processing network, plaintext data shall not appear in principle. If plaintext data occurs because of work needs, it must be handled under the on-site supervision of the security management staff and with the written permission of the card issuer. The relevant information shall be recorded and filed, including but not limited to the operator's name, processing time, reasons for data processing, name of the data-owning bank, finish time and signature of the security administrator.
2. The processed personalization data must be promptly deleted or destroyed under the supervision of the security management personnel. If the data needs to be stored, the written permission of the card issuer must be obtained and the storage information shall be recorded in detail.
3. Related information of the cardholder and the card issuer can only be accessed by staff based on work needs.
4. To modify cardholder data, prior written approval from the card issuer must be obtained, and the modification information must be recorded in detail.
3.3 Management of Data Storage Media
A comprehensive management system shall be established for removable data storage media, including tapes, disks, cassettes, hard disks, compact discs, printed reports, etc. The following management measures shall be adopted for storage media:
1. All storage media shall be maintained in a safe environment that meets the storage environment requirements proposed by the manufacturer of such storage media;
2. Any storage media to be taken away from the manufacturing area shall be approved, with corresponding records taken, and such records shall be kept for at least one year;
3. All data must be deleted from reusable storage media before they are returned to the customers;
4. Storage media carrying data that will no longer be used shall be burnt or crushed under the supervision of security personnel, with corresponding records taken and kept for at least a year.
8. Any mobile computer directly connected to the Internet and also used in the internal network, and all employees' computers (e.g. laptops used by employees), shall have personal firewall software installed.
4.2.1.4 Forbid any internal network that stores cardholder data and system components (e.g. databases, logs, trace files) from being directly or indirectly accessed by external networks.
1. Establish a DMZ to filter and screen all traffic, and do not provide direct inbound or outbound routing for Internet traffic.
2. Restrict outbound traffic originating from the personalization system to the IP address of the DMZ.
3. Mask IP addresses so that internal addresses are not identified and exposed to the Internet.
4.2.1.5 Maintenance Configuration
1. Regularly check the routing configurations and firewall policies, and analyze and deal with the event logs of the routers and firewalls and the alarm events of the intrusion detection (defense) equipment.
2. Establish a formal process to approve, test and change all routing configurations and firewall policies, which shall be filed promptly after each change.
3. Identify the users who log on to the network and the network security equipment, and strictly control the accounts that can modify the configuration of the network and the network security equipment.
4. Promptly install patches and upgrade the versions of the network and network security equipment, and update the defensive knowledge base of the intrusion detection (defense) system.
5. If there is dial-up access to the network, dial-up users shall be strictly controlled, and each user shall set a different password that shall be not less than 8 digits and shall be changed regularly. Dial-up from external companies and other forms of remote maintenance connection are forbidden.
6. Regularly, and after significant changes in the network, carry out penetration testing or vulnerability scanning of the security control measures, network connections and restrictive measures; check the system configuration, patch status and known vulnerabilities of the network and the network security equipment; and confirm that no internal user is privately connected to the external network and that unauthorized external access cannot enter the internal network.
7. Intrusion detection (defense) equipment shall be deployed at the network boundary to monitor possible attacks, record intrusions and raise an alarm while an intrusion is ongoing.
4.2.1.6 Backup and Recovery
The firewall (including system, software, configuration files and database files) must be backed up, so that data and configuration files can be promptly recovered when the system crashes. The backup data and files must be properly kept to ensure their safety, and may only be accessed by authorized personnel.
Once the firewall is attacked, the firewall administrator must reconfigure the firewall against the detected attack. If the firewall level needs to be degraded, the system must be disconnected from the external IP or the Internet, or the standby firewall shall be used.
In the absence of firewall protection, the personalization system cannot be connected to the external IP or the Internet.
4.2.2 Anti-virus
1. The manufacturer must use anti-virus software to protect the whole personalization network. Any file, software or data entering the personalization network must be scanned by the anti-virus software before entry.
2. Promptly update information such as the virus database in accordance with the requirements of the anti-virus software supplier, and generate an audit log.
3. Stipulate the necessary policy for regularly scanning the personalization network.
4.2.3 Access Control on Customers and Third Party
1. Access interfaces provided to customers and third parties shall be configured in accordance with their permission scope. Third parties and customers can only view the content that is available to them;
2. Only authorized communication protocols, instructions and channels can be used for access interfaces provided to the outside;
3. Regular inspection of the accounts of customers and third parties with access authorization shall be carried out at least once a week, with detailed records taken.
4. Services provided over network connections with access authorization shall be strictly controlled, and mutual communication between customers and third parties via such networks is not allowed.
3. General users shall be automatically logged off when they have been inactive for more than 5 minutes.
4. Strictly limit the operating scope and approval procedures of remote (telnet) login (remote dial-up or VPN).
6.4 Password Management
For systems that use only a static password for login, the password policy shall comply with the following principles. Where these cannot be applied for special reasons, the case shall be documented as an exception.
1. The password shall be not less than 6 digits.
2. The password shall include at least one letter and one number.
3. The password shall include at least three different characters.
4. The password shall be changed every quarter.
5. Reuse of any of the last four passwords shall be forbidden.
6. A security mechanism must be in place for users to reset their password.
7. The system shall force the initial password to be changed. Passwords shall not be displayed, stored or transmitted in plaintext.
8. Default passwords generated by the installation of systems and products shall not be used.
9. An account that has not been used for 90 days shall have its authority frozen. If the account is not used for 30 days after freezing, it shall be canceled.
6.5 Security Audit
The system must enable the necessary auditing functions to record the following event logs:
1. The date and manner of user logins to the system.
2. Failed access attempts.
3. Records of access to key directories or of the execution of key operations (events related to system security).
4. Regularly compile statistics on the records of users accessing system resources and feed them back to the users for confirmation and evaluation. The resource items that need statistical analysis are determined according to the users' needs.
5. For systems that do not have or are not suitable for enabling the auditing
It must be located within the high security area of the plant, and meet all the security requirements and procedures in order to comply with the requirements in the Guide to Security Management of UnionPay Card Product Manufacturer.
7.4 Personalization of IC Card
7.4.1 Security Requirements for Data Preparation
Data preparation is responsible for creating the procedures and data for the IC card application; the data mainly includes the issuer's master key and relevant data, application keys and certificates, application data, etc. The steps are listed below:
1. Create personalization data;
2. Integrate personalization data into data groupings;
3. Create personalization instructions and commands;
4. Create log record data for the application;
5. Create the input document for the personalization equipment.
Security requirements for data preparation are as follows:
The whole data preparation process must be conducted on data processing equipment connected to a hardware security module (HSM).
Import and export of keys and data shall be conducted strictly in accordance with the requirements of the EMV 2000 Integrated Circuit Card Specification for Payment Systems and the China Financial Integrated Circuit Card Specifications to ensure key and data security.
7.4.2 Security Requirements for Personalization Processing
Processing by the personalization equipment refers to the process in which the chip reader/writer sends personalization data to the chip card. During the data input process, the personalization equipment must be connected to a hardware security module (HSM) to perform data encryption and decryption and MAC checking while sending instructions;
Obtain KENC, KDEK and KMAC, and create a secure channel via mutual authentication;
It shall be located in the high security area of the plant and comply with the security requirements and procedures to meet the requirements in the UnionPay Card Manufacturer Security Management Guide V3.0.
7.4.3 Post-processing
Post-processing of IC card personalization refers to confirming that the personalization application data sent from the personalization equipment has been accepted by the IC card and correctly stored for future use, and locking the IC card that has completed personalization processing with the key used before personalization.
7.5 Process Security Requirements
7.5.1 Process Procedures
Personalization processing procedures shall be kept as official documents and any modification shall be authorized by the relevant managers. Detailed processes for the implementation of the various jobs shall be indicated in these procedures, including:
1. Operation process of the personalization equipment;
2. Handling and disposal process of data information;
3. Operation guidance for mistakes or other abnormal conditions occurring in the handling process, including application restrictions for system equipment, etc.
7.5.2 Control of Personalization Handling Process
1. Information on the card and cardholder shall not be disclosed to non-job-related personnel during the personalization handling process, and it must be ensured that no modification can be made to the personalization data;
2. During the handover at each step, the personnel responsible for counting the cards and envelopes shall not know the specific number in advance (blind counting);
3. Strict count management shall be carried out during the personalization handling process. A main examination control record for each work sheet / batch shall be kept separately. The examination control record shall include the work sheet No., name of issuer, type of card, etc. Every processing function shall include the following record contents: quantity of initial issuance, quantity of cards remaining from the previous phase, quantity of handed-over cards, number of cards returned to the warehouse, quantity of abandoned cards, quantity of sample cards / testing cards, personalization operating equipment and records, signature of the operator, date, time, signature of the inspector, etc.;
4. Any failure of the personalization processing equipment shall be recorded and the records kept for at least three months, including the following contents: operator's name, signature of the inspector, equipment description / equipment No., work sheet No., date, time, reason for failure, etc.;
5. During the card preparation process, it shall be ensured that more than two people are present at the card embossing and production site. Dual control shall be carried out for system login, and the relevant files on the personalization equipment shall be deleted upon completion.
8 Key Management
The principle for key security management is that all the encryption and decryption
operation outside the IC card shall be conducted on the hardware security module
(HSM).
8.1 Key Description
8.1.1 Personalization Key
The corresponding encryption keys shall be created before personalization of an IC card, mainly including the following:
KMC (personalization master key): the version number of the personalization master key shall exist on the IC card; KMC is used to generate the initial personalization keys (KENC, KMAC and KDEK) for every application. KMC is unique to every issuer.
KENC (diversified encryption key): one KENC shall be generated for every IC card and written into the corresponding application. This key is used to generate the IC card cryptogram and to verify the host cryptogram. If the cryptogram security level requires that the data field of the STORE DATA command is encrypted, this diversified key is also used to decrypt the data field of that command in CBC mode. KENC is a 16-byte (112-bit plus parity bits) DES key, unique to every card.
KMAC (diversified MAC key): one KMAC shall be generated for every IC card and written into the corresponding application. This key is used to verify the C-MAC of the EXTERNAL AUTHENTICATE command. When the cryptogram security level requires a MAC on the STORE DATA command, this key is also used to verify the C-MAC of the STORE DATA command. KMAC is a 16-byte (112-bit plus parity bits) DES key, unique to every card.
KDEK (diversified key encryption key): one KDEK shall be generated for every IC card and written into the corresponding IC card. This key is used to decrypt the confidential data received by the STORE DATA command in ECB mode. KDEK is a 16-byte (112-bit plus parity bits) DES key, unique to every card.
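As an added illustration of the per-card key hierarchy described in 8.1.1 (example code written for this edition, not UnionPay's, EMV's or any HSM vendor's specified procedure): KMC is diversified into KENC, KMAC and KDEK for one card by 3DES-CBC encrypting card-unique derivation data, DES odd parity is applied so that each 16-byte key carries 112 key bits plus parity, and a key check value (KCV) is computed so that issuer and personalization provider can confirm they hold the same key without the key ever being transmitted. The derivation labels, the 6-byte card diversifier and SampleKMC are constructed assumptions; the real derivation input is fixed by the issuer's data preparation specification.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
	"math/bits"
)

// PersonalizationKeys holds the per-card keys of Section 8.1.1: 16-byte
// two-key 3DES keys (112 key bits plus one parity bit per byte).
type PersonalizationKeys struct{ KENC, KMAC, KDEK []byte }

// Illustrative derivation labels. Assumption: the real labels and the card-unique
// input are fixed by the issuer's data-preparation specification, not by this Guide.
var labelENC, labelMAC, labelDEK = []byte{0x00, 0x01}, []byte{0x00, 0x02}, []byte{0x00, 0x03}

var SampleKMC = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, // constructed KMC,
	0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10} // for demonstration only

// tripleDES builds a 3DES cipher from a 16-byte key by expanding K1|K2 to K1|K2|K1.
func tripleDES(k16 []byte) (cipher.Block, error) {
	if len(k16) != 16 {
		return nil, errors.New("16-byte two-key 3DES key required")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
}

// FixDESParity sets the low bit of every byte so that each byte has odd parity;
// the other 7 bits of each byte are the 112 effective key bits.
func FixDESParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		b &^= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		out[i] = b
	}
	return out
}

// deriveKey 3DES-CBC-encrypts 16 bytes of derivation data (label|card|label|card)
// under KMC with a zero IV and applies DES parity to the result.
func deriveKey(kmc, label, card []byte) ([]byte, error) {
	block, err := tripleDES(kmc)
	if err != nil {
		return nil, err
	}
	data := append(append(append(append([]byte{}, label...), card...), label...), card...)
	out := make([]byte, 16)
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, data)
	return FixDESParity(out), nil
}

// DerivePersonalizationKeys derives KENC, KMAC and KDEK for one card from KMC and
// a 6-byte card-unique diversifier, so no two cards share a personalization key.
func DerivePersonalizationKeys(kmc, card []byte) (pk PersonalizationKeys, err error) {
	if len(card) != 6 {
		return pk, errors.New("6-byte card diversifier required")
	}
	if pk.KENC, err = deriveKey(kmc, labelENC, card); err != nil {
		return pk, err
	}
	if pk.KMAC, err = deriveKey(kmc, labelMAC, card); err != nil {
		return pk, err
	}
	pk.KDEK, err = deriveKey(kmc, labelDEK, card)
	return pk, err
}

// KCV returns the key check value: the first 3 bytes of the 3DES encryption of a
// zero block. Both parties compare KCVs to confirm they hold the same key.
func KCV(k16 []byte) ([]byte, error) {
	block, err := tripleDES(k16)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	block.Encrypt(out, make([]byte, 8))
	return out[:3], nil
}

func main() {
	pk, _ := DerivePersonalizationKeys(SampleKMC, []byte{0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC}) // constructed serial
	kcv, _ := KCV(pk.KENC)
	fmt.Printf("KENC=%X KCV=%X parity_ok=%v\n", pk.KENC, kcv, bytes.Equal(FixDESParity(pk.KENC), pk.KENC))
}
```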
8.1.2 Card Key
Public/private key pair of the issuer: usually generated by the issuer. The public key shall be transmitted to the certification authority for financial integrated circuit (IC) cards in China to create a certificate for the issuer's public key, while the private key shall be stored in the issuer's HSM (host encryption module).
If the key is processed by the personalization provider on behalf of the issuer, the key pair shall be managed as per this Guide.
[Table: keys for online verification of China financial integrated circuit cards (columns: Key, Key Share, Purpose; master key, card key and session key). Entries recoverable from the page: MDK / UDK with session keys SUDK MAC (message authentication) and SUDK ENC (data encryption), and the DDA (dynamic data authentication) key, issued upon completion of issuance. The remainder of the table body was lost in extraction.]
[Table: personalization keys (columns: Key, Key Share, Purpose; master key, card key and session key). Entries recoverable from the page: KMC with card keys KENC, KMAC and KDEK and session keys SK UENC, SK UMAC and SK UDEK, shared between the issuer, the IC card manufacturer and the personalization equipment; the issuer's key exchange key KEKISS, shared between the issuer and the data preparation equipment; the data preparation / transmission keys DEK and TK, shared between the data preparation equipment and the personalization equipment and used as message authentication code keys to protect the data provided to the personalization equipment in the personalization data document (purpose marked N/A where none applies).]
[Figure: key distribution among the Issuer HSM, the Certification Center, the Data Preparation Equipment HSM, the Personalization Equipment HSM (Personalization Manufacturer) and the personalization card, showing KMC, TK encryption, KEK encryption and KDEK.]
strictly assessed;
2. Upon completion of personalization, the data within the system shall be cleaned up in a safe way;
3. Convert the confidential information from encryption under KEK to encryption under TK on the hardware security module (HSM) in order to transmit it to the personalization equipment;
4. The data preparation system shall have at least one medium security area in which data access can be controlled, and data access rights shall be limited to those with business requirements.
Security requirements for the encryption process shall be applicable to the given data group and IC card purpose, and shall be consistent with the corresponding encryption process whether during data preparation or during the machine processing related to the personalization equipment.
8.2.2 Security Requirements during the Personalization Process
During the personalization processing stage, the personalization equipment shall:
1. Implement the KDEK calculation process for the IC card on the hardware security module (HSM);
2. Convert the confidential information in the personalization document from encryption under the transmission key TK to encryption under KDEK for transmission to the card; this conversion shall be implemented on the HSM;
3. Be installed in the high security area of the plant and comply with all the security requirements and procedural requirements stipulated by the security standards for the production of financial integrated circuit (IC) cards in China.
8.3 Key Operation
8.3.1 Asymmetric (RSA) Key
The security of an IC card depends on the protection of the private (signature) key. Failure to guarantee the security of the private key used for signing static or dynamic data elements creates the risk of IC card forgery. The major risks confronting the private key are:
1. Successful factorization of the RSA modulus;
2. Disclosure of the private key itself.
In order to limit the disclosure problem represented by these risks, application of the following requirements is recommended:
1. Length of the RSA key modulus in bits, e.g., 768, 896, 1024 and 1152, constituting the public/private key modulus;
key, as well as ciphertext generated by such key, protection against unauthorized use of the encryption function by anyone knowing the key or key components shall be applied. Such protection shall adopt one or both of the following modes:
Dual access control to enable the key encryption function.
Physical protection of the equipment under dual control (e.g., locked access).
9.3.2 HSM Disuse
When a unit of equipment is permanently taken out of service or destroyed, the following is required:
1. All cryptographic system keys, key materials and sensitive data shall be cleared from the equipment;
2. Any cryptographic system key, key material and sensitive data shall be cleared in compliance with the key management requirements of this Guide;
3. If safe clearance of cryptographic system keys, key materials and sensitive data cannot be guaranteed, the equipment shall be physically destroyed to prevent reacquisition and reuse, and to ensure that secret data or keys will not be disclosed.
(2) Set up a password policy. Control passwords and set their minimum length and complexity. Passwords are required to be replaced regularly.
(3) Adopt two-factor authentication. Set the update period for such verification methods as tokens and certificates.
(4) Strictly control access to the VPN client according to the principle of least privilege, and regularly review VPN client authorizations.
(5) If the VPN product cannot implement access control, it is recommended to use a firewall in tandem with the VPN gateway.
(6) Regularly review the statistical and auditing event records, so as to know whether there are any violations or insecurity issues.
(7) The VPN client is required to have personal firewall and anti-virus software installed.
(8) If the VPN client is not used for some time, it shall be disconnected from the VPN, and preferably disconnected from the Internet at the same time.
(9) Keep close contact with the VPN manufacturer or buy the maintenance service so as to upgrade security patches in a timely manner.