GB/T 21078.2-2011

Abolished

Banking—Personal identification number management and security—Part 2: Requirements for offline PIN handling in ATM and POS systems

Standard Type: GBT
ICS: 35.240.40
CCS: A 11
Status: Abolished
Issue Date: 2011-12-30
Implementation: 2012-02-01
Centralized Committee: 全国金融标准化技术委员会(SAC/TC 180) / National Financial Standardization Technical Committee (SAC/TC 180)
Issuing Authority: 中华人民共和国国家质量监督检验检疫总局 中国国家标准化管理委员会 / General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, Standardization Administration of the People's Republic of China

Catalogue

Foreword → Introduction → 1 Scope → 2 Normative References → 3 Terms and Definitions → 4 PIN protection during transmission between PIN entry device (PED) and IC card reader → 5 Physical security → 6 PIN BLOCK format → Bibliography

Scope

This part specifies the minimum security requirements for offline PIN handling and the standard methods for exchanging PIN data in an offline environment. This part applies to financial transactions initiated by cards requiring offline PIN verification, and also to those institutions responsible for implementing PIN management and protection techniques in ATMs and POS terminals deployed by acquirers.

This part does not apply to the following:
a) PIN management and security in an online PIN environment, which is covered by GB/T 21078.1;
b) approved PIN encryption algorithms;
c) use of PIN in an open network environment, which is covered by GB/T 21078.3;
d) PIN protection against loss or intentional misuse by the user or authorized employees of the issuer or its agents;
e) confidentiality of non-PIN transaction data;
f) protection of transaction messages against modification or substitution, e.g., online authorization responses;
g) prevention of PIN or transaction replay;
h) specific key management techniques;
i) decision by the IC card whether to accept an encrypted PIN;
j) contactless IC cards.

The basic principles of PIN management described in Clause 4 of GB/T 21078.1—2007 also apply to this part. Requirements related to multi-application IC cards are the responsibility of the issuer and are not included in this part. This part applies to IC card technology, but is not limited to IC card technology.

Normative References

GB/T 16649 (all parts)
GB/T 21078.1-2007
EMV2000

Keywords

Personal Identification Number; offline PIN; ATM; POS; security; IC card; PIN BLOCK

Application Summary (AI generated)

Financial institutions, ATM and POS terminal operators, and payment system security personnel use this standard to ensure the security of personal identification number (PIN) processing in offline environments. It specifies minimum security requirements and data exchange standards to prevent PIN theft or tampering during transmission. This standard is crucial for protecting cardholder privacy and the security of financial transactions.

AI Summary (AI generated)

This standard specifies minimum security requirements and data exchange methods for offline PIN handling in ATM and POS systems, applicable to financial transactions requiring offline PIN verification. It covers PIN protection during transmission between input devices and IC card readers, physical security requirements, and PIN BLOCK formats. The standard emphasizes encryption and the use of unique keys or periodic key changes to prevent PIN disclosure, and applies to IC card technology but is not limited to it.

Key Sentences (extracted from text)

1. This part specifies the minimum security requirements for offline PIN handling and the standard methods for exchanging PIN data in an offline environment.

2. When the PIN is transmitted in plaintext through an unprotected environment to the IC card reader and submitted to the IC card, the PIN shall be encrypted in accordance with the requirements of GB/T 21078.1—2007.

3. The PED shall be a 'physically secure device' as defined in 6.3 of GB/T 21078.1—2007.

4. Encrypted PINs transmitted between the PED and the IC card reader shall use the PIN BLOCK format specified in GB/T 21078.1—2007.

5. When using 'Format 2 PIN BLOCK', a unique key shall be used for each transaction or the encryption key shall be changed periodically.

Transparency note: The application summary and key sentences on this page were automatically generated by AI from the standard's original text. This content has not been human-verified and should not be used for compliance or regulatory purposes. Always refer to the official standard document from the issuing authority.