ATM行业标准和规范介绍.ppt (Introduction to ATM Industry Standards and Specifications)

Title slide
广电运通金融电子股份有限公司 / GRG Banking Equipment Co., Ltd.
Motto: making everyday life easier through innovative technology. We Move Faster.
Introduction to ATM Industry Standards and Specifications

Part 1. Role and classification of standards

Why standards?
  A standard is a shared basis for regulation and interoperability (compare Standard Mandarin: one unified form).
  Related terms: Standard, Norm, Criterion, Specification.

Classification of standards
  By region: international standards (e.g. ISO8583); national standards (e.g. GB-2512).
  By degree of enforcement: mandatory standards (Compulsory); recommended standards (Recommended).
  Classification used in China: national standards, industry standards, local standards, enterprise standards
  (Standardization Law of the People's Republic of China, 1989-12-29).

Numbering of standards
  International standards: standard code + subject category number + sequence number + year.
    Examples: ISO8402:1987, ISO9000-1:1994; CWA 16374-1:2011 E (the CEN XFS 3.2 standard);
    ISO 9126-2001 (software engineering product quality).
  Chinese standards: standard code + publication sequence number + publication year.
  National standards: the code consists of upper-case pinyin letters. Mandatory national standards use the
    code GB, recommended national standards use GB/T.
    Example: GB/T 16260-2003 software engineering product quality.
  Industry standards: the industry code consists of upper-case pinyin letters; adding a slash and T marks a
    recommended industry standard (XX/T). Industry codes already issued include QJ (aerospace), SJ (electronics),
    JR (financial), YD (telecommunications), JB (machinery) and others.
    Examples: JR/T 0025.7-2013 IC card specification; JR/T 0055.1-2009 bank card interoperability technical specification.
  Local standards: the code is DB followed by the first two digits of the administrative division code of the
    province, autonomous region or municipality (Beijing 11, Tianjin 12, Shanghai 13, etc.); with a slash and T it
    is a recommended local standard (DBXX/T), without the slash and T it is a mandatory local standard (DBXX).
  Enterprise standards: the code is Q, a slash and the enterprise code (Q/XXX); the enterprise code may consist of
    upper-case pinyin letters, Arabic numerals or both.
    Examples: Q/CUP 008-2004 China UnionPay agency business ATM terminal technical specification;
    Q/CUP 008-2004 GRG Banking ATM application specification.

Part 2. ATM industry standards

Standards covered: CEN XFS, J/XFS, PA DSS, EMV, NDC, Active XFS, IFX, ECB, PBOC.

Where to obtain industry standards
  Company knowledge base: URL 33:899/ ; directory I:ftproot06.行业类6.5.行业业务知识类
  Frequently used industry websites: Bank Card Test Center; ECB (http://www.ecb.europa.eu/home/html/index.en.html);
  EMV; PCI; CEN (http://www.cen.eu/work/areas/pages/default.aspx); China UnionPay; ATM marketplace; ATMBox.

CEN XFS
  Unified C++ based standard for controlling financial self-service devices. Corresponding products: SP4.0, SP5.0.

J/XFS
  Unified Java-based standard for controlling financial self-service devices. Corresponding product: DS.

EMV
  Europay, MasterCard, Visa. Corresponding product: GrgEmvkernel.
  History: 1996 EMV 3.1; 2000-12 EMV 4.0; 2004-05 EMV 4.1; EMV 4.2; 2012-06 EMV 4.3.

PBOC
  Short for People's Bank of China; here it refers specifically to the PBOC IC card specification.
  1997: PBOC 1.0, electronic purse / electronic passbook.
  2005-03: PBOC 2.0, assigned the number JR/T 0025. Retains the electronic purse / electronic passbook, adds
    debit/credit, adds purse/passbook extensions; divided into 10 parts; covers magnetic stripe cards and chip cards.
  2010-04: PBOC 2.0 revised edition. Revises the 2005 edition, adds electronic cash, adds contactless payment
    (contact and contactless interfaces), standard transactions and small-value quick transactions.
  2013-02: PBOC 3.0 released.

PCI
  PCI DSS, PCI PA-DSS and PCI PTS: Payment Card Industry Data Security Standard, Payment Application Data
  Security Standard, PIN Transaction Security.

  Difference between PA-DSS and PCI DSS
  PCI DSS is the core standard, which is primarily for merchants and processors. It addresses security technology
  controls and processes for protecting cardholder data. PA-DSS is for software developers who sell commercial
  applications for accepting and processing payment cards. Most card brands require merchants and processors to
  use only approved payment applications. PED (PIN Entry Device) requirements are for manufacturers of payment
  card devices used at the point of sale. In addition to other PCI DSS requirements, software developers,
  merchants and processors must use only approved devices compliant with PED.

  PCI DSS considers data security from the perspective of the whole payment ecosystem: merchants, processors,
  acquirers, issuers, service providers and any other entity that stores, processes or transmits cardholder data.
  PA-DSS considers only the data security of the application itself. A PA-DSS compliant application therefore
  does not by itself make an entity PCI DSS compliant; the application must be deployed, following the
  implementation guide supplied by the PA-DSS vendor, in an environment that meets PCI DSS requirements.
  Scope of PCI DSS: all system components, meaning network components, servers and applications. Network
  components include firewalls, switches, routers, wireless access points, network appliances and other security
  devices; servers include web, application, database, authentication, mail, proxy, NTP (network time protocol)
  and DNS (domain name server) servers; applications include all purchased and custom applications, internal and
  external. PA-DSS is derived from PCI DSS and refines it for applications; it applies to software vendors and
  to anyone who develops applications that store, process or transmit cardholder data.

  What is the PCI Security Standards Council?
  The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the
  development, management, education, and awareness of the PCI Security Standards, including the Data Security
  Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS)
  requirements. The Council's five founding global payment brands - American Express, Discover Financial
  Services, JCB International, MasterCard, and Visa Inc. - have agreed to incorporate the PCI DSS as the technical
  requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs,
  PA-QSAs and ASVs certified by the PCI Security Standards Council. The Council's mission is to continually
  improve the security of payment account data by driving education and awareness of the PCI Security Standards.

  Document version history: PCI DSS; PA-DSS; PCI PTS.
  Document download: PCI Standards & Documents - Documents Library.

  Validation-related concepts
  Qualified Security Assessors (QSAs): QSA companies are organizations that have been qualified by the Council to
    have their employees assess compliance to the PCI DSS standard. Qualified Security Assessors are employees of
    these organizations who have been certified by the Council to validate an entity's adherence to the PCI DSS.
  Payment Application Qualified Security Assessors (PA-QSAs): PA-QSA companies are organizations that have been
    qualified by the Council to have their employees assess compliance to the PCI PA-DSS standard. Payment
    Application Qualified Security Assessors are employees of these organizations who have been certified by the
    Council to validate an entity's adherence to the PCI PA-DSS.
  Approved Scanning Vendors (ASVs): organizations that validate adherence to certain DSS requirements by
    performing vulnerability scans of Internet-facing environments of merchants and service providers. The
    Council has approved more than 130 ASVs.
  Internal Security Assessor (ISA): ISA sponsor companies are organizations that have been qualified by the
    Council. The PCI SSC ISA Program consists of internal security audit professionals of sponsor organizations
    who are qualified through training from the Council to improve their organization's understanding of the PCI
    DSS, facilitate the organization's interactions with QSAs, enhance the quality, reliability, and consistency
    of the organization's internal PCI DSS self-assessments, and support the consistent and proper application of
    PCI DSS measures and controls.
  Qualified Integrators and Resellers (QIRs): the PCI SSC QIR Program provides an opportunity for eligible
    professionals of qualifying organizations to receive training and qualification on the secure installation of
    PA-DSS validated payment applications into merchant environments in a manner that supports PCI DSS compliance.
  PCI Forensic Investigator (PFI): the PFI program establishes and maintains rules and requirements regarding
    eligibility, selection and performance of companies that provide forensic investigation services, to ensure
    they meet PCI Security Standards. The PFI program aims to simplify and expedite procedures for approving and
    engaging forensic investigators.
  Point-to-Point Encryption (P2PE) Qualified Security Assessors: QSA (P2PE) companies are organizations that have
    been qualified by the Council to have their employees assess PCI P2PE solutions; QSA (P2PE) assessors are
    employees of these organizations who have been certified by the Council to validate P2PE solutions.
  Payment Card Industry Professional (PCIP): the PCIP Program provides a personal qualification that stays with
    the holder regardless of employer. This entry-level credential demonstrates professional awareness and
    knowledge of the payments security industry, the PCI standards, and supporting documents.
  PCI Recognized Laboratories: PCI-recognized evaluation laboratories are organizations approved by the Council
    to conduct security evaluations on a range of product types, both hardware and software. For device vendors
    and manufacturers, the labs perform device testing to validate compliance to the PIN Transaction Security
    (PTS) requirements and, to facilitate the evaluation process prior to actual testing, offer guidance on device
    design and compliance assessments. The Bank Card Test Center has been a PCI-recognized evaluation laboratory
    since this year.

  PA-DSS and PCI DSS (three slides).

  PCI PTS (PIN Transaction Security)
  PCI PED (PIN Entry Device), PCI EPP (Encrypting PIN Pad) and PCI UPT (Unattended Payment Terminal) were merged
  into a single specification, PCI PTS, at version 3.0.
  PCI PTS test content (two slides).
  PCI PTS physical / logical test scope: the physical security characteristics of the device are those
  attributes that deter a physical attack on the device, for example the penetration of the device to determine
  its key(s) or to plant a sensitive data-disclosing "bug" within it. Logical security characteristics include
  those functional capabilities that preclude, for example, allowing the device to output a clear-text
  PIN-encryption key.
  PCI PTS test requirement examples (slide).

  Validated Payment Applications: Approved Companies & Providers - Validated Payment Applications.
    Official website: https:/www.pcisecuri / Certificate validity period:
  Approved PTS Devices: Approved Companies & Providers - Approved PTS Devices. Certificate validity period: 7 years.

ECB
  ECB: the European Central Bank, the financial institution established to support the issuance and circulation
  of the euro. Its functions are to maintain monetary stability, to manage the leading interest rates and the
  reserves and issuance of the currency, and to set European monetary policy.
  On 16 September 2010 the ECB adopted and published Decision ECB/2010/14, which defines the rules and procedures
  for the authentication and fitness checking of euro banknotes. The new version of the standard, ECB/2012/19,
  was published in December 2012 and adds requirements for the new euro banknote series.
  The decision mainly covers:
    1. classification of euro banknote handling machines;
    2. classification of euro banknote authentication results;
    3. definition of the handling process for each authentication result.
  Classification of banknote handling machines (two slides): Customer-oper
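The numbering rules summarised in Part 1 (GB versus GB/T, an industry code with an optional /T, DB plus the two-digit region code with an optional /T, Q/ plus an enterprise code, and the ISO-style code:year form) can be turned into a small classifier, which is useful when inventorying the standards a product claims compliance with. The following is an added example and is not GRG Banking's code nor part of the deck. The designations it recognises are the ones on the slides plus constructed local-standard examples; the DB region digits are parsed but not mapped to names, and treating an industry designation without /T as mandatory is an assumption carried over from the slide's GB and DB rules.

```python
"""Classify Chinese and international standard designations.

Added example, not GRG Banking's code: the rules are the ones summarised on the
slides (GB / GB/T, <industry code>[/T], DB<region>[/T], Q/<enterprise>, and the
ISO-style <org> <number>[-part]:<year> form). Treating an industry designation
without "/T" as mandatory is an assumption carried over from the GB and DB rules.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Industry codes named on the slides; other two-letter codes are accepted unlabelled.
INDUSTRY_CODES = {
    "QJ": "aerospace",
    "SJ": "electronics",
    "JR": "financial",
    "YD": "telecommunications",
    "JB": "machinery",
}


@dataclass(frozen=True)
class StandardId:
    level: str                        # international / national / industry / local / enterprise
    issuer: str                       # GB, JR, DB11, CUP, ISO, ...
    sequence: str                     # publication sequence number, leading zeros kept
    year: int                         # publication year
    part: Optional[str] = None        # "7" in JR/T 0025.7-2013, "1" in ISO9000-1:1994
    mandatory: Optional[bool] = None  # None where the level makes no such distinction
    description: Optional[str] = None


# Chinese designations: code, optional /T, then sequence[.part]-year
_TAIL = r"\s*(?P<seq>\d+)(?:\.(?P<part>\d+))?-(?P<year>\d{4})\s*$"
_NATIONAL = re.compile(r"^GB(?P<rec>/T)?" + _TAIL)
_LOCAL = re.compile(r"^DB(?P<region>\d{2})(?P<rec>/T)?" + _TAIL)
_ENTERPRISE = re.compile(r"^Q/(?P<ent>[A-Z0-9]+)" + _TAIL)
_INDUSTRY = re.compile(r"^(?P<code>[A-Z]{2})(?P<rec>/T)?" + _TAIL)
# International designations as written on the slides: ISO8402:1987, ISO9000-1:1994,
# CWA 16374-1:2011 E, ISO 9126-2001 (year after ":" or "-", optional "E" suffix).
_INTERNATIONAL = re.compile(
    r"^(?P<org>ISO|IEC|CWA|EN)\s*(?P<seq>\d+)(?:-(?P<part>\d+))?[:\-](?P<year>\d{4})(?:\s+E)?\s*$"
)


def parse_standard_id(text: str) -> StandardId:
    """Return the classification of one designation, or raise ValueError."""
    s = text.strip()
    m = _NATIONAL.match(s)
    if m:
        return StandardId("national", "GB", m["seq"], int(m["year"]), m["part"],
                          mandatory=m["rec"] is None,
                          description="national standard")
    m = _LOCAL.match(s)
    if m:
        return StandardId("local", "DB" + m["region"], m["seq"], int(m["year"]), m["part"],
                          mandatory=m["rec"] is None,
                          description=f"local standard, region code {m['region']}")
    m = _ENTERPRISE.match(s)
    if m:
        return StandardId("enterprise", m["ent"], m["seq"], int(m["year"]), m["part"],
                          mandatory=None,
                          description=f"enterprise standard of {m['ent']}")
    m = _INTERNATIONAL.match(s)
    if m:
        return StandardId("international", m["org"], m["seq"], int(m["year"]), m["part"],
                          mandatory=None,
                          description=f"international standard ({m['org']})")
    m = _INDUSTRY.match(s)
    if m:
        return StandardId("industry", m["code"], m["seq"], int(m["year"]), m["part"],
                          mandatory=m["rec"] is None,  # assumption, see module docstring
                          description=INDUSTRY_CODES.get(m["code"]))
    raise ValueError(f"unrecognised standard designation: {text!r}")


def enforcement(text: str) -> str:
    """Human-readable enforcement status: mandatory / recommended / not applicable."""
    sid = parse_standard_id(text)
    if sid.mandatory is None:
        return "not applicable"
    return "mandatory" if sid.mandatory else "recommended"


if __name__ == "__main__":
    # Designations from the slides plus two constructed local-standard examples.
    for d in ["GB/T 16260-2003", "JR/T 0025.7-2013", "JR/T 0055.1-2009",
              "DB11/T 1-2010", "DB12 2-2011", "Q/CUP 008-2004",
              "ISO8402:1987", "ISO9000-1:1994", "CWA 16374-1:2011 E", "ISO 9126-2001"]:
        print(f"{d:22} {parse_standard_id(d).level:13} {enforcement(d)}")
```

The national, local and enterprise patterns are tried before the generic two-letter industry pattern so that GB and DB are never mistaken for industry codes; a designation that matches none of the forms raises rather than being silently classified.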
