
    Yinfa No. 170 [2016], Notice of the People's Bank of China on Further Strengthening Bankcard Risk Management


    The People’s Bank of China (“PBC”) Shanghai Head Office; all branches and business management departments of the PBC; all central sub-branches of the PBC in capital cities of provinces (autonomous regions) and sub-provincial cities; all state-owned commercial banks, joint-stock commercial banks, and Postal Savings Bank of China; China UnionPay Co., Ltd.; and Payment and Clearing Association of China:

    With the rapid development of mobile communication technologies and Internet finance, the security of bankcard use is facing new challenges. In order to further strengthen the security management of bankcard information, and improve the payment risk prevention and control capabilities, you are hereby notified of the relevant issues as follows:

    I. Strengthening the security management of bankcard information

    (1) Strengthening the internal control management of sensitive payment information. All commercial banks and payment institutions (non-banking payment institutions engaging in bankcard acquiring business and online payment business, here and below) and bankcard clearing institutions shall strictly implement the Notice of the People's Bank of China on Urging Banking Financial Institutions to Effectively Protect Personal Financial Information (No.17 [2011], PBC), improve the system for internal control management of sensitive payment information security, and report the relevant information to the PBC prior to September 1, 2016. First, it shall be strictly prohibited to retain the sensitive payment information of other institutions (including the magnetic stripe or chip information of bankcards, card verification codes, terms of validity of cards, passwords of bankcards, and online payment transaction passwords, among others). Where it is truly necessary to retain such information, the authorization of the clients themselves and account management institutions shall be obtained. Second, the management responsibilities of relevant posts and personnel shall be clarified; incompatible posts shall be strictly separated, and information operating authority shall be controlled; information operational procedures and norms shall be developed; internal supervision and the accountability mechanisms shall be strengthened; and practitioners shall be strictly prohibited from illegally storing, stealing, leaking or trading in sensitive payment information. Third, two or more internal audits of the security of sensitive payment information shall be conducted each year, and reports shall be formed for archival filing and future reference. Where the leakage of any sensitive payment information caused by system vulnerabilities or any violation of regulation by any internal person is found, effective measures shall be taken immediately to prevent the expansion of risks, and it shall be reported to the PBC. Where any suspected violation of law or crime is found, it shall be reported to the public security organ in a timely manner.

    (2) Strengthening the security protection of sensitive payment information. All commercial banks and payment institutions shall conduct channel encryption and bi-directional authentication between client software and server and between servers, hash or store in an encrypted manner key fields of important information, and guarantee the security of information transmission, storage and use. When conducting the online payment business, it is not allowed to commission or authorize the partners unqualified for engaging in the payment business to collect the sensitive payment information; the security controls with the functions of information input security protection and real-time data encryption shall be adopted; and effective measures shall be taken to prevent the partners from acquiring and retaining the sensitive payment information.

    (3) Comprehensively applying the payment tokenization technologies. From December 1, 2016, all commercial banks and payment institutions shall use the payment tokenization technologies to desensitize bankcard numbers, card verification codes, payment accounts of payment institutions and other information, and control the risks of information leakage and fraudulent transactions from the source by setting the domain control properties of payment tokens, such as the number of transactions, transaction amount, term of validity, and payment channels.
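    The following Python sketch is an added illustration of the domain-control idea in item (3) and is not code from this Notice, the PBC, UnionPay or any token service provider. It assumes an opaque random token that stands in for the card number, a vault that alone maps tokens back to card numbers, and four domain controls (use count, per-transaction amount ceiling, term of validity, permitted channels); the field names, the amount unit (fen) and the limits are assumptions, and the card number is a constructed sample.

```python
"""Payment token with domain controls, as an added illustration of item I(3).

Not code from the PBC, UnionPay or any token service provider; the token
format, the field names, the amount unit and the limits are assumptions
made for this example, and the card number is a constructed sample.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DomainControls:
    """Properties that restrict where and how a token may be used."""
    max_uses: int              # number of transactions the token may authorize
    max_amount: int            # ceiling per transaction, in fen (assumed unit)
    expires_at: datetime       # term of validity
    channels: frozenset        # permitted payment channels, e.g. {"app"}


@dataclass
class TokenRecord:
    pan: str                   # the real card number, kept only in the vault
    controls: DomainControls
    uses: int = 0


class TokenVault:
    """Maps opaque tokens to card numbers and enforces domain controls.
    Merchants and partners see only the token, never the card number."""

    def __init__(self):
        self._store = {}

    def issue(self, pan, controls):
        token = secrets.token_hex(8)   # random; carries no card digits
        self._store[token] = TokenRecord(pan, controls)
        return token

    def authorize(self, token, amount, channel, now):
        """Check every domain control before the transaction proceeds.
        Returns (approved, reason)."""
        rec = self._store.get(token)
        if rec is None:
            return False, "unknown token"
        c = rec.controls
        if now >= c.expires_at:
            return False, "token expired"
        if channel not in c.channels:
            return False, "channel not permitted"
        if amount > c.max_amount:
            return False, "amount exceeds token limit"
        if rec.uses >= c.max_uses:
            return False, "use count exhausted"
        rec.uses += 1
        return True, "approved"

    def revoke(self, token):
        """A leaked token is revoked here; the underlying card stays usable."""
        self._store.pop(token, None)


def run_demo(now=datetime(2016, 12, 1, 9, 0)):
    """Issue one single-channel, two-use token and exercise each control.
    Returns the list of (approved, reason) results in order."""
    vault = TokenVault()
    controls = DomainControls(
        max_uses=2, max_amount=50000,                 # 500.00 yuan, assumed limit
        expires_at=now + timedelta(days=1),
        channels=frozenset({"app"}),
    )
    token = vault.issue("6222020000001234", controls)  # constructed card number
    results = [
        vault.authorize(token, 20000, "app", now),                    # approved
        vault.authorize(token, 60000, "app", now),                    # over limit
        vault.authorize(token, 100, "web", now),                      # wrong channel
        vault.authorize(token, 100, "app", now + timedelta(days=2)),  # expired
        vault.authorize(token, 100, "app", now),                      # approved, 2nd use
        vault.authorize(token, 100, "app", now),                      # exhausted
    ]
    vault.revoke(token)
    results.append(vault.authorize(token, 100, "app", now))           # unknown token
    return results
```

    The point of the controls is that a token copied from a merchant's records is worth little: it is bound to one channel, capped in amount and count, and expires, and revoking it does not require reissuing the card.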

    (4) Strengthening the transaction password protection mechanism. All commercial banks and payment institutions shall strengthen the protection management of the transaction passwords of bankcards and online payment, among others, and the clients' security education, strictly limit the use of initial transaction passwords and remind clients to modify passwords in a timely manner, and establish the system verification mechanisms for the complexity of transaction passwords, so as to prevent a transaction password from being too simple (such as “111111” or “123456”, among others) or highly similar to a client's personal information (such as date of birth, certificate number, or mobile phone number, among others).
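    As an added illustration of the complexity verification called for in item (4), and not code from this Notice or the PBC, the following Python check rejects the two weak shapes the text names (all-identical and sequential digits) and any password that shares a run of digits with the client's date of birth, certificate number or mobile number. It assumes a six-digit numeric transaction password, a four-digit minimum for the shared run, and the client profile field names shown; the profile values are constructed.

```python
"""Transaction password complexity check in the spirit of item I(4).

Added illustration, not part of the Notice. Assumptions: the transaction
password is a six-digit numeric PIN (the "111111"/"123456" shape the text
cites); the client profile fields and the rejection rules below are choices
made for this example, not rules stated by the PBC.
"""
import re
from datetime import date

# Constructed sample client profile; none of these values belong to a real person.
SAMPLE_CLIENT = {
    "birth_date": date(1985, 7, 23),
    "id_number": "310101198507235678",  # constructed certificate number
    "mobile": "13812345678",            # constructed mobile number
}

MIN_FRAGMENT = 4  # assumed: a run of 4+ digits shared with personal data is rejected


def _is_repeated(pw):
    """All digits identical, e.g. 111111."""
    return len(set(pw)) == 1


def _is_sequential(pw):
    """Strictly ascending or strictly descending by one, e.g. 123456 or 654321."""
    diffs = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return diffs == {1} or diffs == {-1}


def _personal_digit_strings(client):
    """Digit strings the password is compared against: several date layouts,
    the certificate number and the mobile number."""
    d = client["birth_date"]
    return [
        d.strftime("%Y%m%d"), d.strftime("%y%m%d"),
        d.strftime("%m%d"), d.strftime("%d%m"),
        client["id_number"], client["mobile"],
    ]


def _shares_personal_fragment(pw, client):
    """True if any MIN_FRAGMENT-digit window of pw occurs in the personal data.
    Checking only windows of the minimum length is enough: a longer shared run
    always contains a shared run of the minimum length."""
    sources = _personal_digit_strings(client)
    for i in range(len(pw) - MIN_FRAGMENT + 1):
        frag = pw[i:i + MIN_FRAGMENT]
        if any(frag in s for s in sources):
            return True
    return False


def check_transaction_password(pw, client):
    """Return the list of rejection reasons; an empty list means accepted.
    Intended to run when the password is set, so a weak one is never stored."""
    if not re.fullmatch(r"\d{6}", pw):
        return ["must be exactly six digits"]
    reasons = []
    if _is_repeated(pw):
        reasons.append("all digits identical")
    if _is_sequential(pw):
        reasons.append("ascending or descending digit sequence")
    if _shares_personal_fragment(pw, client):
        reasons.append("contains a fragment of the client's personal information")
    return reasons


if __name__ == "__main__":
    for candidate in ("111111", "123456", "850723", "905678", "583917"):
        verdict = check_transaction_password(candidate, SAMPLE_CLIENT)
        print(candidate, verdict or "accepted")
```

    A production check would also compare against the previous password and against a list of commonly chosen PINs; the structure stays the same, with each rule appending its own reason so the client can be told exactly why the password was refused.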

    (5) Strictly regulating the acquiring outsourcing services. All commercial banks and payment institutions shall strictly implement the Measures for the Administration of Bankcard Acquiring Business (Announcement No. 9 [2013], PBC), and the Notice of the People's Bank of China on Strengthening the Outsourcing Management of Bankcard Acquiring Business (No. 199 [2015], PBC), and undertake the responsibilities for security management of sensitive payment information in the acquiring process. First, it is not allowed to transfer such work as system operation of core business, secret key management of acceptance terminals, and examination of the qualifications of chartered merchants to outsourced service providers; second, special persons shall be designated to manage the secret keys of terminals and relevant parameters, and ensure that different acceptance terminals use different master secret keys of terminals which are changed on a regular basis. Third, physical and online chartered merchants and outsourced service providers shall be prohibited, through agreements, from retaining sensitive payment information. Fourth, security assessment with certain independence of outsourced service providers and physical and online chartered merchants shall be conducted at a minimum once each year, and reports shall be formed for archival filing and future reference. Where relevant parties fail to comply with relevant agreements, cooperation therewith shall be suspended immediately.

    (6) Strengthening the regulation of payment innovations. For the application of important payment technologies and business innovations, all commercial banks and payment institutions shall undergo the recordation formalities with the PBC at a minimum 30 days before the projects are launched, and submit the project implementation plans and external security assessment reports and other written materials. In the process of conducting the business, the dynamic monitoring, evaluation as well as prevention and control of risks shall be effectively conducted.

    II. Increasing the efforts in the risk prevention and control of Internet bankcard transactions

    (1) Strengthening the security management of client software. First, all commercial banks and payment institutions shall improve the security prevention and control capabilities of their client software in such aspects as Trojan virus prevention, encrypted protection of information, and credibility of operating environment. Client software should be able to monitor and feed back to the background system the security status of mobile payment environment, which shall act as the basis for limitation or refusal of transactions or for any other risk control strategy. Second, credibility labels or quick entry shall be set for client software or official websites, and correct identification and access methods shall be notified to clients through a variety of channels. Third, external security assessment shall be conducted at a minimum once each year, and reports shall be formed for archival filing and future reference, so as to ensure the conformity to technical standards.

    (2) Strengthening the security management of identity authentication for business activation. From November 1, 2016, all commercial banks shall, when conducting the associated business with payment institutions and commercial institutions on the basis of bankcards, directly identify clients' identities strictly through multi-factor identity authentication, and obtain clients' authorization. Identity authentication shall be conducted through any of the following combination patterns: First, digital certificates that comply with the Specifications for Financial Electronic Certification (JR/T 0118) shall be adopted in combination with at a minimum one certification factor, such as transaction passwords. Second, dynamic token devices that comply with the Technical Specifications for Application of Dynamic Passwords (GM/T 0021) shall be adopted in combination with at a minimum one certification factor, such as transaction passwords. Third, two or more dynamic certification factors (such as dynamic verification codes, and dynamic challenge response based on client behavior, among others) shall be used in combination, and two or more different communication channels, such as voice, SMS or data (such as mobile banks, instant messaging, and e-mail), among others, shall be adopted.

    (3) Enhancing the security intensity of payment transactions. First, all commercial banks shall, in accordance with the Notice of the People's Bank of China on Improving Individual Bank Account Services and Strengthening Account Management (No. 392 [2015], PBC), establish and improve the classified management mechanisms for personal bank settlement accounts, and direct clients to use Class II and Class III bank accounts to handle the small-sum online payment business, and effectively prevent and control the risk of information leakage of various bank accounts, especially Class I bank accounts. Second, when payment institutions or other partners send payment instructions to commercial banks to deduct the funds in clients' bankcards, all commercial banks and payment institutions shall, in strict accordance with the provisions of Article 10 of the Measures for the Administration of Online Payment Business of Non-banking Payment Institutions (Issued by Announcement No. 43 [2015], PBC), take the technical measures of matching the transaction verification intensity with the amount of a transaction, so as to improve the security of transactions.

    (4) Strengthening Internet transaction risk monitoring. All commercial banks and payment institutions shall, through big data analysis or user behavior modeling or by other means, establish the transaction risk monitoring model and system to give early warning of abnormal transactions, and take such measures as investigation and verification, risk warning, and settlement delay. Where a system is logged onto in batch or in high frequency or in case of any other abnormal behavior, a comprehensive identification shall be conducted by making use of IP address, terminal device identification information, or browser cache information, among others, and additional verification or refusal of clients' requests or other means shall be adopted in a timely manner.
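    The following Python sketch is an added illustration of the batch and high-frequency login detection described in item (4); it is not code from this Notice or the PBC. It keeps sliding-window counters keyed by IP address and by terminal device identifier, plus a count of distinct accounts seen from one IP address, and maps the number of exceeded limits to the responses the text names (additional verification, or refusal). The window, the thresholds and the three-level response are assumptions, and the login records are constructed.

```python
"""Sliding-window detection of batch or high-frequency logins, as an added
illustration of item II(4). Not PBC code; the thresholds, window and the
three-level response (allow / additional verification / refuse) are
assumptions made for this example, and the login records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: counts are per sliding window; exceeding one limit asks for
# additional verification, exceeding two or more refuses the request.
THRESHOLDS = {
    "window": timedelta(minutes=1),
    "ip_logins": 8,       # logins from one IP address
    "device_logins": 8,   # logins from one terminal device identifier
    "ip_accounts": 5,     # distinct client accounts from one IP address
}


def _build_sample_logins():
    """Constructed login records: (timestamp, client_id, ip, device_id).
    Three ordinary logins, then a burst of 12 different accounts from one
    IP address and one device within 24 seconds."""
    base = datetime(2016, 9, 1, 10, 0, 0)
    events = [
        (base, "c001", "198.51.100.10", "dev-a"),
        (base + timedelta(seconds=5), "c002", "198.51.100.11", "dev-b"),
        (base + timedelta(minutes=2), "c001", "198.51.100.10", "dev-a"),
    ]
    for i in range(12):
        events.append((base + timedelta(minutes=5, seconds=2 * i),
                       f"c{100 + i}", "203.0.113.5", "dev-burst"))
    return events


SAMPLE_LOGINS = _build_sample_logins()


def _expire(dq, cutoff, stamp=lambda item: item):
    """Drop entries older than the window from the left of a deque."""
    while dq and stamp(dq[0]) < cutoff:
        dq.popleft()


def assess_logins(events, thresholds=THRESHOLDS):
    """Process login events in time order; return a list of
    (timestamp, client_id, action, triggers) decisions."""
    window = thresholds["window"]
    ip_hits = defaultdict(deque)       # ip -> timestamps
    device_hits = defaultdict(deque)   # device -> timestamps
    ip_accounts = defaultdict(deque)   # ip -> (timestamp, client_id)
    decisions = []
    for ts, client, ip, device in sorted(events, key=lambda e: e[0]):
        cutoff = ts - window
        _expire(ip_hits[ip], cutoff)
        _expire(device_hits[device], cutoff)
        _expire(ip_accounts[ip], cutoff, stamp=lambda item: item[0])
        ip_hits[ip].append(ts)
        device_hits[device].append(ts)
        ip_accounts[ip].append((ts, client))

        triggers = []
        if len(ip_hits[ip]) > thresholds["ip_logins"]:
            triggers.append("ip_rate")
        if len(device_hits[device]) > thresholds["device_logins"]:
            triggers.append("device_rate")
        if len({c for _, c in ip_accounts[ip]}) > thresholds["ip_accounts"]:
            triggers.append("ip_accounts")

        if not triggers:
            action = "allow"
        elif len(triggers) == 1:
            action = "additional_verification"
        else:
            action = "refuse"
        decisions.append((ts, client, action, triggers))
    return decisions


def count_actions(decisions):
    """Tally of actions, e.g. {'allow': 8, 'additional_verification': 3, 'refuse': 4}."""
    counts = {}
    for _, _, action, _ in decisions:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, client, action, triggers in assess_logins(SAMPLE_LOGINS):
        print(ts.time(), client, action, triggers)
```

    On the constructed burst the first few logins pass, the distinct-account limit is the first to trip (one trigger, so additional verification), and once the per-IP and per-device rates also exceed their limits the requests are refused. The same structure extends to browser cache identifiers or any other key the text mentions by adding another counter.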

    (5) Intensifying the efforts in joint prevention and control of payment risks. All commercial banks and payment institutions shall conscientiously implement the Notice of the People's Bank of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Industry and Commerce on Establishing the Mechanisms for the Emergency Suspension of Payments and Rapid Freezing of Accounts Involved in Any New-Type Violations of Laws or Crimes Related to Telecommunications Networks (No. 86 [2016], PBC), gain access, as required, to the risk event management platforms for new-type illegal and criminal transactions related to telecommunications networks, and strengthen the management of the suspension of payment and freezing of accounts involved in cases.

    III. Effectively preventing the risks of fraudulent transactions with the counterfeit cards of magnetic stripe cards

    (1) Reducing the risks of magnetic stripe transactions by using financial IC cards. First, from September 1, 2016, the bankcards based on RMB settlement accounts newly issued by all commercial banks shall be financial IC cards that comply with the China Financial Integrated Circuit (IC) Card Specifications (JR/T 0025), and adopt the chips that pass the security assessment by the institutions accredited by the certification and accreditation administrative department of the state. Second, all commercial banks shall further strengthen the risk control of magnetic stripe transactions in terms of transaction channels, frequency of swiping bankcards, the amount of a single transaction, and daily cumulative transaction amounts, among others. For suspicious transactions, transaction confirmation and risk warning shall be conducted via SMS, telephone, and client software, among others. From May 1, 2017, magnetic stripe transactions of composite cards with both chips and magnetic stripes shall be completely closed. Third, all commercial banks shall accelerate the replacement of stock magnetic stripe cards with financial IC cards by means of the replacement of cards with card numbers unchanged, or real-time card issuance, among others.

    (2) Strengthening the security management of acceptance terminals. All commercial banks and payment institutions shall strengthen security management in terms of product selection, acceptance check, and on-site inspection of acceptance terminals, among others, so as to ensure the conformity of acceptance terminals to technical standards. Bankcard clearing institutions shall, in conjunction with member institutions, strengthen the network access management of acceptance terminals through the network-accessed terminal signatures, unique identification and other technical measures, and strictly prohibit the network access and use of the acceptance terminals that fail to comply with standards or are illegally modified. For stock terminals, regular inspection mechanisms shall be established to continuously conduct random terminal inspections, so as to ensure the consistency between the deployed terminals and the qualified samples, and to strictly control the use of modified terminals.

    (3) Strengthening the real-name system management of chartered merchants. Bankcard clearing institutions shall, in conjunction with member institutions, establish and improve the electronic information management system for physical and online chartered merchants, strictly implement the relevant provisions on the real-name system for chartered merchants, and record in a complete and accurate manner the identity information of chartered merchants and their legal representatives or primary persons-in-charge, and conduct associated management of the registered information of the same chartered merchant in different commercial banks and payment institutions. The chartered merchant qualification examination and information updating mechanisms shall be improved by making full use of image acquisition, regional positioning and other technologies, and through multi-channel cross validation or by other effective means, and continuous efforts shall be made to strengthen the administration of the authenticity of chartered merchants' information.

    (4) Strengthening the administration of the blacklist of chartered merchants that violate regulations. First, all commercial banks and payment institutions shall establish and improve the administration system for the blacklists of physical and online chartered merchants that violate regulations, and clarify the conditions for being included into and removed from the blacklists and the punitive measures, among others. The monitoring and patrol inspection of chartered merchants shall be strengthened. The chartered merchants that leak sensitive payment information, illegally modify terminals, get involved in counterfeit card frauds or commit any other violations of regulations shall be subject to the blacklist administration, and be given severe disciplinary actions according to the seriousness of the circumstances, such as delay in settlement, suspension of transactions, or termination of cooperation, among others, and the Payment and Clearing Association of China and bankcard clearing institutions shall be notified in a timely manner. Second, the Payment and Clearing Association of China and bankcard clearing institutions shall, in conjunction with commercial banks and payment institutions, establish and improve the blacklist information sharing and inquiry mechanisms, and take more rigid disciplinary actions; and may not develop the chartered merchants that have been included into the blacklists.

    (5) Implementing the rules on the transfer of risk responsibilities of counterfeit card frauds. Bankcard clearing institutions shall, in conjunction with member institutions, further fulfill the risk responsibilities of counterfeit card frauds in the process of bankcard acceptance, and protect the rights and interests of the chip migration parties. Complaint handling mechanisms shall be established and improved, and fraud risk events shall be addressed properly, so as to effectively protect the lawful rights and interests of clients.

    IV. Strictly implementing various provisions, and reinforcing supervision, inspection and punishment

    (1) Strictly implementing the relevant provisions of the state on network security and standard conformity. All commercial banks, payment institutions, and bankcard clearing institutions shall strictly implement the relevant provisions of the state on network security and information technology security, and use the commercial password products accredited by the password administration authority of the state. First, the client software, acceptance terminals, bankcards, digital certificates, and dynamic token devices involved, among others, shall comply with the relevant standards of the state and the financial industry, and pass the security assessment by the institutions accredited by the certification and accreditation administrative department of the state. Second, business system construction and operation shall comply with the relevant requirements of the graded protection of information security of the state. Third, business system and backup system shall be arranged within the territory of China in accordance with the relevant requirements of the state for network security.

    (2) Establishing and improving the supervision and inspection mechanisms. All branch offices of the PBC shall attach great importance to and make unremitting efforts in effectively controlling the relevant work; form the leadership teams for bankcard risk management; establish routine supervision and inspection mechanisms; incorporate the work safety of the payment business system, acceptance terminal (including online payment interface) security, and protection of sensitive payment information, among others, into law enforcement inspection; and make overall arrangements for effectively conducting guidance and coordination, policy publicity, law enforcement inspection, information notification, and other work.

    (3) Imposing heavier punishments on violations of regulations. All branch offices of the PBC shall strictly investigate the interruption of payment services, leakage of sensitive payment information, and financial loss events caused by the modification of bankcard acceptance terminals, low intensity in payment transaction verification, security vulnerabilities of the system, or network attacks suffered, and impose strict punishments in accordance with the Measures for the Administration of Bankcard Acquiring Business, the Measures for the Administration of Online Payment Business of Non-banking Payment Institutions and other relevant provisions; if the circumstances are serious, they shall punish the relevant institutions and directly responsible directors and senior executives and other directly liable persons in accordance with Article 46 of the Law of the People's Republic of China on the People's Bank of China; or if any conduct is criminally punishable, it shall be reported to the public security organs in a timely manner. Where the circumstances of any payment institution are serious, its classification and rating shall also be lowered, or the Payment Business Permit shall be even cancelled in accordance with the provisions of the Measures for the Administration of Payment Services Provided by Non-financial Institutions (Issued by Order No. 2 [2010], PBC) and the Measures for the Administration of the Classification and Rating of Non-banking Payment Institutions (No. 106 [2016], PBC).

    (4) Strengthening the industry self-disciplinary rules. The Payment and Clearing Association of China shall, in accordance with the requirements of this Notice and other relevant provisions, develop the industry self-disciplinary rules for bankcard risk management, establish the self-disciplinary inspection and regulatory violation constraint mechanisms, and organize the implementation thereof after reporting them to the PBC for recordation prior to September 30, 2016, so as to urge member entities to strengthen self-discipline, and strictly implement various provisions.

    For the matters subject to reporting or recordation as prescribed in this Notice, the national commercial banks, the Payment and Clearing Association of China, and bankcard clearing institutions shall report them to the Head Office of the PBC; and other banking financial institutions and payment institutions shall report them to the PBC branch offices at or above the level of a central sub-branch of a sub-provincial city at the places where their corporate bodies are located.

    The PBC branch offices at or above the level of a central sub-branch of a sub-provincial city shall forward this Notice to the local banking financial institutions and payment institutions within their respective jurisdictions, and strengthen the organization of the implementation thereof.

    The People's Bank of China

    June 13, 2016

    Date of last update: Nov. 29, 2018
    June 19, 2016

    Disclaimer:

    The laws and regulations on this website are authentic in Chinese only. The English translation is provided solely for reference.
