2025-01-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)11/24 Report--
CTOnews.com, August 9: Personal payment information refers to the personal information obtained, processed and saved in the course of providing payment services.
According to the China Payment and Clearing Association, in order to meet the latest requirements of national laws and regulations and better serve the development of the industry, the Association has revised the group standard "Technical Guidelines on Personal Information Protection", which it issued in 2016, and renamed it "Guidelines on the Protection of Personal Payment Information".
The document takes effect on the date of promulgation, and the original "Technical Guidelines for the Protection of Personal Information" is repealed.
Classification of personal payment information
Personal payment information is any information involved in an individual's participation in a payment activity that can be known and processed, relates to the individual, and can identify the individual alone or in combination with other information:
A) Account information refers to the account and account-related information, including, but not limited to, payment account number, bank card track data (or chip equivalent information), bank card validity period, account opening time, account opening institution, account balance, and payment marking information based on the above information.
B) Authentication information refers to the information used to verify whether the subject has access or use rights, including, but not limited to, bank card password and prepaid card payment password; the personal payment information subject's login password, account query password and transaction password; card verification code (CVN and CVN2), dynamic password, SMS verification code, answers to password prompt questions, etc.
C) Payment transaction information refers to the various kinds of information generated by the subject of personal payment information in the course of a transaction, including, but not limited to, transaction amount, payment record, overdraft record, transaction log and transaction voucher.
D) Personal identity information refers to basic personal information, personal biometric information, etc.:
Basic personal information includes, but is not limited to, the customer's legal name, ID card, passport and other document information, contact information (such as mobile phone number, fixed telephone number and email address), as well as photos, audio and video information collected in the process of providing products and services.
CTOnews.com note: personal biometric information includes, but is not limited to, biometric sample data, feature values and templates, such as fingerprint, face, iris, ear print, palm print, vein, voice print, eye print, gait, handwriting, etc.
E) Additional information:
Information formed by processing and analyzing the original data that can reflect certain circumstances of a particular individual, including, but not limited to, derivative information such as the consumption willingness and payment habits of a specific personal payment information subject.
Other personal information obtained, processed and saved in the course of providing payment services.
Personal payment information security framework
Personal payment information needs to be transferred among different payment business subjects in the payment business. The life cycle of personal payment information is closely related to the choice of payment business subject, business scenario and payment technology. Therefore, three elements are proposed in this framework:
A) Payment business subjects: it is advisable to carry out information protection work according to the main categories of payment information, identify the main responsibilities of each kind of payment business subject, determine its own scope of security protection, and establish personal payment information protection capability along dimensions such as basic requirements, management requirements, personnel requirements and system requirements.
B) Business scenario: personal payment information protection needs to cover every scenario. According to the different roles that take part in the payment service, data protection should be considered at least for the user scenario, the business operation scenario and the system operation and maintenance scenario.
C) Payment technology: it is advisable to set specific personal payment information protection requirements for each payment technology, including network payment, mobile payment, bank card acquiring and other technical models.
The life cycle of personal payment information includes collection, transmission, storage, use, processing, provision, disclosure, deletion, destruction and so on.
A) Collection is the main external source of personal payment information. When information is collected through mobile apps and other intelligent terminals, it should meet the requirements of GB/T 41391-2022; when personal information is collected through other, non-information-system channels, the basic principles of information collection in GB/T 35273-2020 and JR/T 0171-2020 should be followed, with special attention paid to the process of scanning paper documents or converting them into electronic data through OCR.
B) When personal payment information is transmitted between different participants, it is advisable to use encrypted channels and data encryption to ensure data security.
C) Different participants need to determine the necessity of data storage according to their business roles, and in principle should not store C3 personal payment information that does not belong to their own institution.
D) The use and processing of personal payment information should be strictly limited to its purpose. In principle, the payment business subject should not use personal payment information outside the payment business.
E) In principle, personal payment information should not be provided to parties unrelated to the business, and personal payment information is not allowed to be made public. If the payment business subject provides the merchant with personal payment information because of reconciliation or other such activities, it shall desensitize the personal payment information and require the merchant to protect it properly.
F) The deletion and destruction of personal payment information is an important means of preventing the disclosure of payment information. When personal payment information is no longer needed, deletion and destruction measures can be taken to deal with it.
G) The exit (cross-border transfer) of personal payment information shall meet the requirements of laws and regulations such as the Law on the Protection of Personal Information and the Measures for Security Assessment of Data Exit. The exit assessment organized by the State Internet Information Office should be completed in advance for the exit of personal information. Cross-border transactions may involve the exit of personal financial information, and the exit assessment shall be completed in accordance with the regulations.