ISO 13491-2:2017 Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions

Standard number: ISO 13491-2:2017

Title: Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions

Publication date: 2017-03

Scope


ISO 13491-2:2017 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, ISO 11568-1, ISO 11568-2, and ISO 11568-4 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a "personal" device and outside of the scope of this document.

ISO 13491-2:2017 does not address issues arising from the denial of service of an SCD.

In the checklists given in Annex A to Annex H, the term "not feasible" is intended to convey the notion that although a particular attack might be technically possible, it would not be economically viable, since carrying out the attack would cost more than any benefits obtained from a successful attack. In addition to attacks for purely economic gain, malicious attacks directed toward loss of reputation need to be considered.
