What does bank card upgrade mean?

1. Bank card upgrades are generally background system upgrades that add some functions, which generally have nothing to do with consumers. However, when upgrading, bank cards must be stopped, and the time is usually around 0:00. affect the use.

2. For bank system maintenance, there will usually be text message reminders or announcements. A bank card is a credit payment instrument issued to the public by financial institutions such as commercial banks and postal savings and remittance institutions, with all or some of the functions of consumer credit, transfer settlement, and cash deposit and withdrawal. Bank cards include credit cards and debit cards.

Extended information

1. Strengthen the security management of bank card information

(1) Strengthen the internal control management of sensitive payment information. All commercial banks, payment institutions (non-bank payment institutions engaged in bank card acquiring business and online payment business, the same below), and bank card clearing institutions should strictly implement the "Notice of the People's Bank of China on Banking Financial Institutions Protecting Personal Financial Information" (Yinfa [2011] No. 17), improve the internal security control system for sensitive payment information, and report the relevant situation to the People's Bank of China before September 1, 2016.

First, it is strictly prohibited to retain sensitive payment information that is not owned by the institution (including bank card track or chip information, card verification code, card validity period, bank card password, online payment transaction password, etc.). Where retention is genuinely necessary, authorization from the customer and the account management institution should be obtained.

The second is to clarify the management responsibilities of relevant positions and personnel, strictly separate incompatible positions and control information operation authority, formulate information operation procedures and specifications, strengthen internal supervision and accountability mechanisms, and strictly prohibit employees from illegally storing, stealing, leaking, buying or selling sensitive payment information.

Third, internal audits on the security of sensitive payment information should be conducted at least twice a year, and reports should be archived for future reference. If it is discovered that sensitive payment information has been leaked due to system vulnerabilities or that internal personnel have violated regulations, effective measures should be taken immediately to prevent the risk from expanding, and the matter should be reported to the People's Bank of China; where a crime is suspected, it should be reported to the public security organs in a timely manner.

(2) Strengthen the security protection of sensitive payment information. All commercial banks and payment institutions should implement channel encryption and two-way authentication between client software and servers, and between servers, and hash or encrypt key fields of important information to ensure the security of information transmission, storage, and use. When conducting online payment business, cooperative institutions without payment business qualifications shall not be entrusted or authorized to collect sensitive payment information. Security controls with information input security protection and real-time data encryption functions shall be adopted, and effective measures shall be taken to prevent cooperative institutions from obtaining and retaining sensitive payment information.

(3) Comprehensive application of payment tokenization technology. Starting from December 1, 2016, all commercial banks and payment institutions should use payment tokenization technology (Tokenization) to desensitize bank card numbers, card verification codes, payment institution payment accounts and other information, and set domain control attributes for payment tokens, such as the number of transactions, transaction amount, validity period and payment channel, so as to control the risks of information leakage and fraudulent transactions at the source.
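A sketch of how the domain control attributes named in item (3) constrain a payment token. This is an added example, not taken from the notice or from any token service specification; the `TokenVault` class, its method names, the `tok_` prefix and the card number are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class TokenRecord:
    pan: str                # real card number, held only inside the vault
    channel: str            # payment channel the token is bound to
    max_amount_cents: int   # per-transaction amount ceiling
    uses_left: int          # remaining number of transactions
    expires_at: datetime    # end of the validity period


class TokenVault:
    """In-memory stand-in for a tokenization service (hypothetical)."""

    def __init__(self):
        self._records = {}

    def tokenize(self, pan, channel, max_amount_cents, max_uses, ttl, now):
        # Random token: it cannot be reversed to the PAN without the vault.
        token = "tok_" + secrets.token_hex(8)
        self._records[token] = TokenRecord(
            pan, channel, max_amount_cents, max_uses, now + ttl)
        return token

    def authorize(self, token, channel, amount_cents, now):
        """Check every domain control; return (approved, reason)."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown_token"
        if now >= rec.expires_at:
            return False, "expired"
        if channel != rec.channel:
            return False, "wrong_channel"
        if amount_cents > rec.max_amount_cents:
            return False, "amount_over_limit"
        if rec.uses_left <= 0:
            return False, "use_count_exhausted"
        rec.uses_left -= 1   # a use is consumed only on approval
        return True, "approved"


def demo():
    """Run constructed requests against one token; return the decisions."""
    now = datetime(2016, 12, 1, tzinfo=timezone.utc)
    vault = TokenVault()
    # Constructed test PAN, not a real card number.
    tok = vault.tokenize("6200000000000005", "mobile_app", 50_000, 2,
                         timedelta(minutes=15), now)
    requests = [
        ("mobile_app", 10_000, now),                       # within all limits
        ("web", 10_000, now),                              # other channel
        ("mobile_app", 60_000, now),                       # over amount limit
        ("mobile_app", 10_000, now),                       # second allowed use
        ("mobile_app", 10_000, now),                       # third use
        ("mobile_app", 10_000, now + timedelta(hours=1)),  # after validity
    ]
    return [vault.authorize(tok, ch, amt, t)[1] for ch, amt, t in requests]
```

A token that leaks from a merchant or partner is therefore only usable on its bound channel, under its amount ceiling, for its remaining uses and within its validity period.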

(4) Strengthen the transaction password protection mechanism. All commercial banks and payment institutions should strengthen the protection and management of bank card, online payment and other transaction passwords and customer security education, strictly limit the use of initial transaction passwords and prompt customers to modify them in a timely manner, establish a system verification mechanism for transaction password complexity, and avoid transaction passwords that are too simple (such as "111111", "123456", etc.) or too similar to the customer's personal information (such as date of birth, ID number, mobile phone number, etc.).
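One way to implement the complexity check described in item (4), as an added example that is not part of the notice. It assumes a six-digit numeric transaction password and treats "too similar" as the password appearing inside the digits of the birth date, ID number or phone number; the function names and the customer record are constructed.

```python
import re


def personal_fragments(birth_date, id_number, phone):
    """Digit strings derived from customer data that a PIN must not match."""
    y, m, d = birth_date.split("-")          # expects YYYY-MM-DD
    dates = {y + m + d, y[2:] + m + d, m + d + y, d + m + y,
             m + d + y[2:], d + m + y[2:]}
    return dates | {re.sub(r"\D", "", id_number), re.sub(r"\D", "", phone)}


def is_sequence(pin):
    """True for runs such as 123456, 654321 or 890123 (wraps 9 -> 0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def check_transaction_pin(pin, birth_date, id_number, phone):
    """Return a list of rejection reasons; an empty list means acceptable."""
    if not re.fullmatch(r"\d{6}", pin):      # six digits is an assumption
        return ["must_be_six_digits"]
    reasons = []
    # One to three digits repeated to fill the PIN: 111111, 121212, 123123.
    if re.fullmatch(r"(\d{1,3})\1+", pin):
        reasons.append("repeated_pattern")
    if is_sequence(pin):
        reasons.append("sequential_digits")
    fragments = personal_fragments(birth_date, id_number, phone)
    if any(pin in frag for frag in fragments):
        reasons.append("matches_personal_info")
    return reasons


# Constructed customer record (not real data).
CUSTOMER = {"birth_date": "1990-03-15",
            "id_number": "11010519900315123X",
            "phone": "13800000000"}


def demo():
    """Check a few constructed PINs against the constructed customer."""
    pins = ["111111", "123456", "121212", "900315", "380000", "482917"]
    return {p: check_transaction_pin(p, **CUSTOMER) for p in pins}
```

The check belongs at the point where the customer sets or changes the password, before the value is hashed or encrypted for storage.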

(5) Strictly regulate the outsourcing services of acquiring. All commercial banks and payment institutions should strictly implement the "Management Measures for Bank Card Acquiring Business" (Announcement No. 9 of the People's Bank of China [2013]) and the "Notice of the People's Bank of China on Strengthening the Outsourcing Management of Bank Card Acquiring Business" (Yinfa [2015] No. 199), and take responsibility for the security management of sensitive payment information in the acquiring process.

First, core business system operation, acceptance terminal key management, special merchant qualification review and other tasks must not be handed over to outsourcing service agencies.

The second is to designate a dedicated person to manage terminal keys and related parameters to ensure that different acceptance terminals use different terminal master keys and replace them regularly.

The third is to use agreements to prohibit physical merchants, online merchants, and outsourcing service agencies from retaining sensitive payment information.

Fourth, conduct at least one independent security assessment of outsourcing service agencies, physical merchants and online merchants every year, and prepare a report to be archived for future reference. If relevant agreements are not followed, cooperation should be suspended immediately.

(6) Strengthen the standardized management of payment innovation. For important payment technology applications and business innovations, all commercial banks and payment institutions should register with the People's Bank of China at least 30 days before the project is launched, and submit written materials such as project implementation plans and external security assessment reports. In the process of business development, dynamic monitoring, assessment, prevention and control of risks should be done well.

2. Increase the risk prevention and control of bank card Internet transactions

(1) Strengthen the security management of client software. First, all commercial banks and payment institutions should improve their client software security prevention and control capabilities in terms of Trojan virus prevention, information encryption protection, and trustworthy operating environment. The client software should be able to monitor and feed back to the backend system the security status of the mobile payment environment as a basis for risk control strategies such as restricting and rejecting transactions. The second is to set up trusted logos or quick entrances to client software and official websites, and inform customers of the correct identification and access methods through multiple channels. Third, an external safety assessment must be conducted at least once a year, and a report must be archived for future reference to ensure compliance with technical standards.

(2) Strengthen the security management of identity authentication for business opening. Starting from November 1, 2016, when establishing related business with payment institutions and commercial institutions based on bank cards, commercial banks should strictly adopt multi-factor identity authentication methods to directly identify customers and obtain customer authorization. Identity authentication should adopt one of the following combinations: First, use a digital certificate that complies with the "Financial Electronic Authentication Specification" (JR/T 0118) and combine it with at least one authentication factor such as a transaction password. The second is to use dynamic token devices that comply with the "Technical Specifications for Dynamic Password Cryptographic Applications" (GM/T 0021) and combine them with at least one authentication factor such as transaction passwords. The third is to combine at least two dynamic authentication factors (such as dynamic verification code, dynamic challenge response based on customer behavior, etc.), and use at least two different communication channels such as voice, SMS, and data (such as mobile banking, instant messaging, and email).

(3) Improve the security of payment transactions. First, all commercial banks should establish and improve the classification management mechanism for personal bank settlement accounts in accordance with the "Notice of the People's Bank of China on Improving Personal Bank Account Services and Strengthening Account Management" (Yinfa [2015] No. 392), and guide customers to use Type II and Type III bank accounts for small-amount online payment services, effectively preventing and controlling the risk of information leakage for all types of bank accounts, especially Type I accounts. Second, when payment institutions and other partners send payment instructions to commercial banks and deduct funds from customers' bank cards, all commercial banks and payment institutions should strictly implement Article 10 of the "Measures for the Management of Online Payment Business of Non-bank Payment Institutions" (People's Bank of China Announcement [2015] No. 43) and take technical measures to match the transaction verification intensity with the transaction amount to improve transaction security.

(4) Strengthen the monitoring of Internet transaction risks. All commercial banks and payment institutions should use big data analysis, user behavior modeling and other means to establish transaction risk monitoring models and systems, promptly warn of abnormal transactions, and take measures such as investigation and verification, risk warnings, and delayed settlement. For abnormal behaviors such as batch or high-frequency logins, IP addresses, terminal device identification information, browser cache information, etc. should be used for comprehensive identification, and additional verification, rejection of requests, etc. should be adopted in a timely manner.

(5) Strengthen the joint prevention and control of payment risks. All commercial banks and payment institutions should conscientiously implement the "Notice of the People's Bank of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Industry and Commerce on establishing an emergency payment stop and rapid freezing mechanism for accounts involved in new illegal crimes in telecommunications networks" (Yinfa [2016] No. 86), connect as required to the risk event management platform for transactions involving new types of telecommunications network crime, and strengthen the management of stop payments and freezing of accounts involved in such cases.

3. Effectively prevent the risk of fraudulent transactions with magnetic stripe cards

(1) Use financial IC cards to reduce the risk of magnetic stripe transactions. First, starting from September 1, 2016, bank cards newly issued by commercial banks on the basis of RMB settlement accounts should be financial IC cards that comply with the "China Financial Integrated Circuit (IC) Card Specifications" (JR/T 0025) and use chips that have passed the security assessment of institutions accredited by the national certification and accreditation management department. Second, all commercial banks should further strengthen magnetic stripe transaction risk control in terms of transaction channels, card swiping frequency, single transaction amount, daily cumulative transaction amount, transaction area, etc. For suspicious transactions, transaction confirmation and risk warning should be carried out through text messages, phone calls, client software, etc. Starting from May 1, 2017, magnetic stripe transactions for chip-magnetic stripe composite cards will be completely closed. Third, all commercial banks should adopt measures such as replacing cards without changing numbers and issuing cards in real time to speed up the process of replacing existing magnetic stripe cards with financial IC cards.

(2) Strengthen the security management of acceptance terminals. All commercial banks and payment institutions should strengthen safety management from acceptance terminal product selection, acceptance, on-site inspection and other aspects to ensure compliance with the technical standards of acceptance terminals. Bank card clearing institutions should work with member institutions to take technical measures such as network terminal signatures and unique identifications to strengthen the management of network access for acceptance terminals, and strictly prohibit the use of acceptance terminals that do not meet standards or have been illegally modified. A regular inspection mechanism should be established for existing terminals, continuous terminal sampling inspections should be carried out to ensure the consistency of deployed terminals and qualified samples, and the use of modified terminals should be strictly controlled.

(3) Strengthen the real-name management of special merchants. Bank card clearing institutions should work with member institutions to establish and improve the electronic information management system for physical and online special merchants, strictly implement the relevant regulations on the real-name system for special merchants, completely and accurately record the identity information of special merchants and their legal representatives or principals, and manage in an associated manner the information that the same merchant has registered at different commercial banks and payment institutions. They should make full use of technologies such as image collection and regional positioning, adopt effective means such as multi-channel cross-verification, improve the qualification review and information update mechanism for special merchants, and continue to strengthen the authenticity management of special merchant information.

(4) Strengthen the blacklist management of illegal special merchants. First, all commercial banks and payment institutions should establish and improve the blacklist management system for non-compliant physical and online special merchants, and clarify the conditions for blacklist inclusion and removal, punitive measures, etc. They should strengthen the monitoring and inspection of special merchants. Merchants that have leaked sensitive payment information, illegally modified terminals, participated in counterfeit card fraud or committed other violations should be placed on the blacklist and, depending on the severity, subjected to disciplinary measures such as delayed settlement, suspension of transactions and termination of cooperation, and the China Payment and Clearing Association and the bank card clearing agency should be notified promptly. Second, the China Payment and Clearing Association and bank card clearing agencies should work with commercial banks and payment institutions to establish and improve a blacklist information sharing and inquiry mechanism, increase joint punishment, and prohibit the onboarding of special merchants that have been included in the blacklist.

(5) Implement the rules for transferring responsibility for counterfeit card fraud risks. Bank card clearing agencies should work with member institutions to further implement the risk responsibilities for counterfeit card fraud during the bank card acceptance process and protect the rights and interests of chip migration parties. Establish a complete complaint handling mechanism to properly handle fraud risk events and effectively protect the legitimate rights and interests of customers.

4. Strictly implement various regulations and increase supervision and penalties

(1) Strictly implement national network security regulations and standards. All commercial banks, payment institutions, and bank card clearing agencies must strictly implement relevant national network security and information technology security regulations and use commercial encryption products approved by the national encryption management agency. First, the client software, acceptance terminals, bank cards, digital certificates, dynamic token devices, etc. involved should comply with relevant national and financial industry standards and pass the security assessment of an institution accredited by the national certification and accreditation management department. Second, the construction and operation of business systems should comply with the relevant requirements of national information security level protection. Third, business systems and backup systems should be deployed within China in accordance with relevant national network security requirements.

(2) Establish and improve the supervision and inspection mechanism.

The branches of the People's Bank of China must attach great importance to this work and pursue it persistently: establish a bank card risk management leading group, establish a daily supervision and inspection mechanism, incorporate the safe operation of payment business systems, the security of acceptance terminals (including network payment interfaces), and the protection of sensitive payment information into law enforcement inspections, and coordinate guidance, policy publicity, law enforcement inspections, situation notifications, etc.

(3) Increase penalties for violations. The branches of the People's Bank of China shall strictly investigate interruptions of payment services, leakage of sensitive payment information, and loss of funds caused by modification of bank card acceptance terminals, low intensity of payment transaction verification, system security vulnerabilities, and cyber attacks, and shall impose strict penalties in accordance with relevant regulations such as the Management Measures for Bank Card Acquiring Business and the Measures for the Management of Online Payment Business of Non-bank Payment Institutions.

For serious cases, in accordance with the provisions of Article 46 of the Law of the People's Republic of China on the People's Bank of China, the relevant institutions and the directly responsible directors, senior managers and other directly responsible personnel will be punished; where a crime is suspected, it should be reported to the public security organs in a timely manner. For payment institutions where the circumstances are serious, the classification rating should also be lowered, up to cancellation of the "Payment Business License", in accordance with the "Measures for the Administration of Payment Services of Non-Financial Institutions" (People's Bank of China Order [2010] No. 2) and the "Measures for the Administration of Classified Ratings of Non-Bank Payment Institutions" (issued as Yinfa [2016] No. 106).

(4) Strengthen industry self-discipline and standards. The China Payment and Clearing Association shall, in accordance with the requirements of this notice and relevant regulations, formulate self-regulatory norms for the bank card risk management industry, establish self-regulatory inspection and violation restraint mechanisms, organize and implement them after reporting to the People's Bank of China before September 30, 2016, and supervise member units in strengthening self-discipline and strictly implementing the various regulations.

Reference material: Notice of the People's Bank of China on further strengthening bank card risk management