JR/T 0185-2020 Commercial bank application programming interface secure management specification
1 Scope
This standard specifies the types and security levels, security design, security deployment, security integration, security operation & maintenance, service termination and system offline, security management and other security technical and security guarantee requirements of commercial bank application programming interface.
This standard is applicable to the design and application of commercial bank application programming interface for the external interconnection, to guide banking financial institutions engaged in or participating in the commercial bank application programming interface services, application agency of integrated interface services to carry out relevant works, and to provide references for third-party security assessment institutions and other units to conduct security inspection and assessment works (for the interface type relationship, please refer to Annex A). This standard may also serve as a reference for the design and application of other types of application programming interfaces.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security techniques - Terminology
JR/T 0071 Implementation guidelines for classified protection of cybersecurity of financial industry
JR/T 0124-2014 Specification for financial organization code
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
application programming interface
set of pre-defined functions, through which or whose combination developers can conveniently access related services, without focusing on the design and implementation of the services
3.2
application agency
institutions that invoke the commercial bank application programming interface
3.3
application programming interface unique ID
unique ID defined by commercial banks themselves to distinguish the functions of commercial bank application programming interfaces
3.4
uniform application programming interface ID
commercial bank uniform application programming interface ID generated by commercial banks according to the coding rules issued by the industry's competent departments
Note: It is used to identify the organization code, interface type, service category, interface sequence number and other contents of commercial banks.
3.5
software development kit
collection of software development tools used when building applications based on specific software packages, software frameworks, hardware platforms, operating systems, etc.
3.6
application unique ID
unique ID granted by a commercial bank based on the type of financial products and services invoked by the application agency after the identity verification of the application agency is passed
Note: It includes two types: server-side application ID and mobile terminal application software ID.
3.7
application secret
application legitimacy authentication credentials, used in conjunction with the application unique ID, to verify the legitimacy of applications accessed via API. Once the access verification is successful, the system connection can be completed, and the application programming interface can be invoked or the functions and data provided by the application programming interface can be used
3.8
financial mobile application software
application software that provides financial transaction services to users on mobile terminals
Note: Including but not limited to executable files, components, etc.
3.9
personal financial information
personal information obtained, processed and retained by financial institutions through providing financial products and services or other channels
Note 1: Including account information, authentication information, financial transaction information, personal identity information, property information, loan information, and other information that reflects certain circumstances of a specific individual.
Note 2: It is revised from Definition 3.1, GB/T 35273-2017.
Contents
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Acronym
5 General
6 Interface types and security levels
7 Security design
8 Security deployment
9 Security integration
10 Security operation & maintenance
11 Service termination and system offline
12 Security management
Annex A (Normative) Schematic diagram of commercial bank application programming interface relationships
Annex B (Normative) Coding rules for the commercial bank uniform application programming interface ID
Bibliography
Commercial bank application programming interface secure management specification
Chinese Name
商业银行应用程序接口安全管理规范
Chinese Classification
A11
Professional Classification
JR
ICS Classification
Issued by
People's Bank of China
Issued on
2020-02-13
Implemented on
2020-2-13
Status
valid
Superseded by
Superseded on
Abolished on
Superseding
Language
English
File Format
PDF
Word Count
9500 words
Price(USD)
285.0
Keywords
JR/T 0185-2020, JR 0185-2020, JRT 0185-2020, JR/T0185-2020, JR/T 0185, JR/T0185, JR0185-2020, JR 0185, JR0185, JRT0185-2020, JRT 0185, JRT0185
Introduction of JR/T 0185-2020
JR/T 0185-2020 Commercial bank application programming interface secure management specification
1 Scope
This standard specifies the types and security levels, security design, security deployment, security integration, security operation & maintenance, service termination and system offline, security management and other security technical and security guarantee requirements of commercial bank application programming interface.
This standard is applicable to the design and application of commercial bank application programming interface for the external interconnection, to guide banking financial institutions engaged in or participating in the commercial bank application programming interface services, application agency of integrated interface services to carry out relevant works, and to provide references for third-party security assessment institutions and other units to conduct security inspection and assessment works (for the interface type relationship, please refer to Annex A). This standard may also serve as a reference for the design and application of other types of application programming interfaces.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security techniques - Terminology
JR/T 0071 Implementation guidelines for classified protection of cybersecurity of financial industry
JR/T 0124-2014 Specification for financial organization code
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
application programming interface
set of pre-defined functions, through which or whose combination developers can conveniently access related services, without focusing on the design and implementation of the services
3.2
application agency
institutions that invoke the commercial bank application programming interface
3.3
application programming interface unique ID
unique ID defined by commercial banks themselves to distinguish the functions of commercial bank application programming interfaces
3.4
uniform application programming interface ID
commercial bank uniform application programming interface ID generated by commercial banks according to the coding rules issued by the industry's competent departments
Note: It is used to identify the organization code, interface type, service category, interface sequence number and other contents of commercial banks.
3.5
software development kit
collection of software development tools used when building applications based on specific software packages, software frameworks, hardware platforms, operating systems, etc.
3.6
application unique ID
unique ID granted by a commercial bank based on the type of financial products and services invoked by the application agency after the identity verification of the application agency is passed
Note: It includes two types: server-side application ID and mobile terminal application software ID.
3.7
application secret
application legitimacy authentication credentials, used in conjunction with the application unique ID, to verify the legitimacy of applications accessed via API. Once the access verification is successful, the system connection can be completed, and the application programming interface can be invoked or the functions and data provided by the application programming interface can be used
3.8
financial mobile application software
application software that provides financial transaction services to users on mobile terminals
Note: Including but not limited to executable files, components, etc.
3.9
personal financial information
personal information obtained, processed and retained by financial institutions through providing financial products and services or other channels
Note 1: Including account information, authentication information, financial transaction information, personal identity information, property information, loan information, and other information that reflects certain circumstances of a specific individual.
Note 2: It is revised from Definition 3.1, GB/T 35273-2017.
Contents of JR/T 0185-2020
Contents
Foreword i
1 Scope
2 Normative references
3 Terms and definitions
4 Acronym
5 General
6 Interface types and security levels
7 Security design
8 Security deployment
9 Security integration
10 Security operation & maintenance
11 Service termination and system offline
12 Security management
Annex A (Normative) Schematic diagram of commercial bank application programming interface relationships
Annex B (Normative) Coding rules for the commercial bank uniform application programming interface ID
Bibliography
