Registered by the
Ministry of Justice of the
Russian Federation
on September 23, 2020, No. 59991
of June 4, 2020 No. 719-P
About requirements for ensuring information security when making money transfers and about the procedure for control by the Bank of Russia of observance of the requirements for ensuring information security when making money transfers
This Provision, based on part 3 of article 27 of the Federal Law of June 27, 2011 No. 161-FZ "About national payment system" (The Russian Federation Code, 2011, No. 27, Art. 3872; 2019, No. 31, Art. 4423), establishes requirements for the ensuring of information security when making money transfers by operators on money transfer, bank payment agents (subagents), operators of services of information exchange, suppliers of payment applications, operators of payment service providers and operators of services of payment infrastructure, and also the procedure for control by the Bank of Russia of observance of the requirements for ensuring information security when making money transfers, within the supervision exercised by the Bank of Russia in the national payment system.
1.1. Operators on money transfer, bank payment agents (subagents), operators of services of information exchange and operators of services of payment infrastructure, as regards the requirements for ensuring information security when making money transfers that apply to the automated systems, software, computer equipment and telecommunication equipment whose operation and use operators on money transfer provide when making money transfers (further - objects of information infrastructure), shall ensure:
implementation of the information security levels established by this Provision for the objects of information infrastructure used for processing, transfer and storage of the information specified in paragraph one of Item 1.3 of this Provision for the purpose of making money transfers, as those levels are determined by the national standard of the Russian Federation GOST R 57580.1-2017 "Safety of financial (bank) transactions. Information security of the financial organizations. Basic structure of organizational and technical measures", approved by the order of the Federal Agency for Technical Regulation and Metrology of August 8, 2017 No. 822-st "About approval of the national standard of the Russian Federation" (M., Federal State Unitary Enterprise Standartinform, 2017) (further - GOST R 57580.1-2017);
annual penetration testing and analysis of information security vulnerabilities of objects of information infrastructure, taking into account the features provided by Items 3.8 and 3.9 of this Provision;
assessment of compliance with the information security levels established by this Provision (further - information security assessment of conformity), according to the national standard of the Russian Federation GOST R 57580.2-2018 "Safety of financial (bank) transactions. Information security of the financial organizations. Technique of assessment of conformity", approved by the order of the Federal Agency for Technical Regulation and Metrology of March 28, 2018 No. 156-st "About approval of the national standard of the Russian Federation" (M., Federal State Unitary Enterprise Standartinform, 2018) (further - GOST R 57580.2-2018), taking into account the features provided by Items 2.3, 2.4, 3.6 - 3.9, 4.4, 4.5, 6.7 and 6.8 of this Provision.
Information security assessment of conformity shall be performed by engaging third parties that hold a license for activities on technical protection of confidential information covering the work and services provided for by subitems "b", "d" or "e" of item 4 of the Regulations on licensing of activities for technical protection of confidential information approved by the order of the Government of the Russian Federation of February 3, 2012 No. 79 "About licensing of activities for technical protection of confidential information" (The Russian Federation Code, 2012, No. 7, Art. 863; 2016, No. 26, Art. 4049) (further respectively - the checking organization, the order of the Government of the Russian Federation No. 79).
Operators on money transfer, bank payment agents (subagents), operators of services of information exchange and operators of services of payment infrastructure shall ensure that the report prepared by the checking organization on the results of the information security assessment of conformity is stored for at least five years from the date of its issue by the checking organization.
1.2. Operators on money transfer, bank payment agents (subagents), operators of services of information exchange and operators of services of payment infrastructure, as regards the requirements for ensuring information security when making money transfers that apply to application software of the automated systems and applications, taking into account the features provided by Items 3.8 - 3.10, 4.6 and 6.10 of this Provision, shall ensure the use of the following software that processes the information specified in paragraph one of Item 1.3 of this Provision and that has undergone certification in the certification system of the Federal Service for Technical and Export Control, or assessment of conformity to the requirements for an evaluation assurance level (further - OUD) not lower than OUD 4 according to the requirements of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013 "Information technology. Methods and safety controls. Criteria for evaluation of safety of information technologies. Part 3. Trust components to safety", approved by the order of the Federal Agency for Technical Regulation and Metrology of November 8, 2013 No. 1340-st "About approval of the national standard" (M., Federal State Unitary Enterprise Standartinform, 2014) (further - GOST R ISO/IEC 15408-3-2013):
application software of the automated systems and applications distributed to clients of operators on money transfer for performing actions that are directly connected with making money transfers;
the software operated on the sites used for accepting documents connected with making money transfers that are drawn up in electronic form (further - electronic messages) for execution in the automated systems and applications with use of the Internet (further - Internet network).
To assess the conformity of application software of the automated systems and applications, operators on money transfer, bank payment agents (subagents), taking into account the features stipulated in Item 3.11 of this Provision, operators of services of information exchange and operators of services of payment infrastructure shall engage the checking organizations.
1.3. Operators on money transfer, bank payment agents (subagents), operators of services of information exchange and operators of services of payment infrastructure, as regards the requirements for ensuring information security when making money transfers that apply to the technology of processing the information prepared, processed and stored on the sites of: identification, authentication and authorization of clients of operators on money transfer when performing actions for the purpose of making money transfers; forming (preparation), transfer and acceptance of electronic messages; certification of the right of clients of operators on money transfer to dispose of money; making of money transfers; accounting of results of money transfers; storage of electronic messages and information on the transferred money (further respectively - the protected information, technological sites), shall ensure:
integrity and reliability of the protected information;
regulation, implementation and control (monitoring) of the technology of processing of the protected information;
registration of the results of actions connected with access to the protected information.
1.4. Operators on money transfer, bank payment agents (subagents), operators of services of information exchange and operators of services of payment infrastructure shall ensure registration of the results of the following actions connected with access to the protected information:
identification, authentication and authorization of clients of operators on money transfer when performing actions for the purpose of making money transfers;
acceptance of electronic messages from clients of operators on money transfer;
acceptance (transfer) of electronic messages in the interaction of operators on money transfer, bank payment agents (subagents), operators of services of information exchange and operators of services of payment infrastructure when making money transfers, including for certification of the right of clients of operators on money transfer to dispose of money and for accounting of results of money transfers;
implementation of the measures directed to checking the correctness of forming (preparation) of electronic messages (double control), applied according to subitem 1.9 of Item 1 of appendix 1 to this Provision;
access by workers to the protected information and actions by clients of operators on money transfer with the protected information, carried out with use of the automated systems and software.
The following data on the operations performed by workers with use of the automated systems and software are subject to registration:
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.
The document ceased to be valid as of April 1, 2024 according to Item 9.3 of the Provision of the Central Bank of the Russian Federation of August 17, 2023 No. 821-P