Registered by the Ministry of Justice of the Russian Federation on December 6, 2023, No. 76286
Provision of August 17, 2023 No. 821-P
On requirements for ensuring information security when making money transfers and on the procedure for the Bank of Russia's control of compliance with requirements for ensuring information security when making money transfers
This Provision, based on part 3 of Article 27 of Federal Law of June 27, 2011 No. 161-FZ "On the National Payment System", establishes the requirements for ensuring information security when making money transfers that apply to money transfer operators, bank payment agents (subagents), operators of information exchange services, suppliers of payment applications, operators of payment service providers, operators of payment infrastructure services and operators of electronic platforms, as well as the procedure for the Bank of Russia's control of compliance with the requirements for ensuring information security when making money transfers within the supervision exercised by the Bank of Russia in the national payment system.
1.1. Money transfer operators, bank payment agents (subagents), operators of information exchange services, operators of payment infrastructure services and operators of electronic platforms, in order to implement the requirements for ensuring information security when making money transfers (hereinafter - requirements for ensuring information security) that apply to the automated systems, software, computer equipment and telecommunication equipment whose operation and use are provided when making money transfers by money transfer operators (hereinafter - objects of information infrastructure), shall:
apply information protection measures whose implementation ensures the levels of information security provided for in Item 6.7 of Section 6 of the national standard of the Russian Federation GOST R 57580.1-2017 "Safety of financial (bank) transactions. Information security of the financial organizations. Basic structure of organizational and technical measures", approved by order of the Federal Agency for Technical Regulation and Metrology of August 8, 2017 No. 822-st <1> (hereinafter - GOST R 57580.1-2017), for the objects of information infrastructure used for processing, transfer and storage of the information specified in paragraph one of Item 1.3 of this Provision for the purpose of making money transfers;
--------------------------------
<1> Moscow: Federal State Unitary Enterprise Standartinform, 2017.
conduct annual penetration testing of the information infrastructure and analysis of information security vulnerabilities of objects of information infrastructure, including in accordance with Items 3.8 and 3.9 of this Provision;
carry out an assessment of conformity to the information security levels (hereinafter - information security conformity assessment) in accordance with the provisions of Section 6 of the national standard of the Russian Federation GOST R 57580.2-2018 "Safety of financial (bank) transactions. Information security of the financial organizations. Technique of assessment of conformity", approved by order of the Federal Agency for Technical Regulation and Metrology of March 28, 2018 No. 156-st <1> (hereinafter - GOST R 57580.2-2018), and Items 2.3, 2.4, 3.6 - 3.9, 4.4, 4.5, 6.7 and 6.8 of this Provision.
--------------------------------
<1> Moscow: Federal State Unitary Enterprise Standartinform, 2018.
The information security conformity assessment shall be performed with the involvement of organizations holding a license for activities on technical protection of confidential information for the work and services provided for in subitems "b", "d" or "e" of Item 4 of the Regulations on licensing of activities for technical protection of confidential information, approved by the order of the Government of the Russian Federation of February 3, 2012 No. 79 (hereinafter - the checking organization).
For the purpose of ensuring information security, money transfer operators, bank payment agents (subagents), operators of information exchange services, operators of payment infrastructure services and operators of electronic platforms shall keep the result of the information security conformity assessment, prepared by the checking organization in the form of a report, for at least five years from the date of its issue by the checking organization.
1.2. Money transfer operators, bank payment agents (subagents), operators of information exchange services, operators of payment infrastructure services and the operators of electronic platforms specified in subitem 1.4.3 of Item 1.4 of the Provision of the Bank of Russia of April 20, 2021 No. 757-P "On establishing requirements for ensuring information security, mandatory for non-credit financial organizations, when carrying out activities in the sphere of the financial markets for the purpose of countering illegal financial transactions" <1> (hereinafter - the Provision of the Bank of Russia of April 20, 2021 No. 757-P) shall fulfill the requirements for ensuring information security that apply to application software of automated systems and applications, including in accordance with Items 2.5, 3.8 - 3.10, 4.6, 6.9 and 6.10 of this Provision.
--------------------------------
<1> Registered by the Ministry of Justice of the Russian Federation on June 15, 2021, registration No. 63880.
Money transfer operators, bank payment agents (subagents), operators of information exchange services, operators of payment infrastructure services, and also the operators of electronic platforms specified in paragraph one of this Item shall use the following software, which has undergone certification in the certification system of the Federal Service for Technical and Export Control according to the procedure established by the order of the Government of the Russian Federation of June 26, 1995 No. 608 "On certification of means of information protection" (hereinafter - certification), or has undergone conformity assessment against the requirements for an evaluation assurance level (hereinafter - OUD) not lower than OUD 4, provided for in Item 7.6 of Section 7 of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013 "Information technology. Methods and safety controls. Criteria for evaluation of safety of information technologies. Part 3. Trust components to safety", approved by order of the Federal Agency for Technical Regulation and Metrology of November 8, 2013 No. 1340-st <2> (hereinafter respectively - conformity assessment of application software of automated systems and applications, as well as separate software; GOST R ISO/IEC 15408-3-2013), and which processes the information specified in paragraph one of Item 1.3 of this Provision:
--------------------------------
<2> Moscow: Federal State Unitary Enterprise Standartinform, 2014.
application software of automated systems and applications distributed to clients of money transfer operators for performing actions directly connected with making money transfers;
software operated on the sites used to accept documents connected with making money transfers and drawn up in electronic form (hereinafter - electronic messages) for execution in automated systems and applications using the Internet (hereinafter - Internet network).
By decision of the money transfer operators, bank payment agents (subagents), operators of information exchange services, operators of payment infrastructure services and operators of electronic platforms specified in subitem 1.4.3 of Item 1.4 of the Provision of the Bank of Russia of April 20, 2021 No. 757-P, the conformity assessment of application software of automated systems and applications is conducted independently or with the involvement of the checking organization.
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.