Document from CIS Legislation database © 2003-2020 SojuzPravoInform LLC

It is registered

Ministry of Justice

Russian Federation

On June 14, 2012 No. 24575

PROVISION OF CENTRAL BANK OF THE RUSSIAN FEDERATION

of June 9, 2012 No. 382-P

About requirements to ensuring information security when implementing money transfers and about procedure the Bank of Russia of control of observance of requirements to ensuring information security when implementing money transfers

(as amended on 07-05-2018)

Chapter 1. General provisions

1.1. Based on the Federal Law of June 27, 2011 No. 161-FZ "About national payment system" (The Russian Federation Code, 2011, No. 27, of the Art. 3872) (further - the Federal Law No. 161-FZ) this Provision establishes requirements according to which operators on money transfer, bank payment agents (subagents), operators of payment service providers, operators of services of payment infrastructure provide information security when implementing money transfers (further - requirements to ensuring information security when implementing money transfers), and also establishes procedure the Bank of Russia of control of observance of requirements to ensuring information security when implementing money transfers within the supervision exercised by the Bank of Russia in national payment system.

1.2. The operator on money transfer provides accomplishment by bank payment agents (subagents) involved in activities for rendering services in money transfer, requirements to ensuring information security when implementing money transfers taking into account the list of the transactions which are carried out by bank payment agents (subagents), and the used automated systems, the software, computer aids, the telecommunication equipment which operation is provided with bank payment agents (subagents).

The operator on money transfer provides control of observance by bank payment agents (subagents) involved in activities for rendering services in money transfer, requirements to information security when implementing money transfers.

1.3. For work on ensuring information security when implementing money transfers operators on money transfer, bank payment agents (subagents), operators of payment service providers, operators of services of payment infrastructure can attract the organizations having licenses for activities for technical protection of confidential information and (or) for activities for development and production of remedies of confidential information.

Chapter 2. Requirements to ensuring information security when implementing money transfers

2.1. Requirements to ensuring information security when implementing money transfers are applied to ensuring protection of the following information (further - the protected information):

information on balances in cash on bank accounts;

information on remaining balance of electronic money;

information on committed money transfers, including information containing in notices (confirmations) concerning acceptance to execution of orders of members of payment service provider and also in notices (confirmations) concerning execution of orders of members of payment service provider; the requirement about reference of information on committed money transfers to the protected information which is stored in the operational centers of payment systems with use of payment cards or being outside the Russian Federation, is established by the operator of payment system;

information containing in the orders of clients of operators which are drawn up within the applied form of clearing settlements on money transfer (further - clients), orders of members of payment service provider, orders of payment clearing center;

information on payment clearing line items;

information necessary for the certificate clients of the right of the order money, including these holders of payment cards;

key information of the means of cryptographic information security (further - SKZI) used when implementing money transfers (further - cryptographic keys);

information on the configuration determining parameters of work of the automated systems, the software, computer aids, the telecommunication equipment which operation is provided with the operator on money transfer, the operator of services of payment infrastructure, the bank payment agent (subagent), and used for implementation of money transfers (further - objects of information infrastructure), and also information on the configuration determining parameters of operation of technical means of information security;

information of limited access, including personal data and other information which is subject to the obligatory protection in accordance with the legislation of the Russian Federation processed when implementing money transfers.

2.2. Requirements to ensuring information security when implementing money transfers include:

the requirements to ensuring information security when implementing money transfers applied to information security in case of appointment and distribution of the functional rights and obligations (further - roles) the faces tied with implementation of money transfers;

the requirements to ensuring information security when implementing money transfers applied to information security at stages of creation, operation (proper use, maintenance and repair), upgrades, removals from operation of objects of information infrastructure;

the requirements to ensuring information security when implementing money transfers applied to information security when implementing access to objects of information infrastructure including the requirements to ensuring information security when implementing money transfers applied to information security from unauthorized access;

the requirements to ensuring information security when implementing money transfers applied to information security from impact of the program codes leading computer aids to violation of regular functioning (further - malicious code);

requirements to ensuring information security when implementing money transfers with use of the Internet (further - Internet network);

the requirements to ensuring information security when implementing money transfers applied to information security when using SKZI;

requirements to ensuring information security when implementing money transfers with use of interconnected set of organizational measures of protection of information and the technical means of information security used to control of accomplishment of technology of processing of the protected information when implementing money transfers (further - technological measures of protection of information);

requirements to the organization and functioning of the division (workers) responsible (responsible) for the organization and control of ensuring information security (further - service of information security);

requirements to increase in awareness of employees of operator on money transfer, the bank payment agent (subagent) who is the legal entity, the operator of services of payment infrastructure and clients (further - increase in awareness) in the field of ensuring information security;

requirements to identification of the incidents connected with violations of requirements to ensuring information security when implementing money transfers and to response to them;

requirements to determination and realization of procedure for ensuring information security when implementing money transfers;

requirements to assessment of accomplishment by the operator of payment system, the operator on money transfer, the operator of services of payment infrastructure of requirements to ensuring information security when implementing money transfers;

requirements to finishing by the operator on money transfer, the operator of services of payment infrastructure to the operator of payment system of information on providing in payment system of information security when implementing money transfers;

requirements to enhancement of payment system by the operator, operator on money transfer, the operator of services of payment infrastructure of information security when implementing money transfers.

The operator on money transfer, the operator of payment service provider, operator of services of payment infrastructure shall carry events which brought to the incidents connected with violations of requirements to ensuring information security when implementing money transfers or can lead to implementation of money transfers without the consent of the client, to non-rendering of services in money transfer, including included in the list of types of incidents approved with the federal executive body authorized in the field of safety, and posted by the Bank of Russia on the official site of the Bank of Russia on the Internet (further - the list of types of incidents).

Paragraphs the seventeenth - the nineteenth voided according to the Instruction of the Central bank of the Russian Federation of 07.05.2018 No. 4793-U

Requirements to ensuring information security when implementing money transfers in addition to the requirements specified in paragraphs the second - the fifteenth this Item, include:

requirements to ensuring information security when implementing money transfers using ATMs and payment terminals;

requirements to ensuring information security when implementing money transfers using payment cards.

2.3. Fulfillment of requirements to ensuring information security when implementing money transfers is provided taking into account parameters and statistics of the carried-out transactions connected with implementation of money transfers, quantity and nature of the revealed incidents connected with violation of requirements to ensuring information security when implementing money transfers, way:

2.3.1. choice of organizational measures of protection of information; determinations in internal documents of the operator on money transfer, the bank payment agent (subagent), the operator of payment service providers, operator of services of payment infrastructure of procedure for application of organizational measures of protection of information; determinations of persons responsible for application of organizational measures of protection of information; applications of organizational measures of protection; realization of control of application of organizational measures of protection of information; accomplishment of other necessary actions connected using organizational measures of protection of information;

2.3.2. choice of technical means of information security; determinations in internal documents of the operator on money transfer, the bank payment agent (subagent), the operator of payment service providers, operator of services of payment infrastructure of procedure for use of technical means of information security including information on configuration determining parameters of operation of technical means of information security; appointments of persons responsible for use of technical means of information security; uses of technical means of information security; realization of control of use of technical means of information security; accomplishment of other necessary actions connected with use of technical means of information security;

2.3.3. applications of the objects of information infrastructure having the functional and design features connected with ensuring information security when implementing money transfers and realization of control of their functioning.

2.4. The structure of requirements to ensuring information security when implementing the money transfers applied to information security in case of appointment and cast of faces tied with implementation of money transfers joins the following requirements.

2.4.1. The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure provide registration of persons having rights:

on implementation of access to the protected information;

on management of cryptographic keys;

on impact on objects of information infrastructure which can lead to violation of provision of services on implementation of money transfers, except for ATMs, payment terminals and electronic instruments of payment.

The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure provide registration of the workers having rights on forming of the electronic messages containing orders about implementation of money transfers (further - electronic messages).

2.4.2. The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure provide realization of prohibition of accomplishment by one person at once to time of the following roles:

the roles connected with creation (upgrade) of object of information infrastructure and operation of object of information infrastructure;

the roles connected with operation of object of information infrastructure regarding its proper use and operation of object of information infrastructure regarding its maintenance and repair.

2.4.3. The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure provide control and registration of actions of persons which appoints the roles determined in subitem 2.4.1 of this Item.

2.5. The structure of requirements to ensuring information security when implementing the money transfers applied to information security at stages of creation, operation, upgrade, removal from operation of objects of information infrastructure joins the following requirements.

2.5.1. The operator on money transfer, the operator of services of payment infrastructure provide inclusion in specifications on creation (upgrade) of objects of information infrastructure of requirements to ensuring information security when implementing money transfers.

2.5.2. The operator on money transfer, the bank payment agent (subagent) who is the legal entity, the operator of services of payment infrastructure provide participation of service of information security in development and coordination of specifications on creation (upgrade) of objects of information infrastructure.

2.5.3. The operator on money transfer, the bank payment agent (subagent) who is the legal entity, the operator of services of payment infrastructure provide control from service of information security of compliance of the created (modernized) objects of information infrastructure to requirements of specifications.

2.5.4. The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure provide:

availability of operational documentation on the used technical means of information security;

control of fulfillment of requirements of operational documentation on the used technical means of information security during all term of their operation;

recovery of functioning of the technical means of information security used when implementing money transfers in cases of failures and (or) refusals in their work.

2.5.5. The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure provide realization of prohibition of use of the protected information at stage of creation of objects of information infrastructure.

2.5.5.1. To the operator on money transfer, the operator of services of payment infrastructure at stages of creation and operation of objects of information infrastructure it is necessary to provide:

use for implementation of the money transfers of application software automated the systems and appendices certified in system of certification of the Federal Service for Technical and Export Control on compliance to requirements for safety of information, including requirements for the analysis of vulnerabilities and control of lack of not declared opportunities, in accordance with the legislation of the Russian Federation or concerning which the analysis of vulnerabilities according to requirements to estimative level of credibility not below than by OUD 4 according to requirements of the national standard of the Russian Federation state standard specification P ISO/MEK 15408-3-2013 "The national standard of the Russian Federation is carried out. Information technology. Methods and safety controls. Criteria for evaluation of safety of information technologies. Part 3. Trust components to safety", the Federal Agency for Technical Regulation and Metrology approved by the order of November 8, 2013 No. 1340 of St "About approval of the national standard" (M., Federal State Unitary Enterprise Standartinform, 2014) (further - state standard specification P ISO/MEK 15408-3-2013);

annual testing for penetration and analysis of vulnerabilities of information security of objects of information infrastructure.

For carrying out the analysis of vulnerabilities in application software of the automated systems and appendices to the operator on money transfer, the operator of services of payment infrastructure it is necessary to attract the organization having license for activities on technical protection of confidential information on work and the services provided by subitems "b", "d" or "e" of item 4 of the Regulations on licensing of activities for technical protection of confidential information approved by the order of the Government of the Russian Federation of February 3, 2012 No. 79 "About licensing of activities for technical protection of confidential information" (The Russian Federation Code, 2012, No. 7, Art. 863; 2016, No. 26, the Art. 4049) (further - the order of the Government of the Russian Federation No. 79).

In case of upgrade of objects of information infrastructure according to the decision of the operator on money transfer, the operator of services of payment infrastructure the analysis of vulnerabilities only of the objects of information infrastructure subjected to upgrade is carried out.

2.5.6. The operator on money transfer, the bank payment agent (subagent), the operator of services of payment infrastructure at stages of operation and removal from operation of objects of information infrastructure provide:

realization of prohibition of unauthorized copying of the protected information;

protection of backup copies of the protected information;

destruction of the protected information in cases when the specified information is not used any more, the information moved to archives, maintaining except for protected and which safety are provided by legal acts of the Russian Federation, regulations of the Bank of Russia, rules of payment system and (or) agreements signed by the operator on money transfer, the bank payment agent (subagent), the operator of payment service provider, operator of services of payment infrastructure;

destruction of the protected information including containing in archives, the method providing impossibility of its recovery;

2.5.7. In case of development of the software, held for use the client when implementing money transfers, independently or with attraction of third parties, and also in case of development of changes of the specified software the operator on money transfer provides realization in the specified software of functions, connected:

with fulfillment of requirements to information security when implementing money transfers;

Warning!!!

This is not a full text of document! Document shown in Demo mode!

If you have active License, please Login, or get License for Full Access.

With Full access you can get: full text of document, original text of document in Russian, attachments (if exist) and see History and Statistics of your work.

Get License for Full Access Now

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info

Effectively work with search system

Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system

Get help

If you cannot find the required document, or you do not know where to begin, go to Help section.

In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.

You also may open the section Frequently asked questions. This section provides answers to questions set by users.

Search engine created by SojuzPravoInform LLC. UI/UX design by Intelliants.