| Content: |
Article 1
These Regulations are enacted pursuant to Paragraph 2, Article 4 of the Act Governing Issuance of Electronic Stored Value Cards. Article 2
Issuers shall establish security measures in accordance with the security requirements and design set forth in these Regulations to ensure the security of the electronic stored value cards so as to protect the interests of consumers. Article 3
The term "security requirements and design" mentioned in the preceding paragraph means the following:
1. For card transactions, an issuer shall implement the requirements set forth in these Regulations for the confidentiality, integrity, authentication and non-repeatability of transaction information in accordance with the level of card applications
2. For card management, an issuer shall take measures to protect its transaction system and the transaction systems of its contracted merchants and recharge institutions from the threat of unauthorized access or intrusion, and attack, and to effectively uphold the integrity and confidentiality of the transaction system, protect its operational security and maintain high level of availability.
3. For terminal equipment and user environment, an issuer shall implement security control and strengthen the security of terminal equipment to protect it from illegal transaction or tampering.
4. For the issuance of electronic stored value cards, an issuer shall choose proper type of card based on the level of applications. Article 4
The terms as used in this Act shall have the following meanings:
1. "Recharge institution" means a certain institution that provides the card recharge services on behalf of an issuer at its request.
2. "Online transaction" means a cardholder using an electronic equipment or communication equipment to instantly connect directly with the issuer or via a contracted merchant or a recharge institution through any type of network to carry out a transaction, which includes instant message transmission between a contracted merchant and the issuer, between a recharge institution and the issuer, and between a recharge institution or a contracted merchant with its terminal equipment.
3. The term "type of network" referred to in the preceding subparagraph includes:
(1) Dedicated network: Using an electronic equipment or communication equipment to carry out message transmission directly via dial-up, leased line or virtual private network (VPN) connection.
(2) Internet: Using an electronic equipment or communication equipment to carry out message transmission through an Internet service provider.
(3) Mobile network: Using an electronic equipment or communication equipment to carry out message transmission through a telecommunication service provider.
4. "Off-line transaction" means a cardholder of electronic stored value card carrying out transaction at the terminal equipment of a contracted merchant or recharge institution through all kinds of interface without connecting instantly with the issuer.
5. The term "kinds of interface" referred to in the preceding subparagraph includes:
(1) Contact interface: Using magnetic, optical or electronic type of stored value card to carry out message transmission with the terminal equipment of a contracted merchant or recharge institution by means of direct contact.
(2) Contactless interface: Using an electronic stored value card produced with radio frequency, infrared or other wireless communication technology to carry out message transmission with the terminal equipment of a contracted merchant or recharge institution without direct contact.
(3) Network and other offline manners: Using an electronic stored value card to carry out message transmission with a remote contracted merchant or recharge institution via a network, communication equipment or other means without connecting instantly with the issuer for authorization.
6. Types of transaction:
(1) "Online purchase transaction" means when a purchase transaction takes place, the authentication of the transaction is carried out by transmitting the related information to the issuer for processing through connection.
(2) "Offline purchase transaction" means when a purchase transaction takes place, the authentication of the transaction does not require the transmission of related information to the issuer for processing through connection.
(3) "Online recharge transactions" means when a recharge transaction takes place, the authorization of the transaction is carried out by transmitting the related information to the issuer for processing through connection.
(4) "Offline recharge transaction" means when a recharge transaction takes place, the authorization of recharge does not require the transmission of related information to the issuer for processing through connection.
(5) "Clearing and settlement transaction" includes the transmission of batch accounting information between a contracted merchant or recharge institution and its terminal equipment, the batch accounting information between a contracted merchant or recharge institution and the issuer, and offline recharge amount authorization request between a recharge institution and the issuer. Article 5
For the different types of transactions to which an electronic stored value card may use for, an issuer shall classify the card's application level (see table below) in accordance with these Regulations in consideration of the nature of product or service and amount of transaction involved.
1. Nature of product or servic
┌────────┬───────────────────┐
│Nature of │Description │
│product or │ │
│service │ │
├────────┼───────────────────┤
│Type 1 │To pay for government fees and service│
│ │fees of public utilities (as defined │
│ │in Article 2 of Act for the │
│ │Supervision of Privately Run Public │
│ │Utilities), school tuition and fees, │
│ │medical expenses, public │
│ │transportation services (as defined in│
│ │Article 2 of Mass Transportation │
│ │Development Act, and gondola, taxi and│
│ │public bicycle), and parking, or other│
│ │types of services that support │
│ │government policy, are offered for │
│ │public interest and have been approved│
│ │by the Competent Authority. │
├────────┼───────────────────┤
│Type 2 │To pay for all kinds of products or │
│ │services. │
└────────┴───────────────────┘
2. Amount of transaction
┌──────┬─────────────────────┐
│Amount of │Description │
│transaction │ │
├──────┼─────────────────────┤
│Small-sum │The electronic stored value card can be │
│transaction │used to pay for purchase transaction under│
│ │NT$1,000 only. │
├──────┼─────────────────────┤
│Unlimited- │The electronic stored value card is not │
│sum │limited to paying small-sum transactions. │
│transaction │ │
└──────┴─────────────────────┘
3. Application level
┌────────────┬───────┬───────┐
│Nature of product or │Type 1 │Type 2 │
│service │ │ │
├────┬───────┼───────┼───────┤
│Transac-│Small-sum │Level 1 │Level 1 │
│ │transaction │ │ │
│tion ├───────┼───────┼───────┤
│amount │Unlimited-sum │Level 1 │Level 2 │
│ │transaction │ │ │
└────┴───────┴───────┴───────┘ Article 6
For card transactions, an issuer shall ensure that the electronic stored value cards it issues meet the following security requirements:
1. Online purchase transaction
┌────────────┬───────┬───────┐
│Type of connection │Dedicated │Internet/ │
│ │network │mobile network│
├────────────┼───┬───┼───┬───┤
│ Application level│Level │Level │Level │Level │
│Protective measure │1 │2 │1 │2 │
├────────────┼───┼───┼───┼───┤
│Confidentiality │Not │Not │ A │ A │
│ │requi-│requi-│ │ │
│ │red │red │ │ │
├────────────┼───┼───┼───┼───┤
│Integrity │ B1 │ B1 │ B2 │ B2 │
├─────┬──────┼───┼───┼───┼───┤
│Authentic-│Authenticat-│ C1 │ C2 │ C1 │ C2 │
│ation │ion of │ │ │ │ │
│ │message or │ │ │ │ │
│ │cardholder │ │ │ │ │
├─────┴──────┼───┼───┼───┼───┤
│Non-repeatability │ F │ F │ F │ F │
└────────────┴───┴───┴───┴───┘
2. Off-line purchase transaction
┌────────────┬───────┬───────┐
│Type of interface │Contact/ │Network and │
│ │contactless │other offline │
│ │ │means │
├────────────┼───┬───┼───┬───┤
│ Application level│Level │Level │Level │Level │
│Protective measure │1 │2 │1 │2 │
├────────────┼───┼───┼───┼───┤
│Confidentiality │Not │Not │ A │ A │
│ │requi-│requi-│ │ │
│ │red │red │ │ │
├────────────┼───┼───┼───┼───┤
│Integrity │ B1 │ B2 │ B2 │ B2 │
├─────┬──────┼───┼───┼───┼───┤
│Authentic-│Authenticat-│ D1 │ D2 │ D2 │ D2 │
│tion │ion of │ │ │ │ │
│ │stored value│ │ │ │ │
│ │card │ │ │ │ │
│ ├──────┼───┼───┼───┼───┤
│ │Authenticat-│ E1 │ E2 │ E2 │ E2 │
│ │ion of │ │ │ │ │
│ │terminal │ │ │ │ │
├─────┴──────┼───┼───┼───┼───┤
│Non-repeatability │ F │ F │ F │ F │
└────────────┴───┴───┴───┴───┘
3. Online recharge transaction
┌────────────┬───────┬───────┐
│Type of connection │Contact/ │Internet/ │
│ │contactless │mobile network│
├────────────┼───┬───┼───┬───┤
│ Application level│Level │Level │Level │Level │
│Protective measure │1 │2 │1 │2 │
├────────────┼───┼───┼───┼───┤
│Confidentiality │Not │Not │ A │ A │
│ │requi-│requi-│ │ │
│ │red │red │ │ │
├────────────┼───┼───┼───┼───┤
│Integrity │ B1 │ B1 │ B2 │ B2 │
├─────┬──────┼───┼───┼───┼───┤
│Authentic-│Authenticat-│ E1 │ E2 │ E2 │ E2 │
│tion │ion of │ │ │ │ │
│ │issuer* │ │ │ │ │
├─────┴──────┼───┼───┼───┼───┤
│Non-repeatability │ F │ F │ F │ F │
└────────────┴───┴───┴───┴───┘
(*: Applicable to electronic stored value cards with authentication and value storage functions only)
4. Off-line recharge transaction
┌────────────┬───────┬───────┐
│Type of interface │Contact/ │Network and │
│ │contactless │other offline │
│ │ │means │
├────────────┼───┬───┼───┬───┤
│ Application level│level │level │level │level │
│Protective measure │1 │2 │1 │2 │
├────────────┼───┼───┼───┼───┤
│Confidentiality │Not │Not │ A │ A │
│ │requi-│requi-│ │ │
│ │red │red │ │ │
├────────────┼───┼───┼───┼───┤
│Integrity │ B1 │ B3 │ B3 │ B3 │
├─────┬──────┼───┼───┼───┼───┤
│Authentic-│Authenticat-│ E1 │ E2 │ E2 │ E2 │
│tion │ion of │ │ │ │ │
│ │terminal │ │ │ │ │
├─────┴──────┼───┼───┼───┼───┤
│Non-repeatability │ F │ F │ F │ F │
└────────────┴───┴───┴───┴───┘
五、帳務清算及結算交易
┌────────────┬───────┬───────┐
│Type of connection │Contact/ │Network and │
│ │contactless │other offline │
│ │ │means │
├────────────┼───┬───┼───┬───┤
│ Application level│level │level │level │level │
│Protective measure │1 │2 │1 │2 │
├────────────┼───┼───┼───┼───┤
│Confidentiality │Not │Not │ A │ A │
│ │requi-│requi-│ │ │
│ │red │red │ │ │
├────────────┼───┼───┼───┼───┤
│Integrity │ B1 │ B1 │ B2 │ B2 │
├─────┬──────┼───┼───┼───┼───┤
│Authentic-│Authenticat-│Not │Not │ C2 │ C2 │
│tion │ion of │requi-│requi-│ │ │
│ │message │red │red │ │ │
├─────┴──────┼───┼───┼───┼───┤
│Non-repeatability │ F │ F │ F │ F │
└────────────┴───┴───┴───┴───┘
6. Where the transaction information in Subparagraphs 1 ~ 5 above contains personal data as defined in the Computer-Processed Personal Data Protection Act, the issuer shall adopt symmetric or asymmetric cryptographic system to encrypt such personal data to ensure their confidentiality and prevent unauthorized access. The level of cryptographic strength of the cryptographic system shall not be lower than that required for confidentiality set out in Article 7 (A) herein. Article 7
The security design for confidentiality, integrity, authentication, and non-repeatability of transactions mentioned in the preceding articles shall meet the following requirements:
┌─────────────┬────────────────┐
│Protective measure │Basic principles of security │
│ │design │
├───────────┬─┼────────────────┤
│Confidentiality │A │Employ symmetric or asymmetric │
│ │ │cryptographic system to encrypt │
│ │ │the full text of message to │
│ │ │prevent unauthorized access to │
│ │ │the plaintext of message: │
│ │ │1. The symmetric cryptographic │
│ │ │ system shall adopt one of the │
│ │ │ algorithms below: │
│ │ │(1) The Triple Data Encryption │
│ │ │ Algorithm (TDEA), Two Key │
│ │ │ Triple Data Encryption │
│ │ │ Algorithm (2TDEA) with 112 │
│ │ │ key bits, or Three Key Triple│
│ │ │ Data Encryption Algorithm │
│ │ │ (3TDEA) with 168 key bits │
│ │ │ published by the U.S. │
│ │ │ National Institute of │
│ │ │ Standards and Technology │
│ │ │ (NIST); or │
│ │ │(2) The NIST Advanced Encryption│
│ │ │ Standard (AES Algorithm) with│
│ │ │ key size of 128, 192, or 256 │
│ │ │ bits. │
│ │ │2. The asymmetric cryptographic │
│ │ │ system shall adopt one of the │
│ │ │ algorithms below: │
│ │ │(1) The Rivest, Shamir, and │
│ │ │ Adleman Encryption Standard │
│ │ │ (RSA Algorithm) with key size│
│ │ │ of 1024 or 2048 bits; or │
│ │ │(2) The Elliptic Curve Digital │
│ │ │ Signature Algorithm (ECDSA │
│ │ │ Algorithm) with 256 bits │
│ │ │ prime modulus (P-256). │
├───────────┼─┼────────────────┤
│Integrity │B1│Employ one of the check sum │
│ │ │technologies below to prevent │
│ │ │malicious alteration of message:│
│ │ │1. Longitudinal Redundancy Check│
│ │ │(LRC). │
│ │ │2. Cyclic Redundancy Check │
│ │ │ (CRC). │
│ │ │3. Hashing algorithm to generate│
│ │ │ a message digest. │
│ ├─┼────────────────┤
│ │B2│Employ encryption/decryption │
│ │ │technology that can prevent │
│ │ │malicious alteration of message,│
│ │ │using, for example, Message │
│ │ │Authentication Code (MAC) for │
│ │ │symmetric system or Digital │
│ │ │Signature for asymmetric system.│
│ │ │1. The symmetric cryptographic │
│ │ │ system shall adopt one of the │
│ │ │ algorithms below: │
│ │ │(1) TDEA, 2TDEA with key size of│
│ │ │ 112 bits or 3TDEA with key │
│ │ │ size of 168 bits. │
│ │ │(2) AES Algorithm with key size │
│ │ │ of 128, 192, or 256 bits. │
│ │ │2. The asymmetric cryptographic │
│ │ │ system shall adopt one of the │
│ │ │ algorithms below: │
│ │ │(1) RSA Algorithm with key size │
│ │ │ of 1024 or 2048 bits. │
│ │ │(2) ECDSA Algorithm with 256 │
│ │ │ bits prime modulus (P-256). │
│ ├─┼────────────────┤
│ │B3│Besides the security │
│ │ │requirements set forth for B2, │
│ │ │the amount of recharge in the │
│ │ │recharge transaction message │
│ │ │must be included in the │
│ │ │computing of message integrity. │
├─────┬─────┼─┼────────────────┤
│Authenti- │Authenti- │C1│To ensure the accuracy of │
│cation │cation of │ │cardholder, any of the following│
│ │message or│ │methods can be used for │
│ │cardholder│ │authentication of cardholder: │
│ │ │ │1. User ID + fixed password. │
│ │ │ │2. Magnetic card + magnetic card│
│ │ │ │ password. │
│ │ │ │3. User ID + one-time password: │
│ │ │ │ One-time password (OTP) is │
│ │ │ │ generated using a one-time │
│ │ │ │ password generator, short │
│ │ │ │ message or other means. OTP is│
│ │ │ │ randomly generated and can be │
│ │ │ │ used only once. │
│ │ │ │4. Provide chip-based electronic│
│ │ │ │ stored value card with │
│ │ │ │ authentication function on the│
│ │ │ │ basis of cryptography. │
│ │ ├─┼────────────────┤
│ │ │C2│Employ chip-based electronic │
│ │ │ │stored value card or terminal │
│ │ │ │security module with │
│ │ │ │authentication function to │
│ │ │ │ensure the accuracy of message │
│ │ │ │source, using, for example, │
│ │ │ │Message Authentication Code │
│ │ │ │(MAC) for symmetric system or │
│ │ │ │Digital Signature for asymmetric│
│ │ │ │system. │
│ │ │ │1. The symmetric cryptographic │
│ │ │ │ system shall adopt one of the │
│ │ │ │ algorithms below: │
│ │ │ │(1) TDEA, 2TDEA with key size of│
│ │ │ │ 112 bits or 3TDEA with key │
│ │ │ │ size of 168 bits. │
│ │ │ │(2) AES Algorithm with key size │
│ │ │ │ of 128, 192, or 256 bits. │
│ │ │ │2. The asymmetric cryptographic │
│ │ │ │ system shall adopt one of the │
│ │ │ │ algorithms below: │
│ │ │ │(1) RSA Algorithm with key size │
│ │ │ │ of 1024 or 2048 bits. │
│ │ │ │(2) ECDSA Algorithm with 256 │
│ │ │ │ bits prime modulus (P-256). │
│ ├─────┼─┼────────────────┤
│ │Authenti- │D1│Employ symmetric or asymmetric │
│ │cation of │ │cryptographic system to │
│ │stored │ │authenticate the electronic │
│ │value card│ │stored value card from the │
│ │ │ │terminal equipment to prevent │
│ │ │ │the use of fraudulent electronic│
│ │ │ │stored value card. │
│ │ ├─┼────────────────┤
│ │ │D2│Employ symmetric or asymmetric │
│ │ │ │cryptographic system to │
│ │ │ │authenticate the electronic │
│ │ │ │stored value card with the │
│ │ │ │terminal equipment to prevent │
│ │ │ │the use of fraudulent electronic│
│ │ │ │stored value card. │
│ │ │ │1. The symmetric cryptographic │
│ │ │ │ system shall adopt one of the │
│ │ │ │ algorithms below: │
│ │ │ │(1) TDEA, 2TDEA with key size of│
│ │ │ │ 112 bits or 3TDEA with key │
│ │ │ │ size of 168 bits. │
│ │ │ │(2) AES Algorithm with key size │
│ │ │ │ of 128, 192, or 256 bits. │
│ │ │ │2. The asymmetric cryptographic │
│ │ │ │ system shall adopt one of the │
│ │ │ │ algorithms below: │
│ │ │ │(1) RSA Algorithm with key size │
│ │ │ │ of 1024 or 2048 bits. │
│ │ │ │(2) ECDSA Algorithm with 256 │
│ │ │ │ bits prime modulus (P-256). │
│ ├─────┼─┼────────────────┤
│ │Authenti- │E1│Employ symmetric or asymmetric │
│ │cation of │ │cryptographic system to verify │
│ │terminal/│ │the legality of terminal │
│ │issuer │ │equipment or issuer from the │
│ │ │ │electronic stored value card to │
│ │ │ │prevent unauthorized terminal │
│ │ │ │equipment from processing │
│ │ │ │transactions. │
│ │ ├─┼────────────────┤
│ │ │E2│Employ symmetric or asymmetric │
│ │ │ │cryptographic system to verify │
│ │ │ │the legality of terminal │
│ │ │ │equipment or issuer from the │
│ │ │ │electronic stored value card to │
│ │ │ │prevent unauthorized terminal │
│ │ │ │equipment from processing │
│ │ │ │transactions. │
│ │ │ │1. The symmetric cryptographic │
│ │ │ │ system shall adopt one of the │
│ │ │ │ algorithms below: │
│ │ │ │(1) NIST TDEA, 2TDEA with key │
│ │ │ │ size of 112 bits or 3TDEA │
│ │ │ │ with key size of 168 bits. │
│ │ │ │(2) NIST AES Algorithm with key │
│ │ │ │ size of 128, 192, or 256 │
│ │ │ │ bits. │
│ │ │ │2. The asymmetric │
│ │ │ │ encryption/decryption system │
│ │ │ │ shall adopt one of the │
│ │ │ │ algorithms below: │
│ │ │ │(1) RSA Algorithm with key size │
│ │ │ │ of 1024 or 2048 bits. │
│ │ │ │(2) ECDSA Algorithm with 256 │
│ │ │ │ bits prime modulus (P-256). │
├─────┴─────┼─┼────────────────┤
│Non-repeatability │F │Use the mechanism of sequence │
│ │ │number, date and time, time │
│ │ │series or cryptographic │
│ │ │challenge-response protocol to │
│ │ │prevent using the message of an │
│ │ │earlier successful transaction │
│ │ │to complete another transaction.│
└───────────┴─┴────────────────┘ Article 8
For card management, an issuer shall adopt the following protective measures:
┌─────────┬────────────────────┐
│Protective │Security requirements │
│measures │ │
├─────────┼────────────────────┤
│Establishing │1. Establish computer resources access │
│security │ control mechanism and security │
│strategies │ protection measures. │
│ │2. The transactions must be traceable. │
│ │3. Monitor illegal transactions. │
│ │4. Prevent small contracted merchants │
│ │ from making unwarranted payment │
│ │ deductions. │
│ │5. Sound key management. │
├─────────┼────────────────────┤
│Enhancing system │Enhance the security and availability of│
│security │the computer systems. │
├─────────┼────────────────────┤
│Drafting │Draft operations management rules. │
│operations │ │
│management rules │ │
└─────────┴────────────────────┘ Article 9
The security design to address the security requirements for an issuer with respect to card management as provided in the preceding article shall meet the following criteria:
┌─────────┬────────────────────┐
│Security │Security design │
│requirements │ │
├─────────┼────────────────────┤
│Establishing │Able to prevent unauthorized access to │
│computer resources│system resources and minimize the │
│access control │possibility of illegal entry by │
│mechanism and │implementing the following measures and │
│security │controls: │
│protection │1. Establish the hardware or software │
│measures. │ security systems, such as firewall, │
│ │ security software and detection │
│ │ software. │
│ │2. Control the number of wrong password │
│ │ entries. │
│ │3. Encrypt the password file of computer│
│ │ system. │
│ │4. Save the transaction log and audit │
│ │ trail. │
│ │5. Design access control, using, for │
│ │ example, password or ID card. │
│ │6. Implement login time control. │
│ │7. Use VPN for remote access. │
│ │8. Tiered management of system resources│
│ │ based on their significance and │
│ │ sensitivity. │
│ │9. Enforce the change of preset │
│ │ passwords for application software and│
│ │ network operating systems. │
│ │10. Ensure personal data protection when│
│ │ the system provides all kinds of │
│ │ service functions. │
├─────────┼────────────────────┤
│The transactions │The transaction log shall contain the │
│must be traceable │following information and be saved in │
│ │the mainframe of the issuer for future │
│ │reference: │
│ │1. User ID or card number. │
│ │2. Amount of transaction. │
│ │3. The ID of terminal equipment. │
│ │4. Transaction sequence number or │
│ │ transaction date and time. │
├─────────┼────────────────────┤
│Monitoring illegal│The issuer shall monitor illegal │
│transactions │transactions. │
├─────────┼────────────────────┤
│Prevent small │A contracted merchant with paid-in │
│contracted │capital less than NT$80,000,000 and │
│merchants from │annual revenue less than NT$60,000,000 │
│making unwarranted│shall allow cardholders to confirm a │
│payment deductions│transaction by any of the following │
│ │means, with the exceptions to │
│ │transactions involving Type 1 products │
│ │or services: │
│ │1. Card swiping or card insertion. │
│ │2. Input of password. │
│ │3. Any other system designs for │
│ │ cardholder to confirm a transaction. │
├─────────┼────────────────────┤
│Sound key │Key management shall give the following │
│management │security considerations: │
│ │1. Ensure the quality of keys (prevent │
│ │ the use of weak keys). │
│ │2. Ensure that the leak of key content │
│ │ will not occur during the use, │
│ │ storage, transfer or destruction of │
│ │ key. │
│ │3. Make duplicate of keys to ensure │
│ │ their usability. │
│ │4. Implement proper access control │
│ │ procedure for the upgrade or disposal │
│ │ of key storage equipment or medium to │
│ │ ensure that leakage of keys will not │
│ │ occur. │
├─────────┼────────────────────┤
│Enhance the │Offsite redundancy and failure │
│security and │prevention measures shall be │
│availability of │established, including: │
│the computer │1. Prepare backup mainframe, server, │
│systems │ communication equipment, networks, and│
│ │ peripheral equipment. │
│ │2. Install virus detection software to │
│ │ scan the network nodes and servers │
│ │ periodically. │
│ │3. Install the patches or hotfixes of │
│ │ systems if necessary. │
│ │4. Ensure the physical security of │
│ │ servers and network equipment. │
├─────────┼────────────────────┤
│Draft operations │The internal accountability system and │
│management rules │approval procedure of the issuer, │
│ │contracted merchants and recharge │
│ │institutions and attribution of │
│ │responsibility between them and the │
│ │cardholders shall include: │
│ │1. Security policy, standard, procedure │
│ │ or guidelines, including the equipment│
│ │ specifications. │
│ │2. Descriptions of security mechanisms │
│ │ and security procedures. │
│ │3. Key management measure or rules. │
│ │4. Security instructions for cardholders│
│ │ and a complete contract. │
└─────────┴────────────────────┘ Article 10
For terminal equipment and user environment, an issuer shall adopt the following protective measures:
┌─────────┬────────────────────┐
│Protective │Security requirements │
│measures │ │
├─────────┼────────────────────┤
│Establishing │1. Maintain the physical integrity of │
│security │ terminal and equipment and user │
│strategies │ environment. │
│ │2. Ensure the transaction security of │
│ │ terminal equipment. │
│ │3. Establish an effective or real-time │
│ │ blacklist management mechanism. │
│ │4. Reduce the probability of accidental │
│ │ trigger of transaction for contactless│
│ │ electronic stored value cards. │
│ │5. Design terminal security module for │
│ │ off-line recharge transactions. │
│ │6. Install surveillance equipment if │
│ │ Level 1 electronic stored value card │
│ │ is used for off-line transactions at a│
│ │ contracted merchant providing Type 2 │
│ │ products or services. │
│ │7. Directions for the development of │
│ │ Internet application systems. │
├─────────┼────────────────────┤
│Enhancing the │Implement measures to enhance the system│
│system │availability. │
│availability │ │
├─────────┼────────────────────┤
│Drafting │Draft operations management rules, which│
│operations │should be implemented in internal │
│management rules │environment management as well. │
└─────────┴────────────────────┘ Article 11
The security design to address the security requirements for an issuer with respect to terminal equipment and user environment as provided in the preceding article shall meet the following criteria:
┌─────────┬────────────────────┐
│Security │Security design │
│requirements │ │
├─────────┼────────────────────┤
│Maintain the │Adopt the following security designs: │
│physical integrity│1. Check periodically the quantity of │
│of terminal and │ relevant devices: │
│equipment and user│(1) Make sure each original facility is │
│environment │ properly numbered. │
│ │(2) Check the onsite facilities and │
│ │ devices to see if they are consistent│
│ │ with the original state. │
│ │(3) Create a checklist, conduct review │
│ │ regularly and follow up. │
│ │2. Make sure to sign a non-disclosure │
│ │ agreement with the terminal equipment │
│ │ supplier, and ask the supplier to │
│ │ create a list of terminal equipment │
│ │ installation and maintenance │
│ │ personnel, and automatically notify │
│ │ the issuer whenever the list is │
│ │ updated. │
│ │3. Make sure the personnel of terminal │
│ │ equipment supplier show identification│
│ │ document when they work onsite. │
│ │ Besides the installation and │
│ │ maintenance operations, the terminal │
│ │ equipment supplier shall readily │
│ │ support the issuer's needs to inspect │
│ │ whether a terminal equipment is being │
│ │ tampered with or has a skimmer │
│ │ installed. │
│ │4. The issuer shall from time to time │
│ │ dispatch personnel to inspect the │
│ │ terminal equipment installed at the │
│ │ contracted merchants or recharge │
│ │ institutions to see whether the │
│ │ equipment is being improperly tampered│
│ │ with and check whether its software is│
│ │ being altered without authorization. │
├─────────┼────────────────────┤
│Ensure the │The processing of transactions with │
│transaction │terminal equipment shall comply with the│
│security of │following rules: │
│terminal equipment│1. For information contained in the │
│ │ electronic stored value card, except │
│ │ for account number, card number, │
│ │ expiration date, transaction sequence │
│ │ number, and other data necessary for │
│ │ verifying whether a transaction │
│ │ occurs, no other data may be stored in│
│ │ the terminal equipment. │
│ │2. To ensure the validity of terminal │
│ │ equipment, each terminal equipment │
│ │ shall have a unique ID number. │
│ │3. For Level 2 transactions, the │
│ │ security module of the terminal │
│ │ equipment should be individualized │
│ │ (that is, the keys for each terminal │
│ │ equipment are different) │
├─────────┼────────────────────┤
│Establish an │To effectively prevent the transaction │
│effective or │of invalid electronic stored value │
│real-time │cards, an issuer should establish a │
│blacklist │blacklist management mechanism. The │
│management │blacklist for online transactions shall │
│mechanism │be updated in real-time, and the │
│ │blacklist for off-line transactions │
│ │shall be updated at least daily. │
├─────────┼────────────────────┤
│Reduce the │The terminal equipment should implement │
│probability of │the following design to minimize the │
│accidental trigger│probability of accidental trigger when │
│of transaction for│the cardholder of a contactless │
│contactless │electronic stored value card has no │
│electronic stored │intention to make a transaction: │
│value cards │1. The sensing distance is kept below 6 │
│ │ cm (inclusive); and │
│ │2. A transaction is prompted by sound, │
│ │ light signal or graphic image. │
├─────────┼────────────────────┤
│Design terminal │The terminal equipment for off-line │
│security module │recharge transactions should be equipped│
│for off-line │with security module and the following │
│recharge │designs for recharge transaction: │
│transactions │1. Recharge transactions are │
│ │ individually authorized. │
│ │2. The amount per recharge is limited. │
│ │3. The cumulative recharge amount is │
│ │ limited (e.g. daily limit). If the │
│ │ limit is reached, request for │
│ │ authorization of additional amount │
│ │ from the issuer can be made through │
│ │ the terminal equipment. │
│ │4. The security modules should be │
│ │ properly managed, e.g. implementing │
│ │ the production, issuance, and delivery│
│ │ process, production operation control,│
│ │ and security control of security │
│ │ modules. │
├─────────┼────────────────────┤
│Install │If Level 1 electronic stored value card │
│surveillance │is used for off-line transactions at a │
│equipment or adopt│contracted merchant providing Type 2 │
│other necessary │products or services, the issuer shall │
│measures to reduce│demand that the contracted merchant │
│the incidence of │installs surveillance equipment and │
│faked card │keeps recording all the time during the │
│transaction if │business hours, or takes other necessary│
│Level 1 electronic│measures to minimize faked card │
│stored value card │transactions. │
│is used for │ │
│off-line │ │
│transactions at a │ │
│contracted │ │
│merchant providing│ │
│Type 2 products or│ │
│services │ │
├─────────┼────────────────────┤
│Directions for the│If the electronic stored value card │
│development of │holders conduct transactions over the │
│Internet │Internet using a browser, the network │
│application │application system shall have the │
│systems │following designs: │
│ │1. The website shall adopt Secure │
│ │ Sockets Layer (SSL) mechanism or │
│ │ encrypt the transmissions in other │
│ │ manners with the level of │
│ │ cryptographic strength not lower than │
│ │ that specified in Article 7 (A) on │
│ │ confidentiality. │
│ │2. The check code of terminal equipment │
│ │ for each transaction shall be │
│ │ generated dynamically and randomly, or│
│ │ protected by cryptographic operations.│
│ │3. The system should be designed with │
│ │ Graphic One Time Password (GOTP) with │
│ │ masking function or random buttons. │
│ │4. The system should have the design of │
│ │ dynamic page presentation or │
│ │ restricting selection by mouse click │
│ │ only to prevent the simulation of │
│ │ SendKey Control. │
│ │5. The system should have session │
│ │ control and timeout mechanism. │
│ │6. In the case of multi-page design, the│
│ │ system should verify the authenticity │
│ │ of the previous webpage. │
│ │7. The client-side component should │
│ │ verify the authenticity of website. │
│ │8. The client-side component should have│
│ │ anti-theft mechanism to verify the │
│ │ validity or authenticity of website. │
│ │9. The client-side component should have│
│ │ a CodeSign to ensure the integrity of │
│ │ the component. │
│ │10. The client-side component should │
│ │ have the implementation of exclusive │
│ │ mode when accessing card. │
│ │11. The client-side component should │
│ │ have the design that allows │
│ │ cardholder to confirm a transaction │
│ │ manually. │
│ │12. When the system is hacked, the │
│ │ issuer shall immediately shut down │
│ │ the network service to ensure the │
│ │ security of transactions. │
├─────────┼────────────────────┤
│Implement measures│System availability should be managed │
│to enhance the │and controlled with the following │
│system │measures: │
│availability │1. Planning network redundancy. │
│ │2. Planning redundant circuitry or │
│ │ uninterruptible power supply (UPS). │
├─────────┼────────────────────┤
│Draft operations │Draft terminal equipment management │
│management rules │rules, including description of │
│ │equipment specifications and security │
│ │mechanism, description of security │
│ │procedures, principles for the security │
│ │module control operation, blacklist │
│ │management mechanism, and measures for │
│ │contract signing with contracted │
│ │merchants and recharge institutions, and│
│ │their management. │
└─────────┴────────────────────┘ Article 12
An issuer shall choose the proper types of electronic stored value card based on the intended application level:
┌─────────┬────────────────────┐
│Application level │Applicable types of electronic stored │
│ │value card │
├─────────┼────────────────────┤
│Level 1 │The electronic stored value card must be│
│ │one of the following types; electronic │
│ │stored value cards with features in │
│ │Point 3, 4, or 5 can be used for online │
│ │transactions only: │
│ │1. Smart card with cryptographic │
│ │ operation capability. │
│ │2. Memory IC card + fixed password. │
│ │3. User ID + one-time password. │
│ │4. Magnetic strip card + fixed password.│
│ │5. User ID + fixed password. │
├─────────┼────────────────────┤
│Level 2 │The electronic stored value card must be│
│ │one of the following types: │
│ │1. Smart card that meets the security │
│ │ requirements set forth in Article 6 │
│ │ herein and has had security certified.│
│ │2. User ID + security-certified one-time│
│ │ password generator (e.g. OTP Token) │
│ │ (transactions can be carried out │
│ │ online and on real-time basis only. │
└─────────┴────────────────────┘
The term "security certified" means that as confirmed by the competent authority, the security level has passed the third-party evaluation of an institution recognized by the National Communication Commission of Executive Yuan or the Common Criteria Recognition Arrangement (CCRA) as meeting or on a par with any of the following criteria:
1. ISO/IEC15408 Common Criteria v2.3 EAL4+ (augmented by AVA_VLA.4 and ADV_IMP.2)
2. ISO/IEC15408 Common Criteria v3.1 EAL4+ (augmented by AVA_VAN.5).
3. CNS 15408 EAL4+(augmented by AVA_VLA.4 and ADV_IMP.2).
4. Other evaluation criteria accepted by the competent authority. Article 13
An issuer shall adopt the following protective measures for the electronic stored value cards it issues:
┌────────────┬─────────────────┐
│Protective measures │Security requirements │
├────────────┼─────────────────┤
│Establishing security │1. Verify the validity of │
│strategies │ electronic stored value card. │
│ │2. Incorporate specific security │
│ │ design if user ID + fixed │
│ │ password are adopted. │
│ │3. Personal data stored in the │
│ │ electronic stored value cards │
│ │ must be protected. │
├────────────┼─────────────────┤
│Drafting operations │Draft the electronic stored value │
│management rules │card delivery control process. │
└────────────┴─────────────────┘ Article 14
The security design to address the security requirements for an issuer with respect to electronic stored value cards it issues as provided in the preceding article shall meet the following criteria:
┌────────────┬─────────────────┐
│Security requirements │Security design │
├────────────┼─────────────────┤
│Verify the validity of │Ensure the validity of electronic │
│electronic stored value │stored value card by any of the │
│card. │following means: │
│ │1. The card has an independent and│
│ │ unique ID. │
│ │2. The card has the function of │
│ │ authentication. │
├────────────┼─────────────────┤
│Incorporate specific │Electronic stored value card that │
│security design if user │adopts user ID + fixed password │
│ID + fixed password are │shall have the following security │
│adopted │designs: │
│ │1. Security design for user ID: │
│ │(1) If the issuer uses the │
│ │ explicit data of customers │
│ │ (e.g. Uniform Business No., ID │
│ │ No., and account number) for │
│ │ user ID, a cardholder ID shall │
│ │ also be used for identification│
│ │ purpose. │
│ │(2) The user ID shall not have │
│ │ less than six digits. │
│ │(3) The user ID may not be │
│ │ identical English alphabets or │
│ │ numbers, or consecutive English│
│ │ alphabets or sequential │
│ │ numbers. │
│ │(4) If a customer did not change │
│ │ the password in one month │
│ │ (calendar days) after receiving│
│ │ the user ID, the customer may │
│ │ not use the same user ID for │
│ │ sign-in. │
│ │(5) A customer may log in with the│
│ │ password once at a time. │
│ │(6) The use of cardholder ID shall│
│ │ at least follow the rules │
│ │ below: │
│ │a. The cardholder ID may not be │
│ │ the explicit data of customer. │
│ │b. If wrong ID is entered five │
│ │ times, the issuer should take │
│ │ proper action. │
│ │c. The cardholder ID may not be │
│ │ identical to the user ID when │
│ │ first established; the same rule│
│ │ applies to change of cardholder │
│ │ ID. │
│ │2. Security design for password: │
│ │(1) The password shall not be less│
│ │ than six digits. If it is used │
│ │ in combination with transaction│
│ │ password, the password shall │
│ │ not be less than four digits. │
│ │(2) Suggest the use of combination│
│ │ of English alphabets and │
│ │ numerals for password, and │
│ │ preferably include upper case │
│ │ and lower case English │
│ │ alphabets or signs. │
│ │(3) The password may not use │
│ │ identical English alphabets or │
│ │ numbers, or consecutive English│
│ │ alphabets or sequential │
│ │ numbers. │
│ │(4) The password and user ID may │
│ │ not be identical. │
│ │(5) The transaction may not │
│ │ continue if wrong password is │
│ │ entered five times │
│ │ consecutively. │
│ │(6) The new password may not be │
│ │ identical to the one just used.│
│ │(7) Make change of preset password│
│ │ compulsory during the │
│ │ first-time login. │
├────────────┼─────────────────┤
│Personal data stored in │If personal data are stored in │
│the electronic stored │electronic stored value cards, │
│value cards must be │access control or cardholder │
│protected │verification mechanism shall be │
│ │implemented to restrict access. │
├────────────┼─────────────────┤
│Draft the electronic │The issuer should properly manage │
│stored value card │the life cycle of electronic │
│delivery control process│stored value cards, including: │
│ │1. Drafting electronic stored │
│ │ value card production, issuance,│
│ │ and delivery control processes. │
│ │2. Implementing control of card │
│ │ production outsource operation. │
│ │3. Implementing physical security │
│ │ control of electronic stored │
│ │ value cards. │
└────────────┴─────────────────┘ Article 15
An issuer shall file quarterly reports on the amount of irregular transactions with the Competent Authority, and submit an improvement plan with the Competent Authority if the cumulative amount (of irregular transactions) for the year exceeds one percent (1%) of its paid-in capital. Article 16
An issuing transaction shall file statistical data on card transactions by the nature of products or services and transaction amount as provided in Article 5 herein with the Competent Authority or an institution designated by the Competent Authority every quarter. Article 17
An issuer shall engage an accountant to audit its status of compliance with these Regulations, and submit the audit report to the Competent Authority for reference in two (2) months after the end of each fiscal year. Article 18
Issuer that are currently issuing electronic stored value cards and have been approved to engage in electronic stored value card business and banks that are currently engaging in electronic stored value card business shall make adjustment within six (6) months after the promulgation and implementation of these Regulations if they do not comply with the provision of "prevent small contracted merchants from making unwarranted payment deductions" in Article 9 herein. Article 19
These Regulations are in force from the date of promulgation. |