Chapter VI – Security Control and Management of Identity Verification for Electronic Trading
Article 32 (Definition of identity verification for electronic trading)
Verification of a user's identification information prior to electronic consigned trading agreed to by an organization.
Article 33 (Electronic trading)
Electronic trading refers to electronic consigned trading by a client under Article 75 of the Operating Rules of the Taiwan Stock Exchange Corporation, Article 48 of the Operating Rules of the Taiwan Futures Exchange Corporation, Article 2 of the Operating Guidelines for Electronic Trading by Domestic Securities Investment Trust Funds of the Securities Investment Trust and Consulting Association of R.O.C., and Article 2 of the Operating Guidelines for Electronic Trading by Offshore Funds of the Securities Investment Trust and Consulting Association of R.O.C.
Article 34 (Scope of application of the directions on identity verification for electronic trading)
The identity verification for electronic trading defined under these directions applies only to systems that process trading via the Internet; it does not include services enabled by telephone calls, Direct Market Access (DMA), or Co-Location.
Article 35 (Information protection measures for electronic trading)
Information protection measures should include security designs that ensure confidentiality, integrity, authentication, and non-duplication, and should satisfy the following requirements:
- Confidentiality: Information should be encrypted using an algorithm with a security level at or above AES 128 bits, RSA 2048 bits or ECC 256 bits. A communication protocol at or above TLS 1.2 should be adopted, and key exchange should be performed via Elliptic Curve Diffie-Hellman Exchange.
- Integrity: Information should carry a message authentication code (MAC) or be encrypted using an algorithm with a security level at or above SHA 256 bits, AES 128 bits, RSA 2048 bits or ECC 256 bits.
- Authentication: Information should carry a message authentication code (MAC), be encrypted, or contain a digital signature using an algorithm with a security level at or above SHA 256 bits, AES 128 bits, RSA 2048 bits or ECC 256 bits.
- Non-duplication: Information shall be generated using methods such as a serial number, a one-time random number, or a time stamp.
- Non-repudiation: Information should carry a message authentication code (MAC) using an algorithm with a security level at or above SHA 256, and contain a digital signature using an algorithm with a security level at or above RSA 2048 bits or ECC 256 bits.
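The integrity, authentication and non-duplication requirements above can be met on a single order message with an HMAC-SHA256 tag plus a serial number, a one-time random number and a time stamp, checked on the server. The following is an added example written for this page, not code from the directions or from any exchange; the shared key, the 60-second clock-skew window and the message layout are assumptions. The digital signature that the non-repudiation item additionally requires is not shown, because it needs an asymmetric-key library outside the Python standard library.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Shared secret between the client application and the organization's server.
# Constructed for this example; a real deployment provisions it per client
# over an authenticated channel and never hard-codes it.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Acceptable clock skew between client and server, in seconds (assumed value).
MAX_SKEW_SECONDS = 60


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so client and server MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(order: dict, serial: int, key: bytes = SHARED_KEY,
            now: Optional[float] = None) -> dict:
    """Client side: attach the Article 35 non-duplication fields (serial number,
    one-time random number, time stamp) and an HMAC-SHA256 tag over everything."""
    body = {
        "order": order,
        "serial": serial,
        "nonce": secrets.token_hex(16),
        "timestamp": int(time.time() if now is None else now),
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


class Verifier:
    """Server side: reject messages whose MAC is wrong (integrity/authentication)
    or that repeat a nonce, reuse a serial number, or carry a stale time stamp
    (non-duplication)."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = set()
        self.last_serial = 0

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # The MAC is checked first, in constant time, before any field is trusted.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - body["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        if body["serial"] <= self.last_serial:
            return False, "serial not increasing"
        # Only a fully accepted message consumes its nonce and serial number.
        self.seen_nonces.add(body["nonce"])
        self.last_serial = body["serial"]
        return True, "ok"
```

A replayed copy of an accepted message fails on the nonce even though its MAC is still valid, and a message whose order fields were altered in transit fails on the MAC before the server looks at anything else. The nonce set grows without bound here; in practice it only needs to hold nonces inside the skew window, since anything older is rejected by the time-stamp check anyway.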
Article 36 (Management of identity verification methods for electronic trading)
- Except for the methods otherwise provided under the Guidelines for Security Control and Management of Use of Fast Identity Verification Methods by Financial Institutions, when an organization allows log-in for electronic trading, its security design should implement any two or more of the following three technologies:
  - Information agreed with the organization and not known to any third party (e.g. PIN, pattern lock or gesture lock).
  - The organization shall verify that the physical device (e.g. password generator, PIN card, chip card, computer, mobile device, certification carrier) held by the client is the device agreed to by the client and the organization.
  - The organization shall directly or indirectly verify the biometrics (e.g. fingerprints, face, iris, voice, palm prints, veins, signature) owned by the client and provided by the client to the organization. Indirect verification means authentication by the client's device (e.g. mobile device) or verification by an appointed third party, in which case the organization receives only the result of the verification and may add an authentication step where necessary. In the case of indirect verification, the organization shall first review the validity of the client's identity verification method.
- Where an organization uses a PIN as the verification method, it shall apply an irreversible computation (such as a hash function) before storing the PIN. Further, to prevent a PIN from being guessed using pre-generated hash values, the information should be encrypted or combined with unknown data (a salt) in the computation.
- When an organization directly verifies biometrics and stores the biometric data in its internal system, it should de-identify the original biometric data, make the data difficult to reverse, store the data by encrypting the original biometric data and the alias ID, and store different parts of the biometric data separately on different storage media (e.g. databases). When data is stored on terminal equipment provided by the organization, the equipment should meet FIPS 140-2 Level 3 or a higher standard.
- When directly verifying biometric data, an organization shall adjust the error tolerance of the biometric matching based on its risk capacity in order to identify the client effectively. In the case of indirect verification, it shall first review the validity of the client's identity verification method.
- When using a certificate as the verification method, an organization shall accept only certificates issued by a certification agency approved by the Ministry of Economic Affairs, and strengthen verification at certificate issuance to ensure that only the client himself or herself may log in to the system.
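The PIN storage rule in this article (irreversible computation, plus unknown data mixed in so that pre-generated hash tables do not help) looks like this in practice. The following is an added example written for this page, not code from the directions; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the irreversible computation, and the iteration count and salt length are assumed values. The bare-hash function is included only to show the weakness the rule is written against.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for the irreversible computation (constructed value for the
# example; a real deployment tunes it to its hardware and risk appetite).
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(pin: str) -> str:
    """The weak form: a bare hash of the PIN. It is irreversible, but every
    client with the same PIN gets the same stored value, so anyone who obtains
    the store can match it against a table of pre-generated hashes."""
    return hashlib.sha256(pin.encode("utf-8")).hexdigest()


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """The required form: PBKDF2-HMAC-SHA256 over the PIN plus random, unknown
    data (a salt) that is stored alongside the result. A pre-generated table is
    useless because each record hashes a different input."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(ITERATIONS)}


def verify_pin(pin: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                                 int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_pin_distinct_records(pin: str) -> bool:
    """Enrol the same PIN twice: both records verify, yet their stored hashes
    differ, which is exactly the property that defeats a pre-generated table."""
    a, b = hash_pin(pin), hash_pin(pin)
    return a["hash"] != b["hash"] and verify_pin(pin, a) and verify_pin(pin, b)
```

Storing the iteration count in the record lets the organization raise the work factor later and re-hash each client's PIN at their next successful login without breaking existing records. A 4- to 6-digit PIN space is small, so the salt and work factor slow down offline guessing but do not remove the need for the lockout rule in Article 37.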
Article 37 (Control and management of identity verification for electronic trading)
- An organization shall establish regulations governing the application for, delivery, use, update and verification of identities for electronic trading.
- An organization shall encrypt all information relating to identity verification for electronic trading that is transmitted via the Internet, throughout the entire transmission.
- An organization shall store information relating to identity verification for electronic trading only after it has been hashed or encrypted.
- An organization shall verify the identity for electronic trading at its server, to avoid the risk of the verification being tampered with if it were performed on the client's device.
- An organization shall use enhanced password functionality and conduct control and management, and shall always lock an account after three failed attempts to enter the correct password.
- An organization shall provide its clients a method for periodically changing passwords and implement enhanced password functionality (e.g. reminding a client, via the password-change method, to change his/her password when the same password has been in use for more than three months).
- An organization shall monitor and analyze, on a daily basis, the records of failed attempts to log in to accounts in the core system and of attempts to log in to non-client accounts.
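Two of the items above are mechanical enough to show end to end: the server-side lockout after three failed password attempts, and the daily review of failed logins and of attempts against names that are not client accounts. The following is an added example written for this page, not code from the directions or from any trading system; the log line format, the account names, the timestamps and the scenario are all constructed, and the credential store uses a plain SHA-256 only to keep the block short.

```python
import hashlib
import hmac
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

MAX_FAILED_ATTEMPTS = 3  # Article 37: lock the account after three failed attempts

# Log line format used by this example (constructed):
#   <timestamp> <EVENT> account=<name> [reason=<why>] [attempt=<n>]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) account=(?P<account>\S+)"
                     r"(?: reason=(?P<reason>\S+))?")


def _h(password: str) -> str:
    # Credentials are stored hashed, as Article 37 requires. A bare SHA-256
    # keeps the example short; a production store would salt and stretch it.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class LoginGuard:
    """Server-side password check with per-account failure counting and lockout."""

    def __init__(self, credentials: Dict[str, str]):
        self.credentials = credentials          # account -> hashed password
        self.failures = defaultdict(int)
        self.locked = set()
        self.log: List[str] = []                # record of every attempt

    def attempt(self, account: str, password: str, ts: str) -> str:
        if account in self.locked:
            # Even the correct password is refused once the account is locked.
            self.log.append(f"{ts} LOGIN_REJECTED account={account} reason=locked")
            return "locked"
        if account not in self.credentials:
            self.log.append(f"{ts} LOGIN_FAILED account={account} reason=unknown_account")
            return "unknown"
        if hmac.compare_digest(_h(password), self.credentials[account]):
            self.failures[account] = 0
            self.log.append(f"{ts} LOGIN_OK account={account}")
            return "ok"
        self.failures[account] += 1
        self.log.append(f"{ts} LOGIN_FAILED account={account} reason=bad_password "
                        f"attempt={self.failures[account]}")
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            self.log.append(f"{ts} ACCOUNT_LOCKED account={account}")
            return "locked"
        return "failed"


def daily_report(log_lines: List[str], day: str, client_accounts) -> Dict[str, object]:
    """The daily review: failed logins per client account, attempts against
    names that are not client accounts at all, and accounts locked that day."""
    failed, non_client, locked = Counter(), Counter(), []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or not m.group("ts").startswith(day):
            continue
        event, account = m.group("event"), m.group("account")
        if event == "LOGIN_FAILED":
            if account in client_accounts:
                failed[account] += 1
            else:
                non_client[account] += 1
        elif event == "ACCOUNT_LOCKED":
            locked.append(account)
    return {"failed_by_client": dict(failed),
            "non_client_accounts": dict(non_client),
            "locked": locked}


def run_demo() -> Tuple[List[str], Dict[str, object]]:
    """Constructed scenario: one client fails three times, one logs in, and
    someone probes names that are not client accounts."""
    guard = LoginGuard({"client-a": _h("demo-pass-a"), "client-b": _h("demo-pass-b")})
    attempts = [
        ("client-a", "wrong-1", "2024-01-01T09:00:01"),
        ("client-a", "wrong-2", "2024-01-01T09:00:07"),
        ("client-a", "wrong-3", "2024-01-01T09:00:15"),
        ("client-a", "demo-pass-a", "2024-01-01T09:00:20"),   # right password, but locked
        ("client-b", "demo-pass-b", "2024-01-01T09:05:00"),
        ("admin", "admin", "2024-01-01T23:10:00"),
        ("root", "toor", "2024-01-01T23:10:02"),
        ("admin", "password", "2024-01-01T23:10:05"),
    ]
    results = [guard.attempt(*a) for a in attempts]
    report = daily_report(guard.log, "2024-01-01", set(guard.credentials))
    return results, report
```

The report separates failures on real client accounts (a possible targeted guessing attempt, or simply a client who forgot a PIN) from attempts on names that are not client accounts at all, which is the signal the last item of the article asks for. Unlocking is deliberately absent: the article requires the lock, and how it is lifted belongs to the organization's own regulations under the first item.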
Article 38 (Audit trail of electronic trading)
- An organization shall keep an audit trail (e.g. login accounts, system functions, time, system names, inquiry instructions or results) or an identification system for uses of personal information, to facilitate tracking of uses of personal information when an unauthorized disclosure occurs.
- An organization shall notify the account owner of account logins and trading records, and keep the relevant records.