| Article 36 |
(Management of identity verificationmethod for electronic trading)
- Except for the methods otherwise provided under the Guidelines for Security Control and Management of Use of Fast Identity Verification Methods by Financial Institutions, when an organization allows log-in for electronic trading, its security design should implement any two or more of the following three technologies:
- Information agreed with the organization not known to a third party (e.g. PIN, pattern lock or gesture lock).
- The organization shall verity the physical device (e.g. password generator, PIN card, chip card, computer, mobile device, certification carrier) held by the client is the device agreed to by the client and the organization.
- The organization shall directly or indirectly verify the biometrics (e.g. fingerprints, face, iris, voice, palm prints, vein, signature) owned and provided by the client to the organization. Indirect verification means authentication by the device at the client (e.g. mobile device) or verification by an appointed third party, in which case the organization accesses only the results of verification and may add an authentication where necessary. In the case of indirect verification, the organization shall first review the validity of the client’s identity verification method.
- Where an organization uses PIN as the verification method, the organization shall apply irreversible computing (such as hash function) prior to storing the PIN. Further, to prevent guessing of a PIN by using pre-generated hash values, information should be encrypted or added with unknown data in the computing.
- When an organization directly verifies biometrics and stores the biometric data in its internal system, it should deidentify the original biometric data, makedata difficult to be reversed, store the data by encrypting the original biometric data and alia ID, and store different parts of the biometric data separately on different storage media (e.g. databases). When data is stored at a terminal equipment provided by the organization, the equipment should meet the FIPS 140-2 Level 3 standards or higher standards.
- When directly verifying the biometric data, an organization shall adjust the tolerance of errors in biometrics based on its risk capacityin order toeffectively identify the client. In the case of indirect verification, it should first review the validity of the client’s identity verification method.
- When using the certificate as the verification method, an organization shall accept only the certificates issued by a certification agency approved by the Ministry of Economic Affairs, and strengthen the verification for issue of certificates to ensure only the client him/herself may log in the system.
|
|