JR/T 0185-2020 Commercial bank application programming interface secure management specification
1 Scope
This standard specifies the interface types and security levels, security design, security deployment, security integration, security operation & maintenance, service termination and system offline, security management, and other security technical and security assurance requirements for commercial bank application programming interfaces.
This standard is applicable to the design and application of commercial bank application programming interfaces for external interconnection. It guides banking financial institutions that provide or participate in commercial bank application programming interface services, and application agencies that integrate such interface services, in carrying out the related work, and provides a reference for third-party security assessment institutions and other units conducting security inspection and assessment (for the relationships between interface types, see Annex A). This standard may also serve as a reference for the design and application of other types of application programming interfaces.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security techniques - Terminology
JR/T 0071 Implementation guidelines for classified protection of cybersecurity of financial industry
JR/T 0124-2014 Specification for financial organization code
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
application programming interface
set of pre-defined functions through which, individually or in combination, developers can conveniently access related services without concerning themselves with the design and implementation of those services
3.2
application agency
institutions that invoke the commercial bank application programming interface
3.3
application programming interface unique ID
unique ID defined by commercial banks themselves to distinguish the functions of commercial bank application programming interfaces
3.4
uniform application programming interface ID
commercial bank uniform application programming interface ID generated by commercial banks according to the coding rules issued by the industry's competent departments
Note: It is used to identify the organization code, interface type, service category, interface sequence number and other contents of commercial banks.
3.5
software development kit
collection of software development tools used when building applications based on specific software packages, software frameworks, hardware platforms, operating systems, etc.
3.6
application unique ID
unique ID granted by a commercial bank based on the type of financial products and services invoked by the application agency after the identity verification of the application agency is passed
Note: It includes two types: server-side application ID and mobile terminal application software ID.
3.7
application secret
credential for authenticating application legitimacy, used together with the application unique ID to verify the legitimacy of applications that access the API. Once access verification succeeds, the system connection can be established and the application programming interface can be invoked, or the functions and data it provides can be used
3.8
financial mobile application software
application software that provides financial transaction services to users on mobile terminals
Note: Including but not limited to executable files, components, etc.
3.9
personal financial information
personal information obtained, processed and retained by financial institutions through providing financial products and services or other channels
Note 1: Including account information, authentication information, financial transaction information, personal identity information, property information, loan information, and other information that reflects certain circumstances of a specific individual.
Note 2: It is revised from Definition 3.1, GB/T 35273-2017.
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Acronym
5 General
6 Interface types and security levels
7 Security design
8 Security deployment
9 Security integration
10 Security operation & maintenance
11 Service termination and system offline
12 Security management
Annex A (Normative) Schematic diagram of commercial bank application programming interface relationships
Annex B (Normative) Coding rules for the commercial bank uniform application programming interface ID
Bibliography