世复检测

Introduction to the EU cybersecurity standard EN 18031-3 and its test items


Any radio equipment that handles monetary transactions, whether the value is fiat money or virtual currency, must meet the anti-fraud capability requirements. The assessment asks, for example: does the device use encryption, confidentiality and integrity protection mechanisms, and can data such as bank card details or transaction PINs/passwords be leaked?


EN 18031-3 / RED Article 3.3(f): protection from fraud in electronic payments

Scope: internet-connected radio equipment that processes virtual money or monetary value

 

Reduce the risk of monetary fraud (§3.3.f): Wireless devices and products will have to include features to minimise the risk of fraud when making electronic payments. For example, they will need to ensure better authentication control of the user in order to avoid fraudulent payments.


EN 18031-3: 9 categories (security mechanisms)

ACM: Access control mechanism
AUM: Authentication mechanism
SUM: Secure update mechanism
SSM: Secure storage mechanism
SCM: Secure communication mechanism
LGM: Logging mechanism
CCK: Confidential cryptographic keys
GEC: General equipment capabilities
CRY: Cryptography


EN 18031-3: 33 test cases (the numbering follows the standard, which has no GEC-7 in Part 3, so the list runs from GEC-6 to GEC-8)

[ACM-1] Applicability of access control mechanisms
[ACM-2] Appropriate access control mechanisms
[AUM-1] Applicability of authentication mechanisms
[AUM-2] Appropriate authentication mechanisms
[AUM-3] Authenticator validation
[AUM-4] Changing authenticators
[AUM-5] Password strength
[AUM-6] Brute force protection
[SUM-1] Applicability of update mechanisms
[SUM-2] Secure updates
[SUM-3] Automated updates
[SSM-1] Applicability of secure storage mechanisms
[SSM-2] Appropriate integrity protection for secure storage mechanisms
[SSM-3] Appropriate confidentiality protection for secure storage mechanisms
[SCM-1] Applicability of secure communication mechanisms
[SCM-2] Appropriate integrity and authenticity protection for secure communication mechanisms
[SCM-3] Appropriate confidentiality protection for secure communication mechanisms
[SCM-4] Appropriate replay protection for secure communication mechanisms
[LGM-1] Applicability of logging mechanisms
[LGM-2] Persistent storage of log data
[LGM-3] Minimum number of persistently stored events
[LGM-4] Time-related information of persistently stored log data
[CCK-1] Appropriate CCKs
[CCK-2] CCK generation mechanisms
[CCK-3] Preventing static default values for preinstalled CCKs
[GEC-1] Up-to-date software and hardware with no publicly known exploitable vulnerabilities
[GEC-2] Limit exposure of services via related network interfaces
[GEC-3] Configuration of optional services and the related exposed network interfaces
[GEC-4] Documentation of exposed network interfaces and exposed services via network interfaces
[GEC-5] No unnecessary external interfaces
[GEC-6] Input validation
[GEC-8] Equipment integrity
[CRY-1] Best practice cryptography


Applicable scope:

Equipment involved in financial transactions or virtual currency, including:
- Payment terminals: POS terminals, ATMs
- Cryptocurrency devices: cold wallets, virtual-currency trading terminals
- Financial service devices: smart card readers that support transfers

Note that Article 3.3(f) covers radio equipment that is internet-connected and itself processes virtual money or monetary value; a device of one of the types above falls under EN 18031-3 only when it meets those conditions.

Typical cases: hardware wallets supporting Bitcoin transactions, bank self-service terminals.

 

