Standards

X9F Data and Information Security Subcommittee – Project Status

X9F Quantum Computing Study Group

The X9 Executive Committee created a quantum computing study group. This group will review the state of quantum computing and try to determine a time period for when it is most likely that a large-scale quantum computer will exist and, based on this prediction, propose a high-level roadmap for protecting information used by the financial services industry. The study group will also create a report as a result of their studies. If you are interested in participating in this study group click here.

 

X9.139 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport

X9 has published a technical report, TR-34, which describes a method, consistent with the requirements of ANSI X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys, for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry. This technical report has grown in popularity with the growth of remote key distribution technology. Due to increased usage of TR-34, the X9F subcommittee will be standardizing the methods included in TR-34 to improve industry interoperability. For more information on this initiative, contact us.

 

X9.141 Financial and Personal Data Protection and Breach Notification Standard

This is a new standard being developed by the X9F4 Cryptographic Protocols and Application Security workgroup. X9.141 is intended to ensure that all entities that handle sensitive financial data and PII have in place a robust process to protect this data and prevent breaches from happening. This standard should apply to all organizations that handle sensitive payment information, and it would provide a consistent breach notification process to protect consumers and other stakeholders nationwide. Our existing payment systems serve hundreds of millions of consumers, retailers, financial institutions, and the economy well. Protecting the U.S. payment systems is a shared responsibility of all parties involved. We must work together and invest the necessary resources to combat increasingly sophisticated threats to the payments system. To participate in the development of this standard, click here.

 

X9.124 Parts 1, 3, 4 and 5 Format Preserving Encryption of Financial Information

X9.124 Parts 1-5 define requirements for using ciphers in Format Preserving Encryption (FPE) modes and specify approved FPE modes. An FPE mode encrypts data strings of a specific length and character set into ciphertext of the same length using the same character set. X9.124 Part 1 provides a set of recommendations for use of these techniques within financial systems and defines a baseline set of security parameters that other standards organizations can use. X9.124 Part 3 will cover FF1 Feistel-Based Mode 1, while X9.124 Part 4 will cover FF1 Feistel-Based Mode 2 and X9.124 Part 5 will cover FF3, Feistel-Based Mode 3. To participate in the development of these standards, click here.

 

TR-50 Quantum Techniques in Cryptographic Messaging Syntax (CMS)

This technical report is being developed by the X9F4 Cryptographic Protocols and Application Security workgroup. There are a number of cryptographic algorithms and protocols under study by academia that are deemed safe against the current set of quantum-based attacks (i.e., Shor's algorithm). Some of these are being considered for standardization. As the financial services industry begins to explore alternatives to quantum-vulnerable control solutions based on CMS, it needs guidance on how these new techniques should be integrated with the currently defined X9.73 schema, and how this integration will affect current message processing. The resulting TR will enable financial services institutions to begin preparing for migrations to quantum-safe control solutions that rely on CMS and enable the industry to pursue proof-of-concept and testing activities. To participate in the development of this technical report, click here.

 

X9.69 Framework for Key Management Extensions

X9.69 was revised and published on September 19, 2017. This standard defines methods for the generation and control of keys used in symmetric cryptographic algorithms. The standard defines a constructive method for the creation of symmetric keys by combining two or more secret key components. The standard also defines a method for attaching a key usage vector to each generated key that prevents abuses and attacks against the key.

 

X9.73 Cryptographic Message Syntax – ASN.1 and XML

X9.73 was published with revisions on September 28, 2017. This standard defines a cryptographic message syntax which can be used to protect financial transactions and other information from the threats described above. The syntax is easily extensible in design to allow the use of any cryptographic algorithm defined in current or future standards appropriate for use by the financial services. The cryptographic syntax is suitable for the protection of the identity and rights management information critical for secure access control.

 

X9.119-2 Requirements for Protection of Sensitive Payment Card Data – Part 2: Using Tokenization Methods

This standard was published on August 3, 2017. This document would standardize the security requirements and implementation for a method for protecting this sensitive card data over these segments using tokenization and would be a companion standard to X9.119 part 1. Several implementations exist to address this situation. This document would provide guidance for evaluating these implementations.

 

TR-31 Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms

This technical report is currently under revision by the X9F6 Data and Information Security workgroup. It has been voted on at the subcommittee level and comments are being reviewed. X9 TR-31 describes a method, consistent with the requirements of ANS X9.24 Retail Financial Services Symmetric Key Management Part 1, for the secure exchange of keys and other sensitive data between two devices that share a symmetric key exchange key. This method may also be used for the storage of keys under a symmetric key.

 

TR-34 Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 Using Factoring-Based Public Key Cryptography Unilateral Key Transport

This technical report is currently under revision by the X9F6 Data and Information Security workgroup. A new work item was submitted on February 5, 2016. Once the revised draft has been received, it will proceed to a subcommittee ballot. This document describes a method, consistent with the requirements of ANS X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys, for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry.