This standard has completed its five-year review with revisions made by the X9F6 Cardholder Authentication and ICC’s work group. The revised standard was published June 8, 2017. This part of the standard deals exclusively with the management of symmetric keys using symmetric techniques with the TDES and AES algorithms. These symmetric algorithms are defined in other American National Standards Institute standards and are also in the public domain. Addressed herein are the activities and requirements related to each stage or event within the key life cycle, including generation, distribution, utilization, storage, archiving, replacement and destruction of the keying material. This standard is arguably the most important security standard for the financial services industry, established to keep payment data, including PIN and cardholder account information, secure.
X9.69 was revised and published on September 19, 2017. This standard defines methods for the generation and control of keys used in symmetric cryptographic algorithms. The standard defines a constructive method for the creation of symmetric keys, by combining two or more secret key components. The standard also defines a method for attaching a key usage vector to each generated key that prevents abuses and attacks against the key.
X9.73 was published with revisions on September 28, 2017. This standard defines a cryptographic message syntax which can be used to protect financial transactions and other information from the threats described above. The syntax is easily extensible in design to allow the use of any cryptographic algorithm defined in current or future standards appropriate for use by the financial services. The cryptographic syntax is suitable for the protection of the identity and rights management information critical for secure access control.
This standard was reviewed by the X9F4 Cryptographic Protocols and Application Security work group and has been reaffirmed with a publication date of April 14, 2017. This standard specifies recommended processes for conducting penetration testing with financial service organizations. It also describes a framework for specifying, describing and conducting penetration testing, and for reporting its results. X9.111 allows an entity interested in obtaining penetration testing services to identify the objects to be tested, specify the level of testing to occur, and set a minimal set of testing expectations.
The X9F6 Cardholder Authentication and ICC’s work group has revised this standard by adding clarity to the encryption of the middle digits of the PAN. This revised standard was published on May 27, 2016. The card payments industry has had a series of robust standards for decades addressing the security of PINs and the techniques for their protection. Theft of sensitive card data during a retail payment transaction is increasingly becoming a major source of financial fraud. Besides an optional encrypted PIN, this data includes magnetic stripe track 2 data: PAN, expiration date, card verification value, and issuer private data. While thefts of this data at all segments of the transaction processing system have been reported, the most vulnerable segments are between the point-of-transaction device capturing the magnetic stripe data and the processing systems at the acquirer. This document standardizes the security requirements and implementation for a method of protecting this sensitive card data over these segments. Several implementations exist to address this situation. This document provides guidance for evaluating these implementations.
This standard was published on August 3, 2017. This document standardizes the security requirements and implementation for a method of protecting this sensitive card data over these segments using tokenization, and is a companion standard to X9.119 Part 1. Several implementations exist to address this situation. This document provides guidance for evaluating these implementations.
TR-31 Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms
This technical report is currently under revision by the X9F6 Data and Information Security work group. It has been voted on at the subcommittee level and comments are being reviewed. X9 TR-31 describes a method consistent with the requirements of ANS X9.24 Retail Financial Services Symmetric Key Management Part 1 for the secure exchange of keys and other sensitive data between two devices that share a symmetric key exchange key. This method may also be used for the storage of keys under a symmetric key.
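The key block TR-31 describes carries a clear-text header that binds usage, algorithm and mode-of-use attributes to the wrapped key, followed by the encrypted key and a MAC over header and key. The parser below is an added example written for this page, not code from TR-31 or any X9 project; the field positions and code values follow the published TR-31 revisions as the author understands them and should be confirmed against the revision in force, since the page notes the TR is under revision. The sample key block is constructed: its encrypted-key field and MAC are placeholder hex, and cryptographic verification of the MAC (which needs the key block protection key) is deliberately not shown.

```python
"""Parse and sanity-check the clear-text header of a TR-31 style key block.

Added example, not from TR-31 or any X9 project. Field layout and code values
are the author's reading of published TR-31 revisions (assumption: confirm
against the revision in force). The sample block is CONSTRUCTED; its key and
MAC fields are placeholders, not real cryptographic output.
"""
import re
from dataclasses import dataclass

HEADER_LEN = 16                                   # header is 16 printable ASCII chars
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}  # MAC length (hex chars) per version ID
KEY_DATA_HEX_MULTIPLE = {"A": 16, "B": 16, "C": 16, "D": 32}  # cipher block size, hex chars
HEX_RE = re.compile(r"^[0-9A-F]+$")

KEY_USAGE_NAMES = {"B0": "BDK", "D0": "data encryption", "K0": "key encryption/wrapping",
                   "P0": "PIN encryption", "M1": "ISO 9797-1 MAC alg 1", "M3": "ISO 9797-1 MAC alg 3"}
ALGORITHM_NAMES = {"A": "AES", "T": "TDES", "D": "DES", "R": "RSA"}
MODE_NAMES = {"B": "encrypt and decrypt", "E": "encrypt only", "D": "decrypt only",
              "G": "generate MAC", "V": "verify MAC", "C": "generate and verify MAC",
              "N": "no special restrictions", "X": "derive keys"}
EXPORT_NAMES = {"E": "exportable under a trusted key", "N": "non-exportable",
                "S": "sensitive; exportable under an untrusted key"}


@dataclass(frozen=True)
class OptionalBlock:
    block_id: str   # two-character ID, e.g. "KS" (key set identifier)
    data: str


@dataclass(frozen=True)
class KeyBlock:
    version: str
    length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: tuple
    encrypted_key_hex: str
    mac_hex: str


def parse_key_block(block: str) -> KeyBlock:
    """Split a key block into its fields, rejecting structurally malformed input."""
    if len(block) < HEADER_LEN or not block.isascii() or not block.isprintable():
        raise ValueError("key block too short or not printable ASCII")
    version = block[0]
    if version not in MAC_HEX_LEN:
        raise ValueError(f"unknown key block version ID {version!r}")
    if not block[1:5].isdigit() or int(block[1:5]) != len(block):
        raise ValueError("declared key block length does not match actual length")
    if not block[12:14].isdigit():
        raise ValueError("optional block count is not numeric")
    if block[14:16] != "00":
        raise ValueError("reserved header field must be '00'")

    # Optional blocks: 2-char ID, 2-char hex length (covers ID + length + data), data.
    pos, opts = HEADER_LEN, []
    for _ in range(int(block[12:14])):
        if pos + 4 > len(block):
            raise ValueError("optional block header runs past end of key block")
        block_id, length_hex = block[pos:pos + 2], block[pos + 2:pos + 4]
        if length_hex == "00":
            raise ValueError("extended optional-block length form not handled here")
        opt_len = int(length_hex, 16)
        if opt_len < 4 or pos + opt_len > len(block):
            raise ValueError(f"optional block {block_id!r} has invalid length {opt_len}")
        opts.append(OptionalBlock(block_id, block[pos + 4:pos + opt_len]))
        pos += opt_len

    mac_len = MAC_HEX_LEN[version]
    if len(block) - pos < mac_len:
        raise ValueError("no room for MAC after optional blocks")
    key_hex, mac_hex = block[pos:len(block) - mac_len], block[len(block) - mac_len:]
    if not key_hex or len(key_hex) % KEY_DATA_HEX_MULTIPLE[version]:
        raise ValueError("encrypted key field is not a whole number of cipher blocks")
    if not HEX_RE.match(key_hex) or not HEX_RE.match(mac_hex):
        raise ValueError("encrypted key or MAC is not upper-case hex")
    return KeyBlock(version, len(block), block[5:7], block[7], block[8], block[9:11],
                    block[11], tuple(opts), key_hex, mac_hex)


def is_well_formed(block: str) -> bool:
    """Convenience wrapper: True if the block parses, False otherwise."""
    try:
        parse_key_block(block)
        return True
    except ValueError:
        return False


def describe(kb: KeyBlock) -> dict:
    """Human-readable view of the usage attributes the header binds to the key."""
    return {
        "version": kb.version,
        "key_usage": KEY_USAGE_NAMES.get(kb.key_usage, f"unknown ({kb.key_usage})"),
        "algorithm": ALGORITHM_NAMES.get(kb.algorithm, f"unknown ({kb.algorithm})"),
        "mode_of_use": MODE_NAMES.get(kb.mode_of_use, f"unknown ({kb.mode_of_use})"),
        "exportability": EXPORT_NAMES.get(kb.exportability, f"unknown ({kb.exportability})"),
        "optional_blocks": [ob.block_id for ob in kb.optional_blocks],
    }


# CONSTRUCTED sample: version B, PIN encryption key, TDES, encrypt+decrypt,
# non-exportable, one "KS" optional block; key/MAC fields are placeholders.
SAMPLE_KEY_BLOCK = (
    "B0096P0TB00N0100"
    + "KS100123456789AB"
    + "0123456789ABCDEF" * 3
    + "FEDCBA9876543210"
)

if __name__ == "__main__":
    print(describe(parse_key_block(SAMPLE_KEY_BLOCK)))
```

Structural checks like these belong in front of any HSM import path: a block whose declared length, optional-block lengths or reserved field are inconsistent should be rejected before the MAC is even computed, and the decoded usage and mode-of-use fields are what an importing device compares against the purpose the key is being loaded for.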
TR-34 Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 Using Factoring-Based Public Key Cryptography Unilateral Key Transport
This technical report is currently under revision by the X9F6 Data and Information Security work group. A new work item was submitted on February 5, 2016. Once the revised draft has been received it will proceed to a subcommittee ballot. This document describes a method consistent with the requirements of ANS X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry.
TR-50 Quantum Techniques in Cryptographic Messaging Syntax (CMS)
This technical report is being developed by the X9F4 Cryptographic Protocols and Application Security work group. There are a number of cryptographic algorithms and protocols under study by academia that are deemed safe against the current set of quantum-based attacks (e.g., Shor's algorithm). Some of these are being considered for standardization. As the financial services industry begins to explore alternatives to quantum-vulnerable control solutions based on CMS, it needs guidance on how these new techniques should be integrated with the currently defined X9.73 schema, and how this integration will affect current message processing. The resulting TR will enable financial services institutions to begin preparing for migrations to quantum-safe control solutions that rely on CMS, and enable the industry to pursue proof-of-concept and testing activities.