Standards

X9F Data and Information Security Subcommittee – Project Status

 

X9.24-1 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques

This standard has completed its 5-year review with revisions made by the X9F6 Cardholder Authentication and ICC's work group. The revised standard was published June 8, 2017. This part of the standard deals exclusively with the management of symmetric keys using symmetric techniques, specifically the TDES and AES algorithms. These algorithms are defined in other American National Standards Institute standards and are also in the public domain. Addressed herein are the activities and requirements for each stage or event in the key life cycle, including generation, distribution, utilization, storage, archiving, replacement and destruction of the keying material. This standard is arguably the most important security standard for the financial services industry, established to keep payment data, including PINs and cardholder account information, secure.

 

X9.73 Cryptographic Message Syntax – ASN.1 and XML

X9.73 is currently being revised by the X9F4 Cryptographic Protocols and Application Security work group. The proposed revisions are currently being voted on at the subcommittee level. This standard defines a cryptographic message syntax that can be used to protect financial transactions and other information from the threats the standard addresses. The syntax is designed to be extensible so that any cryptographic algorithm defined in current or future standards appropriate for use by the financial services industry can be used. The syntax is also suitable for protecting the identity and rights management information that secure access control depends on.

 

X9.111 Penetration Testing Within the Financial Services Industry

This standard was reviewed by the X9F4 Cryptographic Protocols and Application Security work group and has been reaffirmed with a publication date of April 14, 2017. It specifies recommended processes for conducting penetration testing within financial services organizations. It also describes a framework for specifying, describing and conducting penetration tests and for reporting their results. X9.111 allows an entity procuring penetration testing services to identify the objects to be tested, specify the level of testing to be performed, and set a minimum set of testing expectations.

 

X9.119-1 Retail Financial Services – Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods

The X9F6 Cardholder Authentication and ICC's work group has revised this standard to clarify the encryption of the middle digits of the PAN. The revised standard was published on May 27, 2016. The card payments industry has had a series of robust standards for decades addressing the security of PINs and the techniques for protecting them. Theft of sensitive card data during a retail payment transaction is increasingly a major source of financial fraud. Besides an optional encrypted PIN, this data includes the magnetic stripe track 2 data: PAN, expiration date, card verification value, and issuer private data. While thefts of this data have been reported at all segments of the transaction processing system, the most vulnerable segments are between the point-of-transaction device that captures the magnetic stripe data and the processing systems at the acquirer. This document standardizes the security requirements and implementation of a method for protecting this sensitive card data over these segments. Several implementations exist to address this situation, and this document provides guidance for evaluating them.

 

X9.119-2 Requirements for Protection of Sensitive Payment Card Data-Part 2 Using Tokenization Methods

This standard was submitted as a new work item on September 25, 2012. It recently went to subcommittee ballot, and the comments received on the ballot are currently under review. This document would standardize the security requirements and implementation of a method for protecting the same sensitive card data, over the same segments of the transaction path, using tokenization, and would be a companion standard to X9.119 Part 1. Several implementations exist to address this situation, and this document would provide guidance for evaluating them.

 

TR-31 Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms

This technical report is currently under revision by the X9F6 Cardholder Authentication and ICC's work group. It has been voted on at the subcommittee level and the comments are being reviewed. X9 TR-31 describes a method, consistent with the requirements of ANS X9.24 Retail Financial Services Symmetric Key Management Part 1, for the secure exchange of keys and other sensitive data between two devices that share a symmetric key exchange key. The key is carried in a key block whose clear-text header states the key's attributes (usage, algorithm, mode of use, exportability) and is bound to the encrypted key by a MAC, so the receiving device can enforce those attributes and a key cannot be silently repurposed. The same method may also be used for the storage of keys under a symmetric key.
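The following is an added example, not code from X9 or from any TR-31 implementation, showing what a receiving device does with the clear-text part of a TR-31 key block before it ever touches the wrapped key: parse the 16-character header, walk the optional-block chain, split the remainder into encrypted key data and MAC, and check the bound attributes against the purpose the key is being loaded for. Key derivation, decryption and MAC verification are deliberately left out because they require the key block protection key and a TDES/AES CMAC library; the code tables are a subset of the codes TR-31 defines, and the sample block's encrypted payload and MAC are constructed placeholder hex, not a real wrapping.

```python
"""Parse and sanity-check the clear-text part of an ANSI X9 TR-31 key block.

Added illustrative example. Covers the 16-character header, optional blocks and
the encrypted-data/MAC split; does NOT derive keys, decrypt or verify the MAC.
"""
import string
from dataclasses import dataclass

# Version ID -> (MAC length in hex chars, cipher block length in hex chars).
VERSION_PARAMS = {
    "A": (8, 16),   # TDES key variant binding (legacy)
    "B": (16, 16),  # TDES key derivation binding
    "C": (8, 16),   # TDES key variant binding (legacy)
    "D": (32, 32),  # AES key derivation binding
}
# Subsets of the TR-31 code tables, enough for this example.
KEY_USAGE = {"B0": "BDK base derivation key", "D0": "data encryption",
             "K0": "key encryption / wrapping", "K1": "TR-31 key block protection key",
             "M3": "ISO 9797-1 MAC algorithm 3", "P0": "PIN encryption",
             "V1": "PIN verification, IBM 3624", "V2": "PIN verification, VISA PVV"}
ALGORITHM = {"A": "AES", "D": "DES", "E": "elliptic curve", "H": "HMAC",
             "R": "RSA", "S": "DSA", "T": "TDES"}
MODE_OF_USE = {"B": "encrypt and decrypt", "C": "MAC generate only",
               "D": "decrypt/unwrap only", "E": "encrypt/wrap only",
               "G": "generate only", "N": "no special restrictions",
               "S": "signature only", "T": "sign and verify",
               "V": "MAC verify only", "X": "key derivation", "Y": "create key variants"}
EXPORTABILITY = {"E": "exportable under an X9.24-compliant KEK",
                 "N": "non-exportable", "S": "sensitive; exportable under any KEK"}


@dataclass
class KeyBlock:
    version: str
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict
    encrypted_key: str  # hex, still encrypted under the key block encryption key
    mac: str            # hex, covers header + optional blocks + plaintext key data


def _is_hex(s):
    return s != "" and all(c in string.hexdigits for c in s)


def parse_key_block(block: str) -> KeyBlock:
    if len(block) < 16 or not block.isascii():
        raise ValueError("key block must be at least 16 ASCII characters")
    version = block[0]
    if version not in VERSION_PARAMS:
        raise ValueError(f"unknown key block version {version!r}")
    mac_len, blk_len = VERSION_PARAMS[version]
    length = block[1:5]                       # total length, 4 decimal digits
    if not length.isdigit() or int(length) != len(block):
        raise ValueError(f"length field {length!r} != actual length {len(block)}")
    usage, alg, mode = block[5:7], block[7], block[8]
    key_ver, export, nopt, reserved = block[9:11], block[11], block[12:14], block[14:16]
    for value, table, name in ((usage, KEY_USAGE, "key usage"), (alg, ALGORITHM, "algorithm"),
                               (mode, MODE_OF_USE, "mode of use"), (export, EXPORTABILITY, "exportability")):
        if value not in table:
            raise ValueError(f"unknown {name} {value!r}")
    if not nopt.isdigit() or reserved != "00":
        raise ValueError("bad optional-block count or reserved field")
    # Optional blocks: 2-char ID, 2 hex chars total length (incl. ID and length), data.
    pos, opts = 16, {}
    for _ in range(int(nopt)):
        oid, olen = block[pos:pos + 2], block[pos + 2:pos + 4]
        if olen == "00":
            raise ValueError("extended optional-block length not supported here")
        if not _is_hex(olen):
            raise ValueError(f"bad optional block length {olen!r}")
        n = int(olen, 16)
        if n < 4 or pos + n > len(block):
            raise ValueError(f"optional block {oid!r} overruns key block")
        opts[oid] = block[pos + 4:pos + n]
        pos += n
    if (pos - 16) % blk_len:   # optional blocks are padded (PB block) to the cipher block size
        raise ValueError("optional blocks are not a multiple of the cipher block size")
    body = block[pos:]
    if len(body) <= mac_len:
        raise ValueError("no encrypted key data")
    enc, mac = body[:-mac_len], body[-mac_len:]
    if not _is_hex(enc) or not _is_hex(mac) or len(enc) % blk_len:
        raise ValueError("encrypted key data / MAC malformed")
    return KeyBlock(version, usage, alg, mode, key_ver, export, opts, enc, mac)


def is_well_formed(block: str) -> bool:
    try:
        parse_key_block(block)
        return True
    except ValueError:
        return False


def usable_for(kb: KeyBlock, usage: str, operation: str) -> bool:
    """Policy check a receiver applies after the MAC verifies: operation is 'E'
    (encrypt/wrap) or 'D' (decrypt/unwrap); 'B' and 'N' in the header permit both."""
    return kb.key_usage == usage and kb.mode_of_use in {operation, "B", "N"}


# Constructed sample (hypothetical values): version B, 112 chars, PIN encryption
# key, TDES, encrypt-only, non-exportable, two optional blocks (KS + PB padding).
SAMPLE_KS = "FFFF9876543210E00001"                 # constructed DUKPT-style key set id
SAMPLE_BLOCK = ("B0112P0TE00N0200"
                + "KS18" + SAMPLE_KS               # 0x18 = 24 chars total
                + "PB080000"                       # padding block to reach 32 chars
                + "0123456789ABCDEF" * 3           # 24 bytes of placeholder "ciphertext"
                + "0011223344556677")              # 8-byte placeholder MAC
```

Usage: `parse_key_block(SAMPLE_BLOCK)` yields key usage P0 with mode E, so `usable_for(kb, "P0", "E")` is true while `usable_for(kb, "P0", "D")` and `usable_for(kb, "K0", "E")` are false; a block whose length field has been altered (for example `"B0113" + SAMPLE_BLOCK[5:]`) is rejected by `is_well_formed`. In a real receiver the MAC verification, which is what actually makes the header attributes trustworthy, must succeed before `usable_for` is consulted.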

 

TR-34 Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 Using Factoring-Based Public Key Cryptography Unilateral Key Transport

This technical report is currently under revision by the X9F6 Cardholder Authentication and ICC's work group. A new work item was submitted on February 5, 2016. Once the revised draft has been received it will proceed to a subcommittee ballot. This document describes a method, consistent with the requirements of ANS X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys, for the secure exchange of symmetric keys using asymmetric techniques between two devices that hold each other's public keys. The method is designed to operate within the existing capabilities of devices used in the retail financial services industry.