Standards

X9F Data and Information Security Subcommittee – Project Status

 

X9.24-1 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques

This standard is currently being reviewed by the X9F6 work group. The subcommittee ballot for this item closed on May 20, 2016 and the comments are currently under review. This part of the standard deals exclusively with the management of symmetric keys by symmetric techniques, using the TDES and AES algorithms. These symmetric algorithms are defined in other American National Standards Institute standards and are also in the public domain. This standard is arguably the most important security standard for the financial services industry, established to keep payment data, including PIN and cardholder account information, secure.

 

X9.111 Penetration Testing Within the Financial Services Industry

This standard is currently being reaffirmed by the X9F committee and the X9F4 workgroup. A BSR8 form was submitted on December 12, 2016 with a comment deadline of February 6, 2017. This standard specifies recommended processes for conducting penetration testing with financial service organizations. It also describes a framework for specifying, describing and conducting penetration testing, and then relating the results of the penetration testing. X9.111 allows an entity interested in obtaining penetration testing services to identify the objects to be tested, specify a level of testing to occur, and set a minimal set of testing expectations.

 

X9.119-1 Retail Financial Services – Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods

This standard has been under its five-year review and has been voted on at both the subcommittee and Board level. It is currently under public review in the standards action. The card payments industry has had a series of robust standards for decades addressing the security of PINs and the techniques for their protection. However, to date no X9 standards exist for the protection of sensitive card payment data as it travels through payment networks. X9.119 is proposed as a standard for the protection of sensitive card payment data through the use of encryption.

 

X9.119-2 Requirements for Protection of Sensitive Payment Card Data-Part 2 Using Tokenization Methods

This standard was submitted as a new work item on September 25, 2012. Recently, it went to subcommittee ballot and the comments received on the ballot are currently under review. This document would standardize the security requirements and implementation for a method for protecting this sensitive card data over these segments using tokenization and would be a companion standard to X9.119 part 1. Several implementations exist to address this situation. This document would provide guidance for evaluating these implementations.

 

TR-31 Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms

This standard is currently under revision by the X9F subcommittee and X9F6. A new work item was submitted on February 5, 2016, and once the revised draft is received, it will be submitted for subcommittee ballot. This Technical Report is intended to give the reader an implementation that meets the requirements for secure key management as set forth in ANS X9.24 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques.

 

TR-34 Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 Using Factoring-Based Public Key Cryptography Unilateral Key Transport

This standard is currently under revision by the X9F subcommittee and X9F workgroup. A new work item was submitted on February 5, 2016. Once the revised draft has been received, it will proceed to a subcommittee ballot. This Technical Report is intended to give the reader an implementation that meets the requirements for secure key distribution as set forth in ANS X9.24 Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys.