ASC X9 Releases Standards for Secure Online Authentication, Addressing Transaction Issues Experienced during the Coronavirus Shutdown
New Version of X9.117 for Mutual Authentication; All-new X9.122 Standard for Customer Authentication for Internet Payments
ANNAPOLIS, Md. – April 28, 2020 — The Accredited Standards Committee X9 Inc. (X9) today announced that it has published two standards in the area of secure online authentication. These standards address improved security for the increasing number of online transactions, such as those being made during coronavirus stay-at-home orders.
X9.117-2020, “Mutual Authentication for Secure Remote Access,” is a risk-based standard addressing authentication factors within any environment. X9.122-2020, “Secure Consumer Authentication for Internet Payments,” is a new standard that addresses internet-based authentication using established techniques with existing standards and provides requirements for new techniques. Both standards are now available for download.
X9.117-2020 — Mutual Authentication for Secure Remote Access
The financial services industry employs a number of methods of electronically authorizing and authenticating entities and protecting financial transactions, such as Personal Identification Numbers (PINs) and Message Authentication Codes (MACs) for retail and wholesale financial transactions, user IDs and passwords for network and computer access, and key management for network connectivity.
X9.117 creates an authentication framework for using these methods that can be adopted by both financial institutions and their customers, allowing them to achieve a higher level of confidence that they are communicating and transacting with the appropriate party. The resulting reduction of risk benefits all parties to a transaction — financial institutions, vendors and consumers alike.
Changes from the 2012 version of X9.117 include updated terms, definitions and descriptions for clarity, re-alignment with authentication methods in other X9 standards, an expanded scope to directly address mutual authentication, and modernized requirements and recommendations.
X9.122-2020 — Secure Consumer Authentication for Internet Payments
Security issues with internet-based payments are a concern for consumers, in the face of threats such as eavesdropping, phishing, counterfeit websites, malware, spyware, screen scraping, keystroke loggers and so on, especially now, as criminals attempt to take advantage of coronavirus lockdowns. Although there are methods in use for authenticating internet transactions, including dynamic floating PINs, one-time passwords and authenticating the cardholder via financial institutions’ online banking sites, there had previously been no standards for internet-based consumer authentication of the increasing number of these transactions.
This new X9.122 standard defines requirements for providing secure consumer authentication for internet-based payments, and it also provides guidance for using other industry standards online, where applicable. By providing secure internet payment options with which consumers can be comfortable and confident, financial institutions will strengthen their relationships with consumers, and all parties will benefit.
“Availability of these two new authentication standards will help financial services providers develop more secure transaction systems, delivering increased safety and peace of mind to their customers during future periods of crisis,” said X9 Executive Director Steve Stevens. “X9 is constantly working to create and update standards that enhance security and protection for online financial transactions, aiming to stay ahead of the many threats proliferating on the internet, particularly today – X9.117 and X9.122 represent only the latest part of our ongoing efforts.”
About the Accredited Standards Committee X9 Inc.
The Accredited Standards Committee X9 Inc. is a non-profit organization accredited by the American National Standards Institute (ANSI) to develop and maintain national and – through ISO — international standards for the financial services industry. The subjects of X9’s standards include: retail, mobile and business payments; corporate treasury functions; block chain technology; processing of electronic legal orders issued to financial institutions; tracking of financial transactions and instruments; financial transaction messaging (ISO 8583 and 20022); quantum computing; PKI; checks; cloud; data breach notification and more.
X9 acts as the U.S. Technical Advisory Group (TAG) for ISO TC68 (Financial), TC321 (E-Commerce) and TC322 (Sustainable Finance) and performs the secretariat functions for ISO TC68. Please visit our website (www.x9.org) for more information.
ASC X9 TR 48-2018 Card-Not-Present (CNP) Fraud Mitigation in the United States
ANSI X9.124-2-2018 Financial Services – Symmetric Key Cryptography for the Financial Services Industry – Format Preserving Encryption – Part 2: Key Stream with Counter Mode
ANSI X9.129-2017 (Version 01) Legal Order Exchange
ANSI X9.69-2017 Framework for Key Management Extensions