Select Page

X9F Data and Information Security Subcommittee – Project Status

Call For Experts

TR 61 PQC Assessment Guideline

Project Description| The technical report for a Post-Quantum Cryptography (PQC) Assessment Guideline will provide objectives and criteria, without specifying details that will be addressed in other industry standards. The guideline might be used by an organization as a self-assessment tool, an informal assessment of a third party service provider, or an independent assessment by a qualified information security professional.

Stakeholders| Financial institutions, regional banks, credit unions, retail merchants, service providers, cloud providers, mobile operators, etc. will need to transition to PQC algorithms, and possibly alternative key management methods. Note that this guideline might be used by an organization as a self-assessment tool, an informal assessment of a third party service provider, or an independent assessment by a qualified information security professional.

To participate in the development of this standard click here.


X9.84 Biometric Information Management and Security

Project Description| This standard describes the security framework for using biometrics for authentication of individuals in financial services. It introduces the types of biometric technologies and addresses issues concerning their application. This standard also describes the architectures for implementation, specifies the minimum-security requirements for effective management, and provides control objectives and recommendations suitable for use by a professional practitioner. Within the scope of this Standard the following topics are addressed:

  • Security for the collection, distribution, and processing, of biometric data, encompassing data integrity, authenticity, and non-repudiation
  • Management of biometric data across its life cycle comprised of the enrollment, transmission and storage, verification, identification, and termination processes
  • Usage of biometric technology, including one-to-one and one-to-many matching, for the identification and authentication of banking customers and employees
  • Application of biometric technology for internal and external, as well as logical and physical access control
  • Encapsulation and cryptographic protection of biometric information for security, interoperability, and data confidentiality
  • Secure transmission and storage of biometric information during its life cycle
  • Security of the physical hardware used throughout the biometric data life cycle
  • Cryptographic techniques for data integrity, authenticity, and data confidentiality of biometric information
  • Validation of credentials presented at enrollment to support authentication as required by risk management
  • Surveillance to protect the financial institution and its customers

Stakeholders| Developers, service providers, financial institutions, regulators, and auditors.

To participate in the development of this standard click here.


X9.111 Penetration Testing within the Financial Services Industry

Project Description| This standard specifies recommended processes for conducting penetration testing with financial service organizations. This standard describes a framework for specifying, describing and conducting penetration testing, and then relating the results of the penetration testing. This standard allows an entity interested in obtaining penetration testing services to identify the objects to be tested, specify a level of testing to occur, and to set a minimal set of testing expectations.

Stakeholders| Financial services industry

To participate in the development of this standard click here.

X9.112-3 Wireless Management and Security – Part 3: Mobile

Project Description| The mobile environment represents a challenging interplay between the financial services, mobile manufacturers and mobile carriers industries. Financial institutions, merchants, payment providers and consumers all need a level of assurance the following are reliable:

Mobile transactions can be conducted securely and reliably among merchants, payment providers and financial institutions.
SE can operate securely on any mobile platform independently of the hardware, operating system and software environment.
TSM can be relied upon to provide interoperable services to the various mobile participants, including mobile component and platform manufacturers, mobile carriers and operators, merchants, payment providers, and financial institutions.

Stakeholders| Financial institutions, Merchants, Payment providers, Phone manufacturers, SIM manufacturers, Software manufacturers, Mobile carriers

To participate in the development of this standard click here

X9.24-4 Retail Financial Services Symmetric Key Management Part 4: Host-to-Host Key Management using Unique Key Per Transaction (UKPT)

Project Description| Provides a standard supporting automated method(s) for the management of Symmetric keys between hosts on a per-transaction basis. Without a standard, organizations have created proprietary key management solutions for managing host keys.

Project Need| This standard will provide an interoperable solution for automating management of Symmetric keys on a per-transaction basis between Hosts. Existing key management methods like DUKPT are focused on payment originating device to host models which do not translate well to managing keys between hosts.

Stakeholders| SCD vendors, Transaction processing hosts, Key loading facilities, Networks, PCI SSC

To participate in the development of this standard click here.

X9.148 QR Code Protection using Cryptographic Solutions

Project Description| QR Codes (Quick Response code) are a type of matrix barcode (or 2-D barcode) standardized per ISO/IEC 18004 that became popular due to fast readability and greater storage capacity compared to standard 1-D Universal Product Code (UPC) barcodes. Applications include product tracking, item identification, time tracking, document management, general marketing, and even payments. For example, EMV employs QR Codes as a merchant payment scheme.

Project Need| Develop a new standard for QR Codes management and security for use within the financial services industry. Untrusted QR Cords are vulnerable to modification, duplication, and masquerading, whereas a trusted QR Code protected using cryptographic solutions would be protected against modification, duplication, and masquerading by unauthorized service providers. Trusted QR Codes would be an identity theft and transaction fraud deterrent.

Stakeholders| Merchants Financial institutions Regulatory organizations Service providers Hardware and software manufacturers Auditors and assessors

To participate in the development of this standard click here.


X9.8-2 Approved Algorithms for PIN Encipherment

Project Description| ISO 9564 is the series of international standards that govern security of the accountholder PIN used in retail payment transactions (e.g., at an ATM or merchant). ANSI X9.8 Part 1 exists as the U.S. version of ISO 9564 Part 1. This project will adopt ISO 9564 Part 2, which identifies the algorithms permitted for use to encrypt PINs. The ANSI version (adoption with modification) would be X9.8 Part 2.

Project Need| Part 2 of the series for protecting PINs includes the permitted algorithms. A U.S. standard is needed that addresses this.

Stakeholders| Banks, Software and Hardware Developers, Payment Networks, Service Providers, Merchants, Auditors

To participate in the development of this standard click here.


TR 57 Methods of Hybrid use of Post-Quantum Cryptography with Classical Cryptography Techniques

Project Description| As we transition from classical cryptography to post-quantum cryptography (PQC), there is a need to understand the proper ways to use both methods simultaneously. PQC methods will not be able to be used as a direct replacement in all cases. And the confidence and broad acceptance of PQC methods will not be as great as classical cryptography. Simultaneous use of both classical cryptography and PQC methods for both security and acceptance is required during a transition and may be required long term as well. There are improper and insecure ways of implementing a hybrid of classical and PQC methods. Specifying the proper methods of using both are required.

Project Need| There are no standards for how to use classical cryptography and PQC simultaneously. Users of X9 standards need guidance for how to properly use a hybrid of classical and PQC methods when implementing solutions.

Stakeholders| Stakeholders include financial institutions, vendors, and auditors.

To participate in the development of this standard click here.


X9.135 Secret Sharing Schemes

Project DescriptionSecret sharing schemes includes cryptographic methods for distributing a secret amongst a group of participants, such that no one person has access to the secret. Each participant is allocated a share of the secret, so that working in concert some subgroup can recreate the secret, such as a symmetric key or asymmetric private key. Secret sharing is an important dual control with split knowledge security method, commonly referred to as an N of M scheme.

Project NeedDue to the lack of standards, there are misconceptions and misinformation about secret sharing methods, what they are, where to store them, how they work, and when to use them in a secure fashion. A new standard addressing secret sharing would provide valuable information to product manufactures, service providers (including cloud services) and end-users attempting to secure their cryptographic systems.

StakeholdersProduct manufacturers, Application manufacturers, Service (cloud) providers, Security professionals

To participate in the development of this standard click here.


Current Work

TR 56 Crypto-Agility: A Method for Remote Upgrade to Stronger Terminal Master Keys

An important principle of key management is that cryptographic keys should only be protected/encrypted with keys of equal or greater strength. This principle ensures that the bit-strength of a key is maintained. As most deployed devices have a TDES or RSA key installed as their root of trust, one of the bigger challenges facing the financial industry in our move to stronger crypto like AES and ECC is the question of how you get these new keys into a deployed device without returning it to the ESO/manufacturer. This method will document a means to upgrade the existing top-level TDES or RSA terminal master keys to stronger AES or ECC keys. The method will use existing industry algorithms (e.g. SP800-56A compliant key establishment schemes, and TR-31 or TR-34 key transfer methods). For more information on this initiative contact us.

X9.125 Cloud Management & Security

The goal of this standard is to describe a common set of data needed for automating internal control and compliance testing of cloud service infrastructures. The data standard would be designed to support standard control frameworks, including ISO 2700x, COSO/COBIT, PCI DSS, and others. This standard will assist in the orderly transition to enterprise grade cloud services by creating the data requirements and related specifications necessary for managing compliance reporting by cloud service providers. For more information on this initiative contact us.

X9.139 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport

X9 has published a technical report, TR-34, which describes a method consistent with the requirements of ANSI X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry. This technical report has grown in popularity with the growth of remote key distribution technology. Due to increased usage of TR-34, the X9F subcommittee will be standardizing the methods included in TR-34 to improve industry interoperability. For more information on this initiative contact us.

X9.124 Parts 1, 3, 4 and 5 Format Preserving Encryption of Financial Information

X9.124 Parts 1-5 define requirements for using ciphers in Format Preserving Encryption (FPE) modes and specify approved FPE modes. Using an FPE mode encrypts data strings of a specific length and character set into cipher-text of the same length using the same character set. X9.124 Part 1 provides a set of recommendations for use of these techniques within financial systems and defines a baseline set of security parameters that other standards organizations can use. X9.124 Part 3 will cover FF1 Feistel-Based Mode 1 while X9.124 Part 4 will cover FF1 Feistel-Based Mode 2 and X9.124 Part 5 will cover FF3, Feistel-Based Mode 3. To participate in the development of these standards click here.