X9F Data and Information Security Subcommittee – Project Status
Call For Experts
X9.135 Secret Sharing Schemes
Project Description| Secret sharing schemes include cryptographic methods for distributing a secret amongst a group of participants, such that no one person has access to the secret. Each participant is allocated a share of the secret, so that some subgroup, working in concert, can recreate the secret, such as a symmetric key or an asymmetric private key. Secret sharing is an important security method for dual control with split knowledge, commonly referred to as an N of M scheme.
Project Need| Due to the lack of standards, there are misconceptions and misinformation about secret sharing methods: what they are, where to store the shares, how they work, and when to use them in a secure fashion. A new standard addressing secret sharing would provide valuable information to product manufacturers, service providers (including cloud services) and end-users attempting to secure their cryptographic systems.
Stakeholders| Product manufacturers, Application manufacturers, Service (cloud) providers, Security professionals
To participate in the development of this standard click here.
X9.141 Financial and Personal Data Protection and Breach Notification Standard
Project Description| This standard is intended to ensure that all entities that handle sensitive financial data and PII have in place a robust process to protect this data and prevent breaches from happening. This standard should apply to all organizations that handle sensitive payment information, and it would provide a consistent breach notification process to protect consumers and other stakeholders nationwide. Our existing payment systems serve hundreds of millions of consumers, retailers, financial institutions, and the economy well. Protecting the U.S. payment systems is a shared responsibility of all parties involved. We must work together and invest the necessary resources to combat increasingly sophisticated threats to the payments system.
Project Need| This standard should also provide a consistent breach notification process to protect customers and other stakeholders nationwide. We must work together and invest the necessary resources to combat increasingly sophisticated threats.
Stakeholders| All organizations that handle sensitive consumer payment information and customer identifiable information including: Financial institutions, Credit Bureaus, Merchants/Retailers, Consumers, Application manufacturers, Service providers, Security professionals
To participate in the development of this standard click here.
TR 56 Crypto-Agility: A Method for Remote Upgrade to Stronger Terminal Master Keys
An important principle of key management is that cryptographic keys should only be protected/encrypted with keys of equal or greater strength. This principle ensures that the bit-strength of a key is maintained. As most deployed devices have a TDES or RSA key installed as their root of trust, one of the bigger challenges facing the financial industry in its move to stronger cryptography such as AES and ECC is how to get these new keys into a deployed device without returning it to the ESO/manufacturer. This technical report will document a means to upgrade the existing top-level TDES or RSA terminal master keys to stronger AES or ECC keys. The method will use existing industry algorithms (e.g. SP 800-56A compliant key establishment schemes, and TR-31 or TR-34 key transfer methods). For more information on this initiative contact us.
X9.125 Cloud Management & Security
The goal of this standard is to describe a common set of data needed for automating internal control and compliance testing of cloud service infrastructures. The data standard would be designed to support standard control frameworks, including ISO 2700x, COSO/COBIT, PCI DSS, and others. This standard will assist in the orderly transition to enterprise grade cloud services by creating the data requirements and related specifications necessary for managing compliance reporting by cloud service providers. For more information on this initiative contact us.
X9.139 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport
X9 has published a technical report, TR-34, which describes a method consistent with the requirements of ANSI X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry. This technical report has grown in popularity with the growth of remote key distribution technology. Due to increased usage of TR-34, the X9F subcommittee will be standardizing the methods included in TR-34 to improve industry interoperability. For more information on this initiative contact us.
X9.124 Parts 1, 3, 4 and 5 Format Preserving Encryption of Financial Information
X9.124 Parts 1-5 define requirements for using ciphers in Format Preserving Encryption (FPE) modes and specify approved FPE modes. An FPE mode encrypts a data string of a specific length and character set into ciphertext of the same length over the same character set. X9.124 Part 1 provides a set of recommendations for the use of these techniques within financial systems and defines a baseline set of security parameters that other standards organizations can use. X9.124 Part 3 will cover FF1, Feistel-Based Mode 1, X9.124 Part 4 will cover FF2, Feistel-Based Mode 2, and X9.124 Part 5 will cover FF3, Feistel-Based Mode 3. To participate in the development of these standards click here.
TR-34 Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 Using Factoring-Based Public Key Cryptography Unilateral Key Transport
This technical report is currently under revision by the X9F6 Data and Information Security workgroup. This document describes a method consistent with the requirements of ANS X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry.
ASC X9 TR 48-2018 Card-Not-Present (CNP) Fraud Mitigation in the United States
ANSI X9.124-2-2018 Financial Services – Symmetric Key Cryptography for the Financial Services Industry – Format Preserving Encryption – Part 2: Key Stream with Counter Mode
ANSI X9.129-2017 (Version 01) Legal Order Exchange
ANSI X9.69-2017 Framework for Key Management Extensions