X9F Data and Information Security Subcommittee – Project Status

Call For Experts

X9.24-4 Retail Financial Services Symmetric Key Management Part 4: Host-to-Host Key Management using Unique Key Per Transaction (UKPT)

Project Description| Provides a standard supporting automated method(s) for the management of Symmetric keys between hosts on a per-transaction basis. Without a standard, organizations have created proprietary key management solutions for managing host keys.

Project Need| This standard will provide an interoperable solution for automating management of Symmetric keys on a per-transaction basis between Hosts. Existing key management methods like DUKPT are focused on payment originating device to host models which do not translate well to managing keys between hosts.

Stakeholders| SCD vendors, Transaction processing hosts, Key loading facilities, Networks, PCI SSC

To participate in the development of this standard click here.

X9.148 QR Code Protection using Cryptographic Solutions

Project Description| QR Codes (Quick Response code) are a type of matrix barcode (or 2-D barcode) standardized per ISO/IEC 18004 that became popular due to fast readability and greater storage capacity compared to standard 1-D Universal Product Code (UPC) barcodes. Applications include product tracking, item identification, time tracking, document management, general marketing, and even payments. For example, EMV employs QR Codes as a merchant payment scheme.

Project Need| Develop a new standard for QR Codes management and security for use within the financial services industry. Untrusted QR Cords are vulnerable to modification, duplication, and masquerading, whereas a trusted QR Code protected using cryptographic solutions would be protected against modification, duplication, and masquerading by unauthorized service providers. Trusted QR Codes would be an identity theft and transaction fraud deterrent.

Stakeholders| Merchants Financial institutions Regulatory organizations Service providers Hardware and software manufacturers Auditors and assessors

To participate in the development of this standard click here.


X9.8-2 Approved Algorithms for PIN Encipherment

Project Description| ISO 9564 is the series of international standards that govern security of the accountholder PIN used in retail payment transactions (e.g., at an ATM or merchant). ANSI X9.8 Part 1 exists as the U.S. version of ISO 9564 Part 1. This project will adopt ISO 9564 Part 2, which identifies the algorithms permitted for use to encrypt PINs. The ANSI version (adoption with modification) would be X9.8 Part 2.

Project Need| Part 2 of the series for protecting PINs includes the permitted algorithms. A U.S. standard is needed that addresses this.

Stakeholders| Banks, Software and Hardware Developers, Payment Networks, Service Providers, Merchants, Auditors

To participate in the development of this standard click here.


TR 57 Methods of Hybrid use of Post-Quantum Cryptography with Classical Cryptography Techniques

Project Description| As we transition from classical cryptography to post-quantum cryptography (PQC), there is a need to understand the proper ways to use both methods simultaneously. PQC methods will not be able to be used as a direct replacement in all cases. And the confidence and broad acceptance of PQC methods will not be as great as classical cryptography. Simultaneous use of both classical cryptography and PQC methods for both security and acceptance is required during a transition and may be required long term as well. There are improper and insecure ways of implementing a hybrid of classical and PQC methods. Specifying the proper methods of using both are required.

Project Need| There are no standards for how to use classical cryptography and PQC simultaneously. Users of X9 standards need guidance for how to properly use a hybrid of classical and PQC methods when implementing solutions.

Stakeholders| Stakeholders include financial institutions, vendors, and auditors.

To participate in the development of this standard click here.


X9.135 Secret Sharing Schemes

Project DescriptionSecret sharing schemes includes cryptographic methods for distributing a secret amongst a group of participants, such that no one person has access to the secret. Each participant is allocated a share of the secret, so that working in concert some subgroup can recreate the secret, such as a symmetric key or asymmetric private key. Secret sharing is an important dual control with split knowledge security method, commonly referred to as an N of M scheme.

Project NeedDue to the lack of standards, there are misconceptions and misinformation about secret sharing methods, what they are, where to store them, how they work, and when to use them in a secure fashion. A new standard addressing secret sharing would provide valuable information to product manufactures, service providers (including cloud services) and end-users attempting to secure their cryptographic systems.

StakeholdersProduct manufacturers, Application manufacturers, Service (cloud) providers, Security professionals

To participate in the development of this standard click here.


Current Work

TR 56 Crypto-Agility: A Method for Remote Upgrade to Stronger Terminal Master Keys

An important principle of key management is that cryptographic keys should only be protected/encrypted with keys of equal or greater strength. This principle ensures that the bit-strength of a key is maintained. As most deployed devices have a TDES or RSA key installed as their root of trust, one of the bigger challenges facing the financial industry in our move to stronger crypto like AES and ECC is the question of how you get these new keys into a deployed device without returning it to the ESO/manufacturer. This method will document a means to upgrade the existing top-level TDES or RSA terminal master keys to stronger AES or ECC keys. The method will use existing industry algorithms (e.g. SP800-56A compliant key establishment schemes, and TR-31 or TR-34 key transfer methods). For more information on this initiative contact us.

X9.125 Cloud Management & Security

The goal of this standard is to describe a common set of data needed for automating internal control and compliance testing of cloud service infrastructures. The data standard would be designed to support standard control frameworks, including ISO 2700x, COSO/COBIT, PCI DSS, and others. This standard will assist in the orderly transition to enterprise grade cloud services by creating the data requirements and related specifications necessary for managing compliance reporting by cloud service providers. For more information on this initiative contact us.

X9.139 Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques: Part 1 – Using Factoring-Based Public Key Cryptography Unilateral Key Transport

X9 has published a technical report, TR-34, which describes a method consistent with the requirements of ANSI X9.24-2 Retail Financial Services Symmetric Key Management – Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry. This technical report has grown in popularity with the growth of remote key distribution technology. Due to increased usage of TR-34, the X9F subcommittee will be standardizing the methods included in TR-34 to improve industry interoperability. For more information on this initiative contact us.

X9.124 Parts 1, 3, 4 and 5 Format Preserving Encryption of Financial Information

X9.124 Parts 1-5 define requirements for using ciphers in Format Preserving Encryption (FPE) modes and specify approved FPE modes. Using an FPE mode encrypts data strings of a specific length and character set into cipher-text of the same length using the same character set. X9.124 Part 1 provides a set of recommendations for use of these techniques within financial systems and defines a baseline set of security parameters that other standards organizations can use. X9.124 Part 3 will cover FF1 Feistel-Based Mode 1 while X9.124 Part 4 will cover FF1 Feistel-Based Mode 2 and X9.124 Part 5 will cover FF3, Feistel-Based Mode 3. To participate in the development of these standards click here.