This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off
  • Draft
    40 pages
    English language
    sale 15% off

ISO/IEC 30163:2021 specifies the system requirements of an Internet of Things (IoT)/Sensor Network (SN) technology-based platform for chattel asset monitoring supporting financial services, including:
- System infrastructure that describes functional components;
- System and functional requirements during the entire chattel asset management process, including chattel assets in transition, in/out of warehouse, storage, mortgage, etc.;
- Performance requirements and performance specifications of each functional component;
- Interface definition of the integrated platform system.
This document is applicable to the design and development of IoT/SN system for chattel asset monitoring supporting financial services.

  • Standard
    20 pages
    English language
    sale 15% off

This document discusses the threats, risks, and controls related to:
— systems that provide digital asset custodian services and/or exchange services to their customers (consumers and businesses) and management of security when an incident occurs;
— asset information (including the signature key of the digital asset) that a custodian of digital assets manages.
This document is addressed to digital asset custodians that manage signature keys associated with digital asset accounts. In such a case, certain specific recommendations apply.
The following is out of scope of this document:
— core security controls of blockchain and DLT systems;
— business risks of digital asset custodians;
— segregation of customer's assets;
— governance and management issues.

  • Technical report
    35 pages
    English language
    sale 15% off
  • Draft
    35 pages
    English language
    sale 15% off

This document provides fundamental terminology for blockchain and distributed ledger technologies.

  • Standard
    10 pages
    English language
    sale 15% off
  • Draft
    10 pages
    English language
    sale 15% off

This document provides an overview of privacy and personally identifiable information (PII) protection as applied to blockchain and distributed ledger technologies (DLT) systems.

  • Technical report
    17 pages
    English language
    sale 15% off

This document defines the framework, function and protocols for an API ecosystem that will enable online synchronised interaction. Specifically, the document: — defines a logical and technical layered approach for developing APIs, including transformational rules. Specific logical models (such as ISO 20022 models) are not included, but they will be referenced in the context of specific scenarios for guidance purposes; — will primarily be thought about from a RESTful design point of view, but will consider alternative architectural styles (such as WebSocket and Webhook) where other blueprints or scenarios are offered; — defines for the API ecosystem design principles of an API, rules of a Web-service-based API, the data payload and version control; — sets out considerations relevant to security, identity and registration of an API ecosystem. Specific technical solutions will not be defined, but they will be referenced in the context of specific scenarios for guidance purposes; — defines architectural usage beyond query/response asynchronous messaging towards publish/subscribe to support advanced and existing business models. This document does not include: — a specific technical specification of an API implementation in financial services; — the development of JSON APIs based on the ISO 20022 specific message formats, such as PAIN, CAMT and PACS; — a technical specification that is defined or determined by specific legal frameworks.

  • Technical specification
    52 pages
    English language
    sale 15% off

This document describes a data element related to key management which can be transmitted either in transaction messages to convey information about cryptographic keys used to secure the current transaction, or in cryptographic service messages to convey information about cryptographic keys to be used to secure future transactions. This document addresses the requirements for the use of the data element related to key management within ISO 8583-1, using the following two ISO 8583-1 data elements for DEA and TDEA: — security related control information (data element 53); — key management data (data element 96). The data element related to key management for DEA and TDEA is constructed from the concatenation of two ISO 8583-1 message elements, data element 53 — security related control information, and data element 96 — key management data. It conveys information about the associated transaction's cryptographic key(s) and is divided into subfields including a control field, a key-set identifier and additional optional information. For AES implementations, the data elements are summarized in one field. This document is applicable to either symmetric or asymmetric cipher systems.

  • Standard
    14 pages
    English language
    sale 15% off

This document provides an overview of smart contracts in BC/DLT systems, describing what smart contracts are and how they work. It also discusses methods of interaction between multiple smart contracts. This document focuses on technical aspects of smart contracts. Smart contracts for legally binding use and applications are only briefly mentioned in this document.

  • Technical report
    42 pages
    English language
    sale 15% off

ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols. ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption. ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document. ISO 21188:2018 is targeted at several audiences with different needs, and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.

  • Standard
    108 pages
    English language
    sale 15% off

ISO 20038:2017 defines a method for packaging cryptographic keys for transport. This method can also be used for the storage of keys under an AES key. The method uses the block cipher AES as the wrapping cipher algorithm. Other methods for wrapping keys are outside the scope of this document but can use the authenticated encryption algorithms specified in ISO/IEC 19772.

  • Standard
    22 pages
    English language
    sale 15% off

ISO 9564-1:2017 specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. ISO 9564-1:2017 is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of ISO 9564-1:2017 are not intended to cover: a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO 9564-4); b) protection of the PIN against loss or intentional misuse by the customer; c) privacy of non-PIN transaction data; d) protection of transaction messages against alteration or substitution; e) protection against replay of the PIN or transaction; f) specific key management techniques; g) offline PIN verification used in contactless devices; h) requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.

  • Standard
    32 pages
    English language
    sale 15% off

ISO 13491-2:2017 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, ISO 11568‑1, ISO 11568‑2, and ISO 11568‑4 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue after which they are to be regarded as a "personal" device and outside of the scope of this document. ISO 13491-2:2017 does not address issues arising from the denial of service of an SCD. In the checklists given in Annex A to Annex H, the term "not feasible" is intended to convey the notion that although a particular attack might be technically possible, it would not be economically viable since carrying out the attack would cost more than any benefits obtained from a successful attack. In addition to attacks for purely economic gain, malicious attacks directed toward loss of reputation need to be considered.

  • Standard
    39 pages
    English language
    sale 15% off

ISO 13491-1:2016 specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609, and ISO 11568. ISO 13491-1:2016 has two primary purposes: - to state the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle; - to provide guidance for methodologies to verify compliance with those requirements. This information is contained in Annex A. ISO 13491-2 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, ISO 11568-1, ISO 11568-2, ISO 11568-3, ISO 11568-4, ISO 11568-5, and ISO 11568-6 in the financial services environment. Annex A provides an informative illustration of the concepts of security levels described in this part of ISO 13491 as being applicable to SCDs. ISO 13491-1:2016 does not address issues arising from the denial of service of an SCD. Specific requirements for the security characteristics and management of specific types of SCD functionality used in the retail financial services environment are contained in ISO 13491‑2.

  • Standard
    33 pages
    English language
    sale 15% off

ISO 9564-4:2016 provides requirements for the use of personal identification numbers (PIN) in eCommerce. The PINs in scope are the same cardholder PINs used as a means of cardholder verification in card-based financial transactions; notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, and vending machines. It is applicable to financial card-originated transactions requiring verification of the PIN and to those organizations responsible for implementing techniques for the management of the PIN in eCommerce. The provisions of this part of ISO 9564 are not intended to cover - passwords, passcodes, pass phrases and other shared secrets used for customer authentication in online banking, telephone banking, digital wallets, mobile payment, etc., - management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems, which are covered in ISO 9564‑1, - card proxies such as mobile phones or key fobs, - approved algorithms for PIN encipherment, which are covered in ISO 9564‑2, - the protection of the PIN against loss or intentional misuse by the customer or authorized employees of the issuer, - privacy of non-PIN transaction data, - protection of transaction messages against alteration or substitution, e.g. an online authorization response, - protection against replay of the transaction, - functionality of devices used for PIN entry which is related to issuer functions other than PIN entry, - specific key management techniques, and - access to, and storage of, card data other than the PIN by applications such as wallets.

  • Standard
    14 pages
    English language
    sale 15% off

ISO/IEC 8484:2014 specifies the characteristics and location of a magnetic stripe on a savingsbook and the use of such savingsbooks for international interchange. Compatibility with international interchange systems is provided through the requirements of ISO/IEC 8484:2014, enabling a savingsbook with a magnetic stripe to be read and possibly encoded in a device that is compatible with reading identification cards used in international interchange. ISO/IEC 8484:2014 specifies requirements for a magnetic stripe (including any protective overlay) on a savingsbook, the encoding technique, and coded character sets. It also specifies the characteristics of the savingsbook cover such as stiffness, minimum size, surface irregularities, roughness, and interaction between the cover material and the magnetic stripe. It takes into consideration both human and machine aspects and states minimum requirements. Coercivity influences many of the quantities specified in ISO/IEC 8484:2014 but is not itself specified. Exposure of the savingsbook to a magnetic field is likely to destroy the recorded data. ISO/IEC 8484:2014 defines performance criteria for savingsbooks. No consideration is given within ISO/IEC 8484:2014 to the amount of use, if any, experienced by the savingsbook prior to test.

  • Standard
    16 pages
    English language
    sale 15% off

ISO 9564-2:2014 specifies approved algorithms for the encipherment of Personal Identification Numbers (PINs).

  • Standard
    2 pages
    English language
    sale 15% off

ISO 1004-2:2013 specifies the shapes, dimensions and tolerances for the 10 digits 0 to 9, five symbols, and 26 letters, to be printed with magnetic ink for the purpose of character recognition. It describes the various types of printing defects and other printing considerations, together with the tolerances permitted, and also contains specifications to signal level measurement.

  • Standard
    32 pages
    English language
    sale 15% off

ISO 1004-1:2013 specifies the shape, dimensions, magnetic signal level, and tolerances for the E-13B characters which include 10 numerals and four special symbols printed in magnetic ink and used for the purpose of character recognition. It describes the various known types of printing defects and other printing considerations, together with the tolerances permitted.

  • Standard
    45 pages
    English language
    sale 15% off

This part of ISO 11568 specifies techniques for the protection of symmetric and asymmetric cryptographic keys in a retail banking environment using symmetric ciphers and the life-cycle management of the associated symmetric keys. The techniques described enable compliance with the principles described in ISO 11568-1. The techniques described are applicable to any symmetric key management operation. The notation used in this part of ISO 11568 is given in Annex A. Algorithms approved for use with the techniques described in this part of ISO 11568 are given in Annex B.

  • Standard
    29 pages
    English language
    sale 15% off

ISO/TR 14742:2010 provides a list of recommended cryptographic algorithms for use within applicable financial services standards prepared by ISO/TC 68. It also provides strategic guidance on key lengths and associated parameters and usage dates. The focus is on algorithms rather than protocols, and protocols are in general not included in ISO/TR 14742:2010. ISO/TR 14742:2010 deals primarily with recommendations regarding algorithms and key lengths. The categories of algorithms covered in ISO/TR 14742:2010 are: block ciphers; stream ciphers; hash functions; message authentication codes (MACs); asymmetric algorithms; digital signature schemes giving message recovery, digital signatures with appendix, asymmetric ciphers; authentication mechanisms; key establishment and agreement mechanisms; key transport mechanisms. ISO/TR 14742:2010 does not define any cryptographic algorithms; however, the standards to which ISO/TR 14742:2010 refers may contain necessary implementation information as well as more detailed guidance regarding choice of security parameters, security analysis, and other implementation considerations.

  • Technical report
    31 pages
    English language
    sale 15% off

ISO 19092:2008 describes the security framework for using biometrics for authentication of individuals in financial services. It introduces the types of biometric technologies and addresses issues concerning their application. ISO 19092:2008 also describes the architectures for implementation, specifies the minimum security requirements for effective management, and provides control objectives and recommendations suitable for use by a professional practitioner. The following are within the scope of ISO 19092:2008: usage of biometrics for the authentication of employees and persons seeking financial services by: verification of a claimed identity; identification of an individual; validation of credentials presented at enrolment to support authentication as required by risk management; management of biometric information across its life cycle comprised of the enrolment, transmission and storage, verification, identification and termination processes; security of biometric information during its life cycle, encompassing data integrity, origin authentication and confidentiality; application of biometrics for logical and physical access control; surveillance to protect the financial institution and its customers; security of the physical hardware used throughout the biometric information life cycle. ISO 19092:2008 provides the mandatory means whereby biometric information may be encrypted for data confidentiality or other reasons.

  • Standard
    77 pages
    English language
    sale 15% off

ISO 11568-4:2007 specifies techniques for the protection of symmetric and asymmetric cryptographic keys in a retail financial services environment using asymmetric cryptosystems and the life-cycle management of the associated asymmetric keys. The techniques described in this part of ISO 11568 enable compliance with the principles described in ISO 11568-1. For the purposes of this document, the retail financial services environment is restricted to the interface between: a card-accepting device and an acquirer; an acquirer and a card issuer; an ICC and a card-accepting device.

  • Standard
    22 pages
    English language
    sale 15% off

ISO 11568-1:2005 specifies the principles for the management of keys used in cryptosystems implemented within the retail-banking environment. The retail-banking environment includes the interface between a card accepting device and an acquirer, an acquirer and a card issuer, an ICC and a card-accepting device. An example of this environment and threats associated with the implementation of ISO 11568-1:2005 in the retail-banking environment are also described. ISO 11568-1:2005 is applicable both to the keys of symmetric cipher systems, where both originator and recipient use the same secret key(s), and to the private and public keys of asymmetric cryptosystems, unless otherwise stated. The procedure for the approval of cryptographic algorithms used for key management is specified. The use of ciphers often involves control information other than keys, e.g. initialization vectors and key identifiers. This other information is collectively called "keying material". Although ISO 11568-1:2005 specifically addresses the management of keys, the principles, services, and techniques applicable to keys may also be applicable to keying material. ISO 11568-1:2005 is appropriate for use by financial institutions and other organizations engaged in the area of retail financial services, where the interchange of information requires confidentiality, integrity, or authentication. Retail financial services include but are not limited to such processes as POS debit and credit authorizations, automated dispensing machine and ATM transactions, etc. ISO 9564 and ISO 16609 specify the use of cryptographic operations within retail financial transactions for personal identification number (PIN) encipherment and message authentication, respectively. The ISO 11568 series of standards is applicable to the management of the keys introduced by those standards. Additionally, the key management procedures may themselves require the introduction of further keys, e.g. key encipherment keys. The key management procedures are equally applicable to those keys.

  • Standard
    16 pages
    English language
    sale 15% off

ISO/TR 19038:2005 provides the user with technical support and details for the safe and efficient implementation of the Triple Data Encryption Algorithm (TDEA) modes of operation for the enhanced cryptographic protection of digital data. The modes of operation described therein are specified for both enciphering and deciphering operations. The modes described in this Technical Report are implementations of the block cipher modes of operation specified in ISO/IEC 10116 using the Triple DEA algorithm (TDEA) specified in ISO/IEC 18033-3. The TDEA modes of operation may be used in both wholesale and retail financial applications. The use of ISO/TR 19038:2005 provides the basis for the interoperability of products and facilitates the development of application standards that use the TDEA modes of operation. This Technical Report is intended for use with other ISO standards using DEA.

  • Technical report
    54 pages
    English language
    sale 15% off


  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    16 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    13 pages
    French language
    sale 15% off
  • Standard
    13 pages
    French language
    sale 15% off

Specifies the definition of the data encryption algorithm (DEA) as given in ANSI X3.92:1981.

  • Standard
    1 page
    English language
    sale 15% off
  • Standard
    4 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    1 page
    French language
    sale 15% off
  • Standard
    1 page
    French language
    sale 15% off

Specifies the minimum security measures required for effective international PIN management. Annexes A and B form an integral part of this standard. Annexes C, D, E, F, G and H are for information only.

  • Standard
    28 pages
    English language
    sale 15% off
  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    29 pages
    French language
    sale 15% off
  • Standard
    29 pages
    French language
    sale 15% off

Defines: the location and size of one or more areas on the securities for the printing of a line of characters; the position of this line; the structure and the contents of this line. Annexes A, B, C and D form an integral part of this standard.

  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    16 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    13 pages
    French language
    sale 15% off
  • Standard
    13 pages
    French language
    sale 15% off

Gives terms and definitions. Defines procedures in order to protect financial messages exchanged through any communications architecture. Annex A forms an integral part of this standard. Annexes B, C and D are for information only.

  • Standard
    22 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    18 pages
    English language
    sale 15% off
  • Standard
    18 pages
    French language
    sale 15% off
  • Standard
    18 pages
    French language
    sale 15% off
  • Standard
    125 pages
    English and French language
    sale 10% off
    e-Library read for
    1 day

DEA may be used as a suitable algorithm to implement ISO 10126-1, and is specified in ANSI X3.92. Keys shall be managed in accordance with ISO 8732.

  • Standard
    6 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    3 pages
    English language
    sale 15% off
  • Standard
    3 pages
    French language
    sale 15% off
  • Standard
    3 pages
    French language
    sale 15% off

Describes the process whereby cryptographic keys and initialisation vectors (keying material) are provided for use by two parties and continue to be subject to secure handling procedures until they have been destroyed. Has been divided into sections as follows: One: General, Two: Manual distribution of keying material, Three: Automatic distribution of keying material. Annex A gives an example of the implementation of the requirements for manual distribution of keying material.

  • Standard
    87 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    82 pages
    English language
    sale 15% off
  • Standard
    82 pages
    French language
    sale 15% off
  • Standard
    82 pages
    French language
    sale 15% off

Specifies the elements and structure of a universal bank identifier code (BIC) for use in automated processing in banking and related financial environments. The BIC consists of 8 or 11 contiguous characters (letters and/or digits without special characters such as blanks, separators, punctuation, etc.) and comprises the first three or all four of the following four components: bank code, country code, location code, branch code.

  • Standard
    4 pages
    English language
    sale 15% off
  • Standard
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    4 pages
    French language
    sale 15% off
  • Standard
    4 pages
    French language
    sale 15% off

ISO 13491-2:2016 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, ISO 11568‑1, ISO 11568‑2, and ISO 11568‑4 in the financial services environment. IC payment cards are subject to the requirements identified in this part of ISO 13491 up until the time of issue after which they are to be regarded as a "personal" device and outside of the scope of this part of ISO 13491. ISO 13491-2:2016 does not address issues arising from the denial of service of an SCD. In the checklists given in Annexes A to H, the term "not feasible" is intended to convey the notion that although a particular attack might be technically possible, it would not be economically viable since carrying out the attack would cost more than any benefits obtained from a successful attack. In addition to attacks for purely economic gain, malicious attacks directed toward loss of reputation need to be considered.


ISO 9564-1:2011 specifies the basic principles and techniques which provide the minimum security measures required for effective international personal identification number (PIN) management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. ISO 9564-1:2011 is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of ISO 9564-1:2011 are not intended to cover:
a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping;
b) protection of the PIN against loss or intentional misuse by the customer;
c) privacy of non-PIN transaction data;
d) protection of transaction messages against alteration or substitution;
e) protection against replay of the PIN or transaction;
f) specific key management techniques;
g) offline PIN verification used in contactless devices;
h) requirements specifically associated with PIN management as it relates to multi-application functionality in integrated circuit (IC) cards.


ISO 15782-1:2009 defines a certificate management system for financial industry use for legal and natural persons that includes credentials and certificate contents, Certification Authority systems, including certificates for digital signatures and for encryption key management, certificate generation, distribution, validation and renewal, authentication structure and certification paths, and revocation and recovery procedures. ISO 15782-1:2009 also recommends some useful operational procedures (e.g. distribution mechanisms, acceptance criteria for submitted credentials). Implementation of ISO 15782-1:2009 will also be based on business risks and legal requirements. ISO 15782-1:2009 does not include the protocol messages used between the participants in the certificate management process, requirements for notary and time stamping, Certificate Policy and Certification Practices requirements, or Attribute Certificates. While ISO 15782-1:2009 provides for the generation of certificates that could include a public key used for encryption key management, it does not address the generation or transport of keys used for encryption.


ISO 13492:2007 describes a key management related data element that can be transmitted either in transaction messages to convey information about cryptographic keys used to secure the current transaction, or in cryptographic service messages to convey information about cryptographic keys to be used to secure future transactions. ISO 13492:2007 addresses the requirements for the use of the key management related data element within ISO 8583, using the following two ISO 8583 data elements: security related control information (data element 53), or key management data (data element 96). However, these data elements can be usefully employed in other messaging formats, given that the transportation of key management related data is not limited to ISO 8583. ISO 13492:2007 is applicable to either symmetric or asymmetric cipher systems. Key management procedures for the secure management of the cryptographic keys within the financial services environment are described in ISO 11568. Security related data, such as PIN data and MACs, are described in ISO 9564 and ISO 16609, respectively.


ISO/IEC 8484:2007 specifies the characteristics and location of a magnetic stripe on a savingsbook and the use of such savingsbooks for international interchange. Compatibility with international interchange systems is provided through the requirements of ISO/IEC 8484:2007, enabling a savingsbook with a magnetic stripe to be read and possibly encoded in a device that is compatible with reading identification cards used in international interchange. It takes into consideration both human and machine aspects and states minimum requirements. ISO/IEC 8484:2007 specifies requirements for a magnetic stripe (including any protective overlay) on a savingsbook, the encoding technique and coded character sets. It also specifies the characteristics of the savingsbook cover such as stiffness, minimum size, surface irregularities, roughness and interaction between the cover material and the magnetic stripe. Most of the magnetic characteristics are based on ISO/IEC 7811-2.

The major changes from ISO 8484:1987 include the following:
  • ISO/IEC 8484:2007 uses the same definitions, criteria and test methods as in ISO/IEC 7811-2.
  • The reference material has changed from SRM 3200 to RM 7811/2.
  • More complete requirements have been added for signal amplitude, flux transition spacing variation, magnetic stripe area surface profile and warpage.
  • Classifications have been added for unused and returned savingsbooks.
  • An optional high coercivity magnetic stripe has been added based on ISO/IEC 7811-6 and RM 7811/6.
  • Because savingsbooks are generally paper-based documents, some criteria and test methods have been taken from ISO/IEC 15457-2.

ISO/IEC 8484:2007 specifies the conditions for conformance; physical characteristics for the savingsbook (warpage, surface distortions, and stiffness) and the magnetic stripe area (location, height and surface profile, roughness, adhesion, wear, and resistance to environment); the signal amplitude performance characteristics of the magnetic stripe; the encoding specification, including technique, angle of recording, bit density, flux transition spacing variation, and signal amplitude; the data structure, including track format, coded character sets and use of error correction; and the location of the encoded track. ISO/IEC 8484:2007, together with a standard for test methods, provides for interchange between various types of savingsbook processing devices and systems.


ISO 13491-1:2007 specifies the requirements for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609 and ISO 11568. ISO 13491-1:2007 has two primary purposes: to state the requirements concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle, and to standardize the methodology for verifying compliance with those requirements. Appropriate device characteristics are necessary to ensure that the device has the proper operational capabilities and provides adequate protection for the data it contains. Appropriate device management is necessary to ensure that the device is legitimate, that it has not been modified in an unauthorized manner (e.g. by “bugging”) and that any sensitive data placed within the device (e.g. cryptographic keys) has not been subject to disclosure or change. Absolute security is not achievable in practical terms. Cryptographic security depends upon each life cycle phase of the SCD and the complementary combination of appropriate management procedures and secure cryptographic characteristics. These management procedures implement preventive measures to reduce the opportunity for a breach of SCD security. These aim for a high probability of detection of any unauthorized access to sensitive or confidential data, should device characteristics fail to prevent or detect the security compromise. Annex A provides an informative illustration of the concepts of security levels described in ISO 13491-1:2007 as being applicable to SCDs.


ISO 19092-1:2006 describes the security framework for using biometrics for authentication of individuals in financial services. It introduces the types of biometric technologies and addresses issues concerning their application. ISO 19092-1:2006 also describes the architectures for implementation, specifies the minimum security requirements for effective management, and provides control objectives and recommendations suitable for use by a professional practitioner. The following are within the scope of ISO 19092-1:2006: usage of biometrics for the authentication of employees and persons seeking financial services by: verification of a claimed identity; identification of an individual; validation of credentials presented at enrolment to support authentication as required by risk management; management of biometric information across its life cycle comprised of the enrolment, transmission and storage, verification, identification and termination processes; security of biometric information during its life cycle, encompassing data integrity, origin authentication and confidentiality; application of biometrics for logical and physical access control; surveillance to protect the financial institution and its customers; security of the physical hardware used throughout the biometric information life cycle. ISO 19092-1:2006 provides the mandatory means whereby biometric information may be encrypted for data confidentiality or other reasons.


ISO 21188:2006 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. ISO 21188:2006 draws a distinction between PKI systems used in open, closed and contractual environments. It further defines the operational practices relative to financial services industry accepted information systems control objectives. ISO 21188:2006 is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication and data encryption. ISO 21188:2006 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of ISO 21188:2006 is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of ISO 21188:2006.


ISO 11568-2:2005 specifies techniques for the protection of symmetric and asymmetric cryptographic keys in a retail banking environment using symmetric ciphers and the life-cycle management of the associated symmetric keys. The techniques described enable compliance with the principles described in ISO 11568-1. The techniques described are applicable to any symmetric key management operation.


ISO 13491-2:2005 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in parts 1 and 2 of ISO 9564, ISO 16609 and parts 1 to 6 of ISO 11568, in the financial services environment. IC payment cards are subject to the requirements identified in this part of ISO 13491 up until the time of issue, after which they are to be regarded as a "personal" device and outside of the scope of this document. ISO 13491-2:2005 does not address issues arising from the denial of service of an SCD.
