Banking — Security and other financial services — Framework for security in financial systems

ISO/TR 17944:2002 provides a framework for standards dealing with security that are deemed necessary for the financial industry. It consists of an inventory of the key security issues which arise in the financial industry and, for each of these issues, the titles of the relevant existing standards are given.


General Information

Status: Withdrawn
Publication Date: 14-Aug-2002
Withdrawal Date: 14-Aug-2002
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 22-Nov-2007
Technical report: ISO/TR 17944:2002 - Banking -- Security and other financial services -- Framework for security in financial systems (English language, 13 pages)

Standards Content (Sample)

TECHNICAL REPORT ISO/TR 17944
First edition 2002-08-01
Banking — Security and other financial
services — Framework for security in
financial systems
Reference number ISO/TR 17944:2002(E)
© ISO 2002

© ISO 2002
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
Contents (page)

Foreword ........................................ iv
Introduction .................................... v
1 Scope ......................................... 1
2 Areas for standardization ..................... 1
2.1 General ..................................... 1
2.2 Identification and authentication ........... 1
2.3 Data integrity .............................. 3
2.4 Privacy and confidentiality ................. 4
2.5 Non-repudiation ............................. 4
2.6 Availability of service ..................... 5
2.7 Accountability and audit .................... 6
2.8 Interoperability ............................ 7
2.9 Security management ......................... 8
2.10 Cryptographic algorithms ................... 10
3 Open issues ................................... 11
Annex A (informative) Complementary information . 12
Bibliography .................................... 13
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical
committees. Each member body interested in a subject for which a technical committee has been established has
the right to be represented on that committee. International organizations, governmental and non-governmental, in
liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical
Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted
by the technical committees are circulated to the member bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example), it may decide by a simple majority
vote of its participating members to publish a Technical Report. A Technical Report is entirely informative in nature
and does not have to be reviewed until the data it provides are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this Technical Report may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TR 17944 was prepared by Technical Committee ISO/TC 68, Banking, securities and other financial services,
Subcommittee SC 2, Security management and general banking operations.
Introduction
The main goal of this Technical Report is to give guidance to Technical Committee ISO/TC 68, Banking, securities
and other financial services, on the areas for standardization in the financial industry on IT security. Technical
Committee ISO/TC 68 can, on the basis of this Technical Report, take initiatives to review, update or rewrite
existing standards and/or to prepare new standards in these areas.
The financial industry has a basic need for securing financial transactions. For reasons of interoperability,
certification and availability of off-the-shelf products, standards are necessary. These standards will be in the fields
of cryptography, key management, application programming interfaces (API), protocols etc.
Banking — Security and other financial services — Framework for
security in financial systems
1 Scope
This Technical Report provides a framework for standards dealing with security that are deemed necessary for the
financial industry.
This Technical Report consists of an inventory of the key security issues which arise in the financial industry and,
for each of these issues, the titles of the relevant existing standards are given.
2 Areas for standardization
2.1 General
In the financial industry, the need for IT security signifies the use of standards in the fields of tokens, devices,
cryptography, key management, application programming interfaces (API), protocols etc. These different fields can
be grouped on the basis of business needs in the following basic areas.
In most areas, various standards are already available. In other areas standards are either being developed or
there is a need for (new) standards. In clause 2, the main areas for standardization in IT security for financial
institutions are mentioned; Tables 1 to 9 contain the available (and sometimes necessary) standards in these areas,
first the International Standards from ISO itself, followed by relevant standards from other standards
organizations 1). Based on the missing standards in these tables, clause 3 summarizes the open issues for
standardization.
NOTE For further details on the mentioned standards, the referenced standards organization can be contacted (see
Annex A).
2.2 Identification and authentication
The identity of all entities involved in a financial transaction has to be established. Authentication ensures that the
identity of an entity is that which is claimed. A financial institution has to be certain that only authorized users can
access its IT systems.
Mechanisms used for identification and authentication are based on the use of identifiers, tokens, pass-phrases,
personal identification numbers (PIN), biometrics, digital signatures and certificates.
1) The references in this Technical Report to non-ISO standards are for informative purposes only; they should be the result of
a consensus procedure and should be published or publicly available. References to non-ISO standards do not constitute an
endorsement by ISO of these non-ISO standards.
Table 1 — Identification and authentication
(Columns: What is required / What is available / Title/Description. A dash means no standard is available.)

Identification and authentication
    ISO/IEC 9798            Information technology — Security techniques — Entity authentication —
                            Part 1: General
                            Part 2: Mechanisms using symmetric encipherment algorithms
                            Part 3: Mechanisms using digital signature techniques
                            Part 4: Mechanisms using a cryptographic check function
                            Part 5: Mechanisms using zero knowledge techniques
    ISO 11131:1992          Banking and related financial services — Sign-on authentication
    ISO/IEC 9594-8:2001     Information technology — Open Systems Interconnection — The Directory: Public-key and attribute certificate frameworks — Part 8

Business entity identifier
    —                       —

Tokens
    ISO 10202               Financial transaction cards — Security architecture of financial transaction systems using integrated circuit cards —
                            Part 1: Card life cycle
                            Part 2: Transaction process
                            Part 3: Cryptographic key relationships
                            Part 4: Secure application modules
                            Part 5: Use of algorithms
                            Part 6: Cardholder verification
                            Part 7: Key management
                            Part 8: General principles and overview
    EBS 111-1999            European Banking Standard: The Interoperable Financial Sector Electronic Purse

Pass-phrases
    —                       —

Personal Identification Numbers (PIN)
    ISO 9564                Banking — Personal Identification Number (PIN) management and security —
                            Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
                            Part 2: Approved algorithm(s) for PIN encipherment
                            Part 3: PIN protection requirements for offline PIN handling in ATM and POS systems (a)
    ISO/TR 9564 (a)         Part 4: Best practices for PIN handling in open networks
    EBS 105-1998            PIN-based POS systems (version 2) —
                            Part 1: Minimum Criteria for Certification Procedures
                            Part 2: POS Systems with Online PIN Verification — Minimum Security and Evaluation Criteria
                            Part 3: POS Systems with Offline PIN Verification — Minimum Security and Evaluation Criteria

Biometrics
    ANSI X9.84-2001         Biometric Information Management and Security

(a) To be published.
2.3 Data integrity
Data integrity is the property that data has not been altered or destroyed in an unauthorized manner. Within the
financial industry, data integrity is a necessary requirement.
Mechanisms used to ensure data integrity are based on message authentication, hash-functions and digital
signatures.
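As an added illustration of the mechanisms named above (example code, not part of the Technical Report and not taken from any of the standards it lists), the following Python block contrasts a bare hash-function with a keyed-hash MAC of the kind covered by ISO/IEC 9797-2 and ANSI X9.71. The point it makes concrete is that a hash alone does not provide data integrity against an active attacker, because whoever alters the message can simply recompute the digest; a MAC binds the check value to a key the attacker does not hold. The key, the message and the field that gets tampered with are constructed for the example; the choice of HMAC with SHA-256 is an assumption made here for concreteness, not a mechanism the report prescribes.

```python
import hashlib
import hmac

# Constructed example values (not from the Technical Report): a 256-bit MAC key
# shared by sender and receiver, and a simple wholesale payment message.
MAC_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0"
)
MESSAGE = b"MT103;SENDER=BANKA;RECEIVER=BANKB;AMOUNT=1000.00;CCY=EUR;REF=0001"


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Keyed-hash MAC (HMAC with SHA-256, an assumption for this example).

    Only a holder of `key` can produce a valid tag, so an attacker who alters
    the message in transit cannot re-authenticate it without the key.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the MAC and compare in constant time.

    compare_digest avoids leaking, through timing, how many leading bytes of a
    guessed tag were correct.
    """
    return hmac.compare_digest(compute_mac(key, message), tag)


def verify_unkeyed_hash(message: bytes, digest: bytes) -> bool:
    """Integrity check with a bare hash and no key, shown only for contrast."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def tamper(message: bytes) -> bytes:
    """Simulate an in-transit modification: the attacker raises the amount."""
    return message.replace(b"AMOUNT=1000.00", b"AMOUNT=9000.00")


def demo() -> dict:
    """Run the genuine, tampered, wrong-key and unkeyed-hash cases."""
    tag = compute_mac(MAC_KEY, MESSAGE)
    forged = tamper(MESSAGE)
    wrong_key = bytes(32)  # constructed: a key the receiver does not share

    # With a bare hash the attacker recomputes the digest over the altered
    # message; the receiver has nothing to detect the substitution with.
    forged_digest = hashlib.sha256(forged).digest()

    return {
        "genuine_mac_verifies": verify_mac(MAC_KEY, MESSAGE, tag),
        "tampered_mac_verifies": verify_mac(MAC_KEY, forged, tag),
        "wrong_key_mac_verifies": verify_mac(wrong_key, MESSAGE, tag),
        "unkeyed_hash_accepts_forgery": verify_unkeyed_hash(forged, forged_digest),
        "tag_length_bytes": len(tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed-hash case only becomes an integrity mechanism when the digest itself is protected, for instance by a digital signature over it; that is the role the third mechanism named above plays, and why the table lists hash-functions alongside MACs rather than as a substitute for them.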
Table 2 — Data integrity
(Columns: What is required / What is available / Title/Description.)

Message authentication
    ISO 8730                Banking — Requirements for message authentication (wholesale)
    ISO/IEC 9797            Information technology — Security techniques — Message Authentication Codes (MACs) —
                            Part 1: Mechanisms using a block cipher
                            Part 2: Mechanisms using a dedicated hash-function
    ISO 9807:1991           Banking and related financial services — Requirements for message authentication (retail)
    ISO 16609 (a)           Banking — Requirements for message authentication using symmetric techniques
    ANSI X9.71-2000         Keyed Hash Message Authentication Code (MAC)

Hash-functions
    ISO/IEC 10118           Information technology — Security techniques — Hash-functions —
                            Part 1: General
                            Part 2: Hash-functions using an n-bit block cipher
                            Part 3: Dedicated hash-functions
                            Part 4: Hash-functions using modular arithmetic

(a) To be published.
2.4 Privacy and confidentiality
Privacy is the right of an individual to have his personal information kept confidential. Confidentiality is the property
that information is not made available or disclosed to unauthorized individuals, entities, or processes. Privacy and
confidentiality are increasingly becoming an issue in the financial industry.
The mechanism used to ensure privacy and confidentiality is encipherment.
Table 3 — Privacy and confidentiality
(Columns: What is required / What is available / Title/Description.)

Encipherment
    ISO 10126               Banking — Procedures for message encipherment (wholesale) —
                            Part 1: General principles
                            Part 2: DEA algorithm
2.5 Non-repudiation
Repudiation (denial) of a financial transaction is to be prevented.
The mechanisms used to prevent repudiation are based on time stamping, digital signatures, certificates and public
key infrastructures (PKI).
Table 4 — Non-repudiation
(Columns: What is required / What is available / Title/Description.)

Non-repudiation
    ISO/IEC 13888           Information technology — Security techniques — Non-repudiation —
                            Part
...
