iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 13492:2007

(Main)

Financial services — Key management related data element — Application and usage of ISO 8583 data elements 53 and 96

Financial services — Key management related data element — Application and usage of ISO 8583 data elements 53 and 96

ISO 13492:2007 describes a key management related data element that can be transmitted either in transaction messages to convey information about cryptographic keys used to secure the current transaction, or in cryptographic service messages to convey information about cryptographic keys to be used to secure future transactions. ISO 13492:2007 addresses the requirements for the use of the key management related data element within ISO 8583, using the following two ISO 8583 data elements: security related control information (data element 53), or key management data (data element 96). However, these data elements can be usefully employed in other messaging formats, given that the transportation of key management related data is not limited to ISO 8583. ISO 13492:2007 is applicable to either symmetric or asymmetric cipher systems. Key management procedures for the secure management of the cryptographic keys within the financial services environment are described in ISO 11568. Security related data, such as PIN data and MACs, are described in ISO 9564 and ISO 16609, respectively.

Services financiers — Élément de données lié à la gestion des clés — Application et utilisation des éléments de données 53 et 96 de l'ISO 8583

General Information

Status
Withdrawn
Publication Date
05-Dec-2007
Withdrawal Date
05-Dec-2007
ICS
35.240.40 - IT applications in banking
Technical Committee
ISO/TC 68/SC 2 - Financial Services, security
Drafting Committee
ISO/TC 68/SC 2 - Financial Services, security
Current Stage
9599 - Withdrawal of International Standard
Completion Date
25-Oct-2019
Ref Project

Relations

Revised
ISO 13492:2019 - Financial services — Key-management-related data element — Application and usage of ISO 8583-1 data elements for encryption
Effective Date
17-Jun-2017
Revises
ISO 13492:1998 - Banking — Key management related data element (retail)
Effective Date
15-Apr-2008

Buy Standard

ISO 13492:2007 - Financial services -- Key management related data element -- Application and usage of ISO 8583 data elements 53 and 96ISO 13492:2007 - Financial services -- Key management related data element -- Application and usage of ISO 8583 data elements 53 and 96
PreviousNext
Standard
ISO 13492:2007 - Financial services -- Key management related data element -- Application and usage of ISO 8583 data elements 53 and 96
English language
10 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO
STANDARD 13492
Second edition
2007-12-15

Financial services — Key management
related data element — Application
and usage of ISO 8583 data elements
53 and 96
Services financiers — Élément de données lié à la gestion des clés —
Application et utilisation des éléments de données 53 et 96 de l'ISO 8583




Reference number
ISO 13492:2007(E)
©
ISO 2007

---------------------- Page: 1 ----------------------
ISO 13492:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2007 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 13492:2007(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Abbreviated terms .2
5 Data representation.3
6 Requirements for key management related data element .4
6.1 Introduction.4
6.2 Data element structure.4
6.3 Key-set identifier concepts.5
7 Security related control information usage (data element 53) .5
7.1 Format.5
7.2 Assignment of key-set identifiers.9
8 Key management data (data element 96).9
Bibliography.10

© ISO 2007 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 13492:2007(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 13492 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Security management and general banking operations.
This second edition cancels and replaces the first edition (ISO 13492:1998), which has been technically
revised.
iv © ISO 2007 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 13492:2007(E)
Introduction
This International Standard describes the structure and contents of a key management related data element
that can be conveyed in electronically transmitted messages within the financial services environment to
support the secure management of cryptographic keys, where the financial services environment involves the
communications between a card-accepting device and an acquirer, and between an acquirer and a card
issuer. Key management of keys used in an Integrated Circuit Card (ICC) and the related data elements are
not covered in this International Standard.
This International Standard provides compatibility with the existing ISO standard on bank card originated
messages (see ISO 8583).

© ISO 2007 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 13492:2007(E)

Financial services — Key management related data element —
Application and usage of ISO 8583 data elements 53 and 96
1 Scope
This International Standard describes a key management related data element that can be transmitted either
in transaction messages to convey information about cryptographic keys used to secure the current
transaction, or in cryptographic service messages to convey information about cryptographic keys to be used
to secure future transactions.
This International Standard addresses the requirements for the use of the key management related data
element within ISO 8583, using the following two ISO 8583 data elements:
⎯ security related control information (data element 53), or
⎯ key management data (data element 96).
However, these data elements can be usefully employed in other messaging formats, given that the
transportation of key management related data is not limited to ISO 8583.
This International Standard is applicable to either symmetric or asymmetric cipher systems. Key management
procedures for the secure management of the cryptographic keys within the financial services environment
are described in ISO 11568. Security related data, such as PIN data and MACs, are described in ISO 9564
and ISO 16609, respectively.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 7812-1, Identification cards — Identification of issuers — Part 1: Numbering system
ISO/IEC 7812-2, Identification cards — Identification of issuers — Part 2: Application and registration
procedures
ISO 8583-1, Financial transaction card originated messages — Interchange message specifications — Part 1:
Messages, data elements and code values
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 8583-1 and the following apply.
3.1
asymmetric cipher
cipher in which the encipherment key and the decipherment key are different and it is computationally
infeasible to deduce the (private) decipherment key from the (public) encipherment key
© ISO 2007 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO 13492:2007(E)
3.2
cipher
pair of operations that effect transformations between plaintext and ciphertext under the control of a parameter
called a key
NOTE The encipherment operation transforms data (plaintext) into an unintelligible form (ciphertext). The
decipherment operation restores the original text.
3.3
cryptographic algorithm
set of rules for the transformation of data using a cryptographic key
EXAMPLE The transformation of plaintext to ciphertext and vice versa (i.e. a cipher); generation of keying material;
digital signature computation or validation.
3.4
cryptographic key
key
parameter that determines the operation of a cryptographic algorithm
3.5
cryptographic service message
message for transporting cryptographic keys or related information used to control a keying relationship
3.6
derived unique key per transaction
key management method which uses a unique key for each transaction and prevents the disclosure of any
past key used by the transaction-originating TRSM
NOTE The unique Transaction Keys are derived from a base derivation key using only non-secret data transmitted
as part of each transaction.
3.7
primary key
key for a transaction from which other keys for the transaction are produced
NOTE This can be done by means of variants or transformations.
3.8
symmetric cipher
cryptographic algorithm using the same secret cryptographic key for both encipherment and decipherment
3.9
transaction message
message used to convey information related to a financial transaction
4 Abbreviated terms
AES Advanced Encryption Standard
BCD Binary Coded Decimal
CAID Card Acceptor Identifier
CBC Cipher Block Chaining
DEA Data Encryption Algorithm
2 © ISO 2007 – All rights reserved

---------------------- Page: 7 ----------------------
ISO 13492:2007(E)
DID Device Identifier
DUKPT Derived Unique Key per Transaction
ECB Electronic Code Book
ECIES Elliptic Curve Integrated Encryption Scheme
GID Group Identifier
IIC Institution Identification Code
IIN Issuer Identification Number
KSN Key Serial Number
MAC Message Authentication Code
PIN Personal Identification Number
RSA The Rivest, Shamir and Adleman Public Key Cryptosystem
TC Transaction Counter
TDEA Triple Data Encryption Algorithm
TRSM Tamper Resistant Security Module
5 Data representation
Data fields described in this International Standard are represented as shown in Table 1.
Table 1 — Data representation
Abbreviation Definition
Alphabetic data elements contain a single character per byte. The permitted characters are alphabetic
a
only (a to z and A to Z, upper and lower case).
Alphanumeric data elements contain a single character per byte. The permitted characters are alphabetic
an
(a to z and A to Z, upper and lowercase) and numeric (0 to 9).
ans Alphanumeric special data elements contain a single character per byte.
These data elements consist of either unsigned binary numbers or bit combinations that are defined
b elsewhere in the specification. Example: a field defined as “b 2” has a length of two bytes such that a
value of 19 is stored as Hex '00 13'.
LL Length of variable data element that follows, 01 through 99.
LLL Length of variable data element that follows, 001 through 999.
Numeric data elements consist of two numeric digits (having values in the range Hex '0' – '9') per byte.
These digits are right justified and padded with leading hexadecimal zeroes. Other specifications
n sometimes refer to this data format as Binary Coded Decimal (“BCD”) or unsigned packed. Example: a
field defined as “n 12” has a length of six bytes such that a value of 12345 is stored as Hex '00 00 00 01
23 45'.

© ISO 2007 – All rights reserved 3

---------------------- Page: 8 ---------------
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/TR 24374:2023(Main)
Financial services — Security information for PKI in blockchain and DLT implementations

This document describes the management of cryptographic keys in a blockchain, or distributed system used in the financial sector The objective of this document is to consider the impact of different types of key management processes that are required for PKI implementations in Blockchain and DLT projects

  • Technical report
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
  • Draft
    67 pages
    English language
    sale 15% off
ISO
ISO 11568:2023(Main)
Financial services — Key management (retail)

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

  • Standard
    115 pages
    English language
    sale 15% off
ISO
ISO 13491-2:2023(Main)
Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions

This document specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, and ISO 11568 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

  • Standard
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off
ISO
ISO 16609:2022(Main)
Financial services — Requirements for message authentication using symmetric techniques

This document specifies procedures, independent of the transmission process, for protecting the integrity of transmitted financial-service-related messages and for verifying that a message has originated from an authorized source, or that stored data has retained integrity. A list of block ciphers approved for the calculation of a message authentication code (MAC) is also provided. The authentication methods defined in this document are applicable to stored data and to messages formatted and transmitted both as coded character sets or as binary data. This document is designed for use with symmetric algorithms where both sender and receiver use the same key. It does not specify methods for establishing the shared key. Its application will not protect the user against internal fraud perpetrated by the sender or the receiver, nor against forgery of a MAC by the receiver.

  • Standard
    13 pages
    English language
    sale 15% off
ISO
ISO 23195:2021(Main)
Security objectives of information systems of third-party payment services

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off
  • Draft
    40 pages
    English language
    sale 15% off
ISO
ISO 13492:2019(Main)
Financial services — Key-management-related data element — Application and usage of ISO 8583-1 data elements for encryption

This document describes a data element related to key management which can be transmitted either in transaction messages to convey information about cryptographic keys used to secure the current transaction, or in cryptographic service messages to convey information about cryptographic keys to be used to secure future transactions. This document addresses the requirements for the use of the data element related to key management within ISO 8583-1, using the following two ISO 8583-1 data elements for DEA and TDEA: — security related control information (data element 53); — key management data (data element 96). The data element related to key management for DEA and TDEA is constructed from the concatenation of two ISO 8583-1 message elements, data element 53 — security related control information, and data element 96 — key management data. It conveys information about the associated transaction's cryptographic key(s) and is divided into subfields including a control field, a key-set identifier and additional optional information. For AES implementations, the data elements are summarized in one field. This document is applicable to either symmetric or asymmetric cipher systems.

  • Standard
    14 pages
    English language
    sale 15% off
ISO
ISO 21188:2018(Main)
Public key infrastructure for financial services — Practices and policy framework

ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols. ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption. ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document ISO 21188:2018 is targeted for several audiences with different needs and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.

  • Standard
    108 pages
    English language
    sale 15% off
ISO
ISO 20038:2017(Main)
Banking and related financial services — Key wrap using AES

ISO 20038:2017 defines a method for packaging cryptographic keys for transport. This method can also be used for the storage of keys under an AES key. The method uses the block cipher AES as the wrapping cipher algorithm. Other methods for wrapping keys are outside the scope of this document but can use the authenticated encryption algorithms specified in ISO/IEC 19772.

  • Standard
    22 pages
    English language
    sale 15% off
  • Standard
    22 pages
    English language
    sale 15% off
ISO
ISO 9564-1:2017(Main)
Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems

ISO 9564-1:2017 specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. ISO 9564-1:2017 is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of ISO 9564-1:2017 are not intended to cover: a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO 9564-4); b) protection of the PIN against loss or intentional misuse by the customer; c) privacy of non-PIN transaction data; d) protection of transaction messages against alteration or substitution; e) protection against replay of the PIN or transaction; f) specific key management techniques; g) offline PIN verification used in contactless devices; h) requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.

  • Standard
    32 pages
    English language
    sale 15% off