EURUSD
Your shopping cart is empty.
ISO

ISO/TS 14742:2025

(Main)

Financial services — Recommendations and requirements on cryptographic algorithms and their use

Financial services — Recommendations and requirements on cryptographic algorithms and their use

This document provides a list of recommended ISO cryptographic algorithms for use within applicable ISO TC 68, Financial services, standards. It also provides strategic guidance on key lengths and associated parameters and usage dates. This document focuses on core algorithms, key lengths and frequently used mechanisms. The included algorithms are considered to be fit for purpose for financial service use. For additional algorithms, see the body of standards produced by ISO/IEC JTC 1 SC 27, Information security, cybersecurity and privacy protection. For standards on key management, see ISO 11568. The categories of algorithms covered are: a) block ciphers and modes of operation; b) stream ciphers; c) message authentication codes (MACs); d) authenticated encryption algorithms; e) format preserving encryption; f) hash functions; g) asymmetric algorithms: 1) digital signature schemes giving message recovery; 2) digital signatures with appendix; 3) asymmetric ciphers. h) authentication mechanisms; i) key derivation, establishment and agreement mechanisms; j) key transport mechanisms: 1) key wrapping. This document does not define any cryptographic algorithms. However, the standards to which this document refers contain necessary implementation information as well as more detailed guidance regarding choice of security parameters, security analysis and other implementation considerations.

Services financiers — Recommandations et exigences relatives aux algorithmes cryptographiques et leur utilisation

General Information

Status
Published
Publication Date
20-Nov-2025
ICS
35.240.40 - IT applications in banking
Technical Committee
ISO/TC 68/SC 2 - Financial Services, security
Drafting Committee
ISO/TC 68/SC 2 - Financial Services, security
Current Stage
6060 - International Standard published
Start Date
21-Nov-2025
Due Date
29-Mar-2026
Completion Date
21-Nov-2025
Ref Project

Relations

Revises
ISO/TR 14742:2010 - Financial services — Recommendations on cryptographic algorithms and their use
Effective Date
06-Jun-2022
ISO/TS 14742:2025 - Financial services — Recommendations and requirements on cryptographic algorithms and their use Released:21. 11. 2025ISO/TS 14742:2025 - Financial services — Recommendations and requirements on cryptographic algorithms and their use Released:21. 11. 2025
PreviousNext
Technical specification
ISO/TS 14742:2025 - Financial services — Recommendations and requirements on cryptographic algorithms and their use Released:21. 11. 2025
English language
36 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


Technical
Specification
ISO/TS 14742
First edition
Financial services —
2025-11
Recommendations and
requirements on cryptographic
algorithms and their use
Services financiers — Recommandations et exigences relatives
aux algorithmes cryptographiques et leur utilisation
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Algorithm strength and key cryptoperiod . 2
4.1 Measuring bits of security .2
4.2 Cryptographic algorithm migration .3
4.3 Key cryptoperiod.5
5 Block ciphers . 5
5.1 General .5
5.2 Keying options .6
5.2.1 Keying options for TDEA .6
5.2.2 Keying options for AES .6
5.2.3 Keying options for Camellia .6
5.2.4 Keying options for SM4 . .6
5.3 Recommended block ciphers .6
5.4 Cipher block size and key use .7
5.5 Modes of operation .8
5.6 Enciphering small plaintexts .8
5.7 Migrating from TDEA to AES .8
6 Stream ciphers . 8
7 Message authentication codes (MACs) . 9
7.1 Recommended MAC algorithms .9
7.2 MAC algorithms based on block ciphers .9
7.3 MAC algorithms based on hash functions .9
7.4 Length of the MAC .10
7.5 Message span of the key .10
8 Authenticated encryption . 10
8.1 Recommended authenticated encryption methods .10
8.2 Key wrap .11
8.3 CCM . 12
8.4 EAX . 12
8.5 Encrypt-then-MAC . 12
8.6 Galois Counter Mode . . 12
9 Format preserving encryption .12
10 Hash functions .13
10.1 Hash functions and their properties . 13
10.2 Hash functions based on block ciphers. 13
10.3 Dedicated hash functions. 13
10.4 Hash functions using modular arithmetic .14
10.5 Migrating from one hash function to another .14
11 Asymmetric algorithms .15
11.1 General . 15
11.2 Factorization-based security mechanisms .18
11.3 Integer discrete logarithm-based security mechanisms .19
11.4 Elliptic curve discrete logarithm-based security mechanisms .19
11.5 Algorithm or key expiry . 20
11.6 Digital signature schemes giving message recovery. 20
11.7 Digital signatures with appendix . 20

iii
11.8 Post-quantum algorithms .21
11.9 Blind digital signatures .21
11.10 Asymmetric ciphers .21
11.10.1 Overview .21
11.10.2 Hybrid ciphers . 22
11.10.3 RSAES . 23
11.10.4 HIME(R) . 23
12 Random number generation .24
Annex A (informative) Entity authentication and key management mechanisms .25
Bibliography .32

iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the late
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO 9564-5:2025(Main)
Financial services — Personal identification number (PIN) management and security — Part 5: Methods for the generation, change, and verification of PINs

This document specifies cryptographic methods for: — PIN generation; — reference PIN change; — transaction PIN verification. These PIN management functions can be implemented using: — encryption using an approved algorithm (see REF Table_tab_1 \r \h Table 1 08D0C9EA79F9BACE118C8200AA004BA90B02000000080000000C0000005400610062006C0065005F007400610062005F0031000000 ); — CMAC using an approved block cipher (see REF Table_tab_1 \r \h Table 1 08D0C9EA79F9BACE118C8200AA004BA90B02000000080000000C0000005400610062006C0065005F007400610062005F0031000000 ); — HMAC using an approved hash algorithm (see REF Table_tab_1 \r \h Table 1 08D0C9EA79F9BACE118C8200AA004BA90B02000000080000000C0000005400610062006C0065005F007400610062005F0031000000 ). Refer to ISO 9564-1 for basic principles & requirements regarding PIN establishment.

  • Standard
    21 pages
    English language
    sale 15% off
ISO
ISO 18960:2025(Main)
Security controls and implementation for third party payment service providers — Guidance and requirements

This document gives requirements and guidance on security controls and implementation for third-party payment service providers (TPPSPs). This document deals with the overall security controls of TPPSPs from developing and testing to installing, operating and auditing the system. These security controls consist of: — security governance controls; — cross-functional controls; — function-specific controls.

  • Standard
    24 pages
    English language
    sale 15% off
ISO
ISO 9564-2:2025(Main)
Financial services — Personal Identification Number (PIN) management and security — Part 2: Approved algorithms for PIN encipherment

This document specifies approved algorithms for the encipherment of personal identification numbers (PINs).

  • Standard
    13 pages
    English language
    sale 15% off
ISO
ISO/TS 9546:2024(Main)
Guidelines for security framework of information systems of third-party payment services

This document provides guidelines for a security framework to address the implementation of security mechanisms in technical infrastructures designed for the provision of third-party payment (TPP) services in order to achieve the security objectives defined in ISO 23195. The security framework is intended to protect critical systems and objects within the TPP system environment, either under the direct control of the third-party payment service provider (TPPSP) or by another entity (e.g. a bank). This document is applicable to the provision of any TPP service, including: — the TPP logical structural model; — the definition of the security framework; — the design principles, responsibilities and functional recommendations to support the security mechanism; — guidelines for applying the security framework defined in this document.

  • Technical specification
    24 pages
    English language
    sale 15% off
ISO
ISO 13491-1:2024(Main)
Financial services — Secure cryptographic devices (retail) — Part 1: Concepts and requirements

This document specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in the ISO 9564 series, ISO 16609 and ISO 11568. This document states the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle. This document does not address issues arising from the denial of service of an SCD. This document does not address software services that use multi-party computation (MPC) to achieve some security objectives and, relying on these, offer cryptographic services. NOTE These are sometimes called “soft” or software hardware security modules (HSMs) in common language, which is misleading and does not correspond to the definition of HSM in this document.

  • Standard
    27 pages
    English language
    sale 15% off
ISO
ISO 5201:2024(Main)
Financial services — Code-scanning payment security

This document provides an overview, risk assessment, minimum security requirements and extended security guidelines for code-scanning payment in which the payer uses a mobile device to operate the payment transaction. This document is applicable to cases where the payment code is used to initiate a mobile payment and presented by either the payer or the payee. The following is excluded from the scope of this document: — details of payer and payee onboarding; — details of the supporting payment infrastructure, as described in 5.1.

  • Standard
    30 pages
    English language
    sale 15% off
ISO
ISO/TS 23526:2023(Main)
Security aspects for digital currencies

This document specifies an acceptable security framework for the issuance and management of digital currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references. This document proposes a framework approach based on standards for mitigating vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.

  • Technical specification
    14 pages
    English language
    sale 15% off
ISO
ISO/TR 24374:2023(Main)
Financial services — Security information for PKI in blockchain and DLT implementations

This document describes the management of cryptographic keys in a blockchain, or distributed system used in the financial sector The objective of this document is to consider the impact of different types of key management processes that are required for PKI implementations in Blockchain and DLT projects

  • Technical report
    18 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
ISO
ISO 11568:2023(Main)
Financial services — Key management (retail)

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

  • Standard
    115 pages
    English language
    sale 15% off