ISO 13492:2019

INTERNATIONAL ISO
STANDARD 13492
Third edition
2019-10
Financial services — Key-
management-related data element —
Application and usage of ISO 8583-1
data elements for encryption
Reference number
ISO 13492:2019(E)
©
ISO 2019

---------------------- Page: 1 ----------------------
ISO 13492:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 13492:2019(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Data representation . 3
6 Requirements for key-management-related data element . 3
6.1 Introduction . 3
6.2 Data element structure . 4
6.2.1 Data element structure for field 53 and 96 . 4
6.2.2 Data element structure for field 50, 110, 111. 6
6.3 Key-set identifier concepts .10
7 Security related control information usage format .11
7.1 Control field format.11
7.2 Key-set identifier .11
7.2.1 Format A .11
7.2.2 Format B .11
7.3 Algorithm field .11
7.4 Key length (in bytes) field .12
7.5 Key protection field .12
7.6 Padding method field .12
7.7 Encrypted data format field .13
Bibliography .14
© ISO 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 13492:2019(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial services, security.
This third edition cancels and replaces the second edition (ISO 13492:2007), which has been technically
revised.
The main changes compared to the previous edition are as follows:
— introduction of the support of the AES encryption algorithm, resulting in a complete restructuring
and editing of the previous edition.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 13492:2019(E)

Introduction
This document describes the structure and contents of a data element related to key management which
can be conveyed in electronically transmitted messages within the financial services environment
to support the secure management of cryptographic keys, where the financial services environment
involves the communications between a card-accepting device and an acquirer, and between an acquirer
and a card issuer. Key management of keys used in an Integrated Circuit Card (ICC) and the related data
elements are not covered in this document. Key management procedures for the secure management of
the cryptographic keys within the financial services environment are described in ISO 11568. Security-
related data, such as Personal Identification Number (PIN) data and MACs, are described in ISO 9564
and ISO 16609, respectively.
This document provides key management information, including that related to the use and application
of ISO 8583-1, i.e. the interchange messages used in processing card transactions, which are referenced
in ISO 8583-1. However, the data elements assigned in ISO 8583-1 were built to accommodate earlier
encryption technologies (e.g. data encryption standard, triple data encryption standard) and they are
not long enough to accommodate the advanced encryption standard (AES) and/or other encryption
methods for encrypting sensitive payment card data, which require longer data fields. Accordingly,
in order to facilitate the use of AES for key management purposes related to ISO 8583-1, it has been
proposed to expand the relevant data element fields in ISO 8583-1.
Although ISO 8583-1 is the most recent standard, in practice, many card processing parties still
use older documents, either ISO 8583:1987 or ISO 8583:1993. Both of these documents have been
withdrawn and replaced by the ISO 8583 series.
This document accommodates data encryption algorithm (DEA), triple data encryption algorithm
(TDEA) and AES as encryption technologies. For DEA and TDEA, fields 52, 53 and 96 are used. For AES,
depending on the key management and data encryption processes, fields 110, 111 or 50 can be used.
This document provides compatibility with the existing ISO standard on bank card originated messages
(ISO 8583-1).
© ISO 2019 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO 13492:2019(E)
Financial services — Key-management-related data
element — Application and usage of ISO 8583-1 data
elements for encryption
1 Scope
This document describes a data element related to key management which can be transmitted either
in transaction messages to convey information about cryptographic keys used to secure the current
transaction, or in cryptographic service messages to convey information about cryptographic keys to
be used to secure future transactions.
This document addresses the requirements for the use of the data element related to key management
within ISO 8583-1, using the following two ISO 8583-1 data elements for DEA and TDEA:
— security related control information (data element 53);
— key management data (data element 96).
The data element related to key management for DEA and TDEA is constructed from the concatenation
of two ISO 8583-1 message elements, data element 53 — security related control information, and
data element 96 — key management data. It conveys information about the associated transaction's
cryptographic key(s) and is divided into subfields including a control field, a key-set identifier and
additional optional information. For AES implementations, the data elements are summarized in one field.
This document is applicable to either symmetric or asymmetric cipher systems.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 8583-1,Financial transaction card originated messages — Interchange message specifications —
Part 1: Messages, data elements and code values
ISO/IEC 8825-1, Information technology — ASN.1 encoding rules: Specification of Basic Encoding Rules
(BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) — Part 1
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 8583-1 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
3.1
asymmetric cipher
cipher in which the encipherment key and the decipherment key are different and it is computationally
infeasible to deduce the (private) decipherment key from the (public) encipherment key
© ISO 2019 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO 13492:2019(E)

3.2
cipher
pair of operations that effect transformations between plaintext and ciphertext under the control of a
parameter called a key
Note 1 to entry: The encipherment operation transforms data (plaintext) into an unintelligible form (ciphertext).
The decipherment operation restores the original text.
3.3
cryptographic algorithm
set of rules for the transformation of data using a cryptographic key
EXAMPLE The transformation of plaintext to ciphertext and vice versa (i.e. a cipher); generation of keying
material; digital signature computation or validation.
3.4
cryptographic key
key
parameter that determines the operation of a cryptographic algorithm
3.5
cryptographic service message
message for transporting cryptographic keys or related information used to control a keying
relationship
3.6
derived unique key per transaction
DUKPT
key management method which uses a unique key for each transaction and prevents the disclosure of
any past key used by the transaction-originating secure cryptographic device (SCD)
Note 1 to entry: The receiving SCD can derive the unique transaction keys from a base derivation key using only
non-secret data transmitted as part of each transaction.
3.7
symmetric cipher
cryptographic algorithm using the same secret cryptographic key for both encipherment and
decipherment
3.8
transaction message
message used to convey information related to a financial transaction
4 Abbreviated terms
AES advanced encryption standard
BCD binary coded decimal
CBC cipher block chaining
DEA data encryption algorithm
ECB electronic code book
ECIES elliptic curve integrated encryption scheme
IIN issuer identification number
MAC message authentication code
2 © ISO 2019 – All rights reserved

---------------------- Page: 7 ----------------------
ISO 13492:2019(E)

PIN personal identification number
RSA The Rivest, Shamir and Adleman public key cryptosystem
SCD secure cryptographic device
TDEA triple data encryption algorithm
TLV tag length value
UKPT unique key per transaction
5 Data representation
Data fields described in this document are represented as shown in Table 1.
Table 1 — Data representation
Abbreviation Definition
The alphabetic data element contains a single character per byte. The permitted characters
a
are alphabetic only (a to z and A to Z, uppercase and lowercase).
The alphanumeric data element contains a single character per byte. The permitted characters
an
are alphabetic (a to z and A to Z, uppercase and lowercase) and numeric (0 to 9).
ans The alphanumeric special data element contains a single character per byte.
ansb The alphanumeric special data element consists of binary.
The data element consists of either unsigned binary numbers or bit combinations that are
defined elsewhere in the specification.
b
EXAMPLE A field defined as “b 2” has a length of two bytes such that a value of 19 is stored
as Hex '00 13'.
LL The length of variable data element follows, 01 to 99. This length format is specific to
bitmap usage.
LLL The length of variable data element follows, 001 to 999. This length format is specific to
bitmap usage.
LLLL The length of variable data element follows, 0001 to 9999. This length format is specific to
bitmap usage.
Numeric data elements. The permitted values are numeric only (0 to 9).
In the case of tag length value (TLV) structure, numeric values have to be implemented in
binary coded decimal (BCD), which consists of two numeric digits (having values in the range
Hex '0'–'9') per byte. These digits are right justified and padded with leading hexadecimal
n
zeroes. Other specifications sometimes refer to this data format as BCD or unsigned packed.
EXAMPLE A field defined as “n 12” has a length of six bytes such that a value of 12345 is
stored as Hex '00 00 00 01 23 45'.
For bitmap structure it is up to the implementer to use either standard numeric or BCD.
6 Requirements for key-management-related data element
6.1 Introduction
The data element related to key management for DEA and TDEA is constructed from the concatenation
of two ISO 8583-1 message elements, data element 53 — security related control information, and
data element 96 — key management data. It conveys information about the associated transaction's
cryptographic key(s) and is divided into subfields including a control field, a key-set identifier and
additional optional information.
© ISO 2019 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO 13492:2019(E)

The structure for all these fields will utilize data set, TLV or bitmap structure, (referred to as composite
data element in ISO 8583-1:2003, 5.4.4).
Regardless of algorithm used, the control field identifies the key management scheme and associated
structure of the remainder of the data element. The use of key-set identifiers provides a standardized
way to uniquely identify the institution and key-set for a given operation. For key management
messages, the key-set identifier specifies the key-set that will be affected by the current operation (e.g.
load key-set 2 with key contained in data element 96). For financial transaction messages containing
encrypted data, the key-set identifier specifies the key-set that was used.
Key-management-related information that does not change from one transaction to the next need not be
conveyed with every transaction. Rather, it may be implicitly known, or it may be installed concurrent
with, and stored in association with, the corresponding key. Examples of information that need not be
explicitly identified in the key-management-related data element include the following:
— key management technique used for the transaction's keys [e.g. static key, unique key per transaction
(UKPT)];
— format of enciphered or authenticated data (e.g. PIN block format);
— encipherment algorithm used;
— number of different keys used with the transaction and the purpose of each such key.
Table 2 describes usages of the fields relevant for key management and data encryption.
Table 2 — Field usage
Field Data element name Usage
50 Encryption data Includes PIN encryption Data, MAC security related information,
(see ISO 8583-1) sensitive encryption data and key management encryption data.
52 PIN data Is not
...