iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 11568:2023

(Main)

Financial services — Key management (retail)

Financial services — Key management (retail)

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

Services financiers — Gestion de clés (services aux particuliers)

General Information

Status
Published
Publication Date
16-Feb-2023
ICS
35.240.40 - IT applications in banking
Technical Committee
ISO/TC 68/SC 2 - Financial Services, security
Drafting Committee
ISO/TC 68/SC 2/WG 13 - Security in retail banking
Current Stage
6060 - International Standard published
Start Date
17-Feb-2023
Due Date
06-Mar-2022
Completion Date
17-Feb-2023
Ref Project

Relations

Revises
ISO 11568-2:2012 - Financial services — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
Effective Date
17-Jun-2017
Revises
ISO 11568-1:2005 - Banking — Key management (retail) — Part 1: Principles
Effective Date
17-Jun-2017
Revises
ISO 11568-4:2007 - Banking — Key management (retail) — Part 4: Asymmetric cryptosystems — Key management and life cycle
Effective Date
17-Jun-2017

Buy Standard

ISO 11568:2023 - Financial services — Key management (retail) Released:17. 02. 2023ISO 11568:2023 - Financial services — Key management (retail) Released:17. 02. 2023
PreviousNext
Standard
ISO 11568:2023 - Financial services — Key management (retail) Released:17. 02. 2023
English language
115 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO
STANDARD 11568
First edition
2023-02
Financial services — Key management
(retail)
Services financiers — Gestion de clés (services aux particuliers)
Reference number
ISO 11568:2023(E)
© ISO 2023

---------------------- Page: 1 ----------------------
ISO 11568:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO 2023 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 11568:2023(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
1.1 General . 1
1.2 Scope exclusions . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Key management requirements .12
4.1 General .12
4.1.1 Key management strategy .12
4.1.2 Dual control and split knowledge of secret or private keys .12
4.1.3 Permissible key forms . 13
4.1.4 Logging. 14
4.1.5 Cryptographic strength .15
4.1.6 Key locations .15
4.1.7 Single-purpose key usage . 15
4.2 Secure cryptographic device . 17
4.2.1 General requirements . 17
4.2.2 Additional SCD requirements for devices used in SKDAT . 18
4.3 Additional CA requirements . 19
4.4 Additional RA requirements . 19
4.5 Key blocks . 20
4.5.1 Overview of key blocks .20
4.5.2 Key attributes. 21
4.5.3 Integrity of the key block . 21
4.5.4 Key and sensitive attributes field . 21
4.6 Key creation .22
4.6.1 Symmetric key creation . 22
4.6.2 Asymmetric key creation . 23
4.7 Key component and key share creation . 24
4.8 Check values . 24
4.8.1 Introduction . 24
4.8.2 Symmetric key check value calculation . 25
4.8.3 Asymmetric key check value calculation . 25
4.9 Key distribution . 25
4.9.1 Symmetric key distribution . 25
4.9.2 SKDAT asymmetric key distribution .29
4.10 Key loading . 30
4.10.1 General .30
4.10.2 Loading key components or shares . 31
4.11 Key utilization . 32
4.11.1 General key utilization requirements. 32
4.11.2 Additional key utilization requirements for SKDAT . 33
4.12 Key storage . 33
4.12.1 Cleartext key component and share storage . 33
4.12.2 Public key storage .34
4.13 Key replacement .34
4.14 Key destruction . 35
4.14.1 General . 35
4.14.2 Key destruction from an SCD .36
4.14.3 Destruction of a key in cryptogram form .36
4.14.4 Component and share destruction .36
4.15 Key backup .36
iii
© ISO 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO 11568:2023(E)
4.16 Key archiving .36
4.17 Key compromise . 37
5 Transaction key management techniques .38
5.1 General .38
5.2 Method: master keys or transaction keys .38
5.3 Derived unique key per transaction . 39
5.3.1 General .39
5.3.2 DUKPT key management .39
5.3.3 Unique initial keys . 42
5.3.4 AES DUKPT . 43
5.3.5 KSN compatibility mode .46
5.3.6 Derived key OIDs . 47
5.3.7 Keys and key sizes . 47
5.3.8 Helper functions and definitions .48
5.3.9 Key derivation function algorithm .49
5.3.10 Derivation data . 50
5.3.11 “Create Derivation Data” (local subroutine) . 51
5.3.12 Security considerations . 52
5.3.13 Host security module algorithm .54
5.3.14 General .54
5.3.15 "Derive Initial Key" . . .54
5.3.16 "Host Derive Working Key" . 55
5.3.17 Intermediate derivation key derivation data examples .55
5.3.18 Working key derivation data examples .56
5.3.19 Transaction-originating device algorithm . 57
5.4 Host-to-host UKPT . . 62
Annex A (informative) Key and component check values .64
Annex B (normative) Split knowledge during transport .68
Annex C (informative) Trust models and key establishment .70
Annex D (informative) Symmetric key life cycle .78
Annex E (informative) Asymmetric key life cycle phases .80
Annex F (normative) Approved algorithms .83
Annex G (informative) AES DUKPT pseudocode notation .84
Annex H (informative) AES DUKPT test vectors .87
Annex I (informative) TDEA-derived unique key per transaction .88
Annex J (informative) Roles in payment environment . 109
Annex K (informative) Roles in symmetric key distribution using asymmetric techniques . 112
Bibliography . 115
iv
  © ISO 2023 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 11568:2023(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Financial services, security.
This document cancels and replaces the former ISO 11568 series, which has been technically revised.
The main changes are as follows:
— all parts of the series combined into a single document;
— fixed key no longer included in the permissible methods of transaction key management;
— required key replacement policy (see 4.13) added;
— cleartext key injection removed;
— AES DUKPT introduced as a key management method.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
© ISO 2023 – All rights reserved

---------------------- Page: 5 ----------------------
ISO 11568:2023(E)
Introduction
Retail financial transactions are often transmitted over potentially non-secure channels, which,
if exploited, can result in fraud. The vast range in value and volume of such transactions exposes
participants to severe risks, which can be uninsurable. To protect against these risks, many institutions
are employing encryption. The encryption algorithms used are in the public domain. The security and
reliability of any process based on these algorithms is directly dependent on the protection afforded to
secrets called cryptographic keys.
This document describes requirements and provides guidance for the secure management of
cryptographic keys used to protect sensitive information in a retail financial services environment, for
example in messages between a card acceptor and an Acquirer. Typical services in the retail financial
services domain include point-of-sale (POS) debit and credit authorizations and automated teller
machine (ATM) transactions. While it is designed with these environments in mind, it may also be used
in unrelated applications. For example, such keys could be used for:
— encrypting Personal Identification Numbers (PIN) (see ISO 9564-1);
— authenticating messages;
— encrypting other data;
— encrypting or deriving cryptographic keys;
— automated symmetric key distribution using asymmetric techniques.
vi
  © ISO 2023 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO 11568:2023(E)
Financial services — Key management (retail)
1 Scope
1.1 General
This document describes the management of symmetric and asymmetric cryptographic keys that can
be used to protect sensitive information in financial services related to retail payments. The document
covers all aspects of retail financial services, including connections between a card-accepting device
and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device.
It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving,
replacement and destruction of the keying material. This document covers manual and automated
management of keying material, and any combination thereof, used for retail financial services. It
includes guidance and requirements related to key separation, substitution prevention, identification,
synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key
management events.
Requirements associated with hardware used to manage keys have also been included in this document.
1.2 Scope exclusions
This document does not specifically address internet banking services offered by an Issuer to their own
customers through that financial institution's website or applications.
This document does not address using asymmetric keys to encrypt the Personal Identification Number
(PIN) or any other data and does not address asymmetric keys managed with asymmetric keys.
This document is not intended to apply to the management of the keys installed in an ICC during
manufacturing or the initial key established in an ICC during card personalization.
This document is not intended to address post-quantum encryption considerations. Key management
using quantum technologies is out of scope of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 9797 (all parts), Information technology — Security techniques — Message Authentication Codes
(MACs)
ISO/IEC 11770 (all parts), Information security — Key management
ISO 13491 (all parts), Financial services — Secure cryptographic devices (retail)
ISO 16609, Financial services — Requirements for message authentication using symmetric techniques
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
ISO/IEC 18032, Information security — Prime number generation
ISO/IEC 18033 (all parts), Information security — Encryption algorithms
ISO/IEC 19592-2, Information technology — Security techniques — Secret sharing — Part 2: Fundamental
mechanisms
1
© ISO 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO 11568:2023(E)
ISO/IEC 19772, Information security — Authenticated encryption
ISO 20038, Banking and related financial services — Key wrap using AES
ISO 21188:2018, Public key infrastructure for financial services — Practices and policy framework
ANSI X9.63, Public Key Cryptography for the Financial Services Industry — Key Agreement and Key
Management Using Elliptic Curve-Based Cryptography
ANSI X9.143, Retail Financial Services — Interoperable Secure Key Block Specification
RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework,
Internet Request for Comments 3647, S. Chokhani, W. Ford, R. Sabett, C. Merrill, S. Wu, November 2003
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
Acquirer
institution (or its agent) which acquires from the card acceptor the data relating to the transaction
(3.84) and initiates the data into an Interchange (3.47) system
[SOURCE: ISO/IEC 7812-1:2017, 3.1]
3.2
Advanced Encryption Standard
AES
16-byte block cipher (3.3)
Note 1 to entry: This is defined in ISO/IEC 18033-3.
3.3
algorithm
specified mathematical process for computation or set of rules which, if followed, will give a prescribed
result
[SOURCE: ISO 16609:2022, 3.1]
3.4
archived key
inactive cryptographic key (3.28) that is being stored in a secure manner for a non-operational purpose
3.5
asymmetric algorithm
cryptographic algorithm (3.27) that uses two related keys, a public key (3.71) and a private key (3.69),
where the two keys have the property that, given the public key, it is computationally infeasible (3.25) to
derive the private key
3.6
asymmetric cryptosystem
cryptosystem using asymmetric algorithms (3.5)
2
  © ISO 2023 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 11568:2023(E)
3.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2018, 3.5]
3.8
authentication element
message element that is to be protected by authentication (3.7)
[SOURCE: ISO 16609:2022, 3.12, modified — Term revised.]
3.9
Base Derivation Key
BDK
key used in derivation (3.32) to generate initial DUKPT keys (3.45) for installation into transaction
originating secure cryptographic devices (3.75) and for transaction processing
3.10
BDK ID
32-bit value that identifies the Base Derivation Key (3.9)
Note 1 to entry: This was formerly known as the Key Set Identifier (KSI) (3.57) in the TDEA DUKPT specification.
3.11
card acceptor
party accepting the card for the purpose of presenting transaction data to an Acquirer (3.1) or
intermediary facilitating the transaction flow
[SOURCE: ISO/IEC 7812-1:2017, 3.3]
3.12
certificate
digitally signed statement that binds the value of a public key to the identity of the person, device or
service that holds the corresponding private key
[SOURCE: ISO 20415:2019, 3.15, modified — Term revised.]
3.13
certificate authority
CA
entity that vouches for the binding between a device’s identity, its public key and associated keying
material
[SOURCE: ISO/IEC/IEEE 8802-11:2022, definition modified.]
3.14
certificate authority system
CA system
infrastructure required to manage, maintain and secure the key pairs and certificates of the certificate
authority (3.13)
Note 1 to entry: A CA system will typically include one or more Hardware Security Modules (3.42), firmware,
computer equipment, operating systems and software
3.15
certificate policy
CP
named set of rules that indicates the applicability of a certificate to a particular community and/or
class of application with common security requirements
[SOURCE: ISO 21188:2018, 3.13]
3
© ISO 2023 – All rights reserved

---------------------- Page: 9 ----------------------
ISO 11568:2023(E)
3.16
certificate practice statement
CPS
statement of the practices which a certificate authority (3.13) employs in issuing certificates (3.12)
and which defines the equipment, policies and procedures the certificate authority uses to satisfy the
requirements specified in the certificate policies (3.15) that are supported by it
3.17
certificate subject
entity identified in a certificate (3.12)
EXAMPLE Secure cryptographic device (3.75).
3.18
chain of custody
demonstrable possession, movement, handling and location of material from one point in time until
another
[SOURCE: ISO/IEC 27050-1:2019, 3.1]
3.19
check value
key check value
KCV
component check value
CCV
non-secret value that is cryptographically related to the key (or component) and is used to verify that
the underlying value is as expected
Note 1 to entry: It is possible for different keys or components to have the same check value.
3.20
cipher
method for the transformation of data in order to hide its information content, prevent its undetected
modification and/or prevent its unauthorized use
3.21
ciphertext
data which has been transformed to hide its information content
[SOURCE: ISO/IEC 18033-1:2021, 3.7]
3.22
cleartext
plaintext
unencrypte
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/TR 24374:2023(Main)
Financial services — Security information for PKI in blockchain and DLT implementations

This document describes the management of cryptographic keys in a blockchain, or distributed system used in the financial sector The objective of this document is to consider the impact of different types of key management processes that are required for PKI implementations in Blockchain and DLT projects

  • Technical report
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
  • Draft
    67 pages
    English language
    sale 15% off
ISO
ISO 13491-2:2023(Main)
Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions

This document specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, and ISO 11568 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

  • Standard
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off
ISO
ISO 16609:2022(Main)
Financial services — Requirements for message authentication using symmetric techniques

This document specifies procedures, independent of the transmission process, for protecting the integrity of transmitted financial-service-related messages and for verifying that a message has originated from an authorized source, or that stored data has retained integrity. A list of block ciphers approved for the calculation of a message authentication code (MAC) is also provided. The authentication methods defined in this document are applicable to stored data and to messages formatted and transmitted both as coded character sets or as binary data. This document is designed for use with symmetric algorithms where both sender and receiver use the same key. It does not specify methods for establishing the shared key. Its application will not protect the user against internal fraud perpetrated by the sender or the receiver, nor against forgery of a MAC by the receiver.

  • Standard
    13 pages
    English language
    sale 15% off
ISO
ISO 23195:2021(Main)
Security objectives of information systems of third-party payment services

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off
  • Draft
    40 pages
    English language
    sale 15% off
ISO
ISO 13492:2019(Main)
Financial services — Key-management-related data element — Application and usage of ISO 8583-1 data elements for encryption

This document describes a data element related to key management which can be transmitted either in transaction messages to convey information about cryptographic keys used to secure the current transaction, or in cryptographic service messages to convey information about cryptographic keys to be used to secure future transactions. This document addresses the requirements for the use of the data element related to key management within ISO 8583-1, using the following two ISO 8583-1 data elements for DEA and TDEA: — security related control information (data element 53); — key management data (data element 96). The data element related to key management for DEA and TDEA is constructed from the concatenation of two ISO 8583-1 message elements, data element 53 — security related control information, and data element 96 — key management data. It conveys information about the associated transaction's cryptographic key(s) and is divided into subfields including a control field, a key-set identifier and additional optional information. For AES implementations, the data elements are summarized in one field. This document is applicable to either symmetric or asymmetric cipher systems.

  • Standard
    14 pages
    English language
    sale 15% off
ISO
ISO 21188:2018(Main)
Public key infrastructure for financial services — Practices and policy framework

ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols. ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption. ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document ISO 21188:2018 is targeted for several audiences with different needs and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.

  • Standard
    108 pages
    English language
    sale 15% off
ISO
ISO 20038:2017(Main)
Banking and related financial services — Key wrap using AES

ISO 20038:2017 defines a method for packaging cryptographic keys for transport. This method can also be used for the storage of keys under an AES key. The method uses the block cipher AES as the wrapping cipher algorithm. Other methods for wrapping keys are outside the scope of this document but can use the authenticated encryption algorithms specified in ISO/IEC 19772.

  • Standard
    22 pages
    English language
    sale 15% off
  • Standard
    22 pages
    English language
    sale 15% off
ISO
ISO 9564-1:2017(Main)
Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems

ISO 9564-1:2017 specifies the basic principles and techniques which provide the minimum security measures required for effective international PIN management. These measures are applicable to those institutions responsible for implementing techniques for the management and protection of PINs during their creation, issuance, usage and deactivation. ISO 9564-1:2017 is applicable to the management of cardholder PINs for use as a means of cardholder verification in retail banking systems in, notably, automated teller machine (ATM) systems, point-of-sale (POS) terminals, automated fuel dispensers, vending machines, banking kiosks and PIN selection/change systems. It is applicable to issuer and interchange environments. The provisions of ISO 9564-1:2017 are not intended to cover: a) PIN management and security in environments where no persistent cryptographic relationship exists between the transaction-origination device and the acquirer, e.g. use of a browser for online shopping (for these environments, see ISO 9564-4); b) protection of the PIN against loss or intentional misuse by the customer; c) privacy of non-PIN transaction data; d) protection of transaction messages against alteration or substitution; e) protection against replay of the PIN or transaction; f) specific key management techniques; g) offline PIN verification used in contactless devices; h) requirements specifically associated with PIN management as it relates to multi-application functionality in an ICC.

  • Standard
    32 pages
    English language
    sale 15% off
ISO
ISO 13491-1:2016(Main)
Financial services — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and evaluation methods

ISO 13491-1:2016 specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609, and ISO 11568. ISO 13491-1:2016 has two primary purposes: - to state the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle; ? to provide guidance for methodologies to verify compliance with those requirements. This information is contained in Annex A. ISO 13491-2 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, ISO 11568-1, ISO 11568-2, ISO 11568-3, ISO 11568-4, ISO 11568-5, and ISO 11568-6 in the financial services environment. Annex A provides an informative illustration of the concepts of security levels described in this part of ISO 13491 as being applicable to SCDs. ISO 13491-1:2016 does not address issues arising from the denial of service of an SCD. Specific requirements for the security characteristics and management of specific types of SCD functionality used in the retail financial services environment are contained in ISO 13491‑2.

  • Standard
    33 pages
    English language
    sale 15% off