ANSI ASC X9 X9.119-1-2016 Retail Financial Services - Requirements for Protection of Sensitive Payment Card Data - Part 1 Using Encryption Methods.pdf

1、 American National Standard for Financial Services ANSI X9.119-1-2016 Retail Financial Services Requirements for Protection of Sensitive Payment Card Data Part 1: Using Encryption Methods Accredited Standards Committee X9, Incorporated Financial Industry Standards Date Approved: May 27, 2016 America

2、n National Standards Institute American National Standards, Technical Reports and Guides developed through the Accredited Standards Committee X9, Inc., are copyrighted. Copying these documents for personal or commercial use outside X9 membership agreements is prohibited without express written permi

3、ssion of the Accredited Standards Committee X9, Inc. For additional information please contact ASC X9, Inc., 275 West Street, Suite 107, Annapolis, MD 21401. This page left intentionally blank ANSI X9.119-1-2016 ASC X9, Inc. 2016 All rights reserved iii Contents Page Foreword . v Introduction vi 1 S

4、cope 1 2 Normative references 2 2.1 ANS INCITS 92-1981 (R2003) - Information Technology - Data Encryption Algorithm (DEA) . 2 2.2 ANS X9.24-1-2009 Retail Financial Services Symmetric Key Management part 1: Using Symmetric Techniques . 2 2.3 ANS X9.24-2-2006 Retail Financial Services Symmetric Key Ma

5、nagement part 2: Using Asymmetric Techniques . 2 2.4 ANS X9.52-1998 - Triple Data Encryption Algorithm (TDEA) Modes of Operation . 2 2.5 ANS X9.65-2004 - Triple Data Encryption Algorithm (TDEA) Implementation 2 2.6 ANS X9.82-1-2006 Random Number Generation . 2 2.7 ANS X9.97-1-2009 - Financial Servic

6、es Secure Cryptographic Devices (Retail) Part 1: Concepts, Requirements, and Evaluation Methods. 2 2.8 ANS X9.104 (all parts)-2004 Financial Transaction Card Originated Messages . 2 2.9 ISO Technical Report 14742 Financial services Recommendations on Cryptographic Algorithms and Their Use. 2 2.10 IS

7、O/IEC 7813:2006 Information Technology Identification cards Financial transaction cards . 2 2.11 ISO/IEC 18033: Information Technology- Security techniques Encryption algorithms Part 3: Block Ciphers . 2 3 Terms and definitions . 2 3.1 Acquirer 2 3.2 Algorithm 3 3.3 Authorization Transaction 3 3.4 C

8、iphertext . 3 3.5 Cleartext . 3 Data in original, unencrypted form. 3 3.6 Cryptographic Key A parameter that determines the operation of a cryptographic function such as: 3 3.7 Data Encryption Algorithm (DEA) 3 3.8 Data Encryption Standard (DES) 3 3.9 Decryption 3 3.10 Encryption 3 3.11 Encryption A

9、lgorithm 4 3.12 Format Preserving Encryption . 4 3.13 IC Card 4 3.14 Infeasible A condition whereby a particular attack, although it may be technically possible, is not economically viable. E.g. the cost of the attack exceeds the economic benefit 4 3.15 Institution . 4 3.16 Interchange 4 3.17 Issuer

10、 4 3.18 Key 4 3.19 Plaintext 4 3.20 Point of Entry (POE) 4 ANSI X9.119-1-2016 iv ASC X9, Inc. 2016 All rights reserved 3.21 Privacy 4 3.22 Protection . 5 3.23 Secure Cryptographic Device (SCD) . 5 3.24 Sensitive payment card data 5 3.25 Triple Data Encryption Algorithm (TDEA) . 5 3.26 Transaction .

11、5 3.27 Verification . 5 4 Symbols and abbreviated terms 5 5 Sensitive Payment Card Data Elements 6 6 Sensitive Payment Card Data Protection Requirements . 6 6.1 General 6 6.2 Data Element Specific Requirements 7 6.2.1 Cardholder Name . 7 6.2.2 Primary Account Number (PAN) 7 6.2.3 Expiration Date. 8

12、6.2.4 Service Code 8 6.2.5 Discretionary Data . 8 6.2.6 Track Data . 9 6.2.7 Manually Entered Security Validation Code . 9 6.2.8 Matrix of Security Requirements and Recommendations for Protection of Sensitive Payment Card Data outside of an SCD and prior to the point of decryption 10 6.3 Requirement

13、s When Employing Encryption Methods to Protect Sensitive Payment Card Data 11 6.3.1 Data Encryption Algorithm and Key Strength Requirements .11 6.3.2 Data Encryption Key Management Security Requirements 11 6.3.3 Prevention of Dictionary Attacks .11 6.3.4 Distinguishing Protected Data from Cleartext

14、Data When Employing Format Preserving Methods 12 Annex A (normative) Acceptable Data Encryption Algorithms .13 A.1 General 13 A.2 Approved Algorithms 13 A.2.1 TDEA .13 A.2.2 AES 13 A.2.3 RSAES using OAEP (Optimal Asymmetric Encryption Padding) .13 A.3 Minimum Security Level 13 ANSI X9.119-1-2016 ASC

15、 X9, Inc. 2016 All rights reserved v Foreword Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI

16、 Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort b

17、e made toward their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming

18、to the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name

19、of the American National Standards Institute. Requests for interpretation should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American N

20、ational Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by Accredited Standards Committee X9, Incorporated Financial Industry Standards 275 West Street, Suite 107 Annapolis, MD 21401 USA X9

21、Online http:/www.x9.org Copyright 2016 ASC X9, Inc. All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Published in the United States of America. ANSI X9.119-1-2016 vi ASC

22、X9, Inc. 2016 All rights reserved Introduction Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, Accredited Standards Committee X9, Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401 USA. Th

23、is Standard was processed and approved for submittal to ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval. At the time this standard was approved, the X9 committee

24、had the following members: X9 Chairman Roy DeCicco X9 Vice-Chairman Claudia Swendseid Executive Director- Steve Stevens Organization Represented Representative ACI Worldwide Doug Grote ACI Worldwide Dan Kinney American Bankers Association Diane Poole American Express Company David Moore Bank of Amer

25、ica Daniel Welch Blackhawk Network Anthony Redondo Bloomberg LP Corby Dear Capital One Marie LaQuerre Citigroup, Inc. Karla McKenna CLS Bank Ram Komarraju Conexxus, Inc. Michael Davis Conexxus, Inc. Gray Taylor Delap LLP Darlene Kargel Deluxe Corporation Angela Hendershott Diebold, Inc. Bruce Chapa

26、Discover Financial Services Michelle Zhang eCurrency David Wen Federal Reserve Bank Mary Hughes Federal Reserve Bank Janet LaFrence FIS Stephen Gibson-Saxty Fiserv Dan Otten FIX Protocol Ltd - FPL Jim Northey Futurex Ryan Smith Gilbarco Bruce Welch Harland Clarke John McCleary Hewlett Packard Susan

27、Langford IBM Corporation Todd Arnold Independent Community Bankers of America Cary Whaley Ingenico Rob Martin ISITC Jason Brasile J.P. Morgan Chase Roy DeCicco KPMG LLP Mark Lundin MagTek, Inc. Roger Applewhite ANSI X9.119-1-2016 ASC X9, Inc. 2016 All rights reserved vii MagTek, Inc. Mimi Hart Maste

28、rCard Europe Sprl Mark Kamers NACHA The Electronic Payments Association Priscilla Holland National Security Agency Paul Timmel Nautilus Hyosung Joe Militello NCR Corporation David Norris Office of Financial Research, U.S. Treasury Department Justin Stekervetz PCI Security Standards Council Troy Leac

29、h RouteOne Chris Irving RouteOne Jenna Wolfe State Street Corporation Jason Brasile SWIFT/Pan Americas Frank Vandriessche Symcor Inc. Debbi Fitzpatrick TECSEC Incorporated Ed Scheidt The Clearing House Sharon Jablon U.S. Bank John King U.S. Commodity Futures Trading Commission (CFTC) Robert Stowsky

30、USDA Food and Nutrition Service Kathy Ottobre Vantiv LLC Gary Zempich VeriFone, Inc. Dave Faoro VISA Kim Wagner Wayne Fueling Systems Steven Bowles Wells Fargo Bank Mark Schaffer ANSI X9.119-1-2016 viii ASC X9, Inc. 2016 All rights reserved At the time this standard was approved, the X9F subcommitte

31、e on Data and Information Security had the following members: Ed Scheidt, Chairman Organization Represented Representative ACI Worldwide Doug Grote ACI Worldwide Dan Kinney ACI Worldwide Julie Samson American Bankers Association Tom Judd American Express Company Farid Hatefi American Express Company

32、 John Timar American Express Company Kevin Welsh Bank of America Amanda Adams Bank of America Peter Capraro Bank of America Andi Coleman Bank of America Lawrence LaBella Bank of America Will Robinson Bank of America Michael Smith Bank of America Daniel Welch BlackBerry Limited Daniel Brown BlackBerr

33、y Limited Sandra Lambert Blackhawk Network Anthony Redondo Bloomberg LP Erik Anderson Bloomberg LP Corby Dear Capital One Marie LaQuerre Capital One Johnny Lee Cipherithm Scott Spiker comForte 21 GmbH Thomas Gloerfeld comForte 21 GmbH Henning Horst Communications Security Establishment Jonathan Hamm

34、ell Communications Security Establishment David Smith Conexxus, Inc. Alan Thiemann CUSIP Service Bureau Scott Preiss Delap LLP David Buchanan Delap LLP Darlene Kargel Deluxe Corporation Angela Hendershott Deluxe Corporation Margiore Romay Deluxe Corporation Andy Vo Diebold, Inc. Bruce Chapa Diebold,

35、 Inc. Michael Ott Diebold, Inc. Dave Phister Discover Financial Services Cheryl Mish Discover Financial Services Diana Pauliks Discover Financial Services Jordan Schaefer eCurrency David Wen Federal Reserve Bank Patrick Adler Federal Reserve Bank Guy Berg Federal Reserve Bank Julia Cheney Federal Re

36、serve Bank Marianne Crowe Federal Reserve Bank Sandeep Dhameja Federal Reserve Bank Amanda Dorphy Federal Reserve Bank Mary Hughes Federal Reserve Bank Heather Hultquist ANSI X9.119-1-2016 ASC X9, Inc. 2016 All rights reserved ix Federal Reserve Bank Janet LaFrence Federal Reserve Bank Susan Pandy F

37、ederal Reserve Bank Patti Ritter Federal Reserve Bank Daniel Rozycki First Data Corporation Andrea Beatty First Data Corporation Lisa Curry First National Bank of Omaha Kristi White FIS Chelsea Lopez FIS John Soares FIS Sunny Wear Fiserv Bud Beattie Fiserv Dan Otten Futurex Ryan Smith GEOBRIDGE Corp

38、oration Donna Gem GEOBRIDGE Corporation Jason Way Gilbarco Scott Turner Gilbarco Bruce Welch Harland Clarke Joseph Filer Heartland Payment Systems Scott Meeker Hewlett Packard Susan Langford Hewlett Packard Luther Martin Hewlett Packard Terence Spies IBM Corporation Todd Arnold Independent Community

39、 Bankers of America Cary Whaley Ingenico Rob Martin ITS, Inc. (SHAZAM Networks) Manish Nathwani J.P. Morgan Chase Bruce Geller J.P. Morgan Chase Kathleen Krupa J.P. Morgan Chase Jackie Pagn K3DES LLC Azie Amini KPMG LLP Mark Lundin MagTek, Inc. Jeff Duncan MagTek, Inc. Mimi Hart MasterCard Europe Sp

40、rl Mark Kamers MasterCard Europe Sprl Joshua Knopp MasterCard Europe Sprl Larry Newell MasterCard Europe Sprl Adam Sommer MasterCard Europe Sprl Michael Ward National Institute of Standards and Technology (NIST) Elaine Barker National Institute of Standards and Technology (NIST) Lily Chen National S

41、ecurity Agency Mike Boyle National Security Agency Paul Timmel Nautilus Hyosung Joe Militello Nautilus Hyosung Jay Shin NCR Corporation Tanika Eng NCR Corporation Charlie Harrow NCR Corporation David Norris PCI Security Standards Council Leon Fell PCI Security Standards Council Troy Leach PCI Securi

42、ty Standards Council Ralph Poore RSA, The Security Division of EMC Steve Schmalz SafeNet, Inc. Amit Sinha Security Innovation Mark Etzel Security Innovation William Whyte Security Innovation Lee Wilson ANSI X9.119-1-2016 x ASC X9, Inc. 2016 All rights reserved Security Innovation Zhenfei Zhang TECSE

43、C Incorporated Ed Scheidt TECSEC Incorporated Dr. Wai Tsang TECSEC Incorporated Jay Wack Thales UK Limited Larry Hines Thales UK Limited James Torjussen The Clearing House Henry Farrar Trustwave John Amaral Trustwave Tim Hollebeek U.S. Bank Stephen Case U.S. Bank Peter Skirvin Vantiv LLC Bill Weinga

44、rt Vantiv LLC Gary Zempich Vantiv LLC James Zerfas VeriFone, Inc. John Barrowman VeriFone, Inc. David Ezell VeriFone, Inc. Dave Faoro VeriFone, Inc. Doug Manchester VeriFone, Inc. Brad McGuinness VeriFone, Inc. Joachim Vance VISA Shahzad Khan VISA Kim Wagner Wayne Fueling Systems Steven Bowles Wells

45、 Fargo Bank William Felts, IV Wells Fargo Bank Phillip Griffin Wells Fargo Bank Jan Kohl Wells Fargo Bank Garrett Macey Wells Fargo Bank Kelly ODonnell Wells Fargo Bank Mark Schaffer Wells Fargo Bank Jeff Stapleton Wincor Nixdorf Inc Christoph Bruecher Wincor Nixdorf Inc Andrea Carozzi Wincor Nixdor

46、f Inc Michael Nolte XYPRO Technology Steve Tcherchian Under ASC X9, Inc. procedures, a working group may be established to address specific segments of work under the ASC X9 Committee or one of its subcommittees. A working group exists only to develop standard(s) or guideline(s) in a specific area a

47、nd is then disbanded. The individual experts are listed with their affiliated organizations. However, this does not imply that the organization has approved the content of the standard or guideline. (Note: Per X9 policy, company names of non-member participants are listed only if, at the time of pub

48、lication, the X9 Secretariat received an original signed release permitting such company names to appear in print.) At the time this standard was approved, the X9F6 Cardholder Authentication and ICCs working group which developed this standard had the following active members: Scott Spiker, Chairman

49、 Organization Represented Representative ACI Worldwide . Doug Grote ACI Worldwide . Dan Kinney ACI Worldwide . Julie Samson American Bankers Association Tom Judd ANSI X9.119-1-2016 ASC X9, Inc. 2016 All rights reserved xi American Express Company Gail Chapman American Express Company Alan Fong American Express Company Michael Hyzer American Express Company Kenneth Mealey American Express Company David Moore American Express Company Clyde Van Blarcum American Express Company Kevin Welsh Bank of America .Amanda Adams Bank o