ISO - 11568
Financial services — Key management (retail)
Organization: | ISO |
Publication Date: | 1 February 2023 |
Status: | active |
Page Count: | 122 |
ICS Code (IT applications in banking): | 35.240.40 |
scope:
General
This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events.
Requirements associated with hardware used to manage keys have also been included in this document.
Scope exclusions
This document does not specifically address internet banking services offered by an Issuer to their own customers through that financial institution's website or applications.
This document does not address using asymmetric keys to encrypt the Personal Identification Number (PIN) or any other data and does not address asymmetric keys managed with asymmetric keys.
This document is not intended to apply to the management of the keys installed in an ICC during manufacturing or the initial key established in an ICC during card personalization.
This document is not intended to address post-quantum encryption considerations. Key management using quantum technologies is out of scope of this document.