
ASC X9 Completes Update of ANSI X9.24-1, Detailing Requirements for Managing Symmetric Keys in Secure Retail Financial Transactions


Covers Keys Used in POS and ATM Transactions

Today the Accredited Standards Committee X9 Inc. (X9)
announced the completion of an updated edition of ANSI X9.24-1, Retail
Financial Services Symmetric Key Management Part 1: Using Symmetric
Techniques. X9.24-1 is one of the most important standards relevant to
PIN-based financial transactions. This standard provides requirements
and guidelines for secure management of symmetric keying material used
in retail financial services transactions and communications.

Symmetric key encryption uses one secret key to both encode and decode
the contents of a message; the sending and receiving parties must use
the same key to make sense of the message. The original version of
X9.24-1, published in 2009, is now obsolete. The new standard is now available
for purchase from the ANSI Store.

"In order to depend upon the PIN (Personal Identification Number) to
demonstrate that the user of a credit or debit card is authorized to do
so, that PIN must be known only to the cardholder, and therefore must be
kept secret throughout the transaction," said Scott Spiker, Sr. Security
Engineer and founder of Cipherithm LLC, Chair of X9's Cardholder
Authentication and ICCs (integrated chip cards) Working Group. "This
standard addresses the management of the cryptographic keys used to
protect the PIN whenever it is outside the hardware that is specifically
designed and certified to protect against PIN disclosure. Our working
group redesigned the document to include advancements within the
industry and provide additional depth related to safeguarding the keys."

Updated items in X9.24-1-2017 include additions to the minimum key
management security requirements, the inclusion of the AES (Advanced
Encryption Standard) algorithm and new technology in hardware devices
used to protect cryptographic keys, as well as significant modifications
to the standard's structure.

X9.24-1-2017 specifies the minimum requirements for the management of
keying material used for financial services such as point-of-sale (POS)
transactions (both debit and credit), automated teller machine (ATM)
transactions, messages among terminals and financial institutions, and
interchange messages among acquirers, switches and card issuers. The
requirements cover the full key life cycle. An institution's key
management process cannot be implemented or controlled in a manner that
has less security, protection or control than X9.24-1-2017 describes.

About the Accredited Standards Committee X9 Inc.
Accredited Standards Committee X9 Inc. is a non-profit organization
accredited by the American National Standards Institute (ANSI) to
develop both domestic and international standards for the financial
services industry. X9 has over 100 member companies and over 400 company
representatives that work to develop and maintain approximately 100
domestic standards and 58 international standards.

The subjects of X9's standards include: retail and mobile payments;
printing and processing of checks; corporate treasury functions; block
chain technology; processing of legal orders issued to financial
institutions; tracking of financial transactions and instruments;
tokenization of data; protection of financial data at rest and in
motion; electronic contracts; and remittance data in business payments.
X9 also performs the secretariat function and provides the committee
chair for ISO TC 68, which produces international standards for the
global financial services industry. For more information about X9 and
its work, visit
