The ANSI X9.24-1-2017 part 1 standard was written to provide minimum symmetric key management requirements and guidelines for the retail financial industry and the actors involved in processing card payments.
Here we explore the different entities that form the card payment environment, as described in the ANSI X9.24-1-2017 standard. We also explain why securely managing the symmetric keys used in this context is an important way of securing transactions and, more generally, of securing the whole card payment environment.
Symmetric Cryptography and the Card Payment Environment
Symmetric cryptography covers cryptographic algorithms where the key that encrypts the data is the same as the key that decrypts it. The symmetric key is thus a shared secret between the two parties (the encrypting party and the decrypting party) involved in a cryptographic exchange of data.
Why Symmetric Cryptography for Card Payments
The financial retail industry relies extensively on symmetric cryptography for securing transactions. For decades, banks and financial processors have been using symmetric cryptography to cipher PINs or transaction data. Historically, symmetric ciphers such as the Data Encryption Standard algorithm (DES/DEA) pioneered the cryptography used by this industry. Then the DES was replaced by triple-DES and AES. The card payments industry largely uses symmetric cryptography as it is much faster than asymmetric cryptography and better suited for the encryption of data-in-motion.
The Role of ANSI X9.24-1-2017 part 1
The security of transactions, their integrity and their authentication rely on symmetric cryptography. The ANSI X9.24-1-2017 part 1 standard describes how to manage the corresponding keys (their generation, transportation, loading, archiving, etc.) so that everything stays secure at all levels of the payment environment.
Introduction to the Card Payment Environment
A card acceptor is a merchant or an ATM that accepts payment cards and sends the transaction data to an acquirer.
The card acceptor is named as such because it ‘accepts’ cards and is therefore able to access the cardholder's account as a way to get paid for the goods or services provided to the cardholder. In POS (Point-of-Sale) systems, the card acceptor may be a retailer, a payment service company, or a financial institution (possibly a bank). In ATM systems, the card acceptor may be the same entity as the acquirer.
An acquiring bank (also known simply as an acquirer) is a bank or a financial institution that allows a merchant to accept and process credit or debit card payments.
A Visa or Mastercard acquirer, and more generally a merchant acquirer, is a third-party processing company that has the right to work with merchants, processing and settling their transactions. The acquirer provides merchants with the tools and technology (including hardware and software) needed to process transactions.
Card payment network companies, such as Visa or Mastercard, which brand cards, are not acquirers. Instead, they operate and manage a payment network and stand in the middle of a transaction with certain rights to decline transactions or to perform additional processing.
An issuing bank (or simply ‘issuer’) is a financial institution that provides payment cards (debit, credit, or prepaid) on behalf of a specific card payment network. Examples of such card payment networks include Visa, Mastercard, Europay, JCB, American Express, and Discover.
The issuing bank provides its branded debit, credit or prepaid cards directly to its consumers. As such, the name ‘issuer’ comes from the practice of ‘issuing’ cards to end-consumers.
The issuer bank is nothing more than the bank of the cardholder and, as such, is responsible for paying the merchant's bank, also known as the acquirer bank (or the bank operating the ATM in the case of an ATM transaction) for the goods or services that the consumer (or cardholder) has purchased, or for the money withdrawn at the ATM.
When a consumer uses a credit card, the issuing bank extends a credit line to that consumer. The responsibility for non-payment is shared by the issuing bank and the acquiring bank according to rules dictated by the corresponding card payment network (e.g. Visa, Mastercard, etc.).
Payment switches are transaction processing systems that act as gateways by receiving transaction requests from different subsystems (e.g. an ATM, POS, or payment gateway). These systems route messages and transaction authorizations to the right recipients.
Global Overview of the Environment
In summary, the payment environment in the context of ANSI X9.24-1-2017 roughly consists of the following actors and actions:
- The Consumer, who is the cardholder and purchases goods or services from the Merchant;
- The Issuer, the Consumer's bank, which transfers money to the Acquirer;
- The Acquirer, the Merchant's bank, which accepts money from the Consumer;
- The Merchant, who accepts credit, debit, or prepaid cards and provides the corresponding goods or services in exchange for payment.
The Fundamental Role of Symmetric Cryptography in the Card Payment Environment
Symmetric cryptography is the backbone of the security of financial transactions. The protection and secure management of the corresponding cryptographic keys, especially when they are generated, transported and loaded into secure cryptographic devices (typically HSMs), is an essential task for those organizations who are responsible for maintaining the daily operations of transaction processing.
All the entities described above need to keep the data they exchange with each other confidential. For example, an ATM needs to communicate with the issuing bank, so it will encrypt, for instance, the PIN across the different zones and switches on the path between the ATM and the issuing bank. This encryption is done with symmetric cryptography because the PIN must stay confidential at every step of a financial transaction. The keys that encrypt PINs must therefore be securely generated, transported, loaded, etc., which requires careful management of such keys throughout their lifecycle, “from key cradle to key grave”. This is where ANSI X9.24-1-2017 part 1 provides important requirements and guidelines for the retail financial industry and the actors involved in processing card payments.
Asymmetric cryptography is also used in the card payment environment, mostly for signing transactions and in the context of PKI, certificates, etc. This is described in Part 2 of the ANSI X9.24-1-2017 standard.
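The following Go program is an added example, not code from the article or from the X9.24 standard, illustrating both the shared-secret nature of symmetric keys and the PIN path sketched above: a card acceptor in one zone encrypts the PIN under the zone PIN key it shares with the switch, the switch translates the block to the key it shares with the issuer, and the issuer recovers the PIN. It assumes the ISO 9564-1 format 0 PIN block (a detail not mentioned on this page), three-key TDES for the zone keys, constructed key values and a constructed PAN, and a plain function standing in for the HSM boundary inside which a real switch performs the translation. The key check value routine shows the usual convention for confirming that a loaded key is the intended one without revealing it.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed 24-byte TDES zone PIN keys (ZPKs) for the acquirer zone (A) and
// issuer zone (B). Real ZPKs are generated inside an HSM and never seen in clear.
var (
	zpkZoneA, _ = hex.DecodeString("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567")
	zpkZoneB, _ = hex.DecodeString("A1B2C3D4E5F60718293A4B5C6D7E8F90FEDCBA0123456789")
)

func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField: ISO 9564-1 format 0 PAN field, 0000 + rightmost 12 PAN digits, check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// BuildPINBlock forms a format 0 PIN block: the PIN field (format nibble 0, PIN
// length, digits, F padding) XORed with the PAN field, binding the block to the card.
func BuildPINBlock(pin, pan string) ([8]byte, error) {
	var out [8]byte
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return out, errors.New("PIN must be 4 to 12 decimal digits")
	}
	q, err := panField(pan)
	if err != nil {
		return out, err
	}
	f := fmt.Sprintf("0%X%s", len(pin), pin)
	p, _ := hex.DecodeString(f + strings.Repeat("F", 16-len(f)))
	for i := range out {
		out[i] = p[i] ^ q[i]
	}
	return out, nil
}

// RecoverPIN reverses BuildPINBlock and rejects blocks that fail the format
// checks (wrong format nibble, bad length, non-digit PIN, non-F padding).
func RecoverPIN(block [8]byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	var p [8]byte
	for i := range p {
		p[i] = block[i] ^ q[i]
	}
	f, n := strings.ToUpper(hex.EncodeToString(p[:])), int(p[0]&0x0F)
	if f[0] != '0' || n < 4 || n > 12 || !allDigits(f[2:2+n]) || strings.Trim(f[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return f[2 : 2+n], nil
}

// TDESBlock applies one TDES block operation under a zone PIN key (decrypt reverses it).
// A PIN block is exactly one 8-byte block, so no mode of operation is involved.
func TDESBlock(zpk []byte, in [8]byte, decrypt bool) (out [8]byte) {
	c, err := des.NewTripleDESCipher(zpk)
	if err != nil {
		panic(err) // a wrong key length is a configuration bug, not a runtime condition
	}
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out
}

// TranslatePINBlock is the switch's job: re-encrypt from the acquirer zone key to the
// issuer zone key. In a real switch this runs inside the HSM so the clear block never leaves it.
func TranslatePINBlock(fromZPK, toZPK []byte, enc [8]byte) [8]byte {
	return TDESBlock(toZPK, TDESBlock(fromZPK, enc, true), false)
}

// KeyCheckValue: conventional 3-byte check value (TDES of eight zero bytes) used to
// confirm that a loaded key is the intended one without revealing the key itself.
func KeyCheckValue(zpk []byte) string {
	enc := TDESBlock(zpk, [8]byte{}, false)
	return strings.ToUpper(hex.EncodeToString(enc[:3]))
}

// RunTransaction carries a PIN from a card acceptor in zone A, through the switch,
// to the issuer in zone B, and returns the PIN the issuer recovers.
func RunTransaction(pin, pan string) (string, error) {
	clear, err := BuildPINBlock(pin, pan)
	if err != nil {
		return "", err
	}
	encA := TDESBlock(zpkZoneA, clear, false)               // at the ATM or POS terminal
	encB := TranslatePINBlock(zpkZoneA, zpkZoneB, encA)     // at the switch (HSM)
	return RecoverPIN(TDESBlock(zpkZoneB, encB, true), pan) // at the issuer (HSM)
}
```

Calling `RunTransaction("1234", "4000001234567899")` with the constructed PAN returns "1234"; the clear block only exists inside `TranslatePINBlock`, which is exactly the property an HSM enforces for the switch. Because the PAN is XORed into the block, presenting the same block with a different PAN fails the format check, so a PIN block cannot be silently reattached to another card. The example does not cover how the zone keys themselves are generated, transported or loaded into the devices, which is the lifecycle that part 1 of the standard governs.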
References, Side Notes and Further Reading
- Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more
- ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute
- Triple-DES (TDES) is the standard, and the algorithm used by triple-DES is referred to as triple-DEA (TDEA). In practice these are equivalent terms.