ISO 13491-2:2023 – Security Compliance Checklists


The origin of cryptography dates back to 1900 BC Egypt in the form of hieroglyphics. The scribe of the main chamber of the tomb of Khnumhotep II used complex pictograms whose meaning was known only to an elite few. From ancient inscriptions on tombs to modern-day codes on the internet, cryptography continues to ensure the integrity and security of data. By following security compliance checklists in ISO 13491-2:2023— Financial Services – Secure Cryptographic Devices (Retail) – Part 2: Security Compliance Checklists For Devices Used In Financial Transactions, there is assurance that data in financial transactions has not been altered or destroyed in an unauthorized manner.

Why Is Cryptography Important?

The word “cryptography” is derived from the Greek word kryptos, meaning “hidden” or “vault,” with the suffix graphy meaning “writing.” Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. Essentially, it is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.

Each time you make an online purchase, conduct a banking transaction, or ping your email client, cryptography is working in the background. Without it, internet traffic and cell phones would not operate, bank transactions would come to a standstill, and our private information would be accessible to anyone. Luckily, cryptography secures communication and information in our internet of things (IoT) world, authenticating people and devices, and devices to other devices.

What Are Cryptographic Devices?

A cryptographic device [e.g., a PIN entry device (PED), a smartcard, or a hardware security module (HSM)] is a device that physically and logically performs cryptographic algorithms or functions in order to transform messages in ways that are hard to decipher. These functions, used to transmit confidential communications such as credit card transactions or email, can include random number generation, microdots, merging words with images, message authentication, digital signature generation, encryption, or key establishment. There is a risk that these devices can be tampered with or otherwise compromised to disclose or modify sensitive data, and hence ISO 13491-2:2023 was created to protect messages, cryptographic keys, and other sensitive information used in a retail financial services environment.


What Is ISO 13491-2:2023?

ISO 13491-2:2023 specifies checklists to be used by evaluating agencies—like a sponsor, approval authority, or accreditation authority—to evaluate secure cryptographic devices (SCDs). It covers the characteristics and the management of secure cryptographic devices (SCDs) used to ensure the general security of sensitive information in retail financial services.

The standard asserts that a cryptographic device achieves security through both its inherent, logical characteristics and the physical characteristics of the environment in which the device is located. For example, a device intended for use in an uncontrolled public location, such as an ATM or kiosk, can require greater inherent security than the equivalent device operating in a controlled environment, such as a merchant location where PIN entry devices are maintained inside a store that has stringent access controls.

Moreover, the management procedures in ISO 13491-2:2023 implement preventive measures to reduce the opportunity for a breach of cryptographic device security. These measures aim for a high probability of detection of any illicit access to sensitive or confidential data in the event that device characteristics fail to prevent or detect the security compromise.


Other evaluation frameworks exist and can be appropriate for formal security evaluations (e.g., ISO/IEC 15408-1, ISO/IEC 15408-2, ISO/IEC 15408-3 and ISO/IEC 19790) but are outside the scope of this standard. Additionally, it is important to note that integrated circuit (IC) payment cards are subject to the requirements identified in ISO 13491-2:2023 up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

What Are Tamper-Evident Characteristics of Cryptographic Devices?

ISO 13491-2:2023 maintains that all secure cryptographic devices (SCDs) should contain tamper-evident characteristics to ensure security. These tamper-proofing characteristics are put in place to confirm that the device is designed and constructed so penetration is unfeasible. As specified in the standard, tamper-evident characteristics of SCDs include the inability to do the following:

  • Make any additions, substitutions, or modifications (e.g., the installation of a bug) to the hardware or software of the device
  • Determine or modify any sensitive information (e.g., PINs, access codes, and cryptographic keys)

Thus, incorporating tamper-responsive characteristics into SCDs is highly important. These characteristics include that the SCD is able to detect any feasible attempts to tamper with the device and cause immediate erasure of all cryptographic keys and sensitive data when such an attempt is detected.
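A minimal sketch of the tamper-responsive behavior described above, added here as an illustration and not taken from ISO 13491-2:2023 or from any vendor firmware. The `scd_*` names, the state layout, and the XOR placeholder operation are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16

/* Hypothetical SCD state; names and layout are assumptions of this example. */
typedef struct {
    uint8_t key[KEY_LEN];   /* working key held inside the device */
    uint8_t pin_buf[8];     /* transient sensitive data (constructed) */
    int     tampered;       /* latched flag: set once, never cleared in the field */
} scd_state;

/* Write zeros through a volatile pointer so the compiler cannot drop the erase. */
static void zeroize(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Done once in a secure facility, before the device is deployed. */
void scd_init(scd_state *s) { memset(s, 0, sizeof *s); }

/* Key loading is refused once the tamper latch is set. */
int scd_load_key(scd_state *s, const uint8_t key[KEY_LEN]) {
    if (s->tampered) return -1;
    memcpy(s->key, key, KEY_LEN);
    return 0;
}

/* Tamper-sensor handler: latch first (fail closed), then erase immediately. */
void scd_on_tamper(scd_state *s) {
    s->tampered = 1;
    zeroize(s->key, sizeof s->key);
    zeroize(s->pin_buf, sizeof s->pin_buf);
}

/* Placeholder keyed operation (XOR, not real cryptography). -1 after tamper. */
int scd_process(const scd_state *s, const uint8_t *in, uint8_t *out, size_t n) {
    if (s->tampered) return -1;
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ s->key[i % KEY_LEN];
    return 0;
}

/* Returns 1 when no key or sensitive byte remains in the state. */
int scd_is_erased(const scd_state *s) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= s->key[i];
    for (size_t i = 0; i < sizeof s->pin_buf; i++) acc |= s->pin_buf[i];
    return acc == 0;
}
```

Setting the latch before erasing means an interrupted erase still leaves the device refusing to operate, and the volatile writes keep an optimizing compiler from discarding the erase as dead stores.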

ISO 13491-2:2023— Financial Services – Secure Cryptographic Devices (Retail) – Part 2: Security Compliance Checklists For Devices Used In Financial Transactions is available on the ANSI Webstore.
