X9’s New PKI System Is Purpose-Built for the Financial Industry

After about eight years of planning and development, the Accredited Standards Committee X9 Inc. (ASC X9) is ready to launch its new PKI system — one that’s custom-built to meet the security needs of the Financial Services industry.

For decades, the financial industry has secured payment networks with digital certificates from publicly trusted (Web PKI) certificate authorities. That approach works, but it’s less than ideal for a simple reason: ATMs, credit card machines, and other financial networks function very differently from web browsers, and they have different security needs.

X9, a non-profit standards committee that represents ~100 different banks and financial institutions, is launching a new public key infrastructure for the financial services industry. The X9 Financial PKI is powered by DigiCert and has been built from the ground up to better serve the needs of financial services companies — both now and in the future. For example, the PKI industry’s increasing preference toward shorter digital certificate validity periods could cause many issues for financial services organizations that deploy hardware with 10+ year lifespans.

Let’s take a look at what the X9 PKI is, how it’s been built, and how it will be used.

Let’s hash it out.

What Is the X9 Financial PKI?

X9 Financial PKI is a public key infrastructure that’s designed specifically to meet the needs of financial institutions, merchants, securities companies, third-party payment service providers, and many other financial services organizations. It provides a resilient, stable, and secure infrastructure along with certificate lifecycle management capabilities.

Let’s take a quick look at the PKI architectural model of the X9 Financial PKI, which will initially consist of a single root CA and two issuing CAs chaining back to it (although this will likely expand over time):

A basic conceptual illustration of the X9 PKI for Financial Services
Image caption: This X9 Financial PKI architecture illustration is based on an X9 presentation graphic by Jeff Stapleton, Executive Director and Cybersecurity Researcher at Wells Fargo.

We’ll speak more about the ASC X9 governing body in just a few moments. But the main takeaway here is that X9’s Financial PKI shifts the dynamic of PKI as we’ve traditionally known it, creating a dedicated security framework that puts financial institutions firmly in the driver’s seat. Putting it another way, X9 PKI addresses the needs of this distinct community, which are different from those of the Web PKI.

Sign Up for DigiCert’s Webinar to Learn More About the X9 PKI

Click on the banner below to visit DigiCert’s X9 PKI webinar event registration page:

Banner image to promote a webinar on the new X9 PKI for the Financial Services industry

Compare This to the Existing Traditional Web PKI

  • Traditional Web PKI involves dozens of publicly trusted certification authorities (CAs) issuing certificates. This means the security of Web PKI is only as good as the security of its least secure CA.
  • Web PKI standards and security requirements and recommendations are set by a group of entities that include non-financial sector organizations such as Google, Apple, Mozilla, and Microsoft (via the CA/Browser Forum or CA/B Forum for short).
  • These non-financial sector organizations have their own focuses and priorities when it comes to digital security that don’t always align with those of financial entities.

Here’s a quick reminder of what traditional Web PKI architecture looks like. It consists of many root CAs and even more subordinate and issuing CAs that chain back to them:

A basic conceptual illustration of the traditional Web PKI and the different standards and governance organizations, certification authorities, etc.
Image caption: This basic Web PKI architecture illustration provides a simplified overview of the ecosystem that includes many CAs, governance and standards bodies, and other organizations.

Why Financial Services PKI ≠ Web PKI

The X9 Financial PKI is similar to the traditional browser-oriented public key infrastructure in that it uses public key cryptography, and a certification authority (CA) issues trusted digital certificates to organizations that are responsible for managing them securely.

However, the similarities end there. This is because the X9 PKI framework is specific to the sector’s unique needs to ensure interoperability and improve data security against modern and future threats (e.g., quantum computing). It’s likely to offer a bit more flexibility to meet the sector’s broad range of use cases.

Knowing this, there are some key differences between X9 Financial PKI and the traditional PKI ecosystem used by organizations globally:

  • The X9 trust hierarchy would be built on a stable, dedicated root. The X9 PKI framework requires a dedicated, PQC-ready root CA that wouldn’t be used for other applications. At this time, DigiCert is the only CA that has been authorized to create such a dedicated root of trust (i.e., “trust chain” or “chain of trust”).
  • The system is designed specifically with financial security and infrastructure in mind. It would be designed to serve the unique needs of financial services providers and their technologies (e.g., ATMs, POS systems) rather than web browsers and website users. For example, payment processors have massive deployments of fixed-function equipment in use globally, which makes it virtually impossible to upgrade on a regular basis.
  • The standard wouldn’t be influenced by irrelevant parties. Web PKI is oriented to meet the needs of browsers and is governed by the CA/B Forum and other entities, some of which aren’t relevant to financial organizations. X9 PKI is a standard that aligns with financial service providers’ needs rather than being shaped by browsers and other non-financial services entities.

What Are ASC X9 and ASC X9F?

The Accredited Standards Committee X9 Inc. (ASC X9) is a non-profit organization that develops and maintains national and international standards for the financial services sector. X9 members include:

  • American Bankers Association
  • Credit card companies like Discover Financial Services, MasterCard Europe Sprl, and VISA
  • NACHA (the Electronic Payments Association)
  • NIST
  • PCI Security Standards Council
  • Thales e-Security, Inc.
  • USDA Food and Nutrition Service
  • U.S. Treasury Department’s Office of Financial Research

ASC X9F (also known as the Data and Information Security Subcommittee) is the subgroup that’s charged with creating the independent X9 Financial PKI framework to meet the unique needs of the U.S. Financial Services industry. ASC X9’s PKI Study Group:

  • has identified the sector’s specific PKI use cases (34 as of 2024)
  • has developed a framework and certificate policy (CP) that’s designed to meet financial organizations’ needs for more secure and trustworthy tokenization, certificate and key management, and data encryption
  • will oversee the X9 Financial PKI as its governing body

What Will the X9 PKI System Be Used For?

Examples of some specific use cases include:

  • Cryptographically securing ATMs’ connections with banking systems to prevent data theft and malware installation
  • Securing POS systems’ credit card data in transit to protect consumer data
  • Use of load keys to enable PIN encryption for ATM and POS devices
  • Ensuring the integrity and security of inter-bank digital communications without relying on external dependencies
  • Providing a verifiable means of document provenance
  • Signing financial services software
  • Facilitating digital signatures for financial transactions
  • Securing the new ISO 20022 messages, which will take effect on July 14, 2025 (previously set for March 10, 2025) for the Federal Reserve’s Fedwire

What the X9 Financial Services PKI and Standard Aim to Achieve

Ultimately, the goal of X9 PKI is to provide organizations with the tools, skills, and knowledge to overcome PKI complexities and address the industry’s ever-evolving cybersecurity threats and concerns.

This project involves expanding modern public key infrastructure in a way that works specifically for the Financial Services industry without external interference. But what are the advantages of creating a unique and separate private PKI for this specific industry?

  • Stronger data security and confidentiality. Designing PKI to meet specific use cases (such as transport layer security [TLS] for ATMs and POS devices) will enable financial entities to better protect their sensitive data in transit.
  • Simplified deployment and enhanced interoperability. We saw what happened when Web PKI standards shifted from SHA-1 to SHA-2 — chaos reigned as financial organizations were left scrambling for interoperability solutions. X9 PKI aims to improve integration and increase interoperability in part by enabling organizations with existing PKIs to cross-certify with the X9 RCA.
  • Improved cryptoagility. Financial organizations need to have the tools and framework to combat the advanced threats posed by cybercriminals using modern tools and future quantum computing technologies.
  • Reduced outages and lower costs. It’s no secret that outages and inadequate security have a direct impact on a business’s bottom line. This means everything from the costs of responding to cybersecurity incidents or operational interruptions to the revenue losses stemming from a brand’s reputational damage. Implementing a secure and stable PKI that’s tailored to the sector’s needs can help mitigate these issues and reduce direct and indirect costs.
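The two ideas that matter most for an engineer reading this page are the trust hierarchy sketched above (one dedicated root, two issuing CAs chaining back to it) and the cross-certification mentioned in the interoperability bullet. Both can be modelled with nothing but Go’s standard library. The following is an added example written for this article; it is not code from ASC X9, DigiCert, or the X9 certificate policy. Every CA name, validity period, hostname, and the choice of P-256 keys is a constructed assumption (the real root, issuing CAs, algorithms, and lifetimes will be set by the key ceremonies and CP described later on this page):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type entity struct { // a certificate plus its private key; toy only, a real CA keeps CA keys in an HSM
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

const leafUsage, caUsage = x509.KeyUsageDigitalSignature, x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
var nextSerial int64 // constructed counter; production CAs use unpredictable serial numbers

// template returns a certificate skeleton valid for the given number of years; certSign in ku marks a CA.
func template(years int, ku x509.KeyUsage) *x509.Certificate {
	nextSerial++
	return &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  ku&x509.KeyUsageCertSign != 0, // Go's verifier also requires this bit on issuers
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// sign has signer (the private key behind parent) certify pub under tmpl.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER the library just produced parses cleanly
	return cert
}

// issue creates a certificate for subject over a fresh P-256 key, signed by parent (self-signed when nil).
func issue(subject string, parent *entity, ku x509.KeyUsage, years int) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := template(years, ku)
	tmpl.Subject = pkix.Name{CommonName: subject}
	if parent == nil {
		parent = &entity{tmpl, key} // self-signed: the template is its own issuer
	}
	return &entity{sign(tmpl, parent.cert, &key.PublicKey, parent.key), key}
}

// crossCertify has signer certify target's existing name and key, so chains that end at target reach signer's root.
func crossCertify(signer, target *entity, years int) *x509.Certificate {
	tmpl := template(years, caUsage)
	tmpl.RawSubject = target.cert.RawSubject // identical encoded name, so lookups from target's subordinates match
	return sign(tmpl, signer.cert, &target.key.PublicKey, signer.key)
}

// verifyChain validates leaf at time at against a store that trusts only root, with the given intermediates.
func verifyChain(leaf, root *x509.Certificate, at time.Time, inters ...*x509.Certificate) ([]*x509.Certificate, error) {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf first, trusted root last
}

// buildToyPKI constructs one dedicated root, two issuing CAs, an ATM certificate, and a separate bank PKI that gets cross-certified.
func buildToyPKI() map[string]*x509.Certificate {
	x9Root := issue("X9 Financial Root CA (constructed)", nil, caUsage, 25)
	issuingA := issue("X9 Issuing CA 1 (constructed)", x9Root, caUsage, 15)
	issuingB := issue("X9 Issuing CA 2 (constructed)", x9Root, caUsage, 15)
	bankRoot := issue("Example Bank Internal Root (constructed)", nil, caUsage, 20)
	return map[string]*x509.Certificate{
		"x9Root": x9Root.cert, "issuingA": issuingA.cert, "issuingB": issuingB.cert, "bankRoot": bankRoot.cert,
		"atm":        issue("atm-0001.example.bank", issuingA, leafUsage, 10).cert,
		"bankServer": issue("core-banking.example.bank", bankRoot, leafUsage, 3).cert,
		"crossCert":  crossCertify(x9Root, bankRoot, 10), // the X9 root vouches for the bank root's key
	}
}

func main() {
	p, now := buildToyPKI(), time.Now()
	_, err := verifyChain(p["bankServer"], p["x9Root"], now) // fails: the bank root is not the X9 root
	chain, _ := verifyChain(p["bankServer"], p["x9Root"], now, p["crossCert"])
	fmt.Println(err, len(chain)) // the unknown-authority error, then 3
}
```

Three properties fall out of this small model. A device certificate under an X9 issuing CA verifies years into its deployment only because every CA above it was issued with a longer validity than the device certificate, which is the constraint the page’s point about 10+ year hardware lifespans turns on. A certificate from the bank’s own root is rejected by a trust store that holds only the X9 root, which is what “dedicated root” means in practice. And once the X9 root signs a cross-certificate over the bank root’s existing name and key, the very same bank certificate chains up to the X9 root without the bank reissuing anything, because a verifier treats the cross-certificate as just another intermediate.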

X9 PKI Is the Next Security Transition for Financial Services

The financial sector is no stranger to data privacy and security-related changes:

  • Adoption of Europay, Mastercard, and Visa (EMV) technology (i.e., smart chips) in payment cards,
  • Implementation of the PCI Data Security Standards (PCI DSS)
  • Incorporation of multifactor authentication (MFA)
  • Compliance with other data security and privacy regulations (e.g., NYDFS, GDPR, etc.)

The development of X9 Financial PKI isn’t something that’s happened overnight. It’s something that has been in the works for the better part of a decade:

A timeline graphic that illustrates the development of the X9 PKI system and framework for the financial sector
Image caption: This timeline illustrates the processes that have taken place over the last eight years to bring us to where we are in the X9 Financial PKI development process.

Something to note is that this year (2025) is when X9 study group members will begin to see the fruits of their labor. For example (the following dates are estimates):

  • Q2 2025: Dean Coclin, Senior Director of Digital Trust at DigiCert and chair of both the ASC X9 PKI Study Group and the CA/B Forum, said he expects the key ceremony that creates the X9 dedicated root and issuing CA for testing to be held in April.
  • Q3-Q4 2025: DigiCert will hold a key ceremony to create its X9 production root and issuing CAs. A WebTrust CA audit will also be required to confirm that the CA’s operations align with its certification practice statement (CPS), and a further check will verify that the CPS meets the requirements of the X9 certificate policy (CP).

Let’s Wrap This Up: Why a Dedicated Financial PKI Is Necessary

The need for X9 PKI boils down to the different needs and use cases of the Financial Services industry. For example, the ways that POS systems connect to credit card companies and ATMs connect to banks are very different from a human using a browser to visit websites.

If your organization needs to secure data in transit for a payment system, then the X9 PKI may be a better fit for your needs than traditional SSL/TLS certificates from a browser-trusted CA. Reach out to our PKI team and we’ll help you determine if X9’s PKI will meet your needs.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.