A new set of security protocols to better safeguard online connections within the financial-services industry is in the offing.
Securing and trusting these connections is a critical piece of the payments infrastructure. Experts say the underlying standards they are built on—called public key infrastructure—need updating.
That’s why the Accredited Standards Committee X9 Inc., a nonprofit that develops standards for the financial-services industry, is reactivating a working group called X9F5 to create new PKI standards based on current uses within the industry. Without these standards and the assurances they provide, online commerce and financial transactions would be much more difficult to trust.
“Every day, a significant fraction of the world’s population uses a Web browser to access a Web page on a Web server,” Tim Hollebeek, industry and standards technical strategist at DigiCert Inc., which issues digital certificates, and interim X9F5 chairman, tells Digital Transactions News in an email. “At the same time, the vast majority of their financial transactions are being transmitted on server-to-server communications between banks and other financial institutions.”
This means there needs to be a distinction in PKI for the two connection types. The same technologies—PKIs, digital certificates, Transport Layer Security, and so on—“have a long history of being used both to protect high-value connections between payment companies and banks, and Web connections between Web sites and users,” Hollebeek says.
A real-world example: when X9 tried to retire the outdated SHA-1 hash function, a cryptographic tool long used in Web browsers, the organization found it was still in use by a large number of payment terminals around the world. “It would have been much easier if each community could have come up with its own requirements and transition plan,” Hollebeek says.
The caveat, however, is that the security requirements for these two scenarios are fundamentally different, and it has become clear over the past five years or so that attempting to meet both sets of requirements with the same PKI leads to adverse consequences for all parties, Hollebeek says.
Financial institutions carefully authenticate the exact legal identity of each party they do business with, and they put mechanisms in place to guarantee they can reliably authenticate that entity for each transaction, he says. “The Web, on the other hand, is a much more dynamic place that is designed to be open to everyone, no matter how small.”
Today, there’s no reason for the same PKI standards to undergird both use cases, he says. “There are legitimate reasons why the same certificate hierarchies were re-used in the past, but as both PKIs have matured, it would be best if they went their separate ways so that they can independently meet their own goals.”
This type of technical work will proceed faster with the assistance of industry experts, Hollebeek says. “There’s a lot to be done in order to get this off the ground, but given the importance of this problem, we’re confident we can get it done quickly if everyone works together.”