BS ISO 13491-1:2016 pdf download


BS ISO 13491-1:2016. Financial services — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and evaluation methods
1 Scope
This part of ISO 13491 specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609, and ISO 11568.
This part of ISO 13491 has two primary purposes:
— to state the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle;
— to provide guidance for methodologies to verify compliance with those requirements. This information is contained in Annex A.
ISO 13491-2 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, ISO 11568-1, ISO 11568-2, ISO 11568-3, ISO 11568-4, ISO 11568-5, and ISO 11568-6 in the financial services environment.
Annex A provides an informative illustration of the concepts of security levels described in this part of ISO 13491 as being applicable to SCDs.
This part of ISO 13491 does not address issues arising from the denial of service of an SCD.
Specific requirements for the security characteristics and management of specific types of SCD functionality used in the retail financial services environment are contained in ISO 13491-2.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 11568-1, Banking — Key management (retail) — Part 1: Principles
ISO 11568-2, Financial services — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle
ISO 11568-4, Banking — Key management (retail) — Part 4: Asymmetric cryptosystems — Key management and life cycle
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 accreditation authority
authority responsible for the accreditation of evaluation agencies and supervision of their work in order to guarantee the reproducibility of the evaluation results
5 Secure cryptographic device concepts
5.1 General
Cryptography is used in retail financial services to help ensure the following objectives:
a) the integrity and authenticity of sensitive data, e.g. by MAC-ing transaction details;
b) the confidentiality of secret information, e.g. by encrypting customer PINs;
c) the confidentiality, integrity, and authenticity of cryptographic keys;
d) the security of other sensitive operations, e.g. PIN verification.
To ensure that the above objectives are met, the following threats to the security of the cryptographic processing shall be countered:
— unauthorized use, disclosure, or modification of cryptographic keys and other sensitive information;
— unauthorized use or modification of cryptographic services.
A secure cryptographic device (SCD) is a physically and logically secure hardware device providing a defined set of cryptographic functions, access controls, and secure key storage. SCDs are employed to protect against these threats. The requirements of this part of ISO 13491 pertain to the SCD and not the system in which the SCD may be integrated. However, it is important to analyse the interfaces between the SCD and the remainder of the system to ensure that the SCD may not be compromised.