Last updated: 01 August 2016
The Berlin Group ISO8583 Authorisation & Clearing standards rely on Triple-DES for their security. The Triple-DES algorithm, and therefore today's PIN encryption and MACing, is expected to be no longer secure in the medium term. For that reason some European banking communities, e.g. in Germany or Belgium, have considered a migration from Triple-DES towards AES (Advanced Encryption Standard) cryptography. Integrating AES into the Berlin Group ISO8583 Authorisation & Clearing standards requires, among many other things, revisiting key length, random number length, PIN block length and storage, and MAC length versus truncated MAC. An earlier Berlin Group Security Taskforce proposal document for integration of AES into the ISO8583-based Berlin Group specifications could not be finalised, as agreement could not be reached within ISO on the proper bitmap positions to address the new ISO PIN block format, to transmit the PIN block itself and to signal its 16-byte length.
Like the Berlin Group, other ISO communities (e.g. ANSI X9) have voiced the need for a harmonised way of integrating the AES-based PIN encryption block into the different ISO8583 versions. The ISO TC68/SC7/TG1 Sub-group for maintenance of ISO8583 has initiated a proposal within ISO to use a new format in a new, specific data element that would accommodate the data requirements for AES and other encryption needs. This new data element would then carry, for example, the new AES-based PIN block, key information and sensitive data encryption, as a more flexible future replacement for data elements 52 (PIN data) and 53 (Security related control information). This new data element would also be better prepared for future innovations. The contents of this field would be governed by ISO13492 under SC2.
The Berlin Group is working closely with the ISO community on the harmonisation of AES integration and is ready to integrate AES into its standards once ISO finalises the AES requirements.