Standard

Track updates

AS ISO 13491.1:2025

[Current]

Financial services - Secure cryptographic devices (retail), Part 1: Concepts and requirements

AS ISO 13491.1:2025 identically adopts ISO 13491 1:2024 which specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in the ISO 9564 series, AS ISO 16609 and AS ISO 11568

Published: 24/04/2025

Pages: 28

Table of contents

Cited references

Content history

Table of contents

Header

About this publication

Preface

Foreword

Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Abbreviated terms

5 Secure cryptographic device concepts

5.1 General

5.2 Hardware management devices

5.3 Secure cryptographic device types

5.3.1 General types

5.3.2 Secure cryptographic device components

5.3.3 Hardware security module

5.3.3.1 Overview

5.3.3.2 Security requirements

5.3.3.3 Hardware security module usage

5.3.4 Key loading devices

5.4 Attack scenarios

5.4.1 General

5.4.2 Penetration

5.4.3 Monitoring

5.4.4 Manipulation

5.4.4.1 Physical manipulation

5.4.4.2 Logical (API) manipulation

5.4.5 Modification

5.4.6 Substitution

5.5 Defence measures

5.5.1 General

5.5.2 Device characteristics

5.5.3 Device management

5.5.4 Environment

6 Requirements for device security characteristics

6.1 General

6.2 Physical security requirements for secure cryptographic devices

6.3 Tamper-evident requirements

6.3.1 General

6.3.2 Substitution

6.3.3 Penetration

6.3.4 Modification

6.3.5 Monitoring

6.4 Tamper-resistant requirements

6.4.1 General

6.4.2 Penetration

6.4.3 Modification

6.4.4 Monitoring

6.4.5 Substitution or removal

6.5 Tamper-responsive requirements

6.5.1 General

6.5.2 Penetration

6.5.3 Modification

6.6 Logical security requirements for SCDs and HMDs

6.6.1 General

6.6.2 Dual control

6.6.3 Unique key per device

6.6.4 Assurance of genuine device

6.6.5 Design of functions

6.6.6 Use of cryptographic keys

6.6.7 Sensitive device states

6.6.8 Multiple cryptographic relationships

6.6.9 Secure device software authentication

7 Requirements for device management

7.1 General

7.2 Life cycle phases

7.3 Life cycle protection requirements

7.3.1 General

7.3.2 Manufacturing phase

7.3.3 Post-manufacturing phase

7.3.4 Commissioning (initial financial key loading) phase

7.3.5 Inactive operational phase

7.3.6 Active operational phase (use)

7.3.7 Decommissioning (post-use) phase

7.3.8 Repair phase

7.3.9 Destruction phase

7.4 Life cycle protection methods

7.4.1 Manufacturing

7.4.2 Post-manufacturing phase

7.4.3 Commissioning (initial financial key loading) phase

7.4.4 Inactive operational phase

7.4.5 Active operational (use) phase

7.4.6 Decommissioning phase

7.4.7 Repair

7.4.8 Destruction

7.5 Accountability

7.6 Device management principles of audit and control

Bibliography

Cited references in this standard

Content history

ISO 13491-1:2024

[Current]

AS ISO 13491.1:2019

[Superseded]

DR AS ISO 13491.1:2025