Public Key Infrastructure (PKI) Exchange Procedures for MasterCard Business Partners 23 April 2015
Notices

Following are policies pertaining to proprietary rights, trademarks, translations, and details about the availability of additional information online.

Proprietary Rights
The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively "MasterCard"), or both. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Trademarks
Trademark notices and symbols used in this document reflect the registration status of MasterCard trademarks in the United States. Please consult with the Global Customer Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States. All third-party product and service names are trademarks or registered trademarks of their respective owners.

Disclaimer
MasterCard makes no representations or warranties of any kind, express or implied, with respect to the contents of this document. Without limitation, MasterCard specifically disclaims all representations and warranties with respect to this document and any intellectual property rights subsisting therein or any part thereof, including but not limited to any and all implied warranties of title, non-infringement, or suitability for any purpose (whether or not MasterCard has been advised, has reason to know, or is otherwise in fact aware of any information) or achievement of any particular result. Without limitation, MasterCard specifically disclaims all representations and warranties that any practice or implementation of this document will not infringe any third party patents, copyrights, trade secrets or other rights.

Translation
A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language other than English is intended solely as a convenience to MasterCard customers.
MasterCard provides any translated document to its customers AS IS and makes no representations or warranties of any kind with respect to the translated document, including, but not limited to, its accuracy or reliability. In no event shall MasterCard be liable for any damages resulting from reliance on any translated document. The English version of any MasterCard document will take precedence over any translated version in any legal proceeding.

Information Available Online
MasterCard provides details about the standards used for this document, including times expressed, language use, and contact information, on the Publications Support page available on MasterCard Connect. Go to Publications Support for centralized information.

Public Key Infrastructure (PKI) Standards for MasterCard Business Partners, 23 April 2015
Summary of Changes, 23 April 2015

This document reflects changes associated with the 23 April 2015 publication. To locate these changes online, click the hyperlinks in the following table.

Description of Change                                             Where to Look
Clarified wording in the Certificate Exchange Procedures bullet   Overview of Procedures
Added Step 2 in the Before you begin section                      Registration of Authorized Certificate Requestors and Password
Clarified wording in Step 1 of the Procedure section              Registration of Authorized Certificate Requestors and Password
Added a note in the Results section                               Data for Production
Table of Contents

Chapter 1 Introduction
    Overview of Procedures
Chapter 2 Registration
    Registration Procedures
    Registration of Authorized Certificate Requestors and Password
    Update Authorized Certificate Requestors and Password
Chapter 3 Certificate Exchange
    Exchange of Data with Business Partners
    Data for Staging, Member Test Facility (MTF), and Development
    Data for Production
Chapter 4 Contact and Emergency Procedures
    Contact for Certificate Exchanges
    Contact for Emergency Situations
    Documenting Emergency Situations
Chapter 1 Introduction

This chapter provides an overview of the Public Key Infrastructure (PKI) Exchange Procedures for MasterCard Business Partners document.
Overview of Procedures

All tasks to be performed by the business partners and MasterCard are divided into a number of procedures. Each procedure has a defined purpose and scope, and is divided into four subsections:

Personnel: the individuals involved in performing the procedure.
Forms Used: the forms used in the procedure.
Before You Begin: the preparatory work that must be performed before carrying out the procedure.
Procedure/Results: the steps the business partner must carry out to complete the procedure, and the expected result once it is complete.

Using These Procedures

The procedures defined in this document fall into three categories:

Registration Procedures: the personnel and password registration procedures that business partners and MasterCard must follow to exchange or update registration information. This information is required to identify the personnel involved in the exchange of PKI material between the business partner and MasterCard.
Certificate Exchange Procedures: the procedures business partners follow to exchange or renew certificate signing requests (CSRs), certificates and CA certificates with MasterCard Key Management Services (KMS) in the different environments.
Contact and Emergency Procedures: how business partners contact KMS in an emergency, for example when a certificate needs urgent revocation or renewal.
Chapter 2 Registration

Provides the procedures for the initial registration of authorized certificate requestors and the shared password, and for updating them.
Registration Procedures

Provides an overview of the key management registration procedures and their usage. Registration is mandatory for any PKI exchange to or from MasterCard, and remains in place for all exchanges until amended by the business partner.

Procedure: Registration of business partner authorized certificate requestors and password
Usage: Initial registration, providing MasterCard with the names, contact details, specimen signatures and shared password of all future authorized certificate requestors.
Personnel: Authorized certificate requestors (a minimum of two people).
Form: 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners.

Procedure: Registration or password update
Usage: Adding, revoking or updating details related to a business partner's registration, or changing the shared password.
Personnel (depending on the update): authorized certificate requestors whose contact details have changed; new authorized certificate requestors; currently registered authorized certificate requestors (in the case of a password update).
Form: 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners.
Registration of Authorized Certificate Requestors and Password

Provides the process for registering authorized certificate requestors and the shared password.

Before you begin
1. The business partner must select and approve all individuals within its organization who will be registered as authorized certificate requestors. At least two people are required; to allow continuity when a requestor is absent, additional people can be registered.
2. The business partner must include a group email address within its organization. This address is used for crucial communication and as a fallback when the registered email addresses of the authorized certificate requestors are no longer in use.
3. The authorized certificate requestors must define a password that meets basic security rules: at least 8 characters, containing upper and lower case letters, a digit and a symbol.
4. A project scope must have been defined and approved beforehand with MasterCard.

Procedure
1. Complete the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form with the data of every identified individual, as well as the Project/Application Name, the MasterCard Project Manager name and the group mailbox email address.
2. Include a legible password; ideally, type it rather than write it by hand. The password is used for all PKI exchanges of the project (it encrypts every CSR and certificate exchanged) and must not be shared with anyone except the Key Management Services department, and only through the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.
3. All authorized certificate requestors must sign the form.
4. The form must be sent to the Key Management Services department only by the registrants, by email, courier or fax. When it is sent by email, no one other than the registrants may be in copy; otherwise the password is considered compromised.

Results
Upon receipt of the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form, the MasterCard Project Manager named on the form is contacted to confirm the registration and the project scope.
Registered authorized certificate requestors receive an email confirmation of their registration together with the next step of the PKI exchange.

NOTE: It is the business partner's responsibility to keep the registration information up to date. Passwords must never be disclosed to non-registered persons.

Update Authorized Certificate Requestors and Password

Provides the process for updating authorized certificate requestors or the shared password.

Before you begin
1. The business partner must determine what needs to change within the current registration: authorized certificate requestors, the password, or both.
2. If needed, the business partner's authorized certificate requestors must define a new or additional password that meets basic security rules: at least 8 characters, containing upper and lower case letters, a digit and a symbol.
3. In the case of a new project, the new project number and scope must have been defined and approved beforehand with MasterCard.

Procedure
1. The 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form must reflect all the changes. The "update" or "revoke" box must be checked next to the details of each affected authorized certificate requestor. In the case of a password update, at least two registered authorized certificate requestors must be listed on the form and must sign it.
2. The signed form must be sent to the Key Management Services department only by the registrants, by email, courier or fax. When it is sent by email, no one other than the registrants may be in copy; otherwise the password is considered compromised.

Results
Upon receipt of the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form, the MasterCard Project Manager named on the form is contacted to confirm the registration and the project scope. Registered authorized certificate requestors receive an email confirmation of their registration together with the next step of the PKI exchange.
Chapter 3 Certificate Exchange

Certificate signing requests (CSRs, which carry the requestor's public key), certificates and CA certificates are the cryptographic material that may be exchanged between MasterCard Key Management Services (KMS) and business partners within the scope of a project.
Exchange of Data with Business Partners

The security measures for conveying cryptographic data depend on how the data is used in the target environment. This document covers data used in the following cases:
- Development
- Staging (or any environment with identical security requirements)
- Production (or any environment with identical security requirements)

Data for Staging, Member Test Facility (MTF), and Development

A registered authorized certificate requestor performs this procedure to complete and send the certificate signing request (CSR).

Before you begin
Exchanges for development, MTF and staging run under single control: one authorized certificate requestor may send the CSR alone, and the CSR itself need not be encrypted. Certificates returned by Key Management Services Operations are always encrypted using the password shared on the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

Procedure
1. Generate the CSR according to the DN template provided after registration, which reflects the project requirements.
2. One authorized certificate requestor sends the CSR to be signed to key_management@mastercard.com and states in the email body all the details of the CSR: project name, environment and certificate type. On receipt of the request, MasterCard validates that the sender is a registered authorized certificate requestor and that the CSR matches the DN template and the project scope.

Results
MasterCard processes the certificate request, ZIPs the certificate, encrypts the archive with the shared password, and returns it to two registered authorized certificate requestors.
Data for Production

Two registered authorized certificate requestors (dual control) perform this procedure to complete and send the certificate signing request (CSR).

Before you begin
Exchanges for production require two registered authorized certificate requestors in every transmission. CSRs must be zipped with WinZip and password-protected using the password shared on the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form. Certificates returned by Key Management Services Operations are always encrypted using that same password.

Procedure
1. Generate the CSR according to the DN template provided after registration, which reflects the project requirements.
2. ZIP the CSR and encrypt the archive under the shared password.
3. Send the ZIP file containing the CSR to be signed to key_management@mastercard.com, with the email address of a second registered authorized certificate requestor in copy. State in the email body all the details of the CSR: project name, environment and certificate type. On receipt of the request, MasterCard validates that both authorized certificate requestors are registered and that the CSR matches the DN template and the project scope.

Results
MasterCard processes the certificate request, ZIPs the certificate, encrypts the archive with the shared password, and returns it to two registered authorized certificate requestors.

NOTE: The certificate has an expiry date and must be renewed in time to avoid an outage of the service that uses it. The renewal process is the same as the initial CSR exchange, so allow the same lead time before the expiry date.
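The two exchange procedures above differ only in how the CSR travels (single control and a clear CSR for staging, MTF and development; dual control and a password-protected ZIP for production). The CSR itself is generated and checked the same way in both, so one example serves both procedures. The script below is an added example written for this page, not MasterCard tooling: it generates a CSR against a DN template with OpenSSL, as step 1 of each procedure requires, and then performs the check the text says MasterCard applies on receipt (the request is well formed and self-signed, its subject equals the DN template, and the key meets a minimum size). The DN template, organisation and host names are constructed placeholders; the real template is delivered after registration. The private key the script creates is written with mode 0600 and never leaves the partner's host: only the CSR, which carries the public key, is sent.

```shell
#!/bin/sh
# Added example, not MasterCard tooling: generate a CSR whose subject follows a
# DN template and validate it the way the receiving side would (self-signature,
# subject identical to the template, minimum RSA key size). DN_TEMPLATE and the
# host names are constructed placeholders; the real template comes from
# MasterCard after registration.
set -eu

# Assumed DN template for this example (placeholder values).
DN_TEMPLATE='/C=BE/O=Example Partner NV/OU=Project Alpha/CN=alpha-mtf.example-partner.test'
MIN_RSA_BITS=2048

# make_csr <key.pem> <out.csr> <subject>
# Generates a fresh RSA key (file mode 0600, stays with the partner) and a CSR
# carrying only the public key, signed with that key.
make_csr() {
    key="$1"; csr="$2"; subject="$3"
    (umask 077 && openssl req -new -newkey "rsa:$MIN_RSA_BITS" -nodes \
        -keyout "$key" -out "$csr" -subj "$subject" 2>/dev/null)
}

# csr_subject <csr>: the subject in the same slash-separated form as the template.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# csr_key_bits <csr>: size of the RSA public key in the request, in bits
# (empty if the key is not RSA or the request cannot be parsed).
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# validate_csr <csr> <expected_subject>
# Returns 0 only when the request is well formed and its self-signature
# verifies, the subject equals the template byte for byte, and the key meets
# the minimum size. Each rejection names the reason on stderr.
validate_csr() {
    csr="$1"; expected="$2"
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "REJECT $csr: malformed request or bad self-signature" >&2
        return 1
    fi
    actual=$(csr_subject "$csr")
    if [ "$actual" != "$expected" ]; then
        echo "REJECT $csr: subject '$actual' differs from template '$expected'" >&2
        return 1
    fi
    bits=$(csr_key_bits "$csr")
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "REJECT $csr: key size '${bits:-unknown}' below $MIN_RSA_BITS bits" >&2
        return 1
    fi
    echo "ACCEPT $csr: subject matches template, $bits-bit RSA key"
}

# Demo: one compliant request and one whose CN drifted from the template
# (a production host name submitted against the MTF template).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_csr "$WORK/good.key" "$WORK/good.csr" "$DN_TEMPLATE"
make_csr "$WORK/bad.key"  "$WORK/bad.csr" \
    '/C=BE/O=Example Partner NV/OU=Project Alpha/CN=alpha-prod.example-partner.test'
validate_csr "$WORK/good.csr" "$DN_TEMPLATE"
validate_csr "$WORK/bad.csr"  "$DN_TEMPLATE" || true
```

For production, the accepted CSR is then packaged with WinZip under the password registered on the 1075 form, as the procedure requires. The password is the only protection on that archive, so it must never be put in the same email as the ZIP (it reaches KMS only through the form), and WinZip's AES encryption option should be chosen over the legacy Zip 2.0 encryption, which is known to be weak.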
Chapter 4 Contact and Emergency Procedures

Provides contact information and emergency procedures.
Contact for Certificate Exchanges

Provides contact information for non-emergency situations.

Email: key_management@mastercard.com
Telephone: +32 (2) 352 5578

Use the Key Management Services (KMS) email address for questions about:
- Certificates issued on a Keon certification system for staging or production purposes.
- Exchange of PKI data with third parties (including certificate requests) and the 1075 MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

Contact for Emergency Situations

In some situations KMS may need to be contacted for an emergency, for example when certificates are required urgently because of an overlooked certificate expiration, a system failure, or an outage. The emergency procedures in place within KMS cover the urgent generation of certificates (including the generation of certificate signing requests), the urgent revocation of a certificate, and urgent support to resolve production issues. Their purpose is to resolve emergencies with a significant business impact.

Business partners must contact their MasterCard application team contact person, who reaches out to KMS. The application team submits the emergency request on behalf of the business partner and liaises with KMS.

Documenting Emergency Situations

Depending on the reason for the emergency, prepare the following data in advance to communicate to the MasterCard application team contact person.

Urgent Support
When a production application has an issue related to the use of a certificate, provide the following data (if known):
- Serial number and reference of the certificate concerned, its complete DN, the certification system, the CA, and the jurisdiction that issued the certificate
- Entity or entities validating the certificate
- Keystore and truststore file contents (the certificate entries; never export private key material)
- Description of the issue

Urgent Request Due to Incorrect Certificate Delivery
When a certificate was not issued as defined during the design phase and the correct certificate is needed urgently to meet the project constraints, provide the following data (if known):
- Serial number and reference of the certificate concerned, its complete DN, the certification system, the CA, and the jurisdiction that issued the certificate
- Description of the issue with the certificate, such as the discrepancies from the original certificate design description and the certificate characteristics to modify

Urgent Request Due to Overlooked Certificate Expiration
When an expiring certificate has not been replaced in time by one with a later expiry date, production systems can experience outages. A replacement certificate can be requested urgently; provide the following data (if known):
- Serial number and reference of the certificate concerned, its complete DN, the certification system, the CA, and the jurisdiction that issued the certificate

Urgent Revocation of Entity Certificate
When a certified key is compromised, or compromise is suspected, the related certificate must be revoked urgently. Note that urgent revocation is meaningless for a CA that issues no CRL: relying parties have no way to learn of the revocation. To proceed with the revocation, provide the following data (if known):
- Serial number, reference and full DN of the certificate whose key is compromised or suspected of compromise, the certification system, the CA, and the jurisdiction that issued it
- Detailed reason for the revocation (for example, key compromise or suspected compromise)
- Name, title, contact information and team name of the person requesting the revocation
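Every emergency request above asks for the same identifying data (serial number, complete DN, issuing CA), and two of the cases hinge on facts that can be read straight from the certificate: whether it is about to expire, and whether its CA names a CRL distribution point at all. The script below is an added example written for this page, not MasterCard tooling: it extracts those fields from a certificate file with OpenSSL, flags a certificate that expires within a renewal window, and reports whether the certificate carries a CRL distribution point. The certificate it inspects is a constructed self-signed sample valid for ten days; the 30-day window is an assumed value, not one the procedures prescribe. The certification system and jurisdiction fields come from the project documentation, not from the certificate, so the script does not attempt them.

```shell
#!/bin/sh
# Added example, not MasterCard tooling: pull the data an emergency request asks
# for (serial number, full subject DN, issuing CA) out of a certificate file,
# warn when it is about to expire, and check whether it names a CRL
# distribution point. SAMPLE_CERT is a constructed self-signed certificate; in
# practice point the functions at the certificate from your keystore.
set -eu

# cert_serial <cert.pem>: serial number in hex, as the request should quote it.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_subject <cert.pem>: full DN of the certified entity.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# cert_issuer <cert.pem>: full DN of the issuing CA.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# cert_expires_within <cert.pem> <days>: returns 0 if the certificate is already
# expired or will expire within <days> days, 1 if it stays valid beyond that.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# cert_has_crl_dp <cert.pem>: returns 0 if the certificate names a CRL
# distribution point. Without one, and without a CA that issues CRLs, relying
# parties cannot learn of a revocation, which is the caveat in the text.
cert_has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

# emergency_sheet <cert.pem> <renewal_window_days>
# Prints the certificate-derived fields of an emergency request.
emergency_sheet() {
    cert="$1"; window="$2"
    echo "Serial number : $(cert_serial "$cert")"
    echo "Subject DN    : $(cert_subject "$cert")"
    echo "Issuing CA    : $(cert_issuer "$cert")"
    echo "Not after     : $(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')"
    if cert_expires_within "$cert" "$window"; then
        echo "Expiry        : within $window days, start the renewal exchange now"
    else
        echo "Expiry        : more than $window days away"
    fi
    if cert_has_crl_dp "$cert"; then
        echo "CRL           : distribution point present"
    else
        echo "CRL           : no distribution point; confirm how relying parties learn of revocation"
    fi
}

# Constructed sample: a self-signed certificate valid for only 10 days, so the
# assumed 30-day renewal window check fires and no CRL distribution point exists.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_CERT="$WORK/sample.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -keyout "$WORK/sample.key" \
    -out "$SAMPLE_CERT" \
    -subj '/C=BE/O=Example Partner NV/CN=alpha-prod.example-partner.test' 2>/dev/null
emergency_sheet "$SAMPLE_CERT" 30
```

Run the sheet against every production certificate on a schedule and raise the overlooked-expiration case while the normal renewal exchange can still complete; the emergency path exists for the cases this check failed to catch.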