
Public Key Infrastructure (PKI)

Exchange Procedures for MasterCard Business Partners

23 April 2015


Notices

Following are policies pertaining to proprietary rights, trademarks, translations, and details about the availability of additional information online.

Proprietary Rights

The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively “MasterCard”), or both.

This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Trademarks

Trademark notices and symbols used in this document reflect the registration status of MasterCard trademarks in the United States. Please consult with the Global Customer Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States.

All third-party product and service names are trademarks or registered trademarks of their respective owners.

Disclaimer

MasterCard makes no representations or warranties of any kind, express or implied, with respect to the contents of this document. Without limitation, MasterCard specifically disclaims all representations and warranties with respect to this document and any intellectual property rights subsisting therein or any part thereof, including but not limited to any and all implied warranties of title, non-infringement, or suitability for any purpose (whether or not MasterCard has been advised, has reason to know, or is otherwise in fact aware of any information) or achievement of any particular result. Without limitation, MasterCard specifically disclaims all representations and warranties that any practice or implementation of this document will not infringe any third party patents, copyrights, trade secrets or other rights.

Translation

A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language other than English is intended solely as a convenience to MasterCard customers. MasterCard provides any translated document to its customers “AS IS” and makes no representations or warranties of any kind with respect to the translated document, including, but not limited to, its accuracy or reliability. In no event shall MasterCard be liable for any damages resulting from reliance on any translated document. The English version of any MasterCard document will take precedence over any translated version in any legal proceeding.

Information Available Online

MasterCard provides details about the standards used for this document—including times expressed, language use, and contact information—on the Publications Support page available on MasterCard Connect™. Go to Publications


Summary of Changes, 23 April 2015

This document reflects changes associated with the 23 April 2015 publication. To locate these changes online, click the hyperlinks in the following table.

Description of Change: Clarified wording in the Certificate Exchange Procedures bullet.
Where to Look: Overview of Procedures

Description of Change: Added Step 2 in the Before you begin section; clarified wording in Step 1 of the Procedure section.
Where to Look: Registration of Authorized Certificate Requestors and Password


Table of Contents

Chapter 1

Introduction ... 1-i

Overview of Procedures ... 1-1

Chapter 2

Registration ... 2-i

Registration Procedures ... 2-1

Registration of Authorized Certificate Requestors and Password ... 2-2

Update Authorized Certificate Requestors and Password ... 2-3

Chapter 3

Certificate Exchange ... 3-i

Exchange of Data with Business Partners ... 3-1

Data for Staging, Member Test Facility (MTF), and Development ... 3-1

Data for Production ... 3-1

Chapter 4

Contact and Emergency Procedures ... 4-i

Contact for Certificate Exchanges ... 4-1

Contact for Emergency Situations ... 4-1

Documenting Emergency Situations ... 4-1


Chapter 1

Introduction

This section provides an overview of the Public Key Infrastructure (PKI) Exchange Procedures for MasterCard Business Partners document.


Overview of Procedures

All tasks to be performed by the business partners and MasterCard are divided into a number of procedures. Each procedure has a defined purpose and scope. Each procedure is divided into four subsections:

• Personnel: List of the individuals involved in performing the procedure

• Forms Used: List of the forms used in the procedure

• Before You Begin: Description of preparatory work that must be performed prior to carrying out the procedure

• Procedure/Results: Steps that must be carried out by the business partners to complete the procedure, as well as the expected result after completing the procedure

Using These Procedures

The procedures defined in this document are divided into three categories:

• Registration Procedures—Describes the personnel and password registration procedures that business partners and MasterCard must follow to exchange or update information. This registration information is required to identify the personnel involved in the exchange of PKI information between the business partners and MasterCard.

• Certificate Exchange Procedures—Describes the procedures for business partners to exchange or renew certificate signing requests (CSRs), certificates and CA certificates with MasterCard Key Management Services (KMS) in the different environments.

• Contact and Emergency Procedures—Describes the procedures for business partners to contact KMS in an emergency, that is, when a certificate needs urgent withdrawal or renewal.


Chapter 2

Registration

Provides the procedures for initial authorized certificate requestors, password registration and update.

Registration Procedures ... 2-1

Registration of Authorized Certificate Requestors and Password ... 2-2

Update Authorized Certificate Requestors and Password ... 2-3


Registration Procedures

Provides an overview of the key management registration procedures and usage.

Registration is mandatory for any PKI exchange to and from MasterCard. This registration will remain in place for all exchanges until amended by the business partner.

Procedure: Registration of business partners' authorized certificate requestors and password

Usage: Used for initial registration to provide MasterCard with the names, contact details, specimen signatures and password of all future authorized certificate requestors.

Personnel: The following individuals are involved in performing this procedure:

• Authorized certificate requestors (minimum 2 people)

Form: The following form pertains to this procedure:

1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners

Procedure: Registration or password update

Usage: Used to add, revoke or update details related to a business partner's registration, or to change the shared password.

Personnel: Depending on the updates, the following individuals are involved in performing this procedure:

• Authorized certificate requestors whose contact details have changed

• New authorized certificate requestors

• Current registered authorized certificate requestors (in case of password update)

Form: The following form pertains to this procedure:

1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners


Registration of Authorized Certificate Requestors and Password

Provides the process of registering authorized certificate requestors and password.

Before you begin

1. The business partner must select and approve all individuals within its organization who will be registered as authorized certificate requestors. At least two people are required; to allow continuity when an authorized certificate requestor is absent, additional people can be registered.

2. The business partner must include a group email address within its organization. This email address will be used for crucial communication and in case the authorized certificate requestors' registered email addresses are no longer in use.

3. The authorized certificate requestors must define a password compliant with basic security rules (a password that is at least 8 characters long and contains upper and lower case letters, a number and a symbol).

4. A project scope must have been defined and approved beforehand with MasterCard.

Procedure

1. Complete the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form with the data of all identified individuals, as well as the Project/Application Name, the MasterCard Project Manager name and the group mailbox email address.

2. Include a legible password; ideally the password is typed for clarity. The password can be used for all PKI exchanges and must not be shared except with the Key Management Services department through the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

3. All authorized certificate requestors must sign the form.

4. The 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form must be sent to the Key Management department only by the registrants. It can be sent by email, courier or fax. No person other than the registrants should be in copy when sending this email; otherwise the password will be considered compromised.

Results

Upon receipt of the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form, the MasterCard Project Manager mentioned on the form will be contacted to confirm the registration and project scope. Registered authorized certificate requestors will receive an email confirmation of their registration as well as the next step of the PKI exchange.

NOTE

It is the business partner's responsibility to keep the information up to date. Passwords should never be disclosed to non-registered persons.

Update Authorized Certificate Requestors and Password

Provides the process of updating authorized certificate requestors or password.

Before you begin

1. The business partner must determine what needs to be changed within the current registration: authorized certificate requestors and/or password.

2. If needed, the business partner's authorized certificate requestors must define a new or additional password compliant with basic security rules (a password that is at least 8 characters long and contains upper and lower case letters, a number and a symbol).

3. In the case of a new project, new project number and scope must have been defined and approved beforehand with MasterCard.

Procedure

1. The 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form must reflect all the changes. The update or revoke box must be checked next to the updated authorized certificate requestors' details. In the case of a password update, at least two registered authorized certificate requestors must be listed on the form and must provide a signature.

2. The signed 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form must be sent to the Key Management department only by the registrants. It can be sent by email, courier or fax. No person other than the registrants should be in copy when sending this email; otherwise the password will be considered compromised.

Results

Upon receipt of the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form, the MasterCard Project Manager mentioned on the form will be contacted to confirm the registration and project scope. Registered authorized certificate requestors will receive an email confirmation of their registration as well as the next step of the PKI exchange.


Chapter 3

Certificate Exchange

Certificate signing requests (CSRs, which contain the requestor's public key), certificates and CA certificates are the cryptographic material that may be exchanged between MasterCard (KMS) and business partners within the scope of some projects.

Exchange of Data with Business Partners ... 3-1

Data for Staging, Member Test Facility (MTF), and Development ... 3-1

Data for Production ... 3-1


Exchange of Data with Business Partners

Security measures for conveying cryptographic data depend on the exact usage in the target environment.

This document provides information for data used in the following cases:

• Development

• Staging (or for a situation where the security requirements are identical)

• Production (or for a situation where the security requirements are identical)

Data for Staging, Member Test Facility (MTF), and Development

A registered authorized certificate requestor performs this procedure to complete and send the certificate signing request (CSR).

Before you begin

Data used for development, MTF and staging purposes can be handled under single control for any transmission: the CSR can be sent by a single authorized certificate requestor without any further encryption of the CSR. Certificates returned by Key Management Services Operations will always be encrypted using the password shared on the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

Procedure

1. The generated CSR should follow the DN template provided after registration is complete, which reflects the project requirements.

2. One authorized certificate requestor should send the CSR to be signed to [email protected] and provide in the email body all details on the CSR to be signed, such as the project name, environment and certificate type. On receipt of the email request, MasterCard will validate that the authorized certificate requestor is registered and that the CSR matches the DN template and project scope.

Results

MasterCard will process the certificate request, ZIP the certificate, encrypt with the shared password, and return the certificate to two registered authorized certificate requestors.

Data for Production

Two registered authorized certificate requestors (dual control) perform this procedure to complete and send the certificate signing request (CSR).


Before you begin

The process for data used for production requires that two registered authorized certificate requestors are involved in any transmission. It is mandatory that CSRs are zipped with WinZip and password protected using the password shared in the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

Certificates returned by Key Management Services Operations will always be encrypted using the password shared on the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

Procedure

1. The generated CSR should follow the DN template provided after registration is complete, which reflects the project requirements.

2. Authorized certificate requestors should ZIP the CSR and encrypt it under the shared password.

3. Authorized certificate requestors should send the ZIP file containing the CSR to be signed to [email protected] and copy a second registered authorized certificate requestor on the request. Business partners have to provide in the email body all details on the CSR to be signed, such as the project name, environment and certificate type. On receipt of the email request, MasterCard will validate that the authorized certificate requestors are registered and that the CSR matches the DN template and project scope.

Results

MasterCard will process the certificate request, ZIP the certificate, encrypt with the shared password, and return the certificate to two registered authorized certificate requestors.

NOTE

The certificate has an expiry date. It may need to be renewed in time to avoid an outage of the service that uses it. The renewal process is the same as for the initial CSR exchange.
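The checks the KMS mailbox applies to an incoming CSR email, as described in the staging and production procedures above (registered sender, a second registered requestor in copy for production, subject DN conforming to the DN template), written out as an added illustration that is not part of MasterCard's document or tooling. The requestor list, the angle-bracket placeholder syntax for the DN template and all addresses are constructed assumptions.

```python
import re

# Constructed sample data: the registered authorized certificate requestors of
# one business partner (as recorded from the 1075 form) and that partner's DN
# template. Angle-bracket tokens are placeholders; other RDNs must match exactly.
REGISTERED_REQUESTORS = {"alice@partner-a.example", "bob@partner-a.example"}
DN_TEMPLATE = "CN=<host>.partner-a.example,OU=<project>,O=Partner A,C=BE"

def parse_dn(dn):
    """Split an RFC 4514-style DN into ordered (type, value) pairs; a backslash
    escapes the next character, so 'O=Acme\\, Inc.' stays one RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # escaped char: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":                        # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def dn_matches_template(dn, template):
    """True when dn has the template's RDNs in the same order and each
    <placeholder> is filled with non-empty text."""
    subject, tmpl = parse_dn(dn), parse_dn(template)
    if len(subject) != len(tmpl):
        return False
    for (s_attr, s_val), (t_attr, t_val) in zip(subject, tmpl):
        if s_attr != t_attr:
            return False
        parts = re.split(r"(<[^>]+>)", t_val)   # literals and placeholders
        pattern = "".join("(.+)" if p.startswith("<") else re.escape(p)
                          for p in parts)
        if not re.fullmatch(pattern, s_val):
            return False
    return True

def validate_csr_request(environment, sender, cc, subject_dn):
    """Return the reasons a CSR email would be rejected; an empty list means
    the request passes the checks the procedure describes."""
    findings = []
    if sender not in REGISTERED_REQUESTORS:
        findings.append("sender is not a registered authorized certificate requestor")
    # Production only: dual control needs a second, different registered requestor in copy.
    if environment == "production" and not any(
            a in REGISTERED_REQUESTORS and a != sender for a in cc):
        findings.append("production requires a second registered requestor in copy")
    if not dn_matches_template(subject_dn, DN_TEMPLATE):
        findings.append("subject DN does not match the DN template")
    return findings
```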


Chapter 4

Contact and Emergency Procedures

Provides contact information and emergency procedures.

Contact for Certificate Exchanges ... 4-1

Contact for Emergency Situations ... 4-1

Documenting Emergency Situations ... 4-1


Contact for Certificate Exchanges

Provides contact information for non-emergency situations.

Email: [email protected]

Telephone: +32 (2) 352–5578

Use the Key Management Services (KMS) email address for the following questions:

• Certificates issued on a Keon certification system for staging or production purposes.

• Exchange of PKI data with third parties (which includes certificate requests) and the 1075—MasterCard X.509 Public Key Infrastructure (PKI) Enrollment - Business Partners form.

Contact for Emergency Situations

In some situations, Key Management Services (KMS) may need to be contacted for emergencies. For example, certificates may be required urgently because of overlooked certificate expiration, system failure, or outage.

Emergency procedures in place within KMS cover the urgent generation of certificates, including the generation of Certificate Signing Requests (CSRs), the urgent revocation of a certificate, and urgent support to resolve production issues. The purpose is to resolve emergency issues having a significant business impact.

Business partners are required to contact their MasterCard application team contact person, who will then reach out to KMS. Application teams proceed with emergency requests on behalf of business partners and liaise with KMS.

Documenting Emergency Situations

Depending on the reason for the emergency, prepare data in advance to communicate to the MasterCard application team contact person.

Urgent Support

When there is an issue for a production application related to the use of a certificate, provide the following data (if known):

• Serial number and the reference of the certificate for which there is an issue, the complete DN, the certification system, the CA, and the jurisdiction that issued the certificate

• Entity or entities validating the certificate

• Keystore and truststore file contents

• Description of the issue

Urgent Request Due to Incorrect Certificate Delivery

When a certificate was not issued as defined during the design phase and the correct certificate is needed urgently to meet the project constraints, provide the following data (if known):

• Serial number and the reference of the certificate for which there is an issue, the complete DN, the certification system, the CA, and the jurisdiction that issued the certificate

• Description of the issue with the certificate, such as the discrepancies from the original certificate design description, and the certificate characteristics to modify

Urgent Request Due to Overlooked Certificate Expiration

When an expiring certificate has not been replaced in time by another with an extended lifetime, production systems can experience outages. A replacement certificate can be requested urgently; provide the following data (if known):

• Serial number and the reference of the certificate for which there is an issue, the complete DN, the certification system, the CA, and the jurisdiction that issued the certificate

Urgent Revocation of Entity Certificate

When a certified key is compromised or there is suspicion of key compromise, the related certificate must be revoked urgently. Note that urgent revocation of a certificate is meaningless for CAs for which no CRL is issued.

To proceed to the effective revocation of a certificate, provide the following data (if known):

• Serial number, the reference, and full DN of the certificate for which the key is compromised or suspected of compromise, the certification system, the CA, and the jurisdiction that issued the certificate

• Detailed reason for revocation (for example, key compromise or suspicion of compromise)

• Name, title, contact information, and team name of the person requesting revocation
