paysec
is a Rust library designed to facilitate the development and testing
of standards related to payment security in retail payment transactions. It
serves as a resource for financial institutions and payment service providers
who require compliance with such standards.
IMPORTANT DISCLAIMER:
The current setup of paysec
is primarily intended for use in test
environments to generate test data. This version is not recommended for
productive setups, particularly in scenarios where Hardware Security Modules
(HSMs) are mandated. One key aspect of this limitation is the handling of
random seeds: they must be explicitly provided via the interface, making the
library suitable for deterministic testing. This approach stands in contrast to
the use of strong cryptographic random generators and hardware acceleration for
encryption, which are essential for robust security in production
environments.
You should be aware that while the library offers tools and functionalities aligned with payment security standards, its utility in production environments is limited. It is crucial to integrate additional security measures and hardware capabilities when deploying solutions in a real-world, high-security context.
paysec
provides functionalities aligned with the payment security standards,
with a primary focus on standards supporting at least AES security levels.
While parts of other versions that are based on TDES (Triple Data Encryption
Standard) might be implemented, they are not the primary focus.
-
ASC X9 TR 31-2018: Wrap and unwrap cryptographic keys according to the TR-31 key block format. Currently version
D
is supported which uses the Key Block Binding Method, specifically AES-CMAC to derive the encryption and authentication keys from a Key Block Protection Key. This includes functionalities for:- Generating key blocks with comprehensive header information including key usage, algorithm, and mode of use.
- Supporting multiple optional blocks for extended metadata, such as certificates or timestamps.
- Secure wrapping of cryptographic keys
- Unwrapping key blocks to retrieve the original cryptographic key and header information, ensuring the integrity and authenticity of the key.
- Finalizing key block headers to comply with block size requirements, including automatic padding block insertion.
- Validating key block structure and header contents against TR-31 specifications.
-
ISO 9564 Format 4 PIN Block: Encode and encipher PIN blocks using the ISO 9564 format 4 standard. This includes functionalities for:
- Encoding a Personal Identification Number (PIN) field.
- Encoding a Primary Account Number (PAN) field for PAN binding of a PIN block.
- Enciphering and deciphering PIN blocks with AES encryption, binding the PIN with the PAN for improved security.
-
ISO 9564 Format 3 PIN Block: Encode and decode PIN blocks using the ISO 9564 format 3 standard. Note that the functionalities encode and combine the PIN and PAN fields but do not ecrypt the resulting PIN block. The encoded PIN block would be encrypted in a separate step using algorithm like Tripe DES.
To start using paysec
in your Rust project, you can install it using Cargo.
Run the following command in your project directory:
cargo add paysec
Alternatively, you can manually add the following line to your Cargo.toml
file under [dependencies]
:
paysec = "0.1.1"
paysec
is equipped with comprehensive high-level documentation comments
across its modules. These comments not only provide detailed explanations of
the functions and their purpose but also include doc test examples that give a
clear impression of how to use the modules effectively.
Additionally, detailed documentation, including API references and more
examples, is available on the Rust docs website. Please visit the paysec
documentation page at
https://docs.rs/paysec/0.1.1/paysec/index.html.
The PIN Block Web Tool is
a practical application of this library using WebAssembly (Wasm) to provide a
user-friendly interface to generate test data based on ISO 9564 PIN Blocks. The
tools demonstrates the versatility of the paysec
library and its potential
applications in web-based environments through WebAssembly.
The Key Block Web Tool offers another web interface based on this library to have a more convenient interface for key block testing and to exemplify the use of the TR-31 module.
paysec
is actively being developed with plans to include more payment
security features such as:
- Integration with popular payment gateways and protocols.
- An asymmetric keyblock protection formats (TR-34)
- ANSI X9.143 and ISO 20038 extensions for TR-31
- Other TR-31 versions (A, B, C) on request.
- CVV Card Verification Value generation
- EMV related cryptography
- Key Management Web Interface (potentially as separate project based on the Wasm binding)
- HSM simulator interface
paysec
is licensed under the GNU General Public License Version 3 (GPLv3), a
widely-used free software license that ensures users have the freedom to run,
study, share, and modify the software. The GPLv3 is a copyleft license, which
means that any derivative work created from paysec
must also be distributed
under the same license terms. For complete license details, refer to the
LICENSE file included with the source code, or visit the GNU
General Public License Version 3, 29 June
2007 page.
The copyright of the paysec
implementation is held by David Schmid
(david.schmid@mailbox.org).
Also consider the licenses of any related libraries utilized within the project. Each library may have its own licensing terms, which should be respected and adhered to.
The implementation of paysec
may reference various standards and protocols in
the domain of payment security. The copyrights and rights of use for these
underlying standards are held by their respective organizations. Users should
ensure compliance with these standards and respect their intellectual property
rights.
For use cases not related to testing in non-commercial environments, or for any inquiries regarding alternative licensing arrangements or permissions beyond the scope of GPLv3, please contact the author, David Schmid, at david.schmid@mailbox.org.