Standards and specification bodies that matter to payments - ISO, X9, and more…
Steve Cole, Director, Tech Engagement, Merchant Advisory Group
Jul 12, 2022

“Alex, I’ll take standards body acronyms for $400!”

Standards impact every aspect of life from the moisture content in your cereal to liquid rocket engines to working safely in a pandemic.  Without standards, it would be impossible for the modern world to function, and the world of payments is no exception.  Standards ensure consistency, reliability, security, and quality and help guide innovation. In payments, standards define how transactions are communicated, how customers are verified, how data is secured, and much more.  But where do these standards come from and how are they created and maintained?  To find out, join us over the next three weeks as we publish a series of articles examining the organizations that maintain the standards with some of the greatest impact on how the payments industry runs. 

ISO

What is it and what does it do?  ISO is the International Organization for Standardization. But wait, you may say, “Wouldn’t that make them IOS???” Ironically, ‘ISO’ is not an acronym at all. From the ISO website, “Because 'International Organization for Standardization' would have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalisation), our founders decided to give it the short form ISO. ISO is derived from the Greek 'isos,' meaning equal. Whatever the country, whatever the language, we are always ISO.” [1] ISO develops and publishes international standards on everything from screw threads to quantum key distribution.

Who is it?  ISO is a network of national standards bodies. In the United States, that national standards body is ANSI (American National Standards Institute). ANSI membership is open to corporations (merchants), not-for-profits, and government and educational organizations. The national standards bodies are the ISO members and there can only be one member per country.  Other industry bodies and stakeholder groups within a given country cannot be ISO members directly but work through their national member organization to participate in the ISO standards process. The national member organizations have voting privileges in ISO meetings. In addition to the member organizations, there are correspondent members and subscriber members.  Correspondent members can attend ISO meetings but only as observers, and they do not have voting privileges. Subscriber members can monitor ISO activities but cannot attend meetings and do not have voting privileges. ISO also maintains a liaison program that allows external organizations, such as FIDO, W3C and EMVCo (described later), to participate in the standards development process subject to meeting specific criteria.

How does it work?  ISO begins the standard development process by responding to a request, which can come from an industry stakeholder or other stakeholder group, such as a consumer group. ISO does not decide independently to develop new standards. The standards are developed by groups of experts from the ISO technical committees, which are made up of representatives from industry, academia, governmental entities, and other stakeholder groups.  ISO standards are developed using a consensus-driven approach.

Why do we care?  Among the standards ISO manages is the ISO 8583 standard for ‘Financial transaction card originated messages — Interchange message specifications.’ The specifications based on this standard are the primary specifications for payment transaction messages. Visa, Mastercard, and the other global payments networks base their authorization communications on this standard. In addition, ISO manages the ISO 20022 standard for ‘Financial services — Universal financial industry message scheme.’ This message specification will eventually become the predominant payments transaction message specification in the United States (it is the specification real-time payments are built on) and has already been adopted in some other markets. ISO 20022 offers a richer data set than ISO 8583 and utilizes an XML schema. By participating in organizations that have a liaison relationship with ISO (such as EMVCo and FIDO), merchants can have additional influence on the ISO standards development process.

X9

What is it and what does it do?  X9 is, apparently, also not an acronym for anything. It is officially the Accredited Standards Committee X9, Financial Services Inc. or ASC X9…so a semi-acronym.  The accreditation comes from ANSI, the American National Standards Institute, referenced in the earlier ISO topic. X9 develops and maintains voluntary consensus standards for the financial services industry. The committee works to maintain a standards development process that is open, transparent, and free of dominance from special interest groups [2]. Through appointment by ANSI, X9 represents the United States on three ISO technical committees.

Who is it?  X9 is made up of members from the financial services industry. Members include banks, corporations (merchants), vendors, government agencies and regulators, associations, security experts, software producers, consultants, and others. X9 has four categories of membership. The highest level of membership allows for representation on the board of directors, representation of the U.S. internationally on certain ISO committees, and participation in multiple X9 subcommittees and work groups. These members can vote on new work projects, standards, procedures and policies, and direct the work of subcommittees and work groups.  There are no restrictions on joining at the highest level, and of the approximately 100 member organizations, 57 are in this category. The other levels of membership restrict participation to a single subcommittee or are reserved for smaller organizations in terms of revenue or employee count or for organizations interested in participating in a single domestic work group.

How does it work?  The X9 Board of Directors makes decisions on new work efforts to develop standards and has the final decision on approval of standards. Five subcommittees develop the standards and technical documentation for the business area they cover. The covered areas are payments, checks and back-office operations, corporate banking, securities, and data and information security. Each subcommittee is comprised of subject matter experts in key business sectors of the financial services industry.

Why do we care?  The X9A Electronic and Emerging Payments subcommittee develops and maintains standards focused on electronic and mobile payments including wholesale, retail, and electronic benefits transfer. Work groups under this subcommittee are focused on mobile banking and payments and EBT payments. The X9F Data & Information Security subcommittee focuses on data and information security standards including projects on message encipherment and digital signature algorithms. Work groups under this subcommittee are working on standards related to cryptographic tools, cybersecurity and cryptographic solutions, public key infrastructure (PKI), and cardholder authentication and integrated chip cards (ICCs). X9 is also engaged in a joint project with PCI to maintain the PCI PINS Standard.  X9’s work impacts everything from messaging protocols to data breach notifications to faster payments. 

Next week we will discuss PCI and W3C.

1. https://www.iso.org/about-us.html
2. https://x9.org/wp-content/uploads/2020/06/OverviewOfX9v10.pdf