Service Description
This document describes the features and functions of the components of the 3SKey solution and the roles and
responsibilities of all parties involved in the 3SKey solution.
30 September 2016
3SKey
Table of Contents
Preface
1 Introduction
1.1 Advantages of the 3SKey Solution
1.2 Eligibility Criteria
6 Contractual Framework
7 Glossary of Terms
Legal Notices
Preface
Purpose of the document
This document describes the features and functions of the various components of the 3SKey
(SWIFT Secure Signature Key) solution and the roles and responsibilities of all parties involved
in the 3SKey solution.
Note This service description, together with other relevant contractual service
documentation, is an integral part of the contractual arrangements between SWIFT
and the 3SKey subscribers, the 3SKey users or any other organisations that order
the 3SKey Developer Toolkit for the provision and the use of the relevant
components of the 3SKey solution.
Audience
This document is for the following audience:
• 3SKey subscribers (typically, banks) that require information about the features and functions
of the components of the 3SKey solution, and about the roles and responsibilities of all
parties involved in the 3SKey solution
• 3SKey users (typically, corporate clients of banks, or their representatives) that require
information about the features and functions of the components of the 3SKey solution, and
about the roles and responsibilities of all parties involved in the 3SKey solution
• persons that intend to subscribe to or use the 3SKey solution, and require information about
the features and functions of the components of the 3SKey solution and about the roles and
responsibilities of the parties involved in the 3SKey solution
Significant changes
The following table shows the functional change to this document since its September 2015
publication. This table does not include the general edits and updates that were also made.
Information related to the use of data in case of cybersecurity investigations: see Use of data for
security monitoring and investigation purposes on page 20
SWIFT-defined terms
In the context of SWIFT documentation, certain terms have a specific meaning. These terms
are called SWIFT-defined terms (for example, customer, user, or SWIFT services and products).
The definition of SWIFT-defined terms appears in the SWIFT Glossary.
Related information:
Instructions for the 3SKey Administrator
Instructions for the 3SKey User
3SKey Getting Started for Banks
3SKey Getting Started for Corporates
3SKey Token Software Installation Guide
1 Introduction
When a bank interacts with its corporate customers through electronic banking channels, it
may need to authenticate received data at the level of the individual(s) authorised to serve
instructions to it. For example, a specific individual in the corporate treasury department must
approve payment instructions.
In practice, banks and their corporate clients must often manage and use multiple and different
types of personal signing mechanisms (for example, multiple tokens with different passwords
and different processes to maintain them). Using and maintaining different authentication
methods in parallel adds to the complexity and leads to higher operational risk and cost.
To address this issue, SWIFT introduced the 3SKey solution. With this solution, SWIFT supplies
tokens that include PKI-based credentials for use between 3SKey subscribers (typically, banks)
and 3SKey users (typically, corporates). 3SKey users then set up their tokens with a unique
certificate issued by the SWIFT Public Key Infrastructure (PKI). 3SKey users then use these
credentials to sign messages and files exchanged with one or more 3SKey subscribers over any
mutually agreed channel. The signature provides authentication of the 3SKey user and
non-repudiation of the signed transactions.
3SKey users
A 3SKey user must currently use many different security devices to authenticate itself towards
third parties (typically, banks). The use of a single token towards multiple 3SKey subscribers will
help to reduce cost and operational risk and increase convenience.
subscriber may also order 3SKey tokens from SWIFT for their own use or for distribution to
3SKey users in their own name.
All other SWIFT users may order 3SKey tokens from SWIFT for their own use or for distribution
to affiliates within their corporate group. A Service Bureau may distribute 3SKey tokens to
SWIFT users connecting to SWIFT through it. All SWIFT partners that order a 3SKey Developer
Toolkit may also order 3SKey tokens from SWIFT for their development activities only. 3SKey
tokens must not be distributed to individuals for private purposes.
2. Activation
SWIFT supplies inactive tokens (that is, they cannot be used to sign transactions). The
3SKey user must first activate its token by using the secure access (provided by the inactive
token) to the 3SKey portal over the Internet and the default password of the token.
As a result, a business credential (that is, a certificate and private key) is created and stored
on the token. The activation process does not require the supply of any identification
information about the 3SKey user, and the business credential is entirely anonymous. It
does not contain any name but just a Unique ID that is used by 3SKey subscribers to
associate the 3SKey user with the certificate.
The same process applies to the activation of any other user token, used for testing
purposes.
3. Association
The 3SKey subscriber associates the token with its 3SKey user(s).
As a result, the 3SKey subscriber application links the 3SKey user with the Unique ID. Such
association is achieved as a registration process to be agreed by the 3SKey subscriber and
the 3SKey user directly (for example, through a physical presence or through the use of
secure, pre-existing, remote identification technology). During the association process, the
3SKey subscriber must verify that the certificate is valid, including through the 3SKey
certificate revocation check facility.
When the association process is complete, the 3SKey subscriber can link any message that
is signed with the credential with the registered 3SKey user or, if the registration process so
permits, a specific representative of the 3SKey user.
[Figure D1290003. Parties: 3SKey user, 3SKey subscriber, 3SKey portal. Labels: "John = 45678-unique ID"; "Check that token 45678 is not revoked".]
[Figure D1290004. Parties: 3SKey user, 3SKey subscriber, 3SKey portal. Labels: "Message signed with token 45678"; "Check that token 45678 is not revoked"; "John = 45678-unique ID".]
Consequently, SWIFT updates the certificate revocation list with the certificate revocation
information. So, when the 3SKey subscribers' application checks the certificate revocation
list, the certificate will appear as revoked and, consequently, the application of the 3SKey
subscriber stops trusting it.
Certain 3SKey subscribers may also require their 3SKey users to de-associate the
certificate with them directly.
For more information, 3SKey users should check the conditions governing the use of the
certificate with their 3SKey subscribers.
2. Renewal
The 3SKey user's token will expire after 3 years. Before its token expires, the 3SKey user
must renew its certificate on a new token through the portal. The 3SKey user can renew its
token during 90 days preceding its expiry. After that, the token becomes unusable and the
certificate will need to be recovered.
The new token will inherit the original Unique ID. The old token is still usable until the
certificate expires.
This also applies to user tokens used for testing purposes. Not activated user tokens
cannot be renewed.
3. Recovery
It may be necessary to recover a certificate, if the certificate has been revoked or if the
token holding the certificate is lost or is not usable anymore (for example, it is damaged) or if
the certificate has expired. In this case, the 3SKey user asks a 3SKey administrator to set
up the certificate for recovery on a new token. Through the 3SKey portal, the 3SKey user
can recover its certificate onto a new token that has been set up for recovery by the
administrator. The 3SKey user is requested to provide its security code to complete the
recovery.
The new token will hold a new business certificate with the original Unique ID and will be
valid for 3 years. The old certificate cannot be used anymore.
This also applies to user tokens used for testing purposes. Not activated user tokens
cannot be recovered.
4. Reset
It may be necessary to reset a token, if the token is locked after a series of consecutive
wrong password entries or if the 3SKey user has lost its password. In this case, the 3SKey
user asks a 3SKey administrator to set up the locked token for reset. Through the 3SKey
portal, the 3SKey user can re-initialise its token with a new certificate and set a new
password. The 3SKey user is requested to provide its security code to complete the reset.
After reset, the token holds a new business or, as the case may be, a new technical
certificate with the original Unique ID and has the same expiry date as the old certificate.
This also applies to user tokens used for testing purposes.
[Figure D1290018. States shown: activated, not expired, prepared to reset, prepared to recover, revoked. Transitions numbered 1 to 8.]
3SKey portal
SWIFT provides a web portal.
• A duly authenticated 3SKey user can access the 3SKey portal to perform the following
functions on the 3SKey token:
- activation
- renewal (on a new token)
- revocation
- recovery (on a new token)
- reset (on the same token)
- password and security code management
- user list management functions
• An authenticated 3SKey subscriber can access the portal to perform the following functions:
- retrieve the SSL certificates (used to securely access the 3SKey certificate revocation
check facility)
- retrieve a report on the 3SKey subscriber's distributed tokens and their status
• verifies that the certificate is a 3SKey business certificate by checking that it has the Policy
ID 1.3.21.6.3.20.200.1
• verifies that the certificate has been issued by the SWIFT CA
• verifies that the certificate has not expired
• ensures that the certificate has not been revoked
When processing business transactions, the 3SKey subscriber must perform through its
application the following activities:
• verifies the signature of messages or files that have been signed with a 3SKey token
• ensures that the signing certificate is a 3SKey business certificate by checking that it has the
Policy ID 1.3.21.6.3.20.200.1
• verifies that the certificate has been issued by the SWIFT CA
• verifies that the signing certificate has not expired
• ensures that the signing certificate has not been revoked
• keeps non-repudiation logs of the signed transactions
Note The 3SKey subscriber is responsible for the integration of the 3SKey service with
its application(s) using the 3SKey Developer Toolkit or with assistance of a vendor
of its choice.
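The checks in the two lists above, written out as an added example in Go. It is not SWIFT's code and not the 3SKey Developer Toolkit API: the CA, user certificate, CRL and message are constructed test material, and ECDSA keys plus a CRL as the revocation source are assumptions. Only the Policy ID comes from this document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var businessPolicy = asn1.ObjectIdentifier{1, 3, 21, 6, 3, 20, 200, 1} // Policy ID from this document
var otherPolicy = asn1.ObjectIdentifier{2, 999, 1}                     // constructed, from the example arc

// CheckSigned applies the subscriber-side checks to one signed message (requires Go 1.21+).
func CheckSigned(cert, ca *x509.Certificate, crl *x509.RevocationList, msg, sig []byte, now time.Time) error {
	sum := sha256.Sum256(msg)
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	revoked := func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(cert.SerialNumber) == 0 }
	switch {
	case !isEC || !ecdsa.VerifyASN1(pub, sum[:], sig):
		return errors.New("bad signature")
	case !slices.ContainsFunc(cert.PolicyIdentifiers, businessPolicy.Equal):
		return errors.New("not a business certificate")
	case cert.CheckSignatureFrom(ca) != nil:
		return errors.New("not issued by the trusted CA")
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return errors.New("certificate outside its validity period")
	case crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate):
		return errors.New("revocation data untrusted or stale") // fail closed
	case slices.ContainsFunc(crl.RevokedCertificateEntries, revoked):
		return errors.New("certificate revoked")
	}
	return nil
}

// Demo builds constructed material (throwaway CA; CRL revoking serial 99); setup errors ignored for brevity.
func Demo(policy asn1.ObjectIdentifier, serial int64, msg string, years int) error {
	t0 := time.Date(2016, 9, 30, 0, 0, 0, 0, time.UTC)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: t0, NotAfter: t0.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	ext, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}}) // certificatePolicies value
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "constructed user"},
		NotBefore: t0, NotAfter: t0.AddDate(3, 0, 0), // tokens expire after 3 years
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: ext}}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: t0, NextUpdate: t0.AddDate(10, 0, 0),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(99), RevocationTime: t0}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, list, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	sum := sha256.Sum256([]byte("pay 100 EUR")) // the user signs this constructed instruction
	sig, _ := ecdsa.SignASN1(rand.Reader, key, sum[:])
	return CheckSigned(cert, ca, crl, []byte(msg), sig, t0.AddDate(years, 0, 0))
}

func main() {
	fmt.Println(Demo(businessPolicy, 2, "pay 100 EUR", 1), Demo(businessPolicy, 99, "pay 100 EUR", 1))
}
```

The revocation step fails closed: a CRL that is unsigned by the CA or past its next-update time is treated as a rejection rather than as "not revoked".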
Web browser
The 3SKey subscriber browser accesses the 3SKey portal to retrieve the SSL certificates and to
retrieve a report on its ordered tokens and their status. The 3SKey subscriber must ensure that
its web browser meets the applicable specifications set out in the 3SKey Token Installation
Guide.
Web browser
The 3SKey user accesses the 3SKey portal using a web browser. The portal is used for token
management purposes (activation, revocation, recovery, reset and renewal). The web browser is
necessary to enable access to Web-based services (for example, cash management). The
3SKey user must ensure that its web browser meets the applicable specifications set out in the
3SKey Token Installation Guide.
Planned unavailability
SWIFT plans for specific dates and times when the 3SKey service, typically access to the
3SKey portal, will be unavailable. SWIFT publishes notification of unavailability in advance on
www.swift.com.
Planned unavailability can be for the following events:
• downtime due to scheduled equipment maintenance
• scheduled system changes (for example, changes to software or hardware configurations or
business continuity testing)
SWIFT performs system changes and maintenance during allowable downtime windows. These
windows occur during weekends (Saturday and Sunday).
During an allowable downtime window, the 3SKey portal may be unavailable either for the whole
duration of the downtime, or only intermittently.
For more information about scheduled downtime, see www.swift.com > Support > Operational
status.
Unplanned unavailability
If SWIFT becomes aware of a problem with the 3SKey service, then it initiates any recovery or
fallback operation for which it is responsible and that is necessary to restore the service.
SWIFT may suspend or change the 3SKey service, in whole or in part, at any time, giving as
much advance notice as practicable to prevent or mitigate any adverse effect on the security,
reliability, or resilience of the 3SKey service or, more generally, SWIFT's reputation, brand or
goodwill (typically, if the 3SKey subscriber and 3SKey user would be subject to sanctions such
as EU sanctions).
The levels of service that this document specifies assume normal operating conditions. These
include resilient operations during most single-component failure scenarios within the active and
standby SWIFT operating centres where SWIFT runs the 3SKey certificate revocation check
facility. The 3SKey certificate revocation check facility design is resilient, and can handle many
anomalous events without impact to the activities of the 3SKey subscribers and users. However,
under certain, very unlikely, disaster scenarios (for example, the destruction of a SWIFT
operating centre, dual failures of similar components, or component failures during SWIFT
operating centre switchovers), SWIFT may be unable to meet these levels of service, in whole or
in part. The potential for data loss exists in such cases. In this case, SWIFT will inform the
3SKey subscribers concerned and 3SKey users who have registered an email address through
the 3SKey portal.
For example, if a disaster were to strike a SWIFT operating centre where SWIFT runs the
3SKey service, this may prevent SWIFT from fully processing all revocation requests received in the
15 minutes preceding the disaster. In such a case, the 3SKey users can contact SWIFT for
assistance to trace the affected requests.
3.2 Support
Support for 3SKey subscribers and the 3SKey Developer Toolkit
SWIFT is the single point of contact to report all problems and queries that relate to the 3SKey
service and the 3SKey Developer Toolkit. Support is also available for the 3SKey Developer
Toolkit. Individual users within their respective organisation must register to use the Support
service.
Related information
For more information about how to register for Support, see the Customer login section on the
www.swift.com home page.
For more information about support services, see:
• Premium Custom Support Service Description
• Premium Plus Support Service Description
• Premium Support Service Description
• Standard Plus Support Service Description
• Standard Support Service Description
The following graphic provides an overview of the interactions between the different parties:
[Figure D1290006. Parties: 3SKey subscriber, 3SKey user.]
• provide, when specifically ordered, the 3SKey Developer Toolkit, including the technical
specifications, the relevant software libraries and two test tokens to integrate the 3SKey
service in the applications of the 3SKey user and subscriber
• provide support to 3SKey subscribers, 3SKey users and partners for those components of
the 3SKey solution that are relevant to them
• make the 3SKey documentation available on www.swift.com and the 3SKey website.
• report to the 3SKey subscribers on the status (activated, not activated, prepared to recover,
prepared to reset, revoked, used to recover, used to renew) of the certificates that are stored
on the tokens they ordered
• revoke business certificates through an exception offline procedure by contacting SWIFT
support
• confirm, on request of the 3SKey user, details on the activation, renewal, reset, revocation, or
recovery of a certificate performed on the 3SKey portal for up to 6 months after the expiry
date of that certificate. Such certificate actions done by a 3SKey user are non-repudiated
and time-stamped and, therefore, SWIFT can confirm the Unique ID of the 3SKey user who
initiated the change as well as the date and time of the change.
• provide, on request of the 3SKey user or subscriber, evidence of the revocation status of a
specific certificate for up to 10 years
SWIFT reserves the right to unilaterally revoke certificates in specific circumstances (for
example, if it would appear or be likely, based on reasonable grounds, that a certificate has
been, is or could be used for illegal, illicit or fraudulent purposes, in a manner that might create
confusion or misrepresent the person normally associated with the certificate).
Related information
For more information about SWIFT's roles and responsibilities with regard to the 3SKey solution,
see the following documents, as applicable:
3SKey Terms and Conditions
3SKey Tokens Terms and Conditions
3SKey Developer Toolkit Terms and Conditions
Customer testing
Customers must not conduct any performance or vulnerability tests unless expressly permitted
in the SWIFT Customer Testing Policy.
If customers believe they have identified a potential performance or vulnerability threat, they
must immediately inform SWIFT thereof and treat all related information, data or materials as
SWIFT confidential information.
Related information
For more information about the 3SKey subscriber's roles and responsibilities with regard to the
3SKey solution, 3SKey subscribers can refer to the following documents, as applicable:
3SKey Terms and Conditions
3SKey Tokens Terms and Conditions
3SKey Developer Toolkit Terms and Conditions
Customer testing
Customers must not conduct any performance or vulnerability tests unless expressly permitted
in the SWIFT Customer Testing Policy.
If customers believe they have identified a potential performance or vulnerability threat, they
must immediately inform SWIFT thereof and treat all related information, data or materials as
SWIFT confidential information.
Related information
For more information about the 3SKey user's roles and responsibilities with regard to the 3SKey
solution, 3SKey users can refer to the following documents, as applicable:
3SKey Terms and Conditions
3SKey Tokens Terms and Conditions
3SKey Developer Toolkit Terms and Conditions
Related information
For more information about the pricing scheme, contact your SWIFT Account Manager.
6 Contractual Framework
Terms and conditions
The 3SKey Terms and Conditions govern the provision and use of the 3SKey service.
The 3SKey Token Terms and Conditions govern the supply, distribution and use of the 3SKey
tokens.
The 3SKey Developer Toolkit Terms and Conditions govern the provision and use of the 3SKey
Developer Toolkit.
SWIFT assistance
In case of dispute between a 3SKey user and a 3SKey subscriber, SWIFT will act as a neutral
trusted party by providing the relevant evidence it has available.
7 Glossary of Terms
Term Definition
Legal Notices
Copyright
SWIFT © 2016. All rights reserved.
Disclaimer
The information in this publication may change from time to time. You must always refer to the
latest available version.
Translations
The English version of SWIFT documentation is the only official and binding version.
Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT:
the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo,
MyStandards, and SWIFT Institute. Other product, service, or company names in this
publication are trade names, trademarks, or registered trademarks of their respective owners.