3SKey

Service Description

This document describes the features and functions of the components of the 3SKey solution and the roles and responsibilities of all parties involved in the 3SKey solution.

30 September 2016

Table of Contents

Preface......................................................................................................................................................3

1 Introduction.................................................................................................................................... 5

1.1 Advantages of the 3SKey Solution................................................................................................ 5

1.2 Eligibility Criteria............................................................................................................................5

2 Features and Functions................................................................................................................ 7

2.1 Overview........................................................................................................................................7

2.2 Description of the Solution............................................................................................................ 7

2.3 Components of the 3SKey Solution.............................................................................................12

2.4 3SKey Service Availability........................................................................................................... 15

3 Ordering and Support..................................................................................................................17

3.1 Ordering...................................................................................................................................... 17

3.2 Support........................................................................................................................................17

4 Roles and Responsibilities......................................................................................................... 19

4.1 SWIFT's Roles and Responsibilities............................................................................................19

4.2 The 3SKey Subscriber's Roles and Responsibilities................................................................... 21

4.3 The 3SKey User's Roles and Responsibilities.............................................................................22

5 Pricing and Invoicing...................................................................................................................24

6 Contractual Framework...............................................................................................................25

7 Glossary of Terms....................................................................................................................... 26

Legal Notices......................................................................................................................................... 27

3SKey Service Description Table of Contents

30 September 2016 2

Preface

Purpose of the document

This document describes the features and functions of the various components of the 3SKey (SWIFT Secure Signature Key) solution and the roles and responsibilities of all parties involved in the 3SKey solution.

Note: This service description, together with other relevant contractual service documentation, is an integral part of the contractual arrangements between SWIFT and the 3SKey subscribers, the 3SKey users or any other organisations that order the 3SKey Developer Toolkit for the provision and the use of the relevant components of the 3SKey solution.

Audience

This document is for the following audience:

• 3SKey subscribers (typically, banks) that require information about the features and functions of the components of the 3SKey solution, and about the roles and responsibilities of all parties involved in the 3SKey solution

• 3SKey users (typically, corporate clients of banks, or their representatives) that require information about the features and functions of the components of the 3SKey solution, and about the roles and responsibilities of all parties involved in the 3SKey solution

• persons that intend to subscribe to or use the 3SKey solution, and require information about the features and functions of the components of the 3SKey solution and about the roles and responsibilities of the parties involved in the 3SKey solution

Significant changes

The following table shows the functional change to this document since its September 2015 publication. This table does not include the general edits and updates that were also made.

New information: Information related to the use of data in case of cybersecurity investigations
Location: Use of data for security monitoring and investigation purposes on page 20

SWIFT-defined terms

In the context of SWIFT documentation, certain terms have a specific meaning. These terms are called SWIFT-defined terms (for example, customer, user, or SWIFT services and products). The definition of SWIFT-defined terms appears in the SWIFT Glossary.

Related information:

Instructions for the 3SKey Administrator

Instructions for the 3SKey User

3SKey Getting Started for Banks

3SKey Getting Started for Corporates

3SKey Token Software Installation Guide


3SKey Portal User Guide for Corporates

3SKey Troubleshooting Guide

3SKey Token Renewal Instructions for Banks

3SKey Token Renewal Instructions for Corporate Administrators

3SKey Token Renewal Instructions for Corporate Users

3SKey Terms and Conditions

3SKey Token Terms and Conditions

3SKey Developer Toolkit Terms and Conditions

Premium Custom Support Service Description

Premium Plus Support Service Description

Premium Support Service Description

Standard Plus Service Description

Standard Service Description


1 Introduction

When a bank interacts with its corporate customers through electronic banking channels, it may need to authenticate received data at the level of the individual(s) authorised to serve instructions to it. For example, a specific individual in the corporate treasury department must approve payment instructions.

In practice, banks and their corporate clients must often manage and use multiple and different types of personal signing mechanisms (for example, multiple tokens with different passwords and different processes to maintain them). Using and maintaining different authentication methods in parallel adds to the complexity and leads to higher operational risk and cost.

To address this issue, SWIFT introduced the 3SKey solution. With this solution, SWIFT supplies tokens that include PKI-based credentials for use between 3SKey subscribers (typically, banks) and 3SKey users (typically, corporates). 3SKey users then set up their tokens with a unique certificate issued by the SWIFT Public Key Infrastructure (PKI). 3SKey users then use these credentials to sign messages and files exchanged with one or more 3SKey subscribers over any mutually agreed channel. The signature provides authentication of the 3SKey user and non-repudiation of the signed transactions.

1.1 Advantages of the 3SKey Solution

3SKey subscribers

The 3SKey solution is designed to address the needs of 3SKey subscribers and 3SKey users. 3SKey subscribers associate each individual 3SKey user with their unique credential independently of the other 3SKey subscribers. 3SKey subscribers access SWIFT PKI to make sure that the certificate hasn't been revoked.

This approach leaves each 3SKey subscriber free to set and apply its own Know-Your-Customer rules when it associates 3SKey users. Each 3SKey subscriber associates its 3SKey users independently and does not need to rely on the association performed by other 3SKey subscribers.

The 3SKey solution enables 3SKey subscribers to cost-effectively implement (or strengthen) authentication and non-repudiation on their existing electronic banking channels.

3SKey users

A 3SKey user must currently use many different security devices to authenticate itself towards third parties (typically, banks). The use of a single token towards multiple 3SKey subscribers will help to reduce cost and operational risk and increase convenience.

1.2 Eligibility Criteria

Eligibility to subscribe to the 3SKey service

The 3SKey service is available to all SWIFT users and service bureaux.

Eligibility to order and distribute 3SKey tokens

SWIFT users that have subscribed to the 3SKey service may order 3SKey tokens from SWIFT for their own use or for distribution to 3SKey users. Affiliated SWIFT users of the 3SKey subscriber may also order 3SKey tokens from SWIFT for their own use or for distribution to 3SKey users in their own name.

All other SWIFT users may order 3SKey tokens from SWIFT for their own use or for distribution to affiliates within their corporate group. A Service Bureau may distribute 3SKey tokens to SWIFT users connecting to SWIFT through it. All SWIFT partners that order a 3SKey Developer Toolkit may also order 3SKey tokens from SWIFT for their development activities only. 3SKey tokens must not be distributed to individuals for private purposes.

Eligibility to order the 3SKey Developer Toolkit

The 3SKey users and all SWIFT partners may order the 3SKey Developer Toolkit from SWIFT.

To facilitate the implementation of the 3SKey subscriber application functions, SWIFT provides the 3SKey Developer Toolkit to all 3SKey subscribers requesting it.

For more information about the 3SKey Developer Toolkit, see the 3SKey Developer Guide.


2 Features and Functions

2.1 Overview

SWIFT delivers the 3SKey solution through the following components:

• SWIFT Public Key Infrastructure (PKI)

The underlying PKI that SWIFT manages and operates. 3SKey subscribers and their 3SKey users access SWIFT PKI either through the 3SKey portal or through the 3SKey certificate revocation check facility, as applicable.

• 3SKey tokens

Secure devices that hold either the signing credentials of the 3SKey user or the authentication credential for the 3SKey subscriber to access the portal.

• 3SKey portal

Accessed by the 3SKey users to manage the 3SKey tokens (activation, renewal, recovery, reset and revocation of the tokens).

Accessed by the 3SKey subscribers to get the Secure Socket Layer (SSL) certificates for the 3SKey certificate revocation check facility, and to get reports on the tokens that they distribute.

• 3SKey certificate revocation check facility

Accessed by the 3SKey subscriber to check whether a 3SKey user's (unexpired) certificate has been revoked.

• 3SKey Developer Toolkit

Software libraries, technical specifications and 2 test tokens that 3SKey subscribers and integrators use to enable web servers and applications to work with the 3SKey service. This includes signing, signature verification, and certificate revocation check functions.

2.2 Description of the Solution

2.2.1 Set-up of the solution

Procedure

1. Supply and distribution of 3SKey tokens

If a 3SKey subscriber, service bureau or 3SKey user has placed an order for the 3SKey tokens, then SWIFT provides the tokens which, subject to applicable distribution rights (if any), may be further distributed to 3SKey users.

Figure: supply and distribution of 3SKey tokens (parties shown: 3SKey, 3SKey subscriber, 3SKey user)

2. Activation

SWIFT supplies inactive tokens (that is, they cannot be used to sign transactions). The 3SKey user must first activate its token by using the secure access (provided by the inactive token) to the 3SKey portal over the Internet and the default password of the token.

As a result, a business credential (that is, a certificate and private key) is created and stored on the token. The activation process does not require the supply of any identification information about the 3SKey user, and the business credential is entirely anonymous. It does not contain any name but just a Unique ID that is used by 3SKey subscribers to associate the 3SKey user with the certificate.

Figure: activation of a 3SKey token (3SKey user, Internet, 3SKey portal, 3SKey subscriber)

The same process applies to the activation of any other user token, used for testing purposes.

3. Association

The 3SKey subscriber associates the token with its 3SKey user(s).

As a result, the 3SKey subscriber application links the 3SKey user with the Unique ID. Such association is achieved as a registration process to be agreed by the 3SKey subscriber and the 3SKey user directly (for example, through a physical presence or through the use of secure, pre-existing, remote identification technology). During the association process, the 3SKey subscriber must verify that the certificate is valid, including through the 3SKey certificate revocation check facility.

When the association process is complete, the 3SKey subscriber can link any message that is signed with the credential with the registered 3SKey user or, if the registration process so permits, a specific representative of the 3SKey user.

Figure: association of 3SKey tokens (3SKey user, 3SKey subscriber, 3SKey portal; the subscriber records "John = 45678-unique ID" and checks that token 45678 is not revoked)

2.2.2 Use of the solution

Procedure

1. Use of the token

When the activation and association steps are complete, the 3SKey user can use the token to sign messages and files towards the 3SKey subscriber or to securely access 3SKey subscriber applications with its 3SKey token.

The 3SKey user application software or 3SKey user browser interacting with a 3SKey subscriber web application (for example, e-banking) signs the messages with the 3SKey user's token.

The 3SKey subscriber's application verifies the signature and accesses the 3SKey certificate revocation check facility to verify that the certificate has not been revoked.

Figure: use of the token (3SKey user, 3SKey subscriber, 3SKey portal; a message signed with token 45678 is received, the subscriber looks up "John = 45678-unique ID" and checks that token 45678 is not revoked)

2. Using the business credential with multiple 3SKey subscribers

A 3SKey user can use the same business credential to sign messages for transactions with, or to securely access applications of, multiple 3SKey subscribers. The 3SKey subscriber must associate with each 3SKey user separately. This is the same process as described in step 3 on page 8 of "Set-up of the solution".

Figure: using the business credential with multiple 3SKey subscribers (3SKey user, several 3SKey subscribers, each holding its own "John = 45678-unique ID" association)

2.2.3 Maintenance of the solution

Procedure

1. Revocation

If the 3SKey token has been stolen, or its security or reliance is otherwise compromised (typically, the individual using the token leaves the company), the 3SKey user, or a 3SKey administrator, can request the revocation of its certificate through the 3SKey portal.

Consequently, SWIFT updates the certificate revocation list with the certificate revocation information. So, when the 3SKey subscriber's application checks the certificate revocation list, the certificate will appear as revoked and, consequently, the application of the 3SKey subscriber stops trusting it.

Certain 3SKey subscribers may also require their 3SKey users to de-associate the certificate with them directly.

For more information, 3SKey users should check the conditions governing the use of the certificate with their 3SKey subscribers.

2. Renewal

The 3SKey user's token will expire after 3 years. Before its token expires, the 3SKey user must renew its certificate on a new token through the portal. The 3SKey user can renew its token during the 90 days preceding its expiry. After that, the token becomes unusable and the certificate will need to be recovered.

The new token will inherit the original Unique ID. The old token is still usable until the certificate expires.

This also applies to user tokens used for testing purposes. User tokens that have not been activated cannot be renewed.

3. Recovery

It may be necessary to recover a certificate, if the certificate has been revoked or if the token holding the certificate is lost or is not usable anymore (for example, it is damaged) or if the certificate has expired. In this case, the 3SKey user asks a 3SKey administrator to set up the certificate for recovery on a new token. Through the 3SKey portal, the 3SKey user can recover its certificate onto a new token that has been set up for recovery by the administrator. The 3SKey user is requested to provide its security code to complete the recovery.

The new token will hold a new business certificate with the original Unique ID and will be valid for 3 years. The old certificate cannot be used anymore.

This also applies to user tokens used for testing purposes. User tokens that have not been activated cannot be recovered.

4. Reset

It may be necessary to reset a token, if the token is locked after a series of consecutive wrong password entries or if the 3SKey user has lost its password. In this case, the 3SKey user asks a 3SKey administrator to set up the locked token for reset. Through the 3SKey portal, the 3SKey user can re-initialise its token with a new certificate and set a new password. The 3SKey user is requested to provide its security code to complete the reset.

After reset, the token holds a new business or, as the case may be, a new technical certificate with the original Unique ID and has the same expiry date as the old certificate. This also applies to user tokens used for testing purposes.

2.2.4 3SKey token management and lifecycle

The following diagram shows the different states that a 3SKey token can pass through and the author of the change.

Figure: 3SKey token states (not activated, activated, revoked, expired, prepared to recover, prepared to reset) and the numbered transitions 1 to 8 listed in the table below.

No.  Previous token state   New token state       Action                   Author
1    Not activated          Activated             to activate              user
2    Activated              Activated             to renew                 user
3    Activated              Revoked               to revoke                administrator or user
4    Activated              Expired               to expire                automatic
4    Revoked                Expired               to expire                automatic
5    Activated              Prepared to recover   to set up for recovery   administrator
5    Revoked                Prepared to recover   to set up for recovery   administrator
5    Expired                Prepared to recover   to set up for recovery   administrator
6    Prepared to recover    Activated             to recover               user
7    Activated              Prepared to reset     to set up for reset      administrator
8    Prepared to reset      Activated             to reset                 user
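The transition table above, expressed as an enforceable state machine. This is an added example written for this page, not code from SWIFT or the 3SKey portal: it refuses any action the table does not define for the current state (so a token that was never activated cannot be renewed or recovered, as sections 2.2.3 state), checks that the actor is one the table allows, and records every change with a timestamp. The state and actor names are taken from the table; the Unique ID 45678 and the audit-trail layout are assumptions.

```python
"""Token lifecycle as a state machine, built from the transition table in
section 2.2.4. Added example (not SWIFT's 3SKey portal code): it enforces which
actor may trigger each transition and keeps a time-stamped audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# (previous state, action) -> (new state, actors allowed to perform the action)
TRANSITIONS = {
    ("not activated", "activate"): ("activated", {"user"}),
    ("activated", "renew"): ("activated", {"user"}),
    ("activated", "revoke"): ("revoked", {"administrator", "user"}),
    ("activated", "expire"): ("expired", {"automatic"}),
    ("revoked", "expire"): ("expired", {"automatic"}),
    ("activated", "set up for recovery"): ("prepared to recover", {"administrator"}),
    ("revoked", "set up for recovery"): ("prepared to recover", {"administrator"}),
    ("expired", "set up for recovery"): ("prepared to recover", {"administrator"}),
    ("prepared to recover", "recover"): ("activated", {"user"}),
    ("activated", "set up for reset"): ("prepared to reset", {"administrator"}),
    ("prepared to reset", "reset"): ("activated", {"user"}),
}


class TransitionError(Exception):
    """Raised when the action is undefined for the state or the actor is not allowed."""


def allowed_actions(state):
    """Actions defined for a state, each with the sorted list of actors that may perform it."""
    return {action: sorted(actors) for (prev, action), (_, actors)
            in TRANSITIONS.items() if prev == state}


@dataclass
class Token:
    unique_id: str                    # stays the same across renewal, recovery and reset
    state: str = "not activated"      # state of a token as supplied by SWIFT
    history: list = field(default_factory=list)  # (timestamp, id, from, action, actor, to)

    def apply(self, action, actor, when=None):
        """Apply one transition from the table, or raise TransitionError."""
        key = (self.state, action)
        if key not in TRANSITIONS:
            raise TransitionError(f"'{action}' is not allowed from state '{self.state}'")
        new_state, actors = TRANSITIONS[key]
        if actor not in actors:
            raise TransitionError(f"'{actor}' may not '{action}' (allowed: {sorted(actors)})")
        when = when or datetime.now(timezone.utc)
        self.history.append((when.isoformat(), self.unique_id, self.state, action, actor, new_state))
        self.state = new_state
        return new_state


def demo():
    """Walk a constructed token through reset, revocation and recovery; return the states visited."""
    token = Token("45678")  # Unique ID value taken from the figures on the page (constructed token)
    steps = [("activate", "user"), ("set up for reset", "administrator"), ("reset", "user"),
             ("revoke", "user"), ("set up for recovery", "administrator"), ("recover", "user")]
    return [token.apply(action, actor) for action, actor in steps]


if __name__ == "__main__":
    print(demo())
    print(allowed_actions("revoked"))
```

Because the actor is part of the transition key, a user can request revocation but cannot put a token into "prepared to recover" or "prepared to reset" on their own; those two states always require an administrator first, which is the separation of duties the table encodes.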

2.3 Components of the 3SKey Solution

The components of the 3SKey solution are deployed by the different parties, as follows:

• SWIFT: SWIFT PKI, 3SKey portal, and 3SKey certificate revocation check facility

• 3SKey subscriber: 3SKey subscriber application, 3SKey subscriber tokens, and 3SKey Developer Toolkit

• 3SKey user: 3SKey user application, 3SKey user tokens, 3SKey Developer Toolkit, and web browser


2.3.1 SWIFT Components

SWIFT PKI

The SWIFT PKI supports the following PKI operations:

• new certificate issuance

• certificate renewal

• certificate revocation

• certificate recovery

3SKey portal

SWIFT provides a web portal.

• A duly authenticated 3SKey user can access the 3SKey portal to perform the following functions on the 3SKey token:

- activation

- renewal (on a new token)

- revocation

- recovery (on a new token)

- reset (on the same token)

- password and security code management

- user list management functions

• An authenticated 3SKey subscriber can access the portal to perform the following functions:

- retrieve the SSL certificates (used to securely access the 3SKey certificate revocation check facility)

- retrieve a report on the 3SKey subscriber's distributed tokens and their status

3SKey certificate revocation check facility

The 3SKey subscriber can access the Certificate Revocation List (CRL) using a secure channel to the 3SKey certificate revocation check facility through the Internet. This requires an SSL certificate which the 3SKey subscriber obtains from the portal.

The 3SKey certificate revocation check facility is only available to the 3SKey subscribers.

For more information, see the 3SKey Getting Started for Banks.

2.3.2 3SKey Subscriber Components

3SKey subscriber application

During the association phase, the 3SKey subscriber must perform through its application the following activities:

• establishes the correspondence between the Unique ID and an identity (for example, the name of a person or a function)

• verifies the signature

• verifies that the certificate is a 3SKey business certificate by checking that it has the Policy ID 1.3.21.6.3.20.200.1

• verifies that the certificate has been issued by the SWIFT CA

• verifies that the certificate has not expired

• ensures that the certificate has not been revoked

When processing business transactions, the 3SKey subscriber must perform through its application the following activities:

• verifies the signature of messages or files that have been signed with a 3SKey token

• ensures that the signing certificate is a 3SKey business certificate by checking that it has the Policy ID 1.3.21.6.3.20.200.1

• verifies that the certificate has been issued by the SWIFT CA

• verifies that the signing certificate has not expired

• ensures that the signing certificate has not been revoked

• keeps non-repudiation logs of the signed transactions

Note: The 3SKey subscriber is responsible for the integration of the 3SKey service with its application(s) using the 3SKey Developer Toolkit or with assistance of a vendor of its choice.
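The checklist above, and the association step from section 2.2.1 that it depends on, as an added example in Python with the `cryptography` library. This is not the 3SKey Developer Toolkit and not SWIFT code: it builds a stand-in CA, a user certificate whose subject carries only a Unique ID plus the business Policy ID, and a CRL, then runs the subscriber checks in the order the list gives them and finishes by mapping the anonymous Unique ID to the identity recorded at association time. The stand-in CA, RSA PKCS#1 v1.5 signatures, the 4-hour CRL next-update, the `registry` mapping and the Unique ID 45678 are all assumptions; only the Policy ID 1.3.21.6.3.20.200.1 comes from the page.

```python
"""Subscriber-side verification of a 3SKey-style signed message, as an added
example (not the 3SKey Developer Toolkit). It runs the section 2.3.2 checks in
order: message signature, Policy ID, issuer, validity period, revocation status,
then the association lookup. CA, user certificate, CRL and message are constructed
stand-ins; only the Policy ID 1.3.21.6.3.20.200.1 comes from the service description."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

BUSINESS_POLICY_OID = x509.ObjectIdentifier("1.3.21.6.3.20.200.1")

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _utc_window(obj, start, end):  # *_utc properties exist on cryptography >= 42; older give naive UTC
    lo, hi = getattr(obj, start + "_utc", None), getattr(obj, end + "_utc", None)
    if lo is None:
        lo = getattr(obj, start).replace(tzinfo=timezone.utc)
        hi = getattr(obj, end).replace(tzinfo=timezone.utc)
    return lo, hi

def build_test_pki(now, revoke_user=False):
    """Constructed stand-in CA, user certificate (Unique ID only) and CRL; not the SWIFT CA."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (x509.CertificateBuilder()
               .subject_name(_name("Stand-in CA")).issuer_name(_name("Stand-in CA"))
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=3650))
               .sign(ca_key, hashes.SHA256()))
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_cert = (x509.CertificateBuilder()
                 .subject_name(_name("45678")).issuer_name(ca_cert.subject)  # anonymous: Unique ID only
                 .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
                 .not_valid_before(now - timedelta(days=1))
                 .not_valid_after(now + timedelta(days=3 * 365))  # 3-year token lifetime
                 .add_extension(x509.CertificatePolicies(
                     [x509.PolicyInformation(BUSINESS_POLICY_OID, None)]), critical=False)
                 .sign(ca_key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
           .last_update(now).next_update(now + timedelta(hours=4)))  # assumed 4 h refresh cycle
    if revoke_user:
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                          .serial_number(user_cert.serial_number)
                                          .revocation_date(now).build())
    return ca_cert, user_cert, user_key, crl.sign(ca_key, hashes.SHA256())

def sign_message(user_key, message):  # what the user application does with the token
    return user_key.sign(message, padding.PKCS1v15(), hashes.SHA256())

def verify_signed_message(message, signature, cert, ca_cert, crl, registry, now):
    """Return (accepted, reason, identity); registry maps Unique ID -> identity from association."""
    try:  # 1. message signature under the certificate's public key
        cert.public_key().verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False, "bad message signature", None
    policy_ids = {p.policy_identifier for e in cert.extensions  # 2. is it a business certificate?
                  if isinstance(e.value, x509.CertificatePolicies) for p in e.value}
    if BUSINESS_POLICY_OID not in policy_ids:
        return False, "not a business certificate", None
    if cert.issuer != ca_cert.subject:  # 3. issued by the trusted CA: the name must match ...
        return False, "unexpected issuer", None
    try:  # ... and the CA's signature over the TBS bytes must verify, not just the name
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "certificate not signed by CA", None
    not_before, not_after = _utc_window(cert, "not_valid_before", "not_valid_after")
    if not not_before <= now <= not_after:  # 4. validity period
        return False, "certificate expired or not yet valid", None
    _, next_update = _utc_window(crl, "last_update", "next_update")  # 5. revocation status
    if not crl.is_signature_valid(ca_cert.public_key()) or now > next_update:
        return False, "crl unusable (bad signature or stale)", None
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate revoked", None
    unique_id = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if unique_id not in registry:  # 6. association: Unique ID -> identity registered by the subscriber
        return False, "unique id not associated", None
    return True, "ok", registry[unique_id]

def demo():
    """Happy path plus tampered message, missing association, stale CRL and revoked certificate."""
    now, registry = datetime.now(timezone.utc), {"45678": "John (treasury)"}  # constructed record
    ca_cert, cert, key, crl = build_test_pki(now)
    message = b"constructed payment instruction: 100 EUR to ACME"
    sig = sign_message(key, message)
    results = {
        "valid": verify_signed_message(message, sig, cert, ca_cert, crl, registry, now),
        "tampered": verify_signed_message(message + b"0", sig, cert, ca_cert, crl, registry, now),
        "unassociated": verify_signed_message(message, sig, cert, ca_cert, crl, {}, now),
        "stale_crl": verify_signed_message(message, sig, cert, ca_cert, crl, registry,
                                           now + timedelta(hours=5)),
    }
    ca2, cert2, key2, crl2 = build_test_pki(now, revoke_user=True)
    results["revoked"] = verify_signed_message(message, sign_message(key2, message),
                                               cert2, ca2, crl2, registry, now)
    return results
```

Two points the list in the text leaves implicit are made explicit here. The issuer check verifies the CA's signature over the certificate rather than only comparing the issuer name, since a name is trivially copied. And the CRL is rejected when its own signature fails or its next-update time has passed, which is the "ensures that the certificate has not been revoked" step in practice: section 4.1 gives the refresh windows for the combined and partitioned CRLs, so a subscriber that keeps using a CRL beyond its next-update time is deciding on stale revocation data. The accepted result is what the non-repudiation log entry should be built from (Unique ID, identity, timestamp, message hash), which the text lists as the subscriber's final duty.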

3SKey subscriber tokens

The 3SKey subscribers receive specific tokens to access the portal to retrieve an SSL certificate and access a token report. The SSL certificate enables the subscribers to securely access the 3SKey certificate revocation check facility. The token report lists the tokens that the 3SKey subscriber has ordered with their status.

3SKey Developer Toolkit

To facilitate the implementation of the 3SKey subscriber application functions, SWIFT provides the 3SKey Developer Toolkit to all 3SKey subscribers requesting it.

For more information about the 3SKey Developer Toolkit, see the 3SKey Developer Guide.

Web browser

The 3SKey subscriber browser accesses the 3SKey portal to retrieve the SSL certificates and to retrieve a report on its ordered tokens and their status. The 3SKey subscriber must ensure that its web browser meets the applicable specifications set out in the 3SKey Token Installation Guide.

2.3.3 3SKey User Components

3SKey user application

The application must enable 3SKey users to sign files and messages with the 3SKey token and to send them to the 3SKey subscriber's application or to securely access 3SKey subscriber applications.

Note: The 3SKey user is responsible for the integration of the 3SKey service with its application(s) using the 3SKey Developer Toolkit or with assistance of a vendor of its choice.

3SKey user tokens

The 3SKey users install the software for the 3SKey tokens. They activate their tokens through the 3SKey portal and associate them with their 3SKey subscriber(s). 3SKey users can then use their tokens with their 3SKey subscriber(s) either through the 3SKey user browser or through the 3SKey user application.

Note: To avoid any confusion, SWIFT recommends not to re-assign a token to another person once the association has been performed.

Web browser

The 3SKey user accesses the 3SKey portal using a web browser. The portal is used for token management purposes (activation, revocation, recovery, reset and renewal). The web browser is necessary to enable access to Web-based services (for example, cash management). The 3SKey user must ensure that its web browser meets the applicable specifications set out in the 3SKey Token Installation Guide.

2.4 3SKey Service Availability

3SKey certificate revocation check facility availability

The 3SKey certificate revocation check facility is designed to be available 24 hours a day, 7 days a week, through LDAPS and HTTPS channels, subject to any unavailability as set out hereafter.

SWIFT is not responsible if the 3SKey certificate revocation check facility cannot be reached due to problems with the internet channels used by the 3SKey subscriber.

Planned unavailability

SWIFT plans for specific dates and times when the 3SKey service, typically access to the 3SKey portal, will be unavailable. SWIFT publishes notification of unavailability in advance on www.swift.com.

Planned unavailability can be for the following events:

• downtime due to scheduled equipment maintenance

• scheduled system changes (for example, changes to software or hardware configurations or business continuity testing)

SWIFT performs system changes and maintenance during allowable downtime windows. These windows occur during weekends (Saturday and Sunday).

During an allowable downtime window, the 3SKey portal may be unavailable either for the whole duration of the downtime, or only intermittently.

For more information about scheduled downtime, see www.swift.com > Support > Operational status.

Unplanned unavailability

If SWIFT becomes aware of a problem with the 3SKey service, then it initiates any recovery or fallback operation for which it is responsible and that is necessary to restore the service.

SWIFT may suspend or change the 3SKey service, in whole or in part, at any time, giving as much advance notice as practicable to prevent or mitigate any adverse effect on the security, reliability, or resilience of the 3SKey service or, more generally, SWIFT's reputation, brand or goodwill (typically, if the 3SKey subscriber and 3SKey user would be subject to sanctions such as EU sanctions).

The levels of service that this document specifies assume normal operating conditions. These include resilient operations during most single-component failure scenarios within the active and standby SWIFT operating centres where SWIFT runs the 3SKey certificate revocation check facility. The 3SKey certificate revocation check facility design is resilient, and can handle many anomalous events without impact to the activities of the 3SKey subscribers and users. However, under certain, very unlikely, disaster scenarios (for example, the destruction of a SWIFT operating centre, dual failures of similar components, or component failures during SWIFT operating centre switchovers), SWIFT may be unable to meet these levels of service, in whole or in part. The potential for data loss exists in such cases. In this case, SWIFT will inform the 3SKey subscribers concerned and 3SKey users who have registered an email address through the 3SKey portal.

For example, if a disaster were to strike a SWIFT operating centre where SWIFT runs the 3SKey service, this may prevent SWIFT from fully processing all revocation requests received in the 15 minutes preceding the disaster. In such a case, the 3SKey users can contact SWIFT for assistance to trace the affected requests.


3 Ordering and Support

3.1 Ordering

Subscribe to the 3SKey service

SWIFT users and service bureaux can subscribe to the 3SKey service using the 3SKey subscription form. It is mandatory to subscribe to the 3SKey service in order to rely on a 3SKey certificate.

As an integral part of its subscription, the 3SKey subscriber is entitled to the following:

• access to the 3SKey portal

• access to the 3SKey certificate revocation check facility (maximum 10)

• 3SKey tokens as specified in the subscription form

3SKey subscribers requiring the 3SKey Developer Toolkit must request it through a separate order as specified below.

Note: The subscription to the 3SKey service by a SWIFT user permits the 3SKey subscriber to extend, under its sole responsibility, the benefit of the subscription to affiliates within its corporate group. Otherwise, the subscription to the 3SKey service is personal. Consequently, the 3SKey subscriber may not share the certificate revocation list with a third party (or, in the case of a SWIFT user, a non-affiliated entity), or may not verify the status of a 3SKey certificate on behalf of a third party (or, in the case of a SWIFT user, a non-affiliated entity).

For more information about the right for 3SKey subscribers to use the 3SKey service, see the 3SKey Token Terms and Conditions.

Order 3SKey tokens

SWIFT users, service bureaux and partners can order the 3SKey tokens for their own use and, subject to their respective distribution rights (if any), distribution to 3SKey users using the 3SKey tokens order form.

The provision, use and, if permitted, distribution of 3SKey tokens are subject to U.S. export restrictions and other sanction programmes. Persons located in Cuba, North Korea, Iran, Sudan or Syria and/or persons identified on U.S. government or EU "denied party" or specifically designated nationals lists are not permitted to possess, use or distribute 3SKey tokens.

Order the 3SKey Developer Toolkit

SWIFT users, service bureaux and partners can order the 3SKey Developer Toolkit using the 3SKey Developer Toolkit order form. The 3SKey Developer Toolkit includes a developer guide with the technical specifications, software libraries and 2 test tokens.

3.2 Support

Support for 3SKey subscribers and the 3SKey Developer Toolkit

SWIFT is the single point of contact to report all problems and queries that relate to the 3SKey service and the 3SKey Developer Toolkit. Support is also available for the 3SKey Developer Toolkit. Individual users within their respective organisation must register to use the Support service.

Related information

For more information about how to register for Support, see the Customer login section on the www.swift.com home page.

For more information about support services, see:

• Premium Custom Support Service Description

• Premium Plus Support Service Description

• Premium Support Service Description

• Standard Plus Support Service Description

• Standard Support Service Description

Support for 3SKey users

Online support for the token management functions is available for 3SKey users through the 3SKey website.

4 Roles and Responsibilities

The following three parties are involved in the 3SKey solution:

• SWIFT: provides the 3SKey service and supplies the 3SKey tokens and the 3SKey Developer Toolkit.

• The 3SKey subscriber: subscribes to and integrates the 3SKey service and distributes 3SKey tokens to 3SKey users.

• The 3SKey user: integrates and uses the 3SKey service with their 3SKey subscriber (or 3SKey subscribers). The 3SKey users will normally obtain the 3SKey tokens from their initial 3SKey subscriber.

The following graphic provides an overview of the interactions between the different parties:

Figure: interactions between SWIFT, the 3SKey subscriber and the 3SKey user. Steps shown: order placed for the service and tokens; shipment of the tokens; distribution of the token(s); activation and key management through the 3SKey portal; association and usage.

4.1 SWIFT's Roles and Responsibilities

SWIFT's primary responsibilities are as follows:

• provision the service as described in this service description

• manage and operate SWIFT PKI

• qualify the tokens

• personalise tokens with a Unique ID

• provide and implement the Certificate Policy

• ensure the uniqueness of the ID of a certificate from activation and through its complete lifecycle

• supply the inactive tokens

• provide a portal for 3SKey users for token management functions

• provide the 3SKey certificate revocation check facility to the 3SKey subscribers and in particular make an updated version of the CRL available to 3SKey subscribers (within 4 hours for the combined CRL, and within 7 minutes for the partitioned CRLs) after the revocation of a 3SKey token by the 3SKey user.


• provide, when specifically ordered, the 3SKey Developer Toolkit, including the technical specifications, the relevant software libraries and two test tokens to integrate the 3SKey service in the applications of the 3SKey user and subscriber

• provide support to 3SKey subscribers, 3SKey users and partners for those components of the 3SKey solution that are relevant to them

• make the 3SKey documentation available on www.swift.com and the 3SKey website

• report to the 3SKey subscribers on the status (activated, not activated, prepared to recover, prepared to reset, revoked, used to recover, used to renew) of the certificates that are stored on the tokens they ordered

• revoke business certificates through an exception offline procedure by contacting SWIFT support

• confirm, on request of the 3SKey user, details on the activation, renewal, reset, revocation, or recovery of a certificate performed on the 3SKey portal for up to 6 months after the expiry date of that certificate. Such certificate actions done by a 3SKey user are non-repudiated and time-stamped and, therefore, SWIFT can confirm the Unique ID of the 3SKey user who initiated the change as well as the date and time of the change.

• provide, on request of the 3SKey user or subscriber, evidence of the revocation status of a specific certificate for up to 10 years

SWIFT reserves the right to unilaterally revoke certificates in specific circumstances (for example, if it would appear or be likely, based on reasonable grounds, that a certificate has been, is or could be used for illegal, illicit or fraudulent purposes, in a manner that might create confusion or misrepresent the person normally associated with the certificate).

Use of data for security monitoring and investigation purposes

In accordance with the SWIFT Data Retrieval Policy and the Distributed Architecture principles, SWIFT may process and store traffic and message data in order to support SWIFT's protection measures and forensic capabilities against cybersecurity threats. SWIFT processes and stores such data on dedicated security systems and in strict accordance with its security policies and procedures and may analyse such data in the context of a specific security investigation as part of its security monitoring and investigation processes.

Related information

For more information about SWIFT's roles and responsibilities with regard to the 3SKey solution, see the following documents, as applicable:

• 3SKey Terms and Conditions

• 3SKey Tokens Terms and Conditions

• 3SKey Developer Toolkit Terms and Conditions


4.2 The 3SKey Subscriber's Roles and Responsibilities

Description

The 3SKey subscriber's primary responsibilities are as follows:

1. For its own use and, as applicable, the distribution of 3SKey tokens to the 3SKey users:

• order the necessary 3SKey tokens from SWIFT

• subject to all applicable export restrictions and other sanctions programmes, distribute the 3SKey tokens and the associated password to the 3SKey users that require them, and if not included on the tokens, link the 3SKey users to or supply the 3SKey users with the relevant installation instructions and software

• manage the token renewal process with the 3SKey users

2. For the use of the 3SKey service:

• subscribe to the 3SKey service

• integrate the 3SKey service with the 3SKey subscriber's application

• provide 3SKey users with the relevant documentation for using the 3SKey service and tokens

• provide 3SKey users with best-practice guidelines

• associate and record the association of the tokens with 3SKey users that use the 3SKey service

• obtain and manage a valid SSL client certificate to secure access to the 3SKey certificate revocation check facility

• obtain and manage a working internet connection to the 3SKey portal and the 3SKey certificate revocation check facility

• have and apply a Know-Your-Customer policy to associate 3SKey users with their token(s)

• inform SWIFT of any security threats that relate to the 3SKey service

• verify the signatures of messages received from 3SKey users and check that the signing certificates are valid 3SKey business certificates
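The last subscriber duty above (verify the signature and confirm that the signing certificate is a valid 3SKey business certificate) combines with two other points on this page: the CRL refresh windows listed under SWIFT's responsibilities (4 hours for the combined CRL, 7 minutes for the partitioned CRLs) and the glossary's Policy ID 1.3.21.6.3.20.200.1 for a business certificate. The Go program below is an added example written for this page; it is not SWIFT code and does not use the 3SKey Developer Toolkit libraries. It assumes ECDSA P-256 signatures over SHA-256, a self-built test root and CRL standing in for SWIFT PKI, and constructed serial numbers and subject names; the only value taken from the page is the Policy ID. The CRL's NextUpdate is set to the 7-minute partitioned-CRL window so that the freshness check can be exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy ID that the glossary on this page assigns to a 3SKey business certificate.
var businessPolicyOID = asn1.ObjectIdentifier{1, 3, 21, 6, 3, 20, 200, 1}

// VerifyBusinessSignature is the subscriber-side check: the signing certificate must
// chain to a trusted root, carry the business-certificate policy, be absent from a
// fresh CRL signed by its issuer, and the ECDSA/SHA-256 signature must verify over msg.
func VerifyBusinessSignature(roots *x509.CertPool, crlDER, certDER, msg, sig []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	hasPolicy := false
	for _, oid := range cert.PolicyIdentifiers {
		hasPolicy = hasPolicy || oid.Equal(businessPolicyOID)
	}
	if !hasPolicy {
		return errors.New("policy: not a 3SKey business certificate")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the issuing CA
		return fmt.Errorf("crl: %w", err)
	}
	if now.After(crl.NextUpdate) { // fail closed on a CRL past its refresh window
		return errors.New("crl: stale, fetch a fresh copy before trusting it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("crl: certificate is revoked")
		}
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

// Sign produces the ECDSA/SHA-256 signature a (constructed) 3SKey user would send.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Fixture is constructed test material, not real 3SKey tokens: a root CA, user
// certificates with serials 100 (good), 101 (revoked), 102 (no policy), and a CRL.
type Fixture struct {
	Roots  *x509.CertPool
	CRLDER []byte
	Certs  map[int64][]byte
	Keys   map[int64]*ecdsa.PrivateKey
}

func BuildFixture() (*Fixture, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail with rand.Reader
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, _ := x509.ParseCertificate(caDER) // re-parse so SubjectKeyId is populated for CRL signing
	f := &Fixture{Roots: x509.NewCertPool(), Certs: map[int64][]byte{}, Keys: map[int64]*ecdsa.PrivateKey{}}
	f.Roots.AddCert(ca)
	for serial := int64(100); serial <= 102; serial++ {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
			Subject:   pkix.Name{CommonName: fmt.Sprintf("constructed user %d", serial)},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage:  x509.KeyUsageDigitalSignature}
		if serial != 102 { // 102 deliberately lacks the business-certificate policy
			tmpl.PolicyIdentifiers = []asn1.ObjectIdentifier{businessPolicyOID}
		}
		if f.Certs[serial], err = x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey); err != nil {
			return nil, err
		}
		f.Keys[serial] = key
	}
	// NextUpdate mirrors the 7-minute partitioned-CRL refresh window the page specifies.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(7 * time.Minute),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(101), RevocationTime: time.Now()}}}
	f.CRLDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return f, err
}

func main() {
	f, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed payment instruction")
	for _, serial := range []int64{100, 101, 102} {
		sig, _ := Sign(f.Keys[serial], msg)
		fmt.Println(serial, VerifyBusinessSignature(f.Roots, f.CRLDER, f.Certs[serial], msg, sig, time.Now()))
	}
}
```

Two design choices matter here. The CRL is validated against the issuer that chain building selected, so a revocation list signed by any other key is rejected before its contents are consulted. And a CRL past its NextUpdate causes rejection rather than a fall-back to "not revoked": with the refresh windows SWIFT commits to above, a subscriber that keeps checking against an expired list would otherwise accept signatures from a token its user revoked hours earlier.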

To the extent reasonably necessary for its use of the 3SKey solution, the 3SKey subscriber has the right, at its own cost and under its sole responsibility, to translate information provided by SWIFT and to include this information in its end-user documentation. Any such translations shall however confirm that, towards SWIFT, the English version of SWIFT documentation is the only official and binding version.

Customer testing

Customers must not conduct any performance or vulnerability tests unless expressly permitted in the SWIFT Customer Testing Policy.

If customers believe they have identified a potential performance or vulnerability threat, they must immediately inform SWIFT thereof and treat all related information, data or materials as SWIFT confidential information.


Related information

For more information about the 3SKey subscriber's roles and responsibilities with regard to the 3SKey solution, 3SKey subscribers can refer to the following documents, as applicable:

• 3SKey Terms and Conditions

• 3SKey Tokens Terms and Conditions

• 3SKey Developer Toolkit Terms and Conditions

4.3 The 3SKey User's Roles and Responsibilities

Description

The 3SKey user's primary responsibilities are as follows:

• perform integration work that relates to the functioning of the 3SKey service with the 3SKey subscriber (or 3SKey subscribers)

• activate the token through the 3SKey portal

• for authentication purposes towards SWIFT, safely keep the unique ID and related security code

• associate one or more tokens with the 3SKey subscriber (or 3SKey subscribers)

• perform token management according to the guidelines provided in the 3SKey documentation

• safely keep the acknowledgement of all management functions performed on the 3SKey portal

• obtain new tokens prior to token expiration

• protect their tokens physically from unauthorised access (borrowing, loss, and theft) and take all necessary measures to prevent any unauthorised disclosure of the token's password. The 3SKey user is responsible for maintaining the confidentiality, integrity and availability of its private key at all times.

• revoke tokens in case of security threat, if the token is no longer used or as may be otherwise necessary or desirable. After requesting the revocation of a 3SKey certificate, verify as soon as practicable on the 3SKey portal that its certificate has been duly revoked by SWIFT.

• inform the 3SKey subscriber(s) and SWIFT of any security threat that may affect the use of the 3SKey service

• follow the best-practice guidelines provided by the 3SKey subscriber

• comply with any other obligations agreed with its subscriber(s) directly.

Customer testing

Customers must not conduct any performance or vulnerability tests unless expressly permitted in the SWIFT Customer Testing Policy.

If customers believe they have identified a potential performance or vulnerability threat, they must immediately inform SWIFT thereof and treat all related information, data or materials as SWIFT confidential information.


Related information

For more information about the 3SKey user's roles and responsibilities with regard to the 3SKey solution, 3SKey users can refer to the following documents, as applicable:

• 3SKey Terms and Conditions

• 3SKey Tokens Terms and Conditions

• 3SKey Developer Toolkit Terms and Conditions


5 Pricing and Invoicing

Charges

The 3SKey subscriber must pay to SWIFT all charges and fees for the various components of the 3SKey solution.

The charges for the subscription to the 3SKey solution are as follows:

• a one-time service fee for the subscription by 3SKey subscribers to the 3SKey service

• a yearly recurring fee for subscription by 3SKey subscribers to the 3SKey service

• a one-time fee for the supply of the 3SKey tokens

Related information

For more information about the pricing scheme, contact your SWIFT Account Manager.


6 Contractual Framework

Terms and conditions

The 3SKey Terms and Conditions govern the provision and use of the 3SKey service.

The 3SKey Token Terms and Conditions govern the supply, distribution and use of the 3SKey tokens.

The 3SKey Developer Toolkit Terms and Conditions govern the provision and use of the 3SKey Developer Toolkit.

Always consult swift.com

The latest available version of the 3SKey Terms and Conditions, the 3SKey Token Terms and Conditions and the 3SKey Developer Toolkit Terms and Conditions is available at www.swift.com > About-Us > Legal > SWIFT-Contracts > Directories / SWIFTRef Services.

Other contractual arrangements between 3SKey subscribers and 3SKey users

It is for the 3SKey subscribers and their 3SKey users directly to consider any other contractual arrangements that are necessary or desirable amongst themselves in connection with their use of the 3SKey service. The use of the 3SKey token is governed by the agreement between the user and the subscriber.

For example, such contractual arrangements may define the process that the 3SKey user is required to follow when registering their 3SKey tokens with the 3SKey subscriber, the obligation for the 3SKey user to request the subscriber to de-associate a certificate when it becomes obsolete, the rules that the 3SKey subscriber applies for checking the certificate revocation (in particular the frequency of such checks), and any dispute handling process, including the claim period, considering the retention period of the 3SKey CRL logs by SWIFT.

SWIFT assistance

In case of dispute between a 3SKey user and a 3SKey subscriber, SWIFT will act as a neutral trusted party by providing the relevant evidence it has available.


7 Glossary of Terms

Term: Definition

3SKey: Stands for SWIFT Secure Signature Key.

3SKey portal: A web application server for 3SKey token and certificate management operations: activation, renewal, reset, recovery, user list administration, security code change, password change, and revocation.

3SKey subscriber: Organisation participating in the 3SKey service, a SWIFT customer, with the intent of offering a secure application to its customers. Typically, a bank.

3SKey user: Organisation, or an individual user in such an organisation, that is a customer of a 3SKey subscriber, with the intent of using the secure application provided by the 3SKey subscriber. Typically, a corporate.

Active token: A 3SKey token that holds a valid business certificate.

Administrator: A designated person in the 3SKey user's organisation, responsible for assigning tokens to a user list, distributing tokens to the users, revoking certificates and setting them up for reset or recovery, and reminding users to renew their certificate. Administrators can also view the status of the certificates for all tokens in their user list, and can perform all 3SKey user functions with their own tokens.

Business certificate: A certificate valid for signing a business transaction. Such a 3SKey certificate is identified by Policy ID 1.3.21.6.3.20.200.1.

Security code: Personal authentication string that is generated by the portal at activation time, or later at the request of the user, and that the 3SKey user can use to revoke its certificate and must provide to reset or recover its certificate.


Legal Notices

Copyright

SWIFT © 2016. All rights reserved.

Disclaimer

The information in this publication may change from time to time. You must always refer to the latest available version.

Translations

The English version of SWIFT documentation is the only official and binding version.

Trademarks

SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and SWIFT Institute. Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks of their respective owners.
