iso8583-core 0.1.0

Production-ready zero-allocation ISO 8583 parser with SIMD optimization and no_std support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Security Considerations

### What This Library Provides

- **Memory Safety**: Rust's ownership system prevents memory corruption vulnerabilities  
- **Type Safety**: Compile-time guarantees prevent type confusion  
- **PAN Masking**: Utilities for masking card numbers in logs  
- **Input Validation**: Field format and length validation  
- **Luhn Check**: Card number validation algorithm  

### What You Must Implement

- **Encryption**: This library handles message structure only. You MUST implement:
- TLS/SSL for network communication
- PIN encryption (typically using HSM)
- MAC (Message Authentication Code) generation
- Key management for cryptographic operations

- **Authentication**: Implement proper authentication for:
- Terminal authentication
- Card authentication (EMV)
- Network participants

- **Logging**: When logging:
- Always mask PANs using `utils::mask_pan()`
- Never log PINs or cryptographic keys
- Never log full Track 2 data
- Sanitize all sensitive fields

## Reporting a Vulnerability

**Please DO NOT report security vulnerabilities through public GitHub issues.**

Instead, please send an email to: kingidrogen@gmail.com

Include:
- Type of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will respond within 48 hours and provide a timeline for fixes.

## Security Best Practices

### PCI DSS Compliance

This library can help with PCI DSS compliance but does not guarantee it. Requirements:

1. **Cardholder Data Protection**
   - Always mask PANs when displaying or logging
   - Encrypt sensitive data in storage and transit
   - Never store CVV2, PIN, or full track data after authorization

2. **Secure Development**
   - Keep dependencies up to date (`cargo audit`)
   - Use compiler warnings as errors (`RUSTFLAGS="-D warnings"`)
   - Run security audits regularly

3. **Access Control**
   - Implement proper authentication
   - Use principle of least privilege
   - Audit all access to cardholder data

### Example: Secure Logging

```rust
use iso8583_core::*;

// ❌ WRONG - Logs full PAN
log::info!("Transaction for card {}", pan);

// - CORRECT - Masks PAN
log::info!("Transaction for card {}", mask_pan(&pan));
```

### Example: Never Log Sensitive Fields

```rust
// ❌ NEVER DO THIS
log::debug!("PIN: {:?}", message.get_field(Field::PersonalIdentificationNumberData));
log::debug!("Track2: {}", message.get_field(Field::Track2Data));
log::debug!("CVV: {}", cvv);

// - CORRECT - Don't log sensitive data at all
log::debug!("PIN verification requested");
log::debug!("Track2 data present: {}", message.has_field(Field::Track2Data));
```

## Vulnerability Disclosure Timeline

1. **Day 0**: Vulnerability reported
2. **Day 2**: Acknowledgment sent
3. **Day 7**: Impact assessment complete
4. **Day 14**: Fix developed and tested
5. **Day 21**: Security patch released
6. **Day 30**: Public disclosure (if critical)

## Known Limitations

### Out of Scope

This library does NOT provide:
- Network communication
- Cryptographic operations (encryption, MAC, PIN verification)
- HSM integration
- Key management
- Certificate validation
- Secure element integration
- EMV chip card processing (format only, not cryptography)

### In Scope

This library DOES provide:
- Message parsing and generation
- Field validation
- PAN masking utilities
- Luhn check algorithm
- Safe memory handling (Rust guarantees)

## Cryptographic Recommendations

For production use, implement:

1. **TLS 1.3** for network communication
2. **AES-256** for data encryption
3. **HMAC-SHA256** for MAC generation
4. **RSA-2048 or ECC-256** for key exchange
5. **FIPS 140-2 Level 2+** HSM for key storage

## Compliance Checklist

- [ ] PAN masking implemented in all logs
- [ ] PIN encryption using HSM
- [ ] TLS/SSL for all network communication
- [ ] MAC validation for all messages
- [ ] Secure key storage (HSM or equivalent)
- [ ] Access controls and audit logging
- [ ] Regular security testing
- [ ] Vulnerability scanning
- [ ] Dependency auditing (`cargo audit`)
- [ ] Code review process
- [ ] Incident response plan
- [ ] PCI DSS certification (if applicable)