
3SKey

Service Description

This document describes the features and functions of the components of the 3SKey solution and the roles and
responsibilities of all parties involved in the 3SKey solution.

30 September 2016

Table of Contents

Preface

1 Introduction
1.1 Advantages of the 3SKey Solution
1.2 Eligibility Criteria

2 Features and Functions
2.1 Overview
2.2 Description of the Solution
2.3 Components of the 3SKey Solution
2.4 3SKey Service Availability

3 Ordering and Support
3.1 Ordering
3.2 Support

4 Roles and Responsibilities
4.1 SWIFT's Roles and Responsibilities
4.2 The 3SKey Subscriber's Roles and Responsibilities
4.3 The 3SKey User's Roles and Responsibilities

5 Pricing and Invoicing

6 Contractual Framework

7 Glossary of Terms

Legal Notices


Preface
Purpose of the document
This document describes the features and functions of the various components of the 3SKey
(SWIFT Secure Signature Key) solution and the roles and responsibilities of all parties involved
in the 3SKey solution.
Note: This service description, together with other relevant contractual service
documentation, is an integral part of the contractual arrangements between SWIFT
and the 3SKey subscribers, the 3SKey users or any other organisations that order
the 3SKey Developer Toolkit for the provision and the use of the relevant
components of the 3SKey solution.

Audience
This document is for the following audience:
• 3SKey subscribers (typically, banks) that require information about the features and functions
of the components of the 3SKey solution, and about the roles and responsibilities of all
parties involved in the 3SKey solution
• 3SKey users (typically, corporate clients of banks, or their representatives) that require
information about the features and functions of the components of the 3SKey solution, and
about the roles and responsibilities of all parties involved in the 3SKey solution
• persons that intend to subscribe to or use the 3SKey solution, and require information about
the features and functions of the components of the 3SKey solution and about the roles and
responsibilities of the parties involved in the 3SKey solution

Significant changes
The following table shows the functional change to this document since its September 2015
publication. This table does not include the general edits and updates that were also made.

| New information | Location |
|---|---|
| Information related to the use of data in case of cybersecurity investigations | Use of data for security monitoring and investigation purposes on page 20 |

SWIFT-defined terms
In the context of SWIFT documentation, certain terms have a specific meaning. These terms
are called SWIFT-defined terms (for example, customer, user, or SWIFT services and products).
The definition of SWIFT-defined terms appears in the SWIFT Glossary.

Related information:
Instructions for the 3SKey Administrator
Instructions for the 3SKey User
3SKey Getting Started for Banks
3SKey Getting Started for Corporates
3SKey Token Software Installation Guide


3SKey Portal User Guide for Corporates


3SKey Troubleshooting Guide
3SKey Token Renewal Instructions for Banks
3SKey Token Renewal Instructions for Corporate Administrators
3SKey Token Renewal Instructions for Corporate Users
3SKey Terms and Conditions
3SKey Token Terms and Conditions
3SKey Developer Toolkit Terms and Conditions
Premium Custom Support Service Description
Premium Plus Support Service Description
Premium Support Service Description
Standard Plus Service Description
Standard Service Description


1 Introduction
When a bank interacts with its corporate customers through electronic banking channels, it
may need to authenticate received data at the level of the individual(s) authorised to serve
instructions to it. For example, a specific individual in the corporate treasury department must
approve payment instructions.
In practice, banks and their corporate clients must often manage and use multiple and different
types of personal signing mechanisms (for example, multiple tokens with different passwords
and different processes to maintain them). Using and maintaining different authentication
methods in parallel adds to the complexity and leads to higher operational risk and cost.
To address this issue, SWIFT introduced the 3SKey solution. With this solution, SWIFT supplies
tokens that include PKI-based credentials for use between 3SKey subscribers (typically, banks)
and 3SKey users (typically, corporates). 3SKey users then set up their tokens with a unique
certificate issued by the SWIFT Public Key Infrastructure (PKI). 3SKey users then use these
credentials to sign messages and files exchanged with one or more 3SKey subscribers over any
mutually agreed channel. The signature provides authentication of the 3SKey user and
non-repudiation of the signed transactions.

1.1 Advantages of the 3SKey Solution


The 3SKey solution is designed to address the needs of 3SKey subscribers and 3SKey users.

3SKey subscribers
3SKey subscribers associate each individual 3SKey user with their unique credential
independently of the other 3SKey subscribers. 3SKey subscribers access SWIFT PKI to make
sure that the certificate hasn't been revoked.
This approach leaves each 3SKey subscriber free to set and apply its own Know-Your-Customer
rules when it associates 3SKey users. Each 3SKey subscriber associates its 3SKey users
independently and does not need to rely on the association performed by other 3SKey
subscribers.
The 3SKey solution enables 3SKey subscribers to cost-effectively implement (or strengthen)
authentication and non-repudiation on their existing electronic banking channels.

3SKey users
A 3SKey user must currently use many different security devices to authenticate itself towards
third parties (typically, banks). The use of a single token towards multiple 3SKey subscribers will
help to reduce cost and operational risk and increase convenience.

1.2 Eligibility Criteria


Eligibility to subscribe to the 3SKey service
The 3SKey service is available to all SWIFT users and service bureaux.

Eligibility to order and distribute 3SKey tokens


SWIFT users that have subscribed to the 3SKey service may order 3SKey tokens from SWIFT
for their own use or for distribution to 3SKey users. Affiliated SWIFT users of the 3SKey
subscriber may also order 3SKey tokens from SWIFT for their own use or for distribution to
3SKey users in their own name.
All other SWIFT users may order 3SKey tokens from SWIFT for their own use or for distribution
to affiliates within their corporate group. A Service Bureau may distribute 3SKey tokens to
SWIFT users connecting to SWIFT through it. All SWIFT partners that order a 3SKey Developer
Toolkit may also order 3SKey tokens from SWIFT for their development activities only. 3SKey
tokens must not be distributed to individuals for private purposes.

Eligibility to order the 3SKey Developer Toolkit


The 3SKey users and all SWIFT partners may order the 3SKey Developer Toolkit from SWIFT.
To facilitate the implementation of the 3SKey subscriber application functions, SWIFT provides
the 3SKey Developer Toolkit to all 3SKey subscribers requesting it.
For more information about the 3SKey Developer Toolkit, see the 3SKey Developer Guide.


2 Features and Functions


2.1 Overview
SWIFT delivers the 3SKey solution through the following components:
• SWIFT Public Key Infrastructure (PKI)
The underlying PKI that SWIFT manages and operates. 3SKey subscribers and their 3SKey
users access SWIFT PKI either through the 3SKey portal or through the 3SKey certificate
revocation check facility, as applicable.
• 3SKey tokens
Secure devices that hold either the signing credentials of the 3SKey user or the
authentication credential for the 3SKey subscriber to access the portal.
• 3SKey portal
Accessed by the 3SKey users to manage the 3SKey tokens (activation, renewal, recovery,
reset and revocation of the tokens).
Accessed by the 3SKey subscribers to get the Secure Socket Layer (SSL) certificates for the
3SKey certificate revocation check facility, and to get reports on the tokens that they
distribute.
• 3SKey certificate revocation check facility
Accessed by the 3SKey subscriber to check whether a 3SKey user's (unexpired) certificate
has been revoked.
• 3SKey Developer Toolkit
Software libraries, technical specifications and 2 test tokens that 3SKey subscribers and
integrators use to enable web servers and applications to work with the 3SKey service. This
includes signing, signature verification, and certificate revocation check functions.

2.2 Description of the Solution

2.2.1 Set-up of the solution


Procedure
1. Supply and distribution of 3SKey tokens
If a 3SKey subscriber, service bureau or 3SKey user has placed an order for the 3SKey
tokens, then SWIFT provides the tokens which, subject to applicable distribution rights (if
any), may be further distributed to 3SKey users.

[Figure: supply and distribution of 3SKey tokens (labels: 3SKey subscriber, 3SKey, 3SKey user)]
2. Activation
SWIFT supplies inactive tokens (that is, they cannot be used to sign transactions). The
3SKey user must first activate its token by using the secure access (provided by the inactive
token) to the 3SKey portal over the Internet and the default password of the token.
As a result, a business credential (that is, a certificate and private key) is created and stored
on the token. The activation process does not require the supply of any identification
information about the 3SKey user, and the business credential is entirely anonymous. It
does not contain any name but just a Unique ID that is used by 3SKey subscribers to
associate the 3SKey user with the certificate.

[Figure: activation (labels: 3SKey portal, 3SKey subscriber, 3SKey, 3SKey user, Internet)]

The same process applies to the activation of any other user token, used for testing
purposes.
3. Association
The 3SKey subscriber associates the token with its 3SKey user(s).
As a result, the 3SKey subscriber application links the 3SKey user with the Unique ID. Such
association is achieved as a registration process to be agreed by the 3SKey subscriber and
the 3SKey user directly (for example, through a physical presence or through the use of
secure, pre-existing, remote identification technology). During the association process, the
3SKey subscriber must verify that the certificate is valid, including through the 3SKey
certificate revocation check facility.
When the association process is complete, the 3SKey subscriber can link any message that
is signed with the credential with the registered 3SKey user or, if the registration process so
permits, a specific representative of the 3SKey user.

[Figure: Association of 3SKey tokens (labels: 3SKey portal, 3SKey subscriber, 3SKey, 3SKey user, "Check that token 45678 is not revoked", "John = 45678-unique ID")]

2.2.2 Use of the solution


Procedure
1. Use of the token
When the activation and association steps are complete, the 3SKey user can use the token
to sign messages and files towards the 3SKey subscriber or to securely access 3SKey
subscriber applications with its 3SKey token.
The 3SKey user application software or 3SKey user browser interacting with a 3SKey
subscriber web application (for example, e-banking) signs the messages with the 3SKey
user's token.
The 3SKey subscriber's application verifies the signature and accesses the 3SKey
certificate revocation check facility to verify that the certificate has not been revoked.

[Figure: use of the token (labels: 3SKey portal, 3SKey subscriber, 3SKey, 3SKey user, "Message signed with token 45678", "Check that token 45678 is not revoked", "John = 45678-unique ID")]

2. Using the business credential with multiple 3SKey subscribers


A 3SKey user can use the same business credential to sign messages for transactions with
or to securely access applications of multiple 3SKey subscribers. The 3SKey subscriber
must associate with each 3SKey user separately. This is the same process as described in
step 3 on page 8 of "Set-up of the solution".

[Figure: using the business credential with multiple 3SKey subscribers (labels: 3SKey subscriber, 3SKey, 3SKey user, "John = 45678-unique ID" shown three times)]

2.2.3 Maintenance of the solution


Procedure
1. Revocation
If the 3SKey token has been stolen, or its security or reliance is otherwise compromised
(typically, the individual using the token leaves the company) the 3SKey user, or a 3SKey
administrator, can request the revocation of its certificate through the 3SKey portal.
Consequently, SWIFT updates the certificate revocation list with the certificate revocation
information. So, when the 3SKey subscribers' application checks the certificate revocation
list, the certificate will appear as revoked and, consequently, the application of the 3SKey
subscriber stops trusting it.
Certain 3SKey subscribers may also require their 3SKey users to de-associate the
certificate with them directly.
For more information, 3SKey users should check the conditions governing the use of the
certificate with their 3SKey subscribers.
2. Renewal
The 3SKey user's token will expire after 3 years. Before its token expires, the 3SKey user
must renew its certificate on a new token through the portal. The 3SKey user can renew its
token during 90 days preceding its expiry. After that, the token becomes unusable and the
certificate will need to be recovered.
The new token will inherit the original Unique ID. The old token is still usable until the
certificate expires.
This also applies to user tokens used for testing purposes. Not activated user tokens
cannot be renewed.
3. Recovery
It may be necessary to recover a certificate, if the certificate has been revoked or if the
token holding the certificate is lost or is not usable anymore (for example, it is damaged) or if
the certificate has expired. In this case, the 3SKey user asks a 3SKey administrator to set
up the certificate for recovery on a new token. Through the 3SKey portal, the 3SKey user
can recover its certificate onto a new token that has been set up for recovery by the
administrator. The 3SKey user is requested to provide its security code to complete the
recovery.
The new token will hold a new business certificate with the original Unique ID and will be
valid for 3 years. The old certificate cannot be used anymore.
This also applies to user tokens used for testing purposes. Not activated user tokens
cannot be recovered.
4. Reset
It may be necessary to reset a token, if the token is locked after a series of consecutive
wrong password entries or if the 3SKey user has lost its password. In this case, the 3SKey
user asks a 3SKey administrator to set up the locked token for reset. Through the 3SKey
portal, the 3SKey user can re-initialise its token with a new certificate and set a new
password. The 3SKey user is requested to provide its security code to complete the reset.
After reset, the token holds a new business or, as the case may be, a new technical
certificate with the original Unique ID and has the same expiry date as the old certificate.
This also applies to user tokens used for testing purposes.

2.2.4 3SKey token management and lifecycle


The following diagram shows the different states that a 3SKey token can pass through and the
author of the change.

[Figure: 3SKey token state diagram (states: not activated, activated, expired, prepared to reset, prepared to recover, revoked; transitions numbered 1 to 8 as listed in the table below)]

|   | Previous token state | New token state | Action | Author |
|---|---|---|---|---|
| 1 | Not activated | Activated | to activate | user |
| 2 | Activated | Activated | to renew | user |
| 3 | Activated | Revoked | to revoke | administrator or user |
| 4 | Activated | Expired | to expire | automatic |
| 4 | Revoked | Expired | to expire | automatic |
| 5 | Activated | Prepared to recover | to set up for recovery | administrator |
| 5 | Revoked | Prepared to recover | to set up for recovery | administrator |
| 5 | Expired | Prepared to recover | to set up for recovery | administrator |
| 6 | Prepared to recover | Activated | to recover | user |
| 7 | Activated | Prepared to reset | to set up for reset | administrator |
| 8 | Prepared to reset | Activated | to reset | user |
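
The state table above can be used to audit a history of token events. The following is an added example, not part of the original document and not SWIFT code: it replays a constructed event export and flags any step the table does not permit, either because of the token state or because of who performed it. The `time|unique id|author|action` layout, the sample events and the names `TRANSITIONS` and `replay` are assumptions made for illustration.

```python
"""Added example (not SWIFT code): replay lifecycle events against the 2.2.4 state table."""

# (previous state, action) -> (new state, permitted authors), transcribed from the table.
TRANSITIONS = {
    ("not activated", "activate"): ("activated", {"user"}),
    ("activated", "renew"): ("activated", {"user"}),
    ("activated", "revoke"): ("revoked", {"administrator", "user"}),
    ("activated", "expire"): ("expired", {"automatic"}),
    ("revoked", "expire"): ("expired", {"automatic"}),
    ("activated", "set up for recovery"): ("prepared to recover", {"administrator"}),
    ("revoked", "set up for recovery"): ("prepared to recover", {"administrator"}),
    ("expired", "set up for recovery"): ("prepared to recover", {"administrator"}),
    ("prepared to recover", "recover"): ("activated", {"user"}),
    ("activated", "set up for reset"): ("prepared to reset", {"administrator"}),
    ("prepared to reset", "reset"): ("activated", {"user"}),
}

# Constructed sample; the "time|unique id|author|action" layout is an assumption.
SAMPLE_EVENTS = """\
2016-01-04T09:00Z|45678|user|activate
2016-02-10T14:30Z|45678|administrator|set up for reset
2016-02-10T15:00Z|45678|user|reset
2016-03-01T08:15Z|45678|user|revoke
2016-03-02T10:00Z|45678|user|recover
2016-03-02T10:05Z|45678|administrator|set up for recovery
2016-03-02T10:20Z|45678|user|recover
2016-04-01T11:00Z|45678|user|set up for reset
"""


def replay(events):
    """Return (final state per Unique ID, findings) for a text export of events.

    Each finding is (line number, kind, detail). Rejected events do not change
    the tracked state, so later events are judged against the last valid state.
    """
    states, findings = {}, []
    for lineno, line in enumerate(events.splitlines(), 1):
        fields = [field.strip() for field in line.split("|")]
        if len(fields) != 4:
            findings.append((lineno, "malformed", line))
            continue
        _when, unique_id, author, action = fields
        # Tokens are supplied inactive, so an unseen Unique ID starts as "not activated".
        state = states.get(unique_id, "not activated")
        rule = TRANSITIONS.get((state, action))
        if rule is None:
            findings.append((lineno, "illegal transition", f"{action!r} from {state!r}"))
        elif author not in rule[1]:
            findings.append((lineno, "wrong author", f"{author!r} may not {action!r}"))
        else:
            states[unique_id] = rule[0]
    return states, findings


if __name__ == "__main__":
    final_states, problems = replay(SAMPLE_EVENTS)
    print(final_states)
    for problem in problems:
        print(problem)
```

In the sample, the user's attempt to recover a revoked certificate before an administrator has set it up for recovery is flagged, as is a reset set-up performed by the user instead of an administrator.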

2.3 Components of the 3SKey Solution


The components of the 3SKey solution are deployed by the different parties, as follows:
• SWIFT: SWIFT PKI, 3SKey portal, and 3SKey certificate revocation check facility
• 3SKey subscriber: 3SKey subscriber application, 3SKey subscriber tokens, and 3SKey
Developer Toolkit
• 3SKey user: 3SKey user application, 3SKey user tokens, 3SKey Developer Toolkit, and web
browser


2.3.1 SWIFT Components


SWIFT PKI
The SWIFT PKI supports the following PKI operations:
• new certificate issuance
• certificate renewal
• certificate revocation
• certificate recovery

3SKey portal
SWIFT provides a web portal.
• A duly authenticated 3SKey user can access the 3SKey portal to perform the following
functions on the 3SKey token:
- activation
- renewal (on a new token)
- revocation
- recovery (on a new token)
- reset (on the same token)
- password and security code management
- user list management functions
• An authenticated 3SKey subscriber can access the portal to perform the following functions:
- retrieve the SSL certificates (used to securely access the 3SKey certificate revocation
check facility)
- retrieve a report on the 3SKey subscriber's distributed tokens and their status

3SKey certificate revocation check facility


The 3SKey subscriber can access the Certificate Revocation List (CRL) using a secure channel
to the 3SKey certificate revocation check facility through the Internet. This requires an SSL
certificate which the 3SKey subscriber obtains from the portal.
The 3SKey certificate revocation check facility is only available to the 3SKey subscribers.
For more information, see the 3SKey Getting Started for Banks.

2.3.2 3SKey Subscriber Components


3SKey subscriber application
During the association phase, the 3SKey subscriber must perform through its application the
following activities:
• establishes the correspondence between the Unique ID and an identity (for example, the
name of a person or a function)
• verifies the signature
• verifies that the certificate is a 3SKey business certificate by checking that it has the Policy
ID 1.3.21.6.3.20.200.1
• verifies that the certificate has been issued by the SWIFT CA
• verifies that the certificate has not expired
• ensures that the certificate has not been revoked
When processing business transactions, the 3SKey subscriber must perform through its
application the following activities:
• verifies the signature of messages or files that have been signed with a 3SKey token
• ensures that the signing certificate is a 3SKey business certificate by checking that it has the
Policy ID 1.3.21.6.3.20.200.1
• verifies that the certificate has been issued by the SWIFT CA
• verifies that the signing certificate has not expired
• ensures that the signing certificate has not been revoked
• keeps non-repudiation logs of the signed transactions
Note: The 3SKey subscriber is responsible for the integration of the 3SKey service with
its application(s) using the 3SKey Developer Toolkit or with assistance of a vendor
of its choice.
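
The transaction-processing checks listed above, in the same order, as an added example that is not part of the original document and not code from the 3SKey Developer Toolkit. It uses the third-party Python `cryptography` package and a constructed test PKI: the test CA stands in for the SWIFT CA, and the ECDSA P-256 keys, the raw signature format, the placement of the Unique ID in the subject common name and all function names are assumptions.

```python
"""Added example (not SWIFT code): the 2.3.2 checks run on a constructed test PKI."""
from datetime import datetime, timedelta, timezone
from hashlib import sha256

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

BUSINESS_POLICY = x509.ObjectIdentifier("1.3.21.6.3.20.200.1")  # Policy ID from the page
OTHER_POLICY = x509.ObjectIdentifier("1.2.3.4")  # constructed, for the negative case
NOW = datetime(2016, 9, 30, 12, 0, tzinfo=timezone.utc)  # constructed clock
ASSOCIATIONS = {"45678": "John"}  # Unique ID -> identity, as in the page's figures


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _utc(obj, field):
    """Read a date field as aware UTC on both older and newer `cryptography` releases."""
    value = getattr(obj, field + "_utc", None)
    return value if value is not None else getattr(obj, field).replace(tzinfo=timezone.utc)


def build_test_pki(policy=BUSINESS_POLICY, revoked=False):
    """Constructed stand-ins for the CA, one user certificate and the CRL."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    user_key = ec.generate_private_key(ec.SECP256R1())
    base = (x509.CertificateBuilder().issuer_name(_name("Test CA"))
            .not_valid_before(NOW - timedelta(days=1)))
    ca_cert = (base.subject_name(_name("Test CA")).public_key(ca_key.public_key())
               .serial_number(1).not_valid_after(NOW + timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    # Assumption: the Unique ID is carried in the subject common name.
    user_cert = (base.subject_name(_name("45678")).public_key(user_key.public_key())
                 .serial_number(1001).not_valid_after(NOW + timedelta(days=3 * 365))
                 .add_extension(x509.CertificatePolicies(
                     [x509.PolicyInformation(policy, None)]), critical=False)
                 .sign(ca_key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
           .last_update(NOW - timedelta(minutes=5)).next_update(NOW + timedelta(hours=4)))
    if revoked:
        crl = crl.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(1001)
            .revocation_date(NOW - timedelta(minutes=10)).build())
    return ca_cert, user_key, user_cert, crl.sign(ca_key, hashes.SHA256())


def sign_message(user_key, message):
    """Raw ECDSA signature, an assumption; the token's real format is not on the page."""
    return user_key.sign(message, ec.ECDSA(hashes.SHA256()))


def _verifies(public_key, signature, data, digest):
    try:
        public_key.verify(signature, data, ec.ECDSA(digest))
        return True
    except InvalidSignature:
        return False


def check_signed_message(message, signature, cert, ca_cert, crl, now=NOW):
    """Apply the 2.3.2 checks in the page's order; return the first failure or 'accepted'."""
    ca_pub = ca_cert.public_key()
    if not _verifies(cert.public_key(), signature, message, hashes.SHA256()):
        return "bad message signature"
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        policies = []
    if BUSINESS_POLICY not in [p.policy_identifier for p in policies]:
        return "not a business certificate"
    if cert.issuer != ca_cert.subject or not _verifies(
            ca_pub, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm):
        return "not issued by the trusted CA"
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        return "certificate expired or not yet valid"
    # Fail closed: a CRL that is unauthenticated or out of date proves nothing.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_pub):
        return "CRL not authentic"
    if not _utc(crl, "last_update") <= now <= _utc(crl, "next_update"):
        return "CRL out of date"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "certificate revoked"
    return "accepted"


def process_transaction(message, signature, cert, ca_cert, crl, log, now=NOW):
    """Check one signed message, resolve the Unique ID, append a non-repudiation record."""
    verdict = check_signed_message(message, signature, cert, ca_cert, crl, now)
    unique_id = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    log.append({"time": now.isoformat(), "unique_id": unique_id, "verdict": verdict,
                "identity": ASSOCIATIONS.get(unique_id), "serial": cert.serial_number,
                "message_sha256": sha256(message).hexdigest(),
                "signature": signature.hex()})
    return verdict
```

The log record keeps the message digest, the signature and the certificate serial number so that the decision can be re-verified later; rejected messages are logged as well.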

3SKey subscriber tokens


The 3SKey subscribers receive specific tokens to access the portal to retrieve an SSL certificate
and access a token report. The SSL certificate enables the subscribers to securely access the
3SKey certificate revocation check facility. The token report lists the tokens that the 3SKey
subscriber has ordered with their status.

3SKey Developer Toolkit


To facilitate the implementation of the 3SKey subscriber application functions, SWIFT provides
the 3SKey Developer Toolkit to all 3SKey subscribers requesting it.
For more information about the 3SKey Developer Toolkit, see the 3SKey Developer Guide.

Web browser
The 3SKey subscriber browser accesses the 3SKey portal to retrieve the SSL certificates and to
retrieve a report on its ordered tokens and their status. The 3SKey subscriber must ensure that
its web browser meets the applicable specifications set out in the 3SKey Token Installation
Guide.

2.3.3 3SKey User Components


3SKey user application
The application must enable 3SKey users to sign files and messages with the 3SKey token and
to send them to the 3SKey subscriber's application or to securely access 3SKey subscriber
applications.
Note: The 3SKey user is responsible for the integration of the 3SKey service with its
application(s) using the 3SKey Developer Toolkit or with assistance of a vendor of
its choice.


3SKey user tokens


The 3SKey users install the software for the 3SKey tokens. They activate their tokens through
the 3SKey portal and associate them with their 3SKey subscriber(s). 3SKey users can then use
their tokens with their 3SKey subscriber(s) either through the 3SKey user browser or through the
3SKey user application.
Note: To avoid any confusion, SWIFT recommends not to re-assign a token to another
person once the association has been performed.

Web browser
The 3SKey user accesses the 3SKey portal using a web browser. The portal is used for token
management purposes (activation, revocation, recovery, reset and renewal). The web browser is
necessary to enable access to Web-based services (for example, cash management). The
3SKey user must ensure that its web browser meets the applicable specifications set out in the
3SKey Token Installation Guide.

2.4 3SKey Service Availability


3SKey certificate revocation check facility availability
The 3SKey certificate revocation check facility is designed to be available 24 hours a day, 7 days
a week, through LDAPS and HTTPS channels, subject to any unavailability as set out hereafter.
SWIFT is not responsible if the 3SKey certificate revocation check facility cannot be reached
due to problems with the internet channels used by the 3SKey subscriber.

Planned unavailability
SWIFT plans for specific dates and times when the 3SKey service, typically access to the
3SKey portal, will be unavailable. SWIFT publishes notification of unavailability in advance on
www.swift.com.
Planned unavailability can be for the following events:
• downtime due to scheduled equipment maintenance
• scheduled system changes (for example, changes to software or hardware configurations or
business continuity testing)
SWIFT performs system changes and maintenance during allowable downtime windows. These
windows occur during weekends (Saturday and Sunday).
During an allowable downtime window, the 3SKey portal may be unavailable either for the whole
duration of the downtime, or only intermittently.
For more information about scheduled downtime, see www.swift.com > Support > Operational
status.

Unplanned unavailability
If SWIFT becomes aware of a problem with the 3SKey service, then it initiates any recovery or
fallback operation for which it is responsible and that is necessary to restore the service.
SWIFT may suspend or change the 3SKey service, in whole or in part, at any time, giving as
much advance notice as practicable to prevent or mitigate any adverse effect on the security,
reliability, or resilience of the 3SKey service or, more generally, SWIFT's reputation, brand or
goodwill (typically, if the 3SKey subscriber and 3SKey user would be subject to sanctions such
as EU sanctions).
The levels of service that this document specifies assume normal operating conditions. These
include resilient operations during most single-component failure scenarios within the active and
standby SWIFT operating centres where SWIFT runs the 3SKey certificate revocation check
facility. The 3SKey certificate revocation check facility design is resilient, and can handle many
anomalous events without impact to the activities of the 3SKey subscribers and users. However,
under certain, very unlikely, disaster scenarios (for example, the destruction of a SWIFT
operating centre, dual failures of similar components, or component failures during SWIFT
operating centre switchovers), SWIFT may be unable to meet these levels of service, in whole or
in part. The potential for data loss exists in such cases. In this case, SWIFT will inform the
3SKey subscribers concerned and 3SKey users who have registered an email address through
the 3SKey portal.
For example, if a disaster were to strike a SWIFT operating centre where SWIFT runs the
3SKey service, this may prevent SWIFT from fully processing all revocation requests received in the
15 minutes preceding the disaster. In such case, the 3SKey users can contact SWIFT for
assistance to trace the affected requests.


3 Ordering and Support


3.1 Ordering
Subscribe to the 3SKey service
SWIFT users and service bureaux can subscribe to the 3SKey service using the 3SKey
subscription form. It is mandatory to subscribe to the 3SKey service in order to rely on a 3SKey
certificate.
As an integral part of its subscription, the 3SKey subscriber is entitled to the following:
• access to the 3SKey portal
• access to the 3SKey certificate revocation check facility (maximum 10)
• 3SKey tokens as specified in the subscription form
3SKey subscribers requiring the 3SKey Developer Toolkit must request it through a separate
order as specified below.
Note: The subscription to the 3SKey service by a SWIFT user permits the 3SKey
subscriber to extend, under its sole responsibility, the benefit of the subscription to
affiliates within its corporate group. Otherwise, the subscription to the 3SKey
service is personal. Consequently, the 3SKey subscriber may not share the
certificate revocation list with a third party (or, in the case of a SWIFT user, a
non-affiliated entity), or may not verify the status of a 3SKey certificate on behalf of a
third party (or, in the case of a SWIFT user, a non-affiliated entity).
For more information about the right for 3SKey subscribers to use the 3SKey
service, see the 3SKey Token Terms and Conditions.

Order 3SKey tokens


SWIFT users, service bureaux and partners can order the 3SKey tokens for their own use and,
subject to their respective distribution rights (if any), distribution to 3SKey users using the 3SKey
tokens order form.
The provision, use and, if permitted, distribution of 3SKey tokens are subject to U.S. export
restrictions and other sanction programmes. Persons located in Cuba, North Korea, Iran, Sudan
or Syria and/or persons identified on U.S. government or EU "denied party" or specifically
designated nationals lists are not permitted to possess, use or distribute 3SKey tokens.

Order the 3SKey Developer Toolkit


SWIFT users, service bureaux and partners can order the 3SKey Developer Toolkit using the
3SKey Developer Toolkit order form. The 3SKey Developer Toolkit includes a developer guide
with the technical specifications, software libraries and 2 test tokens.

3.2 Support
Support for 3SKey subscribers and the 3SKey Developer Toolkit
SWIFT is the single point of contact to report all problems and queries that relate to the 3SKey
service and the 3SKey Developer Toolkit. Support is also available for the 3SKey Developer
Toolkit. Individual users within their respective organisation must register to use the Support
service.

Related information
For more information about how to register for Support, see the Customer login section on the
www.swift.com home page.
For more information about support services, see:
• Premium Custom Support Service Description
• Premium Plus Support Service Description
• Premium Support Service Description
• Standard Plus Support Service Description
• Standard Support Service Description

Support for 3SKey users


Online support for the token management functions is available for 3SKey users through the
3SKey website.


4 Roles and Responsibilities


The following three parties are involved in the 3SKey solution:
• SWIFT: provides the 3SKey service and supplies the 3SKey tokens and the 3SKey
Developer Toolkit.
• The 3SKey subscriber: subscribes and integrates the 3SKey service and distributes 3SKey
tokens to 3SKey users.
• The 3SKey user: integrates and uses the 3SKey service with their 3SKey subscriber (or
3SKey subscribers). The 3SKey users will normally obtain the 3SKey tokens from their initial
3SKey subscriber.

The following graphic provides an overview of the interactions between the different parties:

[Figure: interactions between the parties (labels: (1) order placed for the service and tokens; (2) shipment of the tokens; distribution of token(s); association and usage; activation and management through the 3SKey portal; 3SKey subscriber; 3SKey user)]

4.1 SWIFT's Roles and Responsibilities


SWIFT's primary responsibilities are as follows:
• provision the service as described in this service description
• manage and operate SWIFT PKI
• qualify the tokens
• personalise tokens with a Unique ID
• provide and implement the Certificate Policy
• ensure the uniqueness of the ID of a certificate from activation and through its complete
lifecycle
• supply the inactive tokens
• provide a portal for 3SKey users for token management functions
• provide the 3SKey certificate revocation check facility to the 3SKey subscribers and in
particular make an updated version of the CRL available to 3SKey subscribers (within 4
hours for the combined CRL, and within 7 minutes for the partitioned CRLs) after the
revocation of a 3SKey token by the 3SKey user.

• provide, when specifically ordered, the 3SKey Developer Toolkit, including the technical
specifications, the relevant software libraries and two test tokens to integrate the 3SKey
service in the applications of the 3SKey user and subscriber
• provide support to 3SKey subscribers, 3SKey users and partners for those components of
the 3SKey solution that are relevant to them
• make the 3SKey documentation available on www.swift.com and the 3SKey website.
• report to the 3SKey subscribers on the status (activated, not activated, prepared to recover,
prepared to reset, revoked, used to recover, used to renew) of the certificates that are stored
on the tokens they ordered
• revoke business certificates through an exception offline procedure by contacting SWIFT
support
• confirm, on request of the 3SKey user, details on the activation, renewal, reset, revocation, or
recovery of a certificate performed on the 3SKey portal for up to 6 months after the expiry
date of that certificate. Such certificate actions done by a 3SKey user are non-repudiated
and time-stamped and, therefore, SWIFT can confirm the Unique ID of the 3SKey user who
initiated the change as well as the date and time of the change.
• provide, on request of the 3SKey user or subscriber, evidence of the revocation status of a
specific certificate for up to 10 years
SWIFT reserves the right to unilaterally revoke certificates in specific circumstances (for
example, if it would appear or be likely, based on reasonable grounds, that a certificate has
been, is or could be used for illegal, illicit or fraudulent purposes, in a manner that might create
confusion or misrepresent the person normally associated with the certificate).

Use of data for security monitoring and investigation purposes


In accordance with the SWIFT Data Retrieval Policy and the Distributed Architecture principles,
SWIFT may process and store traffic and message data in order to support SWIFT’s protection
measures and forensic capabilities against cybersecurity threats. SWIFT processes and stores
such data on dedicated security systems and in strict accordance with its security policies and
procedures and may analyse such data in the context of a specific security investigation as part
of its security monitoring and investigation processes.

Related information

For more information about SWIFT's roles and responsibilities with regard to the 3SKey solution,
see the following documents, as applicable:
• 3SKey Terms and Conditions
• 3SKey Tokens Terms and Conditions
• 3SKey Developer Toolkit Terms and Conditions


4.2 The 3SKey Subscriber's Roles and Responsibilities

Description
The 3SKey subscriber's primary responsibilities are as follows:
1. For its own use and, as applicable, the distribution of 3SKey tokens to the 3SKey users:
• order the necessary 3SKey tokens from SWIFT
• subject to all applicable export restrictions and other sanctions programmes, distribute
the 3SKey tokens and the associated password to the 3SKey users that require them,
and if not included on the tokens, link the 3SKey users to or supply the 3SKey users with
the relevant installation instructions and software
• manage the token renewal process with the 3SKey users
2. For the use of the 3SKey service:
• subscribe to the 3SKey service
• integrate the 3SKey service with the 3SKey subscriber's application
• provide 3SKey users with the relevant documentation for using the 3SKey service and
tokens
• provide 3SKey users with best-practice guidelines
• associate and record the association of the tokens with 3SKey users that use the 3SKey
service
• obtain and manage a valid SSL client certificate to secure access to the 3SKey
certificate revocation check facility
• obtain and manage a working internet connection to the 3SKey portal and the 3SKey
certificate revocation check facility
• have and apply a Know-Your-Customer policy to associate 3SKey users with their
token(s)
• inform SWIFT of any security threats that relate to the 3SKey service
• verify the signatures of messages received from 3SKey users and check that the signing
certificates are valid 3SKey business certificates
To the extent reasonably necessary for its use of the 3SKey solution, the 3SKey subscriber has
the right, at its own cost and under its sole responsibility, to translate information provided by
SWIFT and to include this information in its end-user documentation. Any such translations shall
however confirm that, towards SWIFT, the English version of SWIFT documentation is the only
official and binding version.

Customer testing
Customers must not conduct any performance or vulnerability tests unless expressly permitted
in the SWIFT Customer Testing Policy.
If customers believe they have identified a potential performance or vulnerability threat, they
must immediately inform SWIFT thereof and treat all related information, data or materials as
SWIFT confidential information.


Related information

For more information about the 3SKey subscriber's roles and responsibilities with regard to the
3SKey solution, 3SKey subscribers can refer to the following documents, as applicable:
• 3SKey Terms and Conditions
• 3SKey Tokens Terms and Conditions
• 3SKey Developer Toolkit Terms and Conditions

4.3 The 3SKey User's Roles and Responsibilities


Description
The 3SKey user's primary responsibilities are as follows:
• perform integration work that relates to the functioning of the 3SKey service with the 3SKey
subscriber (or 3SKey subscribers)
• activate the token through the 3SKey portal
• for authentication purposes towards SWIFT, safekeep the unique ID and related security
code
• associate one or more tokens with the 3SKey subscriber (or 3SKey subscribers)
• perform token management according to the guidelines provided in the 3SKey
documentation
• safekeep the acknowledgement of all management functions performed on the 3SKey portal
• obtain new tokens prior to token expiration
• protect their tokens physically from unauthorised access (borrowing, loss, and theft) and take
all necessary measures to prevent any unauthorised disclosure of the token's password. The
3SKey user is responsible for maintaining the confidentiality, integrity and availability of its
private key at all times.
• revoke tokens in case of a security threat, if the token is no longer used or as may be
otherwise necessary or desirable. After requesting the revocation of a 3SKey certificate,
verify as soon as practicable on the 3SKey portal that its certificate has been duly revoked by
SWIFT.
• inform the 3SKey subscriber(s) and SWIFT of any security threat that may affect the use of
the 3SKey service
• follow the best-practice guidelines provided by the 3SKey subscriber
• comply with any other obligations agreed with its subscriber(s) directly.

Customer testing
Customers must not conduct any performance or vulnerability tests unless expressly permitted
in the SWIFT Customer Testing Policy.
If customers believe they have identified a potential performance or vulnerability threat, they
must immediately inform SWIFT thereof and treat all related information, data or materials as
SWIFT confidential information.


Related information

For more information about the 3SKey user's roles and responsibilities with regard to the 3SKey
solution, 3SKey users can refer to the following documents, as applicable:
• 3SKey Terms and Conditions
• 3SKey Tokens Terms and Conditions
• 3SKey Developer Toolkit Terms and Conditions


5 Pricing and Invoicing


Charges
The 3SKey subscriber must pay to SWIFT all charges and fees for the various components of
the 3SKey solution.
The charges for the subscription to the 3SKey solution are as follows:
• a one-time service fee for the subscription by 3SKey subscribers to the 3SKey service
• a yearly recurring fee for subscription by 3SKey subscribers to the 3SKey service
• a one-time fee for the supply of the 3SKey tokens

Related information
For more information about the pricing scheme, contact your SWIFT Account Manager.


6 Contractual Framework
Terms and conditions
The 3SKey Terms and Conditions govern the provision and use of the 3SKey service.
The 3SKey Token Terms and Conditions govern the supply, distribution and use of the 3SKey
tokens.
The 3SKey Developer Toolkit Terms and Conditions govern the provision and use of the 3SKey
Developer Toolkit.

Always consult swift.com


The latest available version of the 3SKey Terms and Conditions, the 3SKey Token Terms and
Conditions and the 3SKey Developer Toolkit Terms and Conditions is available at www.swift.com
> About-Us > Legal > SWIFT-Contracts > Directories / SWIFTRef Services.

Other contractual arrangements between 3SKey subscribers and 3SKey users


It is for the 3SKey subscribers and their 3SKey users directly to consider any other contractual
arrangements that are necessary or desirable amongst themselves in connection with their use
of the 3SKey service. The use of the 3SKey token is governed by the agreement between the
user and the subscriber.
For example, such contractual arrangements may define the process that the 3SKey user is
required to follow when registering their 3SKey tokens with the 3SKey subscriber, the obligation
for the 3SKey user to request the subscriber to de-associate a certificate when it becomes
obsolete, the rules that the 3SKey subscriber applies for checking the certificate revocation and
in particular the frequency of such checks and any dispute handling process, including the claim
period considering the retention period of the 3SKey CRL logs by SWIFT.

SWIFT assistance
In case of a dispute between a 3SKey user and a 3SKey subscriber, SWIFT will act as a neutral
trusted party by providing the relevant evidence it has available.


7 Glossary of Terms
Term: Definition

3SKey: Stands for SWIFT Secure Signature Key.

3SKey portal: A web application server for 3SKey token and certificate management
operations: activation, renewal, reset, recovery, user list administration, security code
change, password change, and revocation.

3SKey subscriber: Organisation participating in the 3SKey service, SWIFT customer, with the
intent of offering a secure application to its customers. Typically, a bank.

3SKey user: Organisation, or an individual user in such organisation, that is a customer of a
3SKey subscriber, with the intent of using the secure application provided by the 3SKey
subscriber. Typically, a corporate.

Active token: A 3SKey token that holds a valid business certificate.

Administrator: A designated person in the 3SKey user's organisation, responsible for
assigning tokens to a user list, distributing tokens to the users, revoking certificates and
setting them up for reset or recovery and reminding users to renew their certificate. The
administrators can also view the status of the certificates for all tokens in their user list.
The administrators can also perform all 3SKey user functions with their own tokens.

Business certificate: A certificate valid for signing a business transaction. Such a 3SKey
certificate is identified with Policy ID 1.3.21.6.3.20.200.1.

Security code: Personal authentication string that is generated by the portal at activation
time, or later at the request of the user, and that the 3SKey user can use to revoke its
certificate and must provide to reset or recover its certificate.


Legal Notices
Copyright
SWIFT © 2016. All rights reserved.

Disclaimer
The information in this publication may change from time to time. You must always refer to the
latest available version.

Translations
The English version of SWIFT documentation is the only official and binding version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT:
the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo,
MyStandards, and SWIFT Institute. Other product, service, or company names in this
publication are trade names, trademarks, or registered trademarks of their respective owners.
