While the web-based PKI system—governed by browsers and certificate authorities—has served the public internet well, its limitations are becoming evident in tightly regulated, high-assurance environments like banking. Enter ASC X9, a new framework that aims to modernize and unify trust models across financial institutions.
I sat down with Amit Sinha, CEO of DigiCert, to understand what ASC X9 changes, how it’s being implemented, and why this evolution could eventually influence how other sectors—from healthcare to IoT—approach digital trust.
LW: Why does the financial sector need a new PKI standard?
Sinha: The browser-based PKI works well for general internet traffic, but it wasn’t designed for the unique environments inside financial systems—think ATMs, POS terminals, cloud workloads, and now AI agents. ASC X9 identifies 30 such use cases where web PKI breaks down. This new standard solves for interoperability, security, and governance, all in a sector-specific context.
LW: What’s the fundamental problem ASC X9 addresses?
LW: Does ASC X9 throw out legacy infrastructure?
Sinha: Not at all. It’s designed to integrate with what’s already there. You can cross-sign existing CAs, build bridge models, and incrementally adopt X9 roots without disrupting operations. You retain past investment, while gaining stronger auditing, compliance, and security.
LW: How does this align with DigiCert’s broader vision?
Sinha: Our focus is on PKI-based identity lifecycle management. We help organizations manage outages, reduce operational costs from expired certs, and prepare for post-quantum threats. X9 fits into that by offering a high-assurance trust model that’s scalable and future-ready.
LW: What about quantum risks? Is this part of the motivation?
Sinha: Absolutely. Post-quantum cryptography is coming. We don’t know when Q-day will hit, but it’s a once-in-30-year upgrade cycle. With ASC X9, financial institutions have a clean framework to transition toward quantum-safe algorithms without getting stuck in fragmented legacy systems.
LW: Could other sectors adopt similar private PKI standards?
Sinha: It’s very likely. Healthcare, critical infrastructure, and IoT all have unique needs. As these sectors modernize, we expect to see more tailored PKI consortiums. But the core theme will remain: better interoperability, stronger governance, and crypto agility at scale.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
The post Benchmarks Q&A: What the finance sector’s new X9 PKI standard signals for other industries first appeared on The Last Watchdog.