Remote Key Loading

Remote Key Loading for eft/pos and ATM terminals is a mechanism for securely transferring a Terminal Master Key (TMK) from a centralized cryptographic device to the eft/pos cryptographic device (the PIN pad).

ANSI Standard X9.24 (Retail Key Management), the VISA and MasterCard PIN security mandates, and PCI require each PIN encryption device to contain a unique key.

Concept

Over the past years, VISA and MasterCard security regulations have indicated that the Terminal Master Keys in any ATM and/or eft/pos fleet have to be:

 (a) unique and

 (b) changed frequently


Although the required frequency of TMK updates is not clearly defined, changing TMKs once per year would be considered an appropriate TMK update frequency.


On relatively small terminal fleets consisting of 100 ... 500 and up to 1,000 terminals (ATMs or eft/pos), updating the TMK manually could be feasible within a one-year period. In reality, very few eft/pos fleets consist of fewer than 1,000 terminals. Most eft/pos fleets (owned by a single legal entity or authorizing transactions to the same acquirer) consist of thousands, tens of thousands or even hundreds of thousands of terminals.


When organizations have to manage thousands of eft/pos terminals (as well as thousands of ATMs), it is not possible to update their TMKs "frequently" within a reasonable business time using the traditional methods while remaining PCI compliant. Moreover, the cost of the traditional methods prohibits updating TMKs at a frequency that would satisfy VISA and MasterCard security regulations.


An automated, secure and PCI compliant TMK update technology should be introduced.


This technology is implemented in CubeIQ's CIQ/RKL™ system.


Solution


CubeIQ, in association with Trusted Security Solutions, uses PKI technology to encrypt and transfer the new TMK to eft/pos and ATM terminals.


TMKs are random numbers generated inside a crypto device (HSM), encrypted with a public key, inserted into a financial message and then transferred to eft/pos terminals.


Eft/pos and ATM terminals parse the message, extract the encrypted TMK value and decrypt the TMK using their own private key.


The TMK is then stored inside the eft/pos or ATM terminal's crypto device (secure chip).
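
The flow described above, as an added example in Go that is not CubeIQ's or the CIQ/RKL code: the host wraps a random TMK under the terminal's RSA public key, and the terminal unwraps it with its private key. It goes beyond the page by having the host sign the message so the terminal can reject keys from an unknown source; RSA-OAEP/PSS, the terminal-ID label, the 16-byte TMK and all names (KeyMsg, NewKey, HostWrap, TerminalUnwrap, TERM0001) are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyMsg is a hypothetical layout for the key data carried in the financial message.
type KeyMsg struct {
	WrappedTMK []byte // TMK encrypted under the terminal's public key (RSA-OAEP)
	Sig        []byte // assumption: host RSA-PSS signature over terminal ID || WrappedTMK
}

// NewKey stands in for key generation inside the HSM or the terminal's secure chip.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// HostWrap generates a random TMK and wraps it for one terminal (OAEP label = terminal ID).
func HostWrap(host *rsa.PrivateKey, term *rsa.PublicKey, id string) (KeyMsg, []byte, error) {
	tmk := make([]byte, 16) // assumed 16-byte TMK; the page does not give a size
	if _, err := rand.Read(tmk); err != nil {
		return KeyMsg{}, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, term, tmk, []byte(id))
	if err != nil {
		return KeyMsg{}, nil, err
	}
	d := sha256.Sum256(append([]byte(id), ct...))
	sig, err := rsa.SignPSS(rand.Reader, host, crypto.SHA256, d[:], nil)
	return KeyMsg{WrappedTMK: ct, Sig: sig}, tmk, err
}

// TerminalUnwrap verifies the host signature before using the terminal private key.
func TerminalUnwrap(term *rsa.PrivateKey, host *rsa.PublicKey, id string, m KeyMsg) ([]byte, error) {
	d := sha256.Sum256(append([]byte(id), m.WrappedTMK...))
	if err := rsa.VerifyPSS(host, crypto.SHA256, d[:], m.Sig, nil); err != nil {
		return nil, fmt.Errorf("rejecting key message: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, term, m.WrappedTMK, []byte(id))
}

func main() {
	host, _ := NewKey() // errors ignored only in this demo
	term, _ := NewKey()
	m, tmk, _ := HostWrap(host, &term.PublicKey, "TERM0001") // constructed terminal ID
	got, err := TerminalUnwrap(term, &host.PublicKey, "TERM0001", m)
	fmt.Println("TMK recovered:", err == nil && string(got) == string(tmk))
}
```

In a real deployment the private keys never leave the HSM and the terminal's secure chip, so these functions would run inside those devices rather than in host software.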