Key management schemes in POS : EMV Transaction Flow (Part-4)
Intro:
In the previous part we have learned how to use the APDU commands to communicate with card in POS environment. In this blog we are trying to find the types key management used in EMV transaction.
So, what do we mean by key management. Let’s see everything from high level first. In a POS device there must be some program sitting inside, which communicates with card. In previous part we have seen that APDU commands are used to communicate from POS to card.
Now, This card data will be sent to the payment processor to perform the transaction but this card data must not be sent in plain text right? so, for this, the program on POS device uses below key management standard.
1. MK/SK (Master Key/Session Key):
- MK/SK is a symmetric key encryption scheme used to secure communication between the POS device and the payment processing system.
- The master key (MK) is a secret key known only to the payment processor and the POS device manufacturer. It is used to encrypt and decrypt the session key (SK).
- The session key (SK) is a temporary key generated for each transaction and is used to encrypt the sensitive data transmitted during that transaction.
2. DUKPT (Derived Unique Key Per Transaction):
- DUKPT is another encryption method commonly used in POS communications.
- DUKPT generates a unique encryption key for each transaction based on a combination of the device’s unique key and a transaction-specific value.
- This approach enhances security by ensuring that each transaction uses a different encryption key, making it more difficult for an attacker to compromise multiple transactions even if they manage to obtain one key.
We will learn about these in the coming parts of this series.
In addition to MK/SK and DUKPT, there are other encryption methods and security protocols used in POS systems to ensure data confidentiality and integrity. Some examples include:
3. Triple Data Encryption Standard (3DES):
- 3DES is a symmetric key encryption scheme commonly employed in the POS landscape.
- It applies the Data Encryption Standard (DES) algorithm three times to each data block, using multiple keys for each iteration.
- 3DES provides a higher level of security than its predecessor, DES, making it suitable for protecting sensitive data during transactions.
4. Advanced Encryption Standard (AES):
- AES is a widely recognized symmetric encryption algorithm used in various industries, including POS systems.
- It offers robust security and supports key sizes of 128, 192, or 256 bits, making it highly resistant to attacks.
- AES provides a flexible and efficient encryption solution, ensuring the confidentiality and integrity of transactional data.
5. Key Block Encryption:
- Key Block Encryption is a scheme that wraps encryption keys with an additional layer of encryption known as a key block.
- This technique ensures the secure transmission and storage of keys by adding an extra level of protection.
- The key block contains the encrypted key and additional metadata required for decryption.
6. Tokenization:
- Tokenization is an alternative approach where sensitive data, such as credit card numbers, is replaced with randomly generated tokens.
- The actual sensitive data is securely stored and managed in a separate environment while the tokens are used for transactional purposes.
- Tokenization minimizes the risk associated with storing sensitive data, simplifies compliance requirements, and enhances data security.
Conclusion:
Implementing robust key management schemes is crucial for maintaining the security of sensitive data in the POS environment. By employing key management schemes such as MK/SK, DUKPT, 3DES, AES, key block encryption, or tokenization, organizations can effectively protect transactional information, safeguard customer data, and meet compliance standards. Understanding and implementing the appropriate key management scheme ensures the confidentiality, integrity, and availability of data, fostering trust between businesses and their customers in the realm of payment processing.