Derived Unique Key Per Transaction (DUKPT)

DUKPT support allows merchants to send transactions to BASE24 using a unique PIN encryption key for each transaction.

Each terminal security module (TSM) or PIN pad derives the current transaction key from an initial key loaded into the TSM on initialization.

The receiving BASE24-pos security module will then determine the current transaction key using a key held on BASE24 and non-secret information contained in the transaction message.

Upon receipt of a terminal request message, the Standard POS Device Handler (SPDH) will access the PTD.

The PTD PIN-ENCRYPT-TYP field is used to determine whether the terminal is using DUKPT.

The PTD RETAILER-ID, KEYD-GROUP and TERM-ID will be used to access the KEYD.

The Derivation Key File (KEYD) will store the Derivation Keys used to decrypt the unique key.

(Note: change these field names to reflect the actual names on the PTD screen.)

[Screen: BASE24-POS POS TERMINAL DATA, PRO1 BNK1, 02/05/17 09:47, 07 OF 19. Fields visible include MAC TYPE: 00, MAC MASTER KEY: 0000000000000000, CHECK DIGITS: 0000, RECORD LAST CHANGED ... BY USER: 0255, NEW PAGE, FILE DESTINATION, NEW LOGICAL NETWORK ID, F12-HELP.]

The PIN ENCRYPTION TYPE field is used to determine whether this terminal supports DUKPT (07).

[Screen: BASE24-POS POS TERMINAL DATA, PRO1, 02/05/17 09:45, 01 OF 19.]

Keys to access the correct KEYD record.

[Screen: BASE24-BASE DERIVATION KEY FILE, PRO1, 01 OF 01.]

Based on an LCONF param, this file can be read into memory at initialization and accessed from memory for each transaction, or it can be accessed on disk via an I/O for each transaction.
Once the KEYD record is located, SPDH will send the required information to the HSM via SECUTILS to translate the PIN to encryption under the PIN Master Key (intermediate key).

The new PIN block and the intermediate key will be loaded in the PSTM and forwarded to Router/Auth for processing.
The DUKPT data, which includes the Key Serial Number (KSN) and the KSN descriptor, is sent in to BASE24 from the terminal.

The KSN descriptor data is required for Racal Security Modules only.

Default KSN descriptor data placed in the LCONF file is used if the terminal does not send this data into BASE24.

The DUKPT PIN block is translated to a 16-byte single length master (ANSI) PIN block and passed through to the appropriate authorizer.
The SPDH message definition will be modified to include a FID 6 sub-FID T, which will be used to transmit the Key Serial Number (KSN) and KSN descriptor from the terminal to BASE24.

The PIN block may be translated again if the transaction needs to be authorized externally.

The 32-byte derivation keys must be encrypted under the MFK prior to storing them in the KEYD. This is done manually.

Transaction Flow (components: POS terminal, PTD, KEYD, Sec Utils, DH, Router/Auth)

1. The POS terminal sends a tran to BASE24 containing a PIN block encrypted using DUKPT (and KSN data for Racal).
2. SPDH retrieves DUKPT data from the PTD and KEYD. It also retrieves transaction processing data from the ACNF.
3. The DH uses SECUTILS to translate the DUKPT PIN block to the single length Master/Session key management type. The translate procedures use the intermediate PIN block encryption key from the PTD M-KEY field.
4. SECUTILS will format and send the appropriate command to the HSM.
5. The translated PIN block is returned to the SECUTILS procedures.
6. The translated PIN block is returned to DH.
7. SPDH uses the request message and data from the PTD and KEYD to build the PSTM and the DUKPT token, and passes this on to the Router/Auth module for standard processing.

What POS data comes from the ACNF for an SPDH transaction?
If DUKPT is supported, the SPDH will retrieve the appropriate record from the KEYD to obtain the derivation key for the terminal.

The search criteria used follows:

    Retailer ID            KEYD Group   Terminal ID
 1. Exact                  Exact        Exact
 2. Exact                  Exact        ****************
 3. Exact                  ****         ****************
 4. *******************    ****         ****************

Matching on asterisks in the Terminal ID field will allow a retailer to have one derivation key in all of their terminals for a KEYD group. Matching on asterisks in KEYD Group AND Terminal ID will allow a retailer to have one derivation key for all terminals.
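The four-level search order above, as an added example (not BASE24 or ACI code) run over a constructed in-memory KEYD. Field widths follow the table's asterisk runs (Retailer ID 19, KEYD Group 4, Terminal ID 16); the record layout and the function names are assumptions for this example.

```python
# Added example, not BASE24 code: the KEYD search order from the table above.
# Widths follow the table's wildcard runs; record key layout is an assumption.
from typing import Dict, Optional, Tuple

RETAILER_W, GROUP_W, TERM_W = 19, 4, 16
KeydKey = Tuple[str, str, str]          # (retailer id, keyd group, terminal id)


def wild(width: int) -> str:
    """An all-asterisks field of the given width (the table's wildcard)."""
    return "*" * width


def keyd_record_key(retailer: str, group: str, term: str) -> KeydKey:
    """Normalise the three key fields to their fixed screen widths."""
    return (retailer.ljust(RETAILER_W), group.ljust(GROUP_W), term.ljust(TERM_W))


def keyd_lookup(keyd: Dict[KeydKey, str], retailer: str, group: str,
                term: str) -> Optional[Tuple[int, str]]:
    """Return (search level 1-4, derivation-key label) for the first match.

    Level 1: exact / exact / exact   Level 2: exact / exact / ****
    Level 3: exact / **** / ****     Level 4: **** / **** / ****
    None when no level matches: the terminal has no provisioned derivation key.
    """
    r, g, t = keyd_record_key(retailer, group, term)
    search_order = [
        (1, (r, g, t)),
        (2, (r, g, wild(TERM_W))),
        (3, (r, wild(GROUP_W), wild(TERM_W))),
        (4, (wild(RETAILER_W), wild(GROUP_W), wild(TERM_W))),
    ]
    for level, key in search_order:
        if key in keyd:
            return level, keyd[key]
    return None


# Constructed sample KEYD. Values are labels only: a real record holds the
# derivation key encrypted under the MFK, never a clear key.
SAMPLE_KEYD: Dict[KeydKey, str] = {
    keyd_record_key("RET0001", "0001", "TERM000000000001"): "BDK-terminal-1",
    keyd_record_key("RET0001", "0001", wild(TERM_W)): "BDK-group-0001",
    keyd_record_key("RET0001", wild(GROUP_W), wild(TERM_W)): "BDK-retailer",
}
```

Note that SAMPLE_KEYD has no level-4 record, so a terminal from an unknown retailer gets None rather than some other retailer's key.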
The SPDH will pass all required data to SECUTILS, which includes:
- 32 byte derivation key retrieved from the KEYD
- PTD Master Key (PTD M-KEY)
- PIN block
- PAN digits
- KSN and KSN descriptor from message or LCONF value

SECUTILS will determine whether Racal or Atalla is supported and pass the required data to the HSM.

If the PIN translate is successful, SPDH will fill the corresponding PSTM PIN related fields as follows:
- PSTM.PIN-SIZE: '16'
- PSTM.PIN: Encrypted ANSI PIN block output from the HSM translation
- PSTM.PIN-KEY: PTD M-KEY
- PSTM.PIN-FRMT: '1' (Encrypted ANSI PIN/PAN PIN block)
- PSTM.ANSI-OFST: The starting position in the PAN of the 12 rightmost digits, excluding the check digit, used to create the PIN/PAN PIN block
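As an added example (not BASE24 or ACI code), the clear ANSI PIN/PAN PIN block behind the PSTM.PIN-FRMT '1' entry above, together with the PSTM.ANSI-OFST value as the text defines it. Encryption under PTD M-KEY is the HSM's job and is not shown; the PAN and PIN are constructed sample values, and the 0-based offset is an assumption (the page does not state the base).

```python
# Added example, not BASE24 code: clear ANSI format-0 PIN block and the
# PSTM.ANSI-OFST position described above. Sample PAN/PIN are constructed.


def ansi_offset(pan: str) -> int:
    """0-based index in the PAN where the 12 PIN-block digits start (0 for short PANs)."""
    return max(len(pan) - 13, 0)


def pan_field(pan: str) -> str:
    """'0000' + the 12 rightmost PAN digits excluding the check digit, zero-padded."""
    if not pan.isdigit() or len(pan) < 2:
        raise ValueError("PAN must be numeric")
    twelve = pan[:-1][-12:].rjust(12, "0")   # drop check digit, keep 12 rightmost
    return "0000" + twelve


def pin_field(pin: str) -> str:
    """'0' + PIN length (hex) + PIN digits, padded with 'F' to 16 hex digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def ansi_pin_block(pin: str, pan: str) -> str:
    """Clear format-0 block: PIN field XOR PAN field, 16 hex digits (PIN-SIZE '16')."""
    return f"{int(pin_field(pin), 16) ^ int(pan_field(pan), 16):016X}"


def pin_from_block(block: str, pan: str) -> str:
    """Reverse the XOR and strip the length nibble and 'F' padding (for checking)."""
    field = f"{int(block, 16) ^ int(pan_field(pan), 16):016X}"
    length = int(field[1], 16)
    return field[2:2 + length]


# Constructed sample transaction: 16-digit PAN (check digit last), 5-digit PIN.
SAMPLE_PAN = "4000001234567899"
SAMPLE_PIN = "92389"
```

The PAN slice starting at ansi_offset(pan) and running 12 digits is exactly the digit run pan_field() uses, which is what a receiver needs to rebuild the same PAN field.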
TSS will not support DUKPT at this time; it will in the future.

The PTD, KEYD and ACNF will be configured using standard BASE24 Pathway.

Verifying the PIN or translating the PIN before sending the transaction to an external authorizer will require another call to the HSM.

The SPDH is the only device handler enhanced to support DUKPT.
The intermediate key (PTD M-KEY) can be generated programmatically if the request contains a PIN and the PTD PIN-ENCRYPT-TYP = 07 (DUKPT), or the KSN is present in the terminal message and the LCONF parameter POS-DH-DUKPT-UPDATE-METHOD = 'Y'.

Did I read the spec correctly?

(d) If the request contains a PIN and the PTD PIN-ENCRYPT-TYP = '07', or the message contains a KSN and the LCONF param POS-DH-DUKPT-UPDATE-METHOD is set to 'Y', the device handler uses the SECUTILS procedures to translate the DUKPT PIN block to the single length Master/Session key management type. The translate procedures use the intermediate PIN block encryption key from the PTD M-KEY field (this may be generated if the PIN-ENCRYPT-TYP is being programmatically changed to DUKPT).

LCONF Assigns and Params

Assign Name: *.KEYD
Location: \B24.$DATA.PRO1DATA.KEYD
Comments: The fully qualified file name of the Derivation Key File (KEYD). The BASE24-pos Device Handler/Router/Authorization Process uses this assign for the BASE24-pos Standard POS Device Handler module when ACI standard POS terminals use derived unique key per transaction (DUKPT) security for PINs.
Param Name: *.POS-DH-DUKPT-UPDATE-METHOD
Text:
Comments: A code indicating whether the Standard POS Device Handler (SPDH) module can automatically update the PIN ENCRYPTION TYPE field on BASE24-pos Terminal Data files (PTD) screen 7 to a value of 07 (DUKPT) when the Key Serial Number and Descriptor field (SubFID T of FID 6) is received in a message for the first time and a Derivation Key File (KEYD) record exists for the SPDH terminal. Valid values are as follows:
Y = Yes, automatically update the PIN encryption method in the BASE24-pos Terminal Data files.
N = No, do not automatically update the PIN encryption method in the BASE24-pos Terminal Data files.
Param Default: N

Param Name: *.POS-DH-KEYD-READ-FROM-DISK
Text:
Comments: A code indicating whether the Standard POS Device Handler (SPDH) module reads the Derivation Key File (KEYD) from disk or from memory. Valid values are as follows:
Y = Yes, read the KEYD from disk.
N = No, do not read the KEYD from disk. The file is read from extended memory. The KEYD is loaded into extended memory during initialization.
Param Default: N