HSM Use Cases

payShield Certification Course


Q1 2020
CPL Technical Training
Copyright © and Legal Disclaimer
Technical Training Documentation.
Copyright © 2019 Gemalto, All rights reserved.
The information contained in this document is intended solely for your personal reference. Such information is
subject to change without notice, its accuracy is not guaranteed, and it may not contain all material information
concerning Gemalto (the “Company”).
The Company makes no representation regarding, and assumes no responsibility or liability for, the accuracy or
completeness of, or any errors or omissions in, any information contained herein. In addition, the information
contains projections and forward-looking statements that may reflect the Company’s current views with respect
to future events. These views are based on current assumptions which are subject to various risks and which
may change over time.
Agenda
• Card Payment Ecosystem
• Payment Software Solution Vendors & Integrations
• Payment HSM Market
• HSM Payment Solutions and Use Cases
  - Card Transaction Processing (Acquiring, Switching, Authorization)
  - Card Issuance (Data Preparation, Card Personalization) of EMV and mag-stripe cards
    - Central Card Issuance
    - Instant/Branch Card Issuance
    - PIN Issuance / PIN Mailing
  - OTP with EMV Card (Chip Authentication)
  - 3D Secure Internet Payments using Payment Card
  - Contactless Payment Cards
  - NFC Mobile Payments
  - Remote ATM Key Loading
  - PCI/P2PE Compliance & Fraud Reduction
  - WebPin for End-to-End Encryption of Online Credentials
Card Payment Ecosystem
[Diagram: the actors of the card payment ecosystem and how they connect]
• Card Schemes / Payment Network
• Issuer and Cardholder
• Acquirer and Merchant
• Processors and Payment Service Providers (PSPs)
• Payment Software Vendors
• Chip and Card Manufacturers
• Personalization Bureaus
• Card Printer Manufacturers
• ATM and POS Terminal Vendors
• HSM Vendors
Payment Ecosystem – Objectives
• Card Schemes & Payment Networks
• Processors
• Payment Service Providers / Payment Gateways
• Chip and Card Manufacturers
• Perso Equipment Vendors and Perso Bureaus
• ATM, POS, and mPOS Vendors
Card Schemes / Payment Networks
Role
• Develop card payment products and the related operating rules and regulations for the scheme.
• Develop payment specifications (e.g., EMV, PCI).
• Operate the payment network and process payment transactions: authorization, clearing and settlement.
• Act as network processor and switch for credit and debit transactions.
[Logos: international credit & debit card schemes; regional debit networks]
Note: Regional debit networks (~100 in the US) provide limited functionality (typically network processing).
Processors

Acquirer Processors
Role
• Process transactions on behalf of acquirers by connecting merchant transactions to payment networks by:
  - providing the POS device
  - securely routing the transaction from the POS device through the POS payment gateway to the payment network
  - securely managing transactions from authorization to clearing to settlement
Examples
• Chase Paymentech
• Elavon
• First Data
• Global Payment Systems
• Heartland Payment Systems
• RBS WorldPay (Royal Bank of Scotland)
• SIX
• TSYS

Issuer Processors (TP, transaction processing)
Role
• Facilitate the response to the authorization request from the merchant on behalf of the issuer
Examples
• First Data
• FIS
• Fiserv
• FSV Prepaid
• Galileo Prepaid
• SIX
• TSYS
• Self-processing issuers

Issuer Processors (CI, card issuance)
Role
• Facilitate card issuance activities on behalf of an issuer, such as card enrollment, preparing and sending the card personalization information to the card vendor, and maintaining the cardholder database
Examples
• First Data
• FIS
• Fiserv
• FSV
• SIX
• TSYS
Payment Service Providers / Payment Gateways

Acquirer Gateways
Role
• Facilitate payment transactions between merchants and processors
• Securely route transactions from merchant POS devices or other end-points to acquirer processors
• Provide value-added payment products and services to merchants, ISOs, and other players
Examples
• Authorize.net
• Chase Paymentech
• Cybersource
• Google Checkout
• iPayments
• PayPal
• PayWare Connect
• The Logic Group
• WorldPay
• ...

Issuer Gateways
Role
• Conduit from the card network to the issuer processor: securely route transactions from the card network to the issuing platform (issuer processor or issuer)
• Can be an independent gateway, or offered by the issuer processor
Examples
• eFunds/FIS
• Star Processing Inc.
• U.S. Bancorp
Chip & Card Manufacturers

Chip Manufacturers
Role
• Design, manufacture, and provide the ICs which are integrated on inlays and/or cards
• Normally load the operating system (OS) of the chip
Examples
• Hitachi
• Infineon Technologies
• INSIDE Secure
• NXP Semiconductors
• Samsung
• Sony
• STMicroelectronics

Card Manufacturers
Role
• Produce smart cards from sheets
• Develop OS and card applications
• Test the cards for quality issues
• Package, ship, and distribute the cards to the personalization bureau
Examples
• AustriaCard
• CPI Card Group
• Gemalto
• Giesecke & Devrient
• Morpho Cards
• Oberthur Technologies
Perso Equipment Vendors / Perso Bureaus

Card Printer / Perso HW Vendors
Role
• Manufacture and supply card printers / personalization machines providing:
  - Color and graphics printing
  - Embossing
  - Magnetic-stripe encoding
  - Chip personalization
  - Laser engraving
  - Lamination
• May or may not provide personalization software
Examples
• Atlantic Zeiser / Böwe-CardTec
• CIM
• Datacard
• Matica
• Mühlbauer
• NBS Technologies

Perso Bureau
Role
• Fulfillment of the personalized chip card, with all paper inserts; preparation for mailing to the customer
• Provide personalization services (optionally also data preparation)
• Partner with issuers to:
  - Define the card profile, including risk parameters
  - Receive and manage card records and keys to form a personalization record
  - Generate the personalization script
  - Perform key management activities for EMV, CVV/CVC, and PINs between card manufacturer and personalization bureau and between issuer and personalization bureau
Examples
• ABNote
• AustriaCard
• CPI Card Group
• First Data
• FIS
• Fiserv
• Gemalto
• Giesecke & Devrient (G&D)
• Oberthur Technologies
• TSYS
ATM, POS Terminal, and mPOS Vendors

ATM Manufacturers
Role
• Manufacture and provide ATM terminals and other self-service banking equipment
• For EMV:
  - Upgrade ATMs to support contact and/or contactless EMV chip transactions
  - Hardware and software certified for EMV acceptance
Examples
• Diebold
• NCR
• Triton
• Wincor-Nixdorf

POS Terminal Vendors
Role
• Manufacture and provide standalone POS terminals and integrated EMV card readers
• For EMV:
  - EMV-compliant hardware and operating system platforms
  - Maintain GlobalPlatform standards
Examples
• Ingenico
• MagTek
• Verifone
• ...

mPOS Vendors
Role
• Develop and provide mPOS apps running on mobile devices (smartphones, tablets)
• Develop and provide secure card readers to attach to the mPOS device
• "8.4m readers shipped in 2013..."
Examples
• Creditcall
• Handpoint
• iZettle
• Jusp
• LifePay
• mPowa
• PayLeven
• Square
• SumUp
• ...
Payment HSM Market
[Chart: payment HSM market by use case: payment card transaction processing, card & PIN issuance, other use cases]

Payment Card Transaction Processing
Concepts & Services
• Protection of card transactions across the payments network (Terminal, Acquirer, Switch, Issuer)
• Security primarily based on symmetric cryptography (primarily 2-key Triple DES)
• Security requirements:
  - User (cardholder) authentication, e.g. by PIN
  - Secure PIN processing ("end-to-end" protection requirement: the PIN is never in the clear outside the PIN pad or an HSM)
  - Card authentication
  - Transaction authentication
  - Data confidentiality
  - Cryptographic key management
• All of these involve the use of a certified HSM, mandated by:
  - international card schemes
  - national payment schemes
Card Transaction Processing - Role of HSM (mag stripe)
[Diagram: Terminal (with EPP) -> Acquirer A -> Switch S1 -> Issuer IA; S1 -> Switch S2 -> Issuer IB. The links Terminal-Acquirer, Acquirer-Switch and Switch-Issuer are the key zones 1, 2 and 3.]
Each connected pair of entities shares a common key to form a key zone.
PIN operations
1. PIN Encryption (in the terminal's EPP, under the key shared with the acquirer)
2. PIN Translation (at each intermediate node: decrypt under the inbound zone key and re-encrypt under the outbound zone key, both inside the HSM)
3. PIN Decryption & Verification (at the issuer)
Message Authentication operations
1. MAC Generation
2. MAC Translation (Verification under the inbound zone key, Generation under the outbound one)
3. MAC Verification
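The three PIN operations above, as an added example that is not part of the course material and does not use the payShield command set: an ISO 9564-1 format 0 PIN block is formed in the terminal and encrypted under the terminal/acquirer zone key, translated by a simulated switch HSM onto the switch/issuer zone key, and verified by a simulated issuer HSM. The two zone keys and the PAN/PIN are constructed sample values; the "HSM" functions are ordinary Go functions standing in for HSM commands, which is the whole point of the layout: the clear PIN block is visible only inside those functions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// mustHex decodes a hex string or panics (sample keys only).
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// tdes returns a 2-key Triple DES block cipher (K1||K2 used as K1||K2||K1).
func tdes(key16 []byte) cipher.Block {
	if len(key16) != 16 {
		panic("2-key TDES needs a 16-byte key")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	return c
}

// panField is the format 0 PAN part: 0000 followed by the 12 rightmost PAN
// digits with the Luhn check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short for format 0")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// iso0PinBlock builds the clear format 0 block:
// (0 | PIN length | PIN | F padding) XOR panField.
func iso0PinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4..12 digits")
	}
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, err := hex.DecodeString(pinHex + strings.Repeat("F", 16-len(pinHex)))
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	blk := make([]byte, 8)
	for i := range blk {
		blk[i] = pf[i] ^ pa[i]
	}
	return blk, nil
}

// iso0Pin recovers the PIN from a clear format 0 block; only the simulated
// HSM calls it, a host application never holds the clear block.
func iso0Pin(blk []byte, pan string) (string, error) {
	pa, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf := make([]byte, 8)
	for i := range pf {
		pf[i] = blk[i] ^ pa[i]
	}
	n := int(pf[0] & 0x0F)
	if pf[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a well-formed format 0 block (wrong key?)")
	}
	return strings.ToUpper(hex.EncodeToString(pf))[2 : 2+n], nil
}

// eppEncryptPin runs in the terminal's EPP (key zone 1): only ciphertext leaves the pad.
func eppEncryptPin(zoneKey []byte, pin, pan string) ([]byte, error) {
	blk, err := iso0PinBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	tdes(zoneKey).Encrypt(out, blk)
	return out, nil
}

// hsmPinTranslate is the switch HSM command: decrypt under the inbound zone
// key and re-encrypt under the outbound zone key in one call.
func hsmPinTranslate(inKey, outKey, encBlk []byte) []byte {
	clear := make([]byte, 8)
	tdes(inKey).Decrypt(clear, encBlk)
	out := make([]byte, 8)
	tdes(outKey).Encrypt(out, clear)
	return out
}

// hsmPinVerify is the issuer HSM command: only a verdict goes back to the host.
func hsmPinVerify(zoneKey, encBlk []byte, pan, refPin string) (bool, error) {
	clear := make([]byte, 8)
	tdes(zoneKey).Decrypt(clear, encBlk)
	pin, err := iso0Pin(clear, pan)
	if err != nil {
		return false, err
	}
	return pin == refPin, nil
}

func main() {
	pan := "4000001234567899"                              // constructed sample PAN
	zone1 := mustHex("0123456789ABCDEFFEDCBA9876543210") // terminal <-> acquirer (sample key)
	zone2 := mustHex("89ABCDEF012345670123456789ABCDEF") // acquirer <-> issuer (sample key)
	enc1, _ := eppEncryptPin(zone1, "1234", pan)
	enc2 := hsmPinTranslate(zone1, zone2, enc1)
	ok, _ := hsmPinVerify(zone2, enc2, pan, "1234")
	fmt.Printf("zone 1 block %X -> zone 2 block %X, PIN verified: %v\n", enc1, enc2, ok)
}
```

A real deployment would never hand the zone keys to application code as it does here; on a payShield they live encrypted under the LMK and the translate command takes the encrypted keys as parameters. What the layout shows is the separation that matters: the host only ever moves ciphertext between HSM commands.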
Card Issuance
Card Management, Data Preparation, Card Personalization

Applications
• Production & personalization of smart cards & secure documents
• Card types & environments:
  - Payment Cards (EMV & mag-stripe credit/debit cards), Fuel/Fleet Cards
  - eID/e-Passport Documents
  - eHealth Cards
  - Telco/SIM Cards
  - Loyalty/Gift Cards
  - Corporate ID Cards
  - Online Banking & Authentication Cards & Tokens
• Personalization data includes private user information (PAN, PIN), keys, and certificates

HSM Usage
• Data Preparation: server-side key, PIN and certificate generation for injection into the smart card
• Personalization: encrypted communication (Secure Messaging) with the smart card for chip encoding
• High-speed / high-throughput key generation and derivation – may do thousands of cards per hour
• High availability – cannot tolerate stoppage of automated card processing equipment
• Adherence to relevant standards: EMV, ANSI, ZKA, APCA, GlobalPlatform, ICAO, ...
• Certifications: FIPS 140-2 Level 3, PCI-HSM
Card Issuance – Central Back Office
[Diagram: the issuer (bank or government) runs the Card Application Management System and the Data Preparation System (HSM) and exports encrypted personalization file(s) under a KEK to the Personalizer / Personalization Bureau, whose Personalization System (HSM, KEK) encodes the cards. The Chip Manufacturer (HSM, KMC) loads the OS; the Card Manufacturer's Card Production System (HSM, KMC) delivers OS + Application cards. KEK: key-encryption key shared between issuer and personalizer; KMC: card master key held in the chip/card manufacturer HSMs.]
Instant Issuance at Branch
[Diagram: branch card printer / personalization unit with attached HSM]
PIN Mailing / Key Mailing
HSM Features
• HSM directly attached to the printer
• PINs never exposed in clear form (outside of the protected HSM environment)
• HSM generates and prints PINs to PIN mailers
• Support for PIN mailer layouts in PostScript format (up to 10)
• PIN printing in words
• USB & serial printing
• Separate PIN mailer user roles
• Extensive auditing
OTP with EMV Card
Chip Authentication Program (EMV-CAP)
• Payment card as a general-purpose secure authentication device
• Card + offline reader
• Products: MasterCard CAP & Visa DPA
• Two-factor authentication (2FA)
  - Payment card (credit or debit) & PIN
• Authentication process
  - Payment card inserted into a stand-alone reader
  - Cardholder authenticates to the chip with the PIN entered on the reader (not interceptable)
  - Card produces a One-time Password (OTP), not susceptible to "phishing" attacks
  - Any chip card loaded with the standard MasterCard M/Chip or Visa VSDC payment application, or a stand-alone CAP/DPA card
• Advanced feature: transaction signing
3D-Secure Internet Payments
3D-Secure
Credit card transactions over the Internet
• A Visa initiative, but licensed to others:
  - Verified by Visa
  - MasterCard SecureCode
  - JCB J/Secure
• For merchants and financial institutions; specifies authentication and processing procedures
• Requires some form of cardholder authentication; at this stage, generally keying of a password/PIN
3D-Secure - Online Card Payment Technology
Purpose
• Increase e-commerce transactions
• Promote consumer confidence
• Increase member and merchant profitability
Features
• Provides a global framework for authentication of remote payments
• Reduces operational expense by minimizing chargebacks for unauthorized use
• Can be implemented without special cardholder software or hardware
• Extensible as to authentication methods (e.g., payment smartcards, certificates)
• Enhanceable by the issuer without impacting acquirer or merchant
• Extensible into emerging channels like mobile phones, PDAs, digital TV
• Based on globally accepted technical standards
• Provides a centralized archive of payment authentications for use in dispute resolution
3D-Secure Components
• MPI – Merchant Server Plug-In: processes the payment messages on the merchant side
• ACS – Access Control Server: the issuing-side application that authenticates the cardholder; requires a FIPS 140-2 Level 3 HSM
• CAVV – Cardholder Authentication Verification Value: authentication code for the card, generated by the ACS's HSM; authenticates cardholder, merchant, and transaction
Contactless Payments
Contactless Cards
• Simpler way to pay, higher convenience, speed
• "Tap & Go" experience (public transport, parking garages, toll roads, fuel dispensers)
• Minimum impact on existing payment infrastructure
• 2 offerings:
  - Contactless / (EMV) Chip
    - Usually a dual-interface card (contact and contactless)
    - Uses standard EMV authentication technologies (SDA/CDA)
    - Low-value payments, approved offline by both card and terminal (for fast transactions)
  - Contactless / Mag-Stripe
    - Meaning: for magnetic-stripe payment infrastructures
    - Potentially other form factors (key fob, watch)
    - Online payments
    - New authentication mechanism: Dynamic CVV (CVC3 / dCVV)
Mobile Payments
NFC Mobile Payments
• "Payment card" on the mobile phone
• NFC used for communication (up to 10 cm distance)
• Payment app resides in the SE (Secure Element) on the mobile
  - UICC, MicroSD, integrated chip
• Equivalent to a contactless/mag-stripe card
• No modification to the existing (contactless) acceptance infrastructure
• No mobile network activity during the transaction (payment app on mobile <-> reader/terminal)
• New: OTA (over-the-air) personalization/provisioning
  - Issuer installation (full OTA personalization)
  - Service provider installation (pre-installation)
  - MasterCard and Visa offer such services
ATM Remote Key Loading
ATM Remote Key Loading (RKL)
• RKL means the secure on-line transport to the ATM of its initial DES/3DES key (A-key, TMK) using public key techniques, along with the associated key and certificate management.
• RKL eliminates the arduous nature of manual key loading and the associated compliance tracking.
• The result is dramatically reduced cost and increased security.
• PCI-DSS compliant (change keys once per year)
• 2 methods:
  - Certificate-based (Diebold)
  - Signature-based (NCR, Wincor-Nixdorf)
• payShield supports RKL (Remote ATM Initialization) functionality for Diebold, NCR, and Wincor-Nixdorf ATMs.
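The signature-based transport described above, as an added example that is not part of the course and is not the NCR, Wincor-Nixdorf or Diebold protocol: the host side draws a fresh 2-key TDES TMK, wraps it with RSA-OAEP under the ATM's public key, binds it to the ATM's identity and signs it with the host key; the ATM side checks the signature before it performs any private-key operation, then unwraps the key and both sides compare a key check value. The package layout, the use of OAEP and PSS, the "TMK" label and the serial-number binding are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TMKPackage is what the host sends to the ATM (field layout is illustrative):
// the TMK wrapped under the ATM's RSA public key, the ATM identity it is bound
// to, and the host signature over both.
type TMKPackage struct {
	ATMSerial  string
	WrappedTMK []byte
	Signature  []byte
}

func signedPayload(serial string, wrapped []byte) []byte {
	return append([]byte(serial+"|"), wrapped...)
}

// hostIssueTMK runs at the host HSM. It returns the clear TMK as well so the
// example can compare both ends; a real HSM would keep it inside and release
// it only encrypted under the LMK.
func hostIssueTMK(hostPriv *rsa.PrivateKey, atmPub *rsa.PublicKey, serial string) (*TMKPackage, []byte, error) {
	tmk := make([]byte, 16)
	if _, err := rand.Read(tmk); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, atmPub, tmk, []byte("TMK"))
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(signedPayload(serial, wrapped))
	sig, err := rsa.SignPSS(rand.Reader, hostPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	return &TMKPackage{ATMSerial: serial, WrappedTMK: wrapped, Signature: sig}, tmk, nil
}

// atmAcceptTMK runs in the ATM's EPP: reject a package addressed to another
// ATM or not signed by the host before touching the EPP private key.
func atmAcceptTMK(pkg *TMKPackage, hostPub *rsa.PublicKey, atmPriv *rsa.PrivateKey, mySerial string) ([]byte, error) {
	if pkg.ATMSerial != mySerial {
		return nil, errors.New("package is addressed to a different ATM")
	}
	digest := sha256.Sum256(signedPayload(pkg.ATMSerial, pkg.WrappedTMK))
	if err := rsa.VerifyPSS(hostPub, crypto.SHA256, digest[:], pkg.Signature, nil); err != nil {
		return nil, errors.New("host signature invalid: " + err.Error())
	}
	tmk, err := rsa.DecryptOAEP(sha256.New(), nil, atmPriv, pkg.WrappedTMK, []byte("TMK"))
	if err != nil {
		return nil, err
	}
	if len(tmk) != 16 {
		return nil, errors.New("unexpected TMK length")
	}
	return tmk, nil
}

// kcv is the usual key check value: first 3 bytes of TDES-encrypting a zero
// block, so both ends can confirm they hold the same key without revealing it.
func kcv(tmk []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, tmk...), tmk[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return out[:3]
}

func main() {
	hostKey, _ := rsa.GenerateKey(rand.Reader, 2048) // host signing key (fresh, sample)
	atmKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // EPP key pair (fresh, sample)
	pkg, hostTMK, err := hostIssueTMK(hostKey, &atmKey.PublicKey, "ATM-0001")
	if err != nil {
		panic(err)
	}
	atmTMK, err := atmAcceptTMK(pkg, &hostKey.PublicKey, atmKey, "ATM-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("KCV host=%X atm=%X same key=%v\n", kcv(hostTMK), kcv(atmTMK), bytes.Equal(hostTMK, atmTMK))
	pkg.WrappedTMK[0] ^= 0x01 // a tampered or replayed-and-modified package
	_, err = atmAcceptTMK(pkg, &hostKey.PublicKey, atmKey, "ATM-0001")
	fmt.Println("tampered package rejected:", err != nil)
}
```

The order of checks in atmAcceptTMK is the security-relevant part: identity and signature are verified on public data first, so an attacker who can reach the ATM's network port gets no oracle on the EPP's private key. Where the ATM's public key comes from (a manufacturer certificate, or a pre-shared key plus a signed identity) is what distinguishes the certificate-based and signature-based methods the course lists.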
PCI-P2PE Compliance & Fraud Reduction
PCI Security & Compliance
• Key requirement:
  - Protect account data when stored, processed and transmitted
• Technologies:
  - Network segmentation
  - Tokenization (reduces PCI scope; note that Sensitive Authentication Data (SAD) must not be stored after authorization)
  - Encryption
  - Point-to-point encryption (P2PE)
What is PCI P2PE?
• "A point-to-point encryption (P2PE) solution is provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider's secure decryption environment."
• Encrypts sensitive cardholder data at the earliest opportunity – directly within the PED/terminal
[Diagram: cardholder data is encrypted directly at the terminal (e.g. "X%)?#ä9oafjmx0") and travels encrypted to the PSP / P2PE solution provider; it is decrypted only within the provider's secure decryption environment. A FIPS 140-2 L3 or PCI-HSM certified HSM is required by the P2PE decryption provider.]
https://www.pcisecuritystandards.org/documents/P2PE_v1_1_FAQs_Aug2012.pdf
Technologies for P2PE
• DUKPT
  - Derived Unique Key Per Transaction (DUKPT): a key management scheme used extensively in the payments world, especially for POS transactions
  - ANSI standard defined under X9.24
  - DUKPT is a key management standard, not an encryption standard
  - Provides a way of generating unique, per-transaction PIN encryption, MAC, and data encryption keys (for P2PE) without the need to store large volumes of keys
  - DUKPT functions are provided by payment HSMs
• Format Preserving Encryption (FPE)
  - Enables encryption of well-defined data (e.g., PIN or PAN)
  - Preserves the data format of the original clear text
  - Allows encrypted data to be used without application modification
  - Several algorithms available
  - Several PED vendors offer format-preserving encryption algorithms
  - As with DUKPT, FPE functions should be provided by the HSM
DUKPT
Derived Unique Key Per Transaction
• A key management scheme in which a unique key is used for every transaction, derived from a fixed key
• Benefits:
  - If a derived key is compromised, past and future transaction data remain protected, since the derivation is one-way: neither earlier nor later keys can be computed from it
  - The acquirer only needs to manage one base key (BDK), not one per device, while still working with unique device keys
• DUKPT is specified in ANSI X9.24 part 1
• Typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices
• 3 use cases:
  - PIN encryption
  - Transaction authentication (MAC)
  - Data encryption (e.g. PAN) – PCI-DSS relevance, P2PE
DUKPT
Derived Unique Key Per Transaction

payShield supports:
• Console and host commands to load/generate the BDK
• IK (initial key) derivation
• IK printing to a key mailer
• Intrinsic support for DUKPT in PIN operations, MAC operations and data encryption/decryption via key specifier 20

Functionality      Function Name         Function Code
Key Generation     BDKGEN                EE0408
Key Printing       KEY Mailer - DUKPT    EE040B
Key Derivation     DUKPT IK-Derive       EE040A
                   DUKPT IK-Derive-2     EE040C
PIN Operations     PIN-TRAN-2            EE0602  (... many more ...)
MAC Operations     MAC_GEN_FINAL         EE0701  (... many more ...)
Data Encryption    ENCIPHER_2            EE0800  (... many more ...)
Internet Banking E2E Application
[Diagram: browser -> Internet -> Web Server -> Application Server/Host (with HSM)]
• Typical internet security from the browser to the web server is SSL, terminated at the web server
• End-to-end encryption, browser to host, extends the protection of the PIN/password past the web server: it is decrypted only in the HSM at the host
• RSA encryption at the client with a Java applet – HSM decryption and verification at the host
• Supports numeric (card) PINs and (alphanumeric) passwords (4-30 characters)
• PIN/password change option
• Online PINs can be converted to card PINs for processing by the Card Payment (Authorization) System

OBM Components
• OBM Java applet and/or JavaScript module
  - Java/JS code to encrypt the password/PIN at the browser
  - Support for all common web browsers: IE, Firefox, Chrome, Safari, Opera
• Applet preparation utility
  - A utility which can extract the public key from the HSM and inject it into the applet
• Samples
  - HTML code to make use of the applet
Thank you.

www.thalesgroup.com CPL Technical Training
