Key Management & PIN Security
Euronet Pakistan
Secure Financial Transactions
— Any Time, Any Place
CONFIDENTIAL
The information included in this document is confidential information related to the business of Euronet
Pakistan (PVT) Limited ("Euronet"), a private limited company. It is being presented to you based on the
understanding that it will not be used for any reason other than consideration of a commercial relationship with
Euronet, and in particular, will not be used in connection with any decision to trade in securities of Euronet.
Please be advised that any disclosure of the information contained in this presentation to any other person, or
any use of this information in connection with the trading of Euronet securities, may be a violation of Pakistan
laws. The contents of this document may contain trade secrets. This document may not be distributed; its
contents may not be disclosed, in whole or in part, without the express written consent of Euronet Pakistan.
This document is an unpublished work protected under the laws of Pakistan and other countries. If this
document becomes published the following shall apply: Copyright © 2010-2011 Euronet Pakistan (PVT)
Limited. All rights reserved.
DOCUMENT CONTROL
Objective:
The purpose of this document is to explain the hierarchy of the cryptographic keys used by Euronet to ensure
secure key management and transaction processing.
Applicability:
Policy Administration:
This policy is written in accordance with PCI DSS and VISA PIN Security. It is reviewed at least once a year and
is updated as needed to reflect changes to business objectives or the risk environment.
Table of Contents
1 KEY MATRIX
1.1 LIST OF KEYS
1.2 KEY DETAILS
1.3 CRYPTOGRAPHIC DEVICES USED FOR KEY GENERATION
2 KEY CUSTODIANS
2.1 RESPONSIBILITY
2.2 RISKS IN NOT ADHERING TO THE POLICY
2.3 VISA PIN SECURITY PROGRAM COVERAGE
3 HARDCOPY STORAGE/ACCESS LOG
4 KEY DESTRUCTION LOG
4.1 ATM KEY
4.1.1 ATM key switch destruction log
4.2 TM AND TP KEY
4.2.1 TM key switch destruction log
4.2.2 TP key switch destruction log
5 KEY GENERATION PROCEDURES
5.1 ROLES AND RESPONSIBILITIES
5.2 KEY GENERATION CHECKLIST
5.3 KEY CREATION PROCESS FOR LMK
5.4 KEY CREATION PROCESS FOR ATM
5.5 KEY CREATION PROCESS FOR POS DEVICES
5.6 KEY CREATION PROCESS FOR H2H CHANNELS
5.7 SINGLE PURPOSE KEY
5.8 KEY HANDING / TAKING OVER PROCESS
6 KEY TRANSMISSION PROCEDURE
6.1 LOCAL MASTER KEY (LMK)
6.2 TM KEYS
6.3 TP KEYS
7 KEY DESTRUCTION PROCEDURE
7.1 LOCAL MASTER KEY (LMK)
7.2 TMK DESTRUCTION PROCEDURE
8 KEY LOADING PROCEDURE
8.1 KEYS LOADING ON ITM FOR POS (TMK/TPK)
8.2 KEYS LOADING ON ITM FOR ATM (TMK)
8.3 KEYS LOADING TO HSM (LMK)
8.4 ZONE CONTROL MASTER KEY (ZCMK) LOADING
8.5 WORKING KEYS
9 KEY COMPROMISE PROCEDURE
9.1 APPLICABILITY
9.2 KEY COMPROMISE SCENARIOS
9.3 REPORTING AND INCIDENT DECLARATION PROCEDURES
9.4 ACTION TO BE TAKEN
9.5 ROOT CAUSE ANALYSIS AND LESSONS LEARNED
9.6 PLAN TESTING AND TRAINING
9.7 CRITICAL SYSTEMS RESTORE STRATEGY
10 KEY STORAGE PROCEDURES
10.1 LOCAL MASTER KEY (LMK)
10.1.1 LMK Primary Storage
10.1.2 LMK Backup Card Storage
Key Management and Pin Security
1 Key Matrix
2 Key Custodians
2.1 Responsibility
The following policy will be applied to all Key Management Employees.
13 The mechanisms used to load keys, such as terminals, external PIN pads, key guns, or similar
devices and methods, are protected to prevent any type of monitoring that could result in the
unauthorized disclosure of any component.
14 All hardware and passwords used for key loading are managed under dual control.
15 The loading of keys or key components must incorporate a validation mechanism such that the
authenticity of the keys is ensured and it can be ascertained that they have not been tampered
with, substituted, or compromised.
16 Documented procedures exist and are demonstrably in use (including audit trails) for all key-
loading activities.
18 Unique secret cryptographic keys must be in use for each identifiable link between host computer
systems.
19 Cryptographic keys are only used for their sole intended purpose and are never shared between
production and test systems.
21 Keys used for enciphering PIN Encryption keys, or for PIN Encryption, must never exist outside of
TRSMs, except when encrypted or securely stored and managed using the principles of dual
control and split knowledge.
22 Procedures exist and are demonstrably in use to replace any known or suspected compromised
key and its subsidiary keys (those keys enciphered with the compromised key) to a value not
feasibly related to the original key.
23 Access to cryptographic keys and key material must be limited to a need-to-know basis so that the
fewest number of key custodians are necessary to enable their effective use.
24 Secret and private keys and key components that are no longer used or have been replaced are
securely destroyed.
25 Access to secret and private cryptographic keys and key material must be limited to a need-to-
know basis so that the fewest number of key custodians are necessary to enable their effective
use.
26 Logs are kept for any time that keys, key components, or related materials are removed from
storage or loaded to a TRSM.
28 Documented procedures exist and are demonstrably in use for all key administration operations.
29 PIN processing equipment (PEDs and HSMs) is placed into service only if there is assurance that the
equipment has not been substituted or made subject to unauthorized modifications or tampering
prior to the loading of cryptographic keys.
30 Procedures exist that ensure the destruction of all cryptographic keys and any PINs or other PIN-
related information within any cryptographic devices removed from service.
31 Any TRSM capable of encrypting a key and producing cryptograms of that key is protected against
unauthorized use to encrypt known keys or known key components. This protection takes the
form of either or both of the following:
Dual access controls are required to enable the key encryption function.
Physical protection of the equipment (e.g., locked access to it) under dual control.
32 Documented procedures exist and are demonstrably in use to ensure the security and integrity of
PIN-processing equipment (e.g., PEDs and HSMs) placed into service, initialized, deployed, used,
and decommissioned.
TM key number:
Date of key destruction:
Signatures:
We hereby state that the TM keys for the above-mentioned TM key set number were
destroyed in the presence of each other.
Name of primary custodian:
Signature:
All keys at Euronet Pakistan are TDES (Double Length) keys generated using a random-number-generation
component algorithm.
It is the responsibility of the Key Manager to manage the entire key generation process, follow the standard
checklist during the key generation ceremony, and thoroughly inspect the key generation room and the
equipment being used to ensure the process is secure and not open to compromise.
When a key is sent by courier, the courier slip must be retained along with documentary evidence in the form of
the Courier Form, which records sender date/time, sender name, name of courier person etc.
Role | Responsibility | Assigned to
Key Manager | Manages the entire key generation process, maintain the key generation steps and | Syed Imad Alam, IT manager
Security officer | Ensures the key generation steps are executed securely and, as per standard, follow the Euronet key generation policy. | Saad Siddiqui, Information security officer
HSM administrator | To manage the key generation device (LAPTOP/HSM) and maintain its security. | Maaz Qamar, System Admin
Key Custodian 1 | To authorize the HSM by entering passcode | Imad/Saqib
Key Custodian 2 | To authorize the HSM by entering passcode | Rao Zeeshan/Omair
Key Generator 1 | To generate the key as per Euronet standard key generation scripts (reference 1.3-1.6) and send it to the nominated custodian following the Euronet secure key transmission procedure | Khurram Khurshid, Senior Application Consultant
Key Generator 2 | To generate the key as per Euronet standard key generation scripts (reference 1.3-1.6) and send it to the nominated custodian following the Euronet secure key transmission procedure | Hammad Rehman, Application Consultant
6. Retrieve HSM smart cards and appropriate keys from the security Vault
allocated to each custodian
7. Verify that an access log is maintained for smart cards and LMKs
8. Inspect the environment to ensure that there are no cameras that are
able to observe the keys during generation and that the key generation
laptop is positioned in a way that custodians are not able to observe each
other’s keys during generation
10. Generate key components according to the predefined procedure for each
key in Annexure A once it is confirmed that no tampering of hardware has
occurred
11. Verify that each individual has entered their time out and used the biometric
inside to get out of the room
13. Return HSM laptop, associated cables and smart cards to the safe 1
14. Store key components, smart cards and brass keys in the appropriate
safety deposit boxes and update safe log and safe inventory
Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>FK
Encrypted key: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>FK
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Invalid key scheme; please re-enter: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 2
Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
Online-AUTH>FK
Encrypted key: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
5.9
6.2 TM Keys
1. The primary key custodian must receive the ATM key request form from the concerned officials
(Project Manager) when a new ATM needs to be rolled out or a TM Key needs to be loaded
2. ATM key request form will have the details of the bank, name of the ATM custodians, ATM ID, and
address details of the ATM custodians
3. On receipt of this form the primary key custodian will assign the TM key set number to the concerned
ATM ID and primary and secondary key custodians will hand over the tamper proof envelope to two
identified members. This will be recorded in the register.
4. Based on the details of the banks, the member 1 will put the instructions sheet, ATM key destruction
sheet and the clear component 1 tamper proof envelope in a bigger tamper proof envelope and
mention the address details of first ATM custodian on the envelope
5. Based on the details of the banks, the member 2 will put the instructions sheet, ATM key destruction
sheet and the clear component 2 tamper proof envelope in a bigger tamper proof envelope and
mention the address details of second ATM custodian on the envelope
6. The two different couriers will visit the desk of the TIS members to check for delivery of the TM keys
TCS – http://www.tcscouriers.com
OCS – http://www.ocs.com.pk or any other
7. The TMK components are to be sent on two different days; the Project Manager selects the
days at random
8. The TIS members will dispatch their respective clear components of TM keys (previously sealed in the
tamper proof envelopes) to the ATM Custodians through 2 different couriers
9. The TIS members will ensure the envelopes remain in tamper proof condition until they are handed over to the
courier personnel
10. The two key components must not travel together to the ATM site under any circumstances
11. TM Key Destruction Control Sheet has to be filled by the custodian.
12. The Third Party has to sign the destruction form.
6.3 TP Keys
1. On receipt of the ATM key request form, the primary key custodian will email the TM Key set number
and assigned ATM ID to the Technology key custodian handling the TP key switch component
tamperproof envelope
2. The Technology key custodian will hand over the TP key switch component tamper proof envelope and
TP key switch component destruction control sheet to the Integrations team member who configures
the ATM on the ITM switch
3. The Integrations team member post configuring the ITM switch will destroy the TP key switch
component and submit the TP key switch component destruction control sheet to the Technology key
custodian.
Euronet only loads keys to its PA DSS compliant application ITM and their PCI approved HSM 9000
cryptographic devices.
All the encrypted keys stored in the ITM application are stored in the ZSKYRF0P file.
All other PED devices are not in the scope of Euronet Pakistan in terms of key loading procedures.
The key loading processes are described below.
6. Press Enter on the detail screen to retrieve the check value, then press F10 twice to store the value, and
then F3 to exit the screen.
7. TMK is now loaded onto the system successfully.
8. Next step is to generate TPK under the TMK key (created in above steps)
9. Now create 2 empty keys of type RACALTPK & RSMPOSTPK
10. Generate random key using option 9 against RSMPOSTPK,
11. Select appropriate export key (KEK) & Internal key information value and press enter and F10 to store
the new random key value.
12. Now using option 6, load RACALTPK key & store the value
Provide the encrypted key value from RSMPOSTPK from ITM & clear TMK key value from HSM to the
ISO officer for delivery to bank custodian for entry on POS
6. Press Enter on the detail screen to retrieve the check value, then press F10 twice to store the value, and
then F3 to exit the screen.
7. TMK is now loaded onto the system successfully.
8. Next step is to generate TPK under the TMK key (created in above steps)
9. Now create 2 empty keys of type RACALTPK & RSMATMTPK
10. Generate random key using option 9 against RSMATMTPK,
11. Select appropriate export key (KEK) & Internal key information value and press enter and F10 to store
the new random key value.
12. Now using option 6, load RACALTPK key & store the value
been loading the LMK smart cards are returned to the safe. The Safe Log and Key Custodian Form are
updated accordingly.
2. Checks will be in place to ensure that key loading to HSMs is protected. Loading of keys will not be done in
front of any cameras or unauthorized users. The ISO will monitor the entire process.
3. Any physical (e.g., brass) key(s) used to enable key loading will not be in the control or possession of any
one individual. The keys will be kept under dual control with two identified custodians. The Security Officer
will oversee the entire process.
4. Before any key creation, loading or generation activity on the HSM, all cables attached to the HSM must be
thoroughly checked and verified for any sign of tampering or compromise.
It is assumed that the HSM is set for Smartcard mode and Echo On (CS command).
Secure> LK <Return>
LMKs must be erased before proceeding.
Erase LMKs? Y <Return>
Load LMK from components.
Insert card and enter PIN: ***** <Return>
CHECK: XXXX XXXX XXXX XXXX
Load more components? [Y/N]: Y <Return>
Remove the Smartcard. Insert the subsequent Smartcards and repeat the procedure. When all have been
loaded and the HSM displays the check value, record the check value.
CHECK: XXXX XXXX XXXX XXXX
i. RACALZMK - Zone Master Key (ZMK) – Follow the mentioned process on HSM
ii. RACALZPK - Zone PIN Key (ZPK) – Follow the mentioned process on HSM
viii. VISA sends encrypted acquirer/Issuer working keys to Euronet which are generated under common
ZMK at their end.
ix. At Euronet end we import encrypted ZPK i.e. IWK & AWK (sent from VISA) under encrypted VISA ZMK
loaded earlier into ITM with following import process.
Process to generate and share the ZPK/ZCMK for Encrypt/Decrypt the PIN
1. Euronet to generate 3 clear components of Zone Control Master Key (ZCMK) to be sent to 3 custodians of
Bank
2. These three components are entered by Euronet to form/get a Euronet HSM LMK encrypted ZCMK
3. These three components are entered by Bank to form/get a CLIENT HSM LMK encrypted ZCMK
a. The check value should be matched with the composite check value sent by Euronet with three
clear components
b. The output key in step 3 above should be noted down as this will be used to IMPORT the Zone
PIN Key (ZPK)
4. Euronet creates an EXPORTED value of Zone PIN Key (ZPK) i.e. generates the ZPK which is encrypted under
ZCMK formed in step 2 above
5. Euronet sends the exported / encrypted ZPK value to Bank
6. Bank to use IMPORT or equivalent function on HSM to store above received ZPK on Bank
a. The check value of ZPK should match with the one sent by Euronet with the encrypted ZPK in
step 5 above
7. The above stored ZPK should be used by the system which is performing the ‘receive n print’ function for
PIN mailers received by Euronet regularly
4. The ISO will be notified of the same, and corrective and preventive measures will be implemented after
investigation of the key compromise incident.
5. A periodic audit will match the key check values against those in the system; if in case this is
mismatched then.
6. The Information security personnel should be notified immediately of any suspected or real
cryptographic key security incidents. If it is unclear as to whether a situation should be considered a
security incident, Information security personnel should be contacted to evaluate the situation.
With the exception of steps outlined below, it is imperative that any investigative or corrective action be
taken only by Information security personnel or under the oversight of information security personnel, to
assure the integrity of the incident investigation and recovery process.
7. Information security personnel should inform the Euronet Global team first, as early as possible after
confirmation of any cryptographic key compromise.
When faced with a potential situation you should do the following,
If the incident involves a compromised cryptographic key;
o Do not alter the state of the HSM and server.
o The computer systems should remain on and all currently running computer programs left as
is. Do not shutdown the computer or restart the computer.
Report the security incident.
o Information security personnel’s official numbers should be well known to all employees and
its hard copy should be placed on a notice board or any easily viewable or accessible place.
o No one should communicate with anyone outside of their supervisor(s) or the information
security personnel about any details or generalities surrounding any suspected or actual
incident. All communications with law enforcement or the public will be coordinated by the
information security personnel.
Document any information you know while waiting for the information security personnel to respond to the
incident. If known, this must include the date, time, and nature of the incident. Any information provided
will aid in responding in an appropriate manner.
The Error! Unknown document property name. will first attempt to determine if the security incident justifies
a formal incident response.
In cases where a security incident does not require an incident response the situation will be forwarded to the
appropriate area of IT to ensure that all technology support services required are rendered.
o Do not turn off the compromised machine. Instead, isolate compromised systems from the
network. To preserve the evidence for a forensic investigation it is extremely important to not
access the system.
o Preserve logs and electronic evidence.
Be on high alert and monitor all cardholder data systems
12 Physical Security
The HSM is placed inside the Data Center. Access to the Data Center is governed by several controls, ranging from
Physical Card Access, Visitor Log and Guards to the separate steel rack in which the HSM is placed.
Following are the features and practices followed.
1. The HSM is enclosed in a dedicated steel rack environment which has proximity access inside the Data
Center and Data Center building and takes a snapshot of the authorized employee on each access, as well as two
key locks for which the keys are held by two different teams, the Data Center Team and the
Infrastructure Team.
2. A CCTV camera monitors the inside of Data Center rack area (Entrance and Exit)
3. Shatterproof glass in work areas
4. 24 x 7 x 365 Operations coverage
5. Full CCTV coverage and access control security
6. Visitor LOG management control
7. Visitor security badges
8. External cameras monitor people entering and exiting the Data Center premises
9. A dedicated hardened desktop is kept with the Data Center operations team to be used as console for
HSM for which the access password is split into half. Hyper Terminal is used for doing any of the
activity on the HSM.
10. The LMKs are kept in a steel locker with two keys. Inside the steel locker a small steel locker with dual
keys contains the LMKs.
11. The LMKs inside the small locker are kept in tamper proof envelopes (smartcard 1, smartcard 2 and
smartcard 3). The envelopes are signed and the last usage date is mentioned on it. Each custodian
while putting the envelopes has to sign the Safe Log sheet. The Information Security Officer is involved
in the entire process.
12. The password for each card(s) is maintained among separate teams.
13. A register is maintained for big locker access and LMK locker access.
14. The keys for the HSMs are also kept in separate tamper proof envelopes in the small locker mentioned
above. Each key has a tag attached to it having information i.e. (HSM serial number, placed at)
15. A register is maintained for Data Centre visitor access
16. The register entries are verified on a periodic basis by the DC supervisor.
17. Any kind of HSM access has to be initiated via request management or incident management and the
access of the LMKs, keys, console access, will have to be approved by the Information Security Officer
and Manager IT and Infrastructure.
18. The HSMs are configured to run in the sensitive mode which would mean that the HSM will wipe the
LMKs entries inside it in case the device is moved.
19. The Incident Management process is documented for any type of incident related to the HSM.
1. HSM should be properly inspected and verified once removed from the box packing. Equipment
Inspection should ensure that packing is not counterfeit.
2. HSM Verification form will be filled after unpacking the HSM from the box.
3. HSM Commissioning and Decommissioning checklist will be used and followed for the settings. The
details are to be followed by the checker. After doing this HSM Verification Form should be signed by
the two individuals.