
Key Management & PIN Security
Euronet Pakistan
Secure Financial Transactions — Any Time, Any Place

CONFIDENTIAL

The information included in this document is confidential information related to the business of Euronet
Pakistan (PVT) Limited ("Euronet"), a private limited company. It is being presented to you based on the
understanding that it will not be used for any reason other than consideration of a commercial relationship with
Euronet, and in particular, will not be used in connection with any decision to trade in securities of Euronet.
Please be advised that any disclosure of the information contained in this presentation to any other person, or
any use of this information in connection with the trading of Euronet securities, may be a violation of Pakistan
laws. The contents of this document may contain trade secrets. This document may not be distributed; its
contents may not be disclosed, in whole or in part, without the express written consent of Euronet Pakistan.
This document is an unpublished work protected under the laws of Pakistan and other countries. If this
document becomes published the following shall apply: Copyright © 2010-2011 Euronet Pakistan (PVT)
Limited. All rights reserved.

© Euronet Pakistan. All rights reserved Page 2 of 35


Key Management and Pin Security
Secure Financial Transactions
— Any Time, Any Place

DOCUMENT CONTROL

Document Reference: Key Management – Hungary
Document Description: Key Management
Document Owner: Information Security Officer

Version | Date | Changes Made | Author | Initialed
A | 07-Apr-11 | Initial version | Syed Fahad Hasan & Rehan Hilal | FH, RH
B | 08-Apr-11 | Addition of transaction log | Rehan Hilal | RH
C | 28-May-11 | Change in document ownership; change in process; change in formatting; rewriting of PIN management procedures | Syed Fahad Hasan | FH
D | 21 March 2012 | Revision | Syed Fahad Hasan | FH
E | 10 Feb 2013 | Revision (changes in courier company) | Syed Fahad Hasan | FH
F | 10 Mar 2014 | Custodian updated | Syed Fahad | FH
G | 22 Jan 2015 | Yearly revision | Saad Siddiqui | SS
H | 25 April 2016 | Changes as per PCI PTS audit observations and recommendations | Saad Siddiqui | SS


Objective:

The purpose of this document is to explain the hierarchy of the cryptographic keys used by Euronet to ensure
secure key management and transaction processing.

Applicability:

This policy applies to Euronet employees, contractors, and service providers.

Policy Administration:

This policy is written in accordance with PCI DSS and VISA PIN Security. It is reviewed at least once a year and
is updated as needed to reflect changes to business objectives or the risk environment.


Table of Contents
1 KEY MATRIX
1.1 LIST OF KEYS
1.2 KEY DETAILS
1.3 CRYPTOGRAPHIC DEVICES USED FOR KEY GENERATION
2 KEY CUSTODIANS
2.1 RESPONSIBILITY
2.2 RISKS IN NOT ADHERING TO THE POLICY
2.3 VISA PIN SECURITY PROGRAM COVERAGE
3 HARDCOPY STORAGE/ACCESS LOG
4 KEY DESTRUCTION LOG
4.1 ATM KEY
4.1.1 ATM key switch destruction log
4.2 TM AND TP KEY
4.2.1 TM key switch destruction log
4.2.2 TP key switch destruction log
5 KEY GENERATION PROCEDURES
5.1 ROLES AND RESPONSIBILITIES
5.2 KEY GENERATION CHECKLIST
5.3 KEY CREATION PROCESS FOR LMK
5.4 KEY CREATION PROCESS FOR ATM
5.5 KEY CREATION PROCESS FOR POS DEVICES
5.6 KEY CREATION PROCESS FOR H2H CHANNELS
5.7 SINGLE PURPOSE KEY
5.8 KEY HANDING / TAKING OVER PROCESS
6 KEY TRANSMISSION PROCEDURE
6.1 LOCAL MASTER KEY (LMK)
6.2 TM KEYS
6.3 TP KEYS
7 KEY DESTRUCTION PROCEDURE
7.1 LOCAL MASTER KEY (LMK)
7.2 TMK DESTRUCTION PROCEDURE
8 KEY LOADING PROCEDURE
8.1 KEYS LOADING ON ITM FOR POS (TMK/TPK)
8.2 KEYS LOADING ON ITM FOR ATM (TMK)
8.3 KEYS LOADING TO HSM (LMK)
8.4 ZONE CONTROL MASTER KEY (ZCMK) LOADING
8.5 WORKING KEYS
9 KEY COMPROMISE PROCEDURE
9.1 APPLICABILITY
9.2 KEY COMPROMISE SCENARIOS
9.3 REPORTING AND INCIDENT DECLARATION PROCEDURES
9.4 ACTION TO BE TAKEN
9.5 ROOT CAUSE ANALYSIS AND LESSONS LEARNED
9.6 PLAN TESTING AND TRAINING
9.7 CRITICAL SYSTEMS RESTORE STRATEGY
10 KEY STORAGE PROCEDURES
10.1 LOCAL MASTER KEY (LMK)
10.1.1 LMK Primary Storage
10.1.2 LMK Backup Card Storage
10.1.3 LMK Physical Access Logging
10.2 CONTROL MASTER KEY (ZCMK)
10.3 WORKING KEYS
10.4 INVENTORY CONTROL AND UPDATE
11 PIN BLOCK FORMAT
11.1 PIN BLOCK
11.2 PIN BLOCK LOGGING
12 PHYSICAL SECURITY
12.1 EQUIPMENT SECURITY


1 Key Matrix

1.1 List of Keys


Table 1.1 below lists the keys.

Table 1.1 List of keys
S No | Key type / description | Purpose / function of the key
1 | Master Key | LMK – Local Master Key
1 | Device Master | Key components for ATM/POS Terminal Master Key, this key will be used for operating the ATM/POS at customer side.
2 | PIN or Session | Key components for ATM/POS Terminal Pin Key, this key will be used for operating the ATM/POS at customer side. ATM/POS Terminal PIN Key used to encrypt PIN
3 | Zone Master | Same as ZCMK (Zone Control Master Key)
4 | Zone PIN | Same as AWK/IWK (Acquirer/Issuer Working Key)
5 | AWK (Acquirer Working Key) | Used to encrypt the PIN Block for transfer from Member to Visa
6 | IWK (Issuer Working Key) | Used to decrypt the PIN Block for verification from Visa to Member
7 | ZCMK (Zone Control Master Key) | Used to encrypt the AWK/IWK for transmission from Member to Visa

1.2 Key Details


The following Table 1.2 is the key matrix with details:

Table 1.2 – Key Matrix. List of all cryptographic keys
Each entry gives: key type/description; description of level in the key hierarchy; purpose/function of the key (including types of devices using key); how the key shall be distributed; details to capture.

1 Master Key
  Level in the key hierarchy: LMK – Local Master Key
  Purpose/function: The LMKs are used to encrypt all operational keys (including other master keys). The LMKs installed on a payShield 9000 are a mix of variant and key block types with the TDES algorithm.
  Distribution: NA
  Details to capture: Key Custodians and storage Procedures

2 Device Master
  Level in the key hierarchy: ATM/POS Terminal Master Key
  Purpose/function: ATM/POS TMK is a key-encrypting key which is distributed manually. It is used to distribute data-encrypting keys, within a local (non-shared) network, to an ATM or POS terminal or similar.
  Distribution: Via couriers
  Details to capture: Who is sending the key, to whom the key is sent (must have two officer

2 PIN or Session
  Level in the key hierarchy: ATM/POS Terminal PIN Key used to encrypt PIN
  Purpose/function: HSM receives a PIN-block encrypted under TPK together with TPK encrypted under one of LMK key pairs and ZMK under another LMK pair.
  Distribution: Via couriers
  Details to capture: Who is sending the key, to whom the key is sent (must have two officer

3 Zone Master
  Level in the key hierarchy: Same as ZCMK
  Purpose/function: ZMK is a key-encrypting key which is distributed manually between two (or more) communicating sites.
  Distribution: Via couriers
  Details to capture: Who is sending the key, to whom the key is sent (must have two officer

4 Zone PIN
  Level in the key hierarchy: Same as AWK/IWK
  Purpose/function: ZPK is a data-encrypting key which is distributed automatically and is used to encrypt PINs for transfer between communicating parties (for example, between acquirers and issuers). For transmission, a ZPK is encrypted under a ZMK; for local storage it is encrypted under one of the LMK pairs.
  Distribution: Via couriers
  Details to capture: Who is sending the key, to whom the key is sent (must have two officer

5 AWK (Acquirer Working Key)
  Level in the key hierarchy: Used to encrypt the PIN Block for transfer from Member to Visa
  Purpose/function: The encrypted message from acquirer is forwarded to the financial institution. Upon receiving the message, the financial institution decrypts it.
  Distribution: NA
  Details to capture: NA

6 IWK (Issuer Working Key)
  Level in the key hierarchy: Used to decrypt the PIN Block for verification from Visa to Member
  Purpose/function: The financial institution encrypts it with the Issuer Working Key (IWK). The encrypted message is forwarded to the card Issuer for decryption and further processing.
  Distribution: NA
  Details to capture: NA

7 ZCMK (Zone Control Master Key)
  Level in the key hierarchy: Used to encrypt the AWK/IWK for transmission from Member to Visa
  Purpose/function: Within the VISA environment
  Distribution: Via couriers

8 HSM Physical Keys
  Level in the key hierarchy: HSM physical key
  Purpose/function: Used in the HSM. The physical keys are used for configuration updates, to authorize the HSM, and for any other related work that requires physical keys to be inserted.
  Distribution: NA
  Details to capture: Key Custodians and storage Procedures

1.3 Cryptographic devices used for Key generation

The following Table 1.3 is the list of cryptographic devices:

Table 1.3 – List of devices used to generate keys or key components
Device name/identifier | Manufacturer/Model | Type of key(s) generated (per Table 1.1) | Approved key-generation function (PTS, FIPS & NIST) | Approved Firmware #(s)
HSM | Thales payShield 9000 | As per table 1.2 | PCI | PCI Approved Version, Version 2.3f
HSM | Thales payShield 9000 | As per table 1.2 | PCI | PCI Approved Version, Version 2.3f
HSM | Thales payShield 9000 | As per table 1.2 | PCI | PCI Approved Version, Version 2.3f

2 Key Custodians

S. No | Primary Custodian | Backup Custodian | Key Components
1 | Imad Alam, Manager IT | Saqib Fareed, System Administrator | LMK-1, Left Brass Key
2 | Rao Ali Zeeshan, Manager Finance | Umair Shaikh, Sr. Account Officer | LMK-2, Right Brass Key
3 | Shahid Latif, CEO | Madhu Mati, HR Manager | LMK-3
4 | Syed Zeeshan Ali, Manager Application Delivery | N/A | AWK
5 | Dawer Khan, Operations Manager | N/A | IWK


2.1 Responsibility
The following policy will be applied to all Key Management employees.

S. No | Role | Responsibility
1 | Key Custodians | Follow the security procedures and guidelines for generation of keys on the Host Security Module (HSM)
2 | ATM / POS Custodians | Follow the security procedures and guidelines for installation of keys on ATMs and POS
4 | Information Security Officer (ISO) | The ISO will be responsible for implementing this manual and ensuring that procedures are followed by team members

2.2 Risks in not adhering to the policy

• Unauthorized access of keys
• Legal considerations, such as the potential need for proof of origin, dispatch, delivery and acceptance from the clients

2.3 VISA PIN Security Program Coverage


The following PIN security requirements are addressed in the PIN security manual:
Reqt no.: VISA PIN Security Program Requirement
3 For online interchange transactions, PINs are only encrypted using ISO 9564–1 PIN Block Formats
0, 1 or 3. Format 2 must be used for PINs that are submitted from the IC reader to the IC.
4 PINs are not stored except as part of a store-and-forward transaction, and only for the minimum
time necessary. If a transaction is logged, the encrypted PIN block must be masked or deleted from
the record before it is logged.
6 Compromise of the key-generation process is not possible without collusion between at least two
trusted individuals
7 Documented procedures exist and are demonstrably in use for all key generation processing
8a Secret or private keys are transferred by physically forwarding the key in at least two separate full-
length components (hard copy, smart card, TRSM) using different communication channels,
9a Any single unencrypted key component is at all times during its transmission, conveyance, or
movement between any two organizational entities under the continuous supervision of a
person with authorized access to this component
9b Any single unencrypted key component is at all times during its transmission, conveyance, or
movement between any two organizational entities under the continuous supervision of a person
with authorized access to this component is locked in a security container (including tamper
evident packaging) in such a way that it can be obtained only by a person with authorized access to
it
11 Documented procedures exist and are demonstrably in use for all key transmission and
conveyance processing
12 Unencrypted keys are entered into host Hardware Security Modules (HSMs) and PIN Entry Devices
(PEDs) using the principles of dual control and split knowledge


13 The mechanisms used to load keys, such as terminals, external PIN pads, key guns, or similar
devices and methods are protected to prevent any type of monitoring that could result in the
unauthorized disclosure of any component
14 All hardware and passwords used for key loading are managed under dual control.
15 The loading of keys or key components must incorporate a validation mechanism such that the
authenticity of the keys is ensured and it can be ascertained that they have not been tampered
with, substituted, or compromised
16 Documented procedures exist and are demonstrably in use (including audit trails) for all key-
loading activities.
18 Unique secret cryptographic keys must be in use for each identifiable link between host computer
systems.
19 Cryptographic keys are only used for their sole intended purpose and are never shared between
production and test systems.
21 Keys used for enciphering PIN Encryption keys, or for PIN Encryption, must never exist outside of
TRSMs, except when encrypted or securely stored and managed using the principles of dual
control and split knowledge.
22 Procedures exist and are demonstrably in use to replace any known or suspected compromised
key and its subsidiary keys (those keys enciphered with the compromised key) to a value not
feasibly related to the original key.
23 Access to cryptographic keys and key material must be limited to a need-to-know basis so that the
fewest number of key custodians are necessary to enable their effective use
24 Secret and private keys and key components that are no longer used or have been replaced are
securely destroyed.
25 Access to secret and private cryptographic keys and key material must be limited to a need-to-
know basis so that the fewest number of key custodians are necessary to enable their effective
use.
26 Logs are kept for any time that keys, key components, or related materials are removed from
storage or loaded to a TRSM.
28 Documented procedures exist and are demonstrably in use for all key administration operations.
29 PIN processing equipment (PEDs and HSMs) is placed into service only if there is assurance that the
equipment has not been substituted or made subject to unauthorized modifications or tampering
prior to the loading of cryptographic keys.
30 Procedures exist that ensure the destruction of all cryptographic keys and any PINs or other PIN-
related information within any cryptographic devices removed from service.
31 Any TRSM capable of encrypting a key and producing cryptograms of that key is protected against
unauthorized use to encrypt known keys or known key components. This protection takes the
form of either or both of the following:
• Dual access controls are required to enable the key encryption function.
• Physical protection of the equipment (e.g., locked access to it) under dual control.
32 Documented procedures exist and are demonstrably in use to ensure the security and integrity of
PIN-processing equipment (e.g., PEDs and HSMs) placed into service, initialized, deployed, used,
and decommissioned.


3 Hardcopy Storage/Access Log


This form is used whenever the key storage, the safe, or other highly confidential information is accessed. The
form is updated on every access by an individual. Only key custodians are authorized personnel for
access.


4 Key Destruction Log


4.1 ATM key
The procedure for key destruction is as follows:
i. After ATM key loading, the key components shall be securely destroyed.
ii. The key components on paper shall be securely destroyed by shredding or burning.
iii. After the destruction of the keys, the ATM custodians shall fill in the destruction control log (see 4.1.1 for
the ATM key destruction log).

4.1.1 ATM key switch destruction log


KINDLY SIGN ON THE KEY DESTRUCTION CONTROL SHEET AND COURIER IT BACK TO EURONET OFFICE.
ADDRESS IT TO: MANAGER OPERATIONS Euronet Pakistan Private Limited, First Floor, Bahria Complex III, M. T. Khan Road, Karachi -
Pakistan

TM key number

Date of key destroyed

Name of ATM custodian – 1

Name of ATM custodian – 2

Signatures

ATM custodian - 1 ATM custodian - 2

Signature .......................................... Signature ..........................................

To be filled by the Third Party: I ___________________________ hereby confirm that the material is properly
destroyed and I have personally witnessed this process.

Name .......................................... Signature ..........................................


4.2 TM and TP Key


After the destruction of the keys, the key custodians must fill the TM and TP Key log (See Section 4.2.1 and
4.2.2)

4.2.1 TM key switch destruction log

TM key set number:

Date of key destruction:

Details of the personnel involved in TM key destruction

We hereby state that the TM keys for the above mentioned TM key set number were
destroyed in presence of each other

Name of primary custodian: Signature:

Name of secondary custodian: Signature:

Third Party Name: Signature:

4.2.2 TP key switch destruction log


The TP key is not stored anywhere; hence it does not need to be destroyed.


5 Key Generation procedures

All keys at Euronet Pakistan are TDES (double-length) keys generated using a random-number-generation
component algorithm.
It is the responsibility of the Key Manager to manage the entire key generation process, follow the standard
checklist during the key generation ceremony, and thoroughly inspect the key generation room and the
equipment being used to ensure the process is secure and not open to compromise.

i. All keys must always be generated using a dedicated laptop.
ii. The HSM laptop is secured and kept in the designated security safe vault when not in use.
iii. The key generation room rack is physically locked with an alloy element key, and approval is needed in
order to generate or create any key.
iv. Additionally, physical access to the key generation room is managed by a dual control mechanism and
a biometric device for access logging.
v. The password of the HSM console laptop is divided into two halves following the Euronet standard password
complexity requirement; each holder has to be physically present in order to access the laptop.
vi. The Information Security Officer can enter this area and will escort key custodians for the key creation
activity.
vii. The Key Manager observes the entire key generation activity and ensures it is conducted as per the
Euronet key generation checklist.
viii. A minimum of two (2) authorized individuals need to be present during the process to verify that no
disclosure of keys has occurred.
ix. Two authorized individuals are required to generate and transport the key components to maintain the
dual control and secrecy of key components.
x. Training sessions on PIN audit will be conducted for the members.

When a key is sent by courier, the courier slip must be retained along with the documentary evidence of the Courier
Form, which records the date/time of sending, sender name, name of courier person, etc.


5.1 Roles and Responsibilities

Title/Role | Duties/Responsibilities | Name/Designation
Key Manager | Manages the entire key generation process, maintain the key generation steps and | Syed Imad Alam, IT manager
Security officer | Ensures the key generation steps are executed securely and, as per standard, follow the Euronet key generation policy. | Saad Siddiqui, Information security officer
HSM administrator | To manage the key generation device (LAPTOP/HSM) and maintain its security. | Maaz Qamar, System Admin
Key Custodian 1 | To authorize the HSM by entering passcode | Imad/Saqib
Key Custodian 2 | To authorize the HSM by entering passcode | Rao Zeeshan/Omair
Key Generator 1 | To generate the key as per Euronet standard key generation scripts (reference 1.3-1.6) and send it to the nominated custodian following the Euronet secure key transmission procedure | Khurram Khurshid, Senior Application Consultant
Key Generator 2 | To generate the key as per Euronet standard key generation scripts (reference 1.3-1.6) and send it to the nominated custodian following the Euronet secure key transmission procedure | Hammad Rehman, Application Consultant

5.2 Key Generation Checklist


Key Type (LMK, ZMK, ZPK, TMK & TPK)
Each item is marked YES or NO.

1. Retrieve HSM laptop and associated cables from secure storage
2. Sign into HSM secure room using biometric device
3. Install and power on the laptop in the key generation room
4. Log in via the laptop using the dual control mechanism to maintain split knowledge
5. Verify the laptop standard security; the HyperTerminal back scroll setting should be 0
6. Retrieve HSM smart cards and appropriate keys from the security vault allocated to each custodian
7. Verify that the access log is maintained for smart cards and LMKs
8. Inspect the environment to ensure that there are no cameras that are able to observe the keys during
generation and that the key generation laptop is positioned in a way that custodians are not able to observe
each other's keys during generation
9. Verify that the required individuals are present at the time of key generation
10. Generate key components according to the predefined procedure for each key in Annexure A once it is
confirmed that no tampering of hardware has occurred
11. Verify that each individual has entered the time out and used the biometric device inside to exit the room
12. Sign out of HSM secure room
13. Return HSM laptop, associated cables and smart cards to the safe 1
14. Store key components, smart cards and brass keys in the appropriate safety deposit boxes and update
safe log and safe inventory
15. Confirm that no disclosure of keys has taken place

5.3 Key Creation process for LMK


LMK generation follows the general rules described above. The LMK is created under triple control. After generating
the LMK, it is mandatory to save the newly created LMK on 3 different smartcards. The LMK is created following the
technical procedure provided by the product supplier. The administrative procedure includes assigning three
custodians for the different components and the physical keys/access of the HSM. Management will decide the
custodians.
The GK command is used to generate the LMK components. The HSM must be in
secure mode for this command to run.
The GK command is used on the HSM with the following parameters:
LMK component set [1-9]: 1 <Return>
Enter secret value A: <Return>
Enter secret value B: <Return>
Enter value C: <Return>
Insert blank card and enter PIN: ***** <Return>
Writing keys
Checking keys
The GK command is used on the HSM with the following parameters:
LMK component set [1-9]: 2 <Return>
Enter secret value A: <Return>
Enter secret value B: <Return>
Enter value C: <Return>
Insert blank card and enter PIN: ***** <Return>
Writing keys
Checking keys
The GK command is used on the HSM with the following parameters:
LMK component set [1-9]: 3 <Return>
Enter secret value A: <Return>
Enter secret value B: <Return>
Enter value C: <Return>
Insert blank card and enter PIN: ***** <Return>
Writing keys
Checking keys.

5.4 Key Creation process for ATM


1. Bank requests Euronet for new ATM keys.
2. Two different custodians of Euronet generate TMK component A and TMK component B for the ATM TMK.
3. Once generated, the Euronet custodians send these key components separately to two different
custodians of the bank (e.g. couriers to addresses requested by the bank).
4. The bank custodians enter the clear key components of the TMK (i.e. A & B) physically on the ATM and request
Euronet for key download to the new ATM.
5. Euronet loads the encrypted TMK key in ITM.
6. Verify the TMK key check value with the bank; it should be the same in ITM and at the ATM.

Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX
Key check value: XXXXXX

Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX

Online-AUTH>FK

Enter LMK id [0-9]:


Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Invalid key scheme; please re-enter: U
Enter component type [X,H,T,E,S]: X


Enter number of components [1-9]: 2
Enter component 1: ***************************************
Enter component 2: ***************************************

Encrypted key: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX

5.5 Key Creation process for POS devices


1. The bank requests new POS keys from Euronet.
2. Two different Euronet custodians generate the clear TMK component and the encrypted TMK component
from the HSM for point of sale devices.
3. The encrypted TMK generated from the HSM is configured on ITM to get the encrypted TPK.
4. The Euronet key custodians send the clear TMK and encrypted TPK key components separately to
two different custodians of the bank (e.g. by couriers to addresses requested by the bank).

Below is the complete script for the POS scenario:

Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX
Key check value: XXXXXX

Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX

Online-AUTH>FK
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 002
Enter key scheme: U
Invalid key scheme; please re-enter: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 2

Enter component 1: ***************************************


Enter component 2: ***************************************
Encrypted key: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX
5.6 Key Creation process for H2H Channels


1. The bank requests new cryptographic keys from Euronet for an H2H channel, i.e. the IVR and Core Banking interfaces.
2. Two different Euronet custodians generate ZPK component A and ZPK component B to share with
the bank.
3. Once the components are generated, the Euronet custodians send these ZPK components separately to two different
custodians of the bank (e.g. by couriers to addresses requested by the bank).
4. Euronet XORs both ZPK components to get the encrypted value, which is loaded into ITM.
5. The composite key check value of the encrypted ZPK is also shared with the bank along with the ZPK components.

Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX

Online-AUTH>GC
Enter LMK id [0-9]:
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U

Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX

Online-AUTH>FK

Enter LMK id [0-9]:


Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme: U
Invalid key scheme; please re-enter: U
Enter component type [X,H,T,E,S]: X
Enter number of components [1-9]: 2

Enter component 1: ***************************************


Enter component 2: ***************************************

Encrypted key: UXXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key check value: XXXXXX

5.7 Single Purpose Key


1. All cryptographic keys are used only for their sole intended purpose and are never shared between
production and test systems. This applies to every key that is generated (LMK, TM, TP etc.): each is a
Single Purpose Key and will only be used for that particular purpose.
2. Encryption keys must only be used for the purpose they were intended for.
3. This is necessary to limit the magnitude of exposure should any key(s) be compromised. Using keys
only as they are intended to be used also significantly strengthens the security of the underlying
system.
4. Keys must never be shared or substituted in a processor's production and test systems.

5.8 Key Handing / Taking over Process


1. Key handing and taking over will be initiated by the departmental head in a formal mail to the ISO,
naming the person handing over the task and the person taking it over.
2. The person handing over the task will brief the person taking over on the details; both will acknowledge
via email.
3. The persons taking over will then be briefed on the VISA PIN Audit session by the ISO.
4. The entire process will be monitored by the ISO.

5.9

6 Key Transmission procedure


6.1 Local Master Key (LMK)
Not applicable.

6.2 TM Keys
1. The primary key custodian must receive the ATM key request form from the concerned officials
(Project Manager) when a new ATM needs to be rolled out or a TM Key needs to be loaded.
2. The ATM key request form will have the details of the bank, the names of the ATM custodians, the ATM ID, and
the address details of the ATM custodians.
3. On receipt of this form the primary key custodian will assign the TM key set number to the concerned
ATM ID, and the primary and secondary key custodians will hand over the tamper proof envelope to two
identified members. This will be recorded in the register.
4. Based on the details of the bank, member 1 will put the instructions sheet, ATM key destruction
sheet and the clear component 1 tamper proof envelope in a bigger tamper proof envelope and
write the address details of the first ATM custodian on the envelope.
5. Based on the details of the bank, member 2 will put the instructions sheet, ATM key destruction
sheet and the clear component 2 tamper proof envelope in a bigger tamper proof envelope and
write the address details of the second ATM custodian on the envelope.
6. The two different couriers will visit the desk of the TIS members to check for delivery of the TM keys.

TCS – http://www.tcscouriers.com
OCS – http://www.ocs.com.pk or any other

7. The TMK components are to be sent on two different days; it is up to the Project Manager to select the
random days.
8. The TIS members will dispatch their respective clear components of the TM keys (previously sealed in the
tamper proof envelopes) to the ATM Custodians through 2 different couriers.
9. The TIS members will ensure the envelopes are in tamper proof condition until they are handed over to the
courier personnel.
10. The two key components must not travel together to the ATM site under any circumstances.
11. The TM Key Destruction Control Sheet has to be filled in by the custodian.
12. The Third Party has to sign the destruction form.

6.3 TP Keys
1. On receipt of the ATM key request form, the primary key custodian will email the TM Key set number
and assigned ATM ID to the Technology key custodian handling the TP key switch component
tamper proof envelope.
2. The Technology key custodian will hand over the TP key switch component tamper proof envelope and
the TP key switch component destruction control sheet to the Integrations team member who configures
the ATM on the ITM switch.
3. After configuring the ITM switch, the Integrations team member will destroy the TP key switch
component and submit the TP key switch component destruction control sheet to the Technology key
custodian.

7 Key Destruction Procedure

7.1 Local Master Key (LMK)


N/A

7.2 TMK Destruction Procedure


1. After ATM key loading the key components must be securely destroyed.
2. Basic principles of ATM key destruction:
   1. A secure destruction method for key components on paper consists of shredding or burning.
   2. After the destruction of the keys the ATM Custodians must fill in the destruction control sheet
   and send it to the central location.
   3. After the destruction of the keys the key custodians must fill in the destruction control sheet.

8 Key Loading Procedure

Euronet only loads keys to its PA DSS compliant application ITM and its PCI approved HSM 9000
cryptographic devices.
All the encrypted keys which are stored in the ITM application are stored in the ZSKYRF0P file.
All other PED devices are not in the scope of Euronet Pakistan in terms of key loading procedures.
The key loading processes are described below.

8.1 Keys Loading on ITM for POS (TMK/TPK)

1. Login onto ITM.


2. Use the “WRKITMF SEC” command to access the SEC files.
3. Create a key of type RACALTMK in the ZSKYRF0P file: press F6 to create a new key with the parameters below.

4. Enter the encrypted TMK value and its checksum in the above file.

5. After TMK entry, load the key using option 6.

6. Press Enter on the detail screen to retrieve the check value, then press F10 twice to store the value and
then F3 to exit the screen.
7. The TMK is now loaded onto the system successfully.
8. The next step is to generate the TPK under the TMK key (created in the steps above).
9. Now create 2 empty keys of type RACALTPK & RSMPOSTPK.
10. Generate a random key using option 9 against RSMPOSTPK.

11. Select the appropriate export key (KEK) and Internal key information value, then press Enter and F10 to store
the new random key value.
12. Now, using option 6, load the RACALTPK key and store the value.

Provide the encrypted key value from RSMPOSTPK from ITM and the clear TMK key value from the HSM to the
ISO officer for delivery to the bank custodian for entry on the POS.

8.2 Keys Loading on ITM for ATM (TMK)

1. Login onto ITM.


2. Use the “WRKITMF SEC” command to access the SEC files.
3. Create a key of type RACALTMK in the ZSKYRF0P file: press F6 to create a new key with the parameters below.

4. Enter the encrypted TMK value and its checksum in the above file.

5. After TMK entry, load the key using option 6.

6. Press Enter on the detail screen to retrieve the check value, then press F10 twice to store the value and
then F3 to exit the screen.
7. The TMK is now loaded onto the system successfully.
8. The next step is to generate the TPK under the TMK key (created in the steps above).
9. Now create 2 empty keys of type RACALTPK & RSMATMTPK.
10. Generate a random key using option 9 against RSMATMTPK.

11. Select the appropriate export key (KEK) and Internal key information value, then press Enter and F10 to store
the new random key value.
12. Now, using option 6, load the RACALTPK key and store the value.

8.3 Keys Loading to HSM (LMK)


LMK components are loaded from smart cards. LMK smart cards are stored in separate safes. Key custodians
take the LMK smart cards from the safes and record their action in the Safe Logs. The key custodians and the Security
Officer enter the secure area to perform key loading. The Security Officer connects to an HSM using a serial console
from dedicated machines. Each key custodian loads one LMK component using an LMK smartcard/PIN
combination. After the LMK key has been loaded, the LMK smart cards are returned to the safe. The Safe Log and
Key Custodian Form are updated accordingly.
1. Each key custodian loads one LMK component using an LMK smartcard/PIN combination. After the LMK key has
been loaded, the LMK smart cards are returned to the safe. The Safe Log and Key Custodian Form are
updated accordingly.
2. Checks will be in place to ensure that key loading to HSMs is protected. Loading of keys will not be done in
front of any cameras or unauthorized users. The ISO will monitor the entire process.
3. Any physical (e.g., brass) key(s) used to enable key loading will not be in the control or possession of any
one individual. The keys will be kept under dual control with two identified custodians. The Security Officer
will oversee the entire process.
4. Before any key creation, loading or generation activity on the HSM, all the
cable(s) attached to the HSM must be thoroughly checked and verified for any sign of tampering or compromise.
It is assumed that the HSM is set for Smartcard mode and Echo On (CS command).
Secure> LK <Return>
LMKs must be erased before proceeding.
Erase LMKs? Y <Return>
Load LMK from components.
Insert card and enter PIN: ***** <Return>
CHECK: XXXX XXXX XXXX XXXX
Load more components? [Y/N]: Y <Return>

Remove the Smartcard. Insert the subsequent Smartcards and repeat the procedure. When all have been
loaded and the HSM displays the check value, record the check value.
CHECK: XXXX XXXX XXXX XXXX

8.4 Zone Control Master Key (ZCMK) Loading


ITM: Each component of the ZCMK is loaded separately by the respective key custodian. Key custodians log into
the system using their own login names and passwords. Utilizing the key entry soft-menu option, the key custodian
further logs in to the HSM via a designated, unique-per-key-custodian HSM user name. When all three
components are entered the security officer activates the ZCMK and enters the encrypted value of the H2H
key.
Refer to “Thales HSM Reference Guide - Document Version 1” for the processes listed below, and
ensure that the HSM is in AUTH mode.

i. RACALZMK - Zone Master Key (ZMK) – Follow the mentioned process on HSM
ii. RACALZPK - Zone PIN Key (ZPK) – Follow the mentioned process on HSM

8.5 Working keys


i. Working keys are always encrypted under ZCMK.
ii. No clear values are available to anyone under any circumstances.
iii. Encrypted working keys are loaded.
iv. The ZCMK is different on Test (VISA test keys are used) and Production (three different custodians are
selected for the key).
v. Import is done via ITM System through HSM.

Process to generate encrypted ZMK


vi. VISA sends 3 ZCMK components to the custodians of Euronet. Simultaneously, they will generate and load the
encrypted ZMK against these ZCMK components at their system.
vii. The Euronet custodians will enter the 3 components separately on the Euronet HSM (LMK) and generate the
encrypted ZMK component, which is then loaded into the ITM systems.

Process to generate encrypted ZPK VISA ZPK (Issuer & acquirer working key import)
viii. VISA sends encrypted acquirer/issuer working keys to Euronet, which are generated under the common
ZMK at their end.
ix. At the Euronet end we import the encrypted ZPK, i.e. IWK & AWK (sent from VISA), under the encrypted VISA ZMK
loaded earlier into ITM with the following import process.

Process to generate and share the ZPK/ZCMK to encrypt/decrypt the PIN

1. Euronet generates 3 clear components of the Zone Control Master Key (ZCMK) to be sent to 3 custodians of the
Bank.
2. These three components are entered by Euronet to form/get a Euronet HSM LMK encrypted ZCMK.
3. These three components are entered by the Bank to form/get a CLIENT HSM LMK encrypted ZCMK.
   a. The check value should match the composite check value sent by Euronet with the three
   clear components.
   b. The output key in step 3 above should be noted down as this will be used to IMPORT the Zone
   PIN Key (ZPK).
4. Euronet creates an EXPORTED value of the Zone PIN Key (ZPK), i.e. generates the ZPK which is encrypted under
the ZCMK formed in step 2 above.
5. Euronet sends the exported / encrypted ZPK value to the Bank.
6. The Bank uses the IMPORT or equivalent function on its HSM to store the ZPK received above.
   a. The check value of the ZPK should match the one sent by Euronet with the encrypted ZPK in
   step 5 above.
7. The ZPK stored above should be used by the system which performs the ‘receive n print’ function for
PIN mailers received by Euronet regularly.

9 Key Compromise Procedure


9.1 Applicability:
Cryptographic keys can be compromised in many different ways. The following are some examples in
which the cryptographic key compromise incident plan is applicable and triggered.
1. The unauthorized substitution of one stored key, or the replacement of any portion of key, whether
encrypted or unencrypted, must be prevented.
2. Ensure that keys no longer needed are destroyed, especially those keys used to encipher other keys
for distribution.
3. To ensure a proactive, well-conceived plan is established for expedient and efficient execution should
a key compromise occur, in order to minimize the fraudulent activities and also the potential adverse
effects to other organizations that may result due to key compromise, and to effectively communicate
such to all interested parties including Visa
4. Ensure that test keys are not used in a production environment and to ensure that production keys
are not used in a test environment.
5. Ensure there is a separation of keys to minimize misuse (for example so that HSMs cannot be
“tricked” into decrypting PINs with a “Decrypt Data” command through the use of a mechanism that
ensures that the commands recognize the purpose of the keys and force the use of separate types of
keys).

9.2 Key Compromise scenarios

1. Incorrect delivery of keys and machines activated


2. TMK set numbers incorrect and machines activated
3. Key components package opened by a single person and machines activated
4. Tampered envelope delivery and machines activated
5. Keys not stored under dual control and machines activated
6. Keys compromised during installation
7. Single custodian entering key components.
8. HSM console laptop not up to the security recommended setting.
9. Skimming of the key through vigilance or key logging.

9.3 Reporting and Incident Declaration Procedures

1. Euronet Management will be notified immediately if there is a possibility of a compromise.


2. Senior Management will determine the extent of the compromise and action to be taken.
3. If the Keys in one or more ATMs/ POS have been compromised
a. The machine (s) will be shut down.
b. New Keys will be generated and handed over to key custodian to be entered prior to the
machine (s) being activated following the generation, transmission, loading and destruction
procedures documented in the Key Management & PIN Security

4. The ISO will be notified of the same, and corrective and preventive measures will be implemented after
investigation of the key compromise incident.
5. Periodic audit to match the key check value to those in the system will be matched, if in case this is
mismatched then.
6. The Information security personnel should be notified immediately of any suspected or real
cryptographic key security incidents. If it is unclear as to whether a situation should be considered a
security incident, Information security personnel should be contacted to evaluate the situation.
With the exception of steps outlined below, it is imperative that any investigative or corrective action be
taken only by Information security personnel or under the oversight of information security personnel, to
assure the integrity of the incident investigation and recovery process.
7. Information security personnel should inform the Euronet Global team first, as early as possible after
confirmation of any cryptographic key compromise.
When faced with a potential situation you should do the following:
• If the incident involves a compromised cryptographic key:
  o Do not alter the state of the HSM and server.
  o The computer systems should remain on and all currently running computer programs left as
  is. Do not shut down or restart the computer.
• Report the security incident.
  o The information security personnel's official numbers should be well known to all employees and
  a hard copy should be placed on a notice board or any easily viewable or accessible place.
  o No one should communicate with anyone outside of their supervisor(s) or the information
  security personnel about any details or generalities surrounding any suspected or actual
  incident. All communications with law enforcement or the public will be coordinated by the
  information security personnel.
Document any information you know while waiting for the information security personnel to respond to the
incident. If known, this must include date, time, and the nature of the incident. Any information provided
should serve as an aid in responding in an appropriate manner.
The Error! Unknown document property name. will first attempt to determine if the security incident justifies
a formal incident response.
In cases where a security incident does not require an incident response the situation will be forwarded to the
appropriate area of IT to ensure that all technology support services required are rendered.

9.4 Action to be taken


For any incidents involving potential compromises of cardholder or PIN data, the Euronet Information Security
team will use the following procedure:
• Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss
or theft of account information within twenty-four (24) hours of the compromise. To facilitate the
investigation:
  o Log all actions taken (e.g., bound notebook, video camera, etc.).
  o Utilise chain of custody techniques during all transfers of equipment and information related to
  the incident.
  o Do not access or alter compromised systems.
  o Do not turn off the compromised machine. Instead, isolate compromised systems from the
  network. To preserve the evidence for a forensic investigation it is extremely important not to
  access the system.
  o Preserve logs and electronic evidence.
Be on high alert and monitor all cardholder data systems.

9.5 Root Cause Analysis and Lessons Learned


Not more than one week following the incident, members of the Error! Unknown document property name.
and all affected parties will meet to review the results of the investigation to determine the root cause of the
compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to
determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security
control can be made more effective or efficient, must be updated accordingly. Upon conclusion of the
investigation, systems will be restored to their non-compromised state.

9.6 Plan Testing and Training


At least once a year, a mock-incident will be initiated to facilitate testing of the current plan. The exact
incident to be tested will be at the discretion of the Euronet information security team. Once complete, a
follow-up session, as detailed above in section 5.5, will be held.
All Euronet Pakistan employees that could have an active role within incident response will be part of the test
process.
Training regarding incident response responsibilities must be performed regularly to ensure employees'
readiness for test and actual incidents.

9.7 Critical Systems Restore Strategy


In case of an incident where critical systems used to perform normal operations are made unavailable due to
an attack or a forensic investigation, the Euronet information Security team must guarantee that critical
business functions continue with minimal impact until all systems are restored to normal operations.

10 Key Storage procedures


10.1 Local Master Key (LMK)
After loading the LMK components into the HSM, each key custodian seals the LMK component that he/she entered
in a separate tamper-evident envelope. All three components are placed in the safe, and the key custodians must record
the serial number of the HSM card in the corresponding safe logs. A key custodian creates a new entry in the
safe log and signs the log.

10.1.1 LMK Primary Storage


Euronet maintains 2 physical fireproof security vaults and one security box to store the primary sets of LMK
cards at its office. All the key components (i.e. 3 LMK smart cards and brass keys) are physically segregated
and stored in tamper evident authenticable packaging. The right and left brass keys are also physically segregated
in 2 different boxes with 2 custodians.

10.1.2 LMK Backup Card Storage


Euronet maintains the copies of the backup LMK cards in its security vault, which is placed in the Karachi Data
center. Further, to maintain the physical security boundary between LMK1, LMK2 and LMK3, all three
backup cards are stored separately in a small security safe inside a security vault.

10.1.3 LMK Physical Access Logging


Access logs sheets for LMK1, LMK2 and LMK3 are placed inside their security vaults. Every time a safe is
opened, the key custodians must log the event in the safe log, recording exact date/time of opening and
reason for opening. Each entry in the safe log must be signed by the key custodians responsible for the safe.
Logging is maintained for both the primary and backup LMK sets of keys.

10.2 Control Master Key (ZCMK)


ZCMK components are never stored.

10.3 Working keys


Working key components are never stored.

10.4 Inventory control and update


All keys are stored encrypted in ITM security files for processing purposes. The list of key names and their
check values is documented and is treated as the key inventory.
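
The periodic audit that matches inventoried key check values against those in the system, together with the single-purpose and test/production separation rules, can be run as a reconciliation. This is an added example, not part of the original document or of ITM: the record layout (environment, key name, check value), the key names built from the key types named here, and all check values are constructed assumptions.

```python
"""Reconcile a key inventory (key name + check value) against check values
read back from the system. Added illustration: the record layout, key names
and check values are constructed, not taken from any real system."""
import re
from collections import defaultdict

_KCV = re.compile(r"[0-9A-F]{6}")  # six hex digits, as printed by the HSM console


def _index(records):
    """Map (environment, key name) -> normalised 6-hex-digit check value."""
    index = {}
    for env, name, kcv in records:
        kcv = kcv.replace(" ", "").upper()
        if not _KCV.fullmatch(kcv):
            raise ValueError(f"{env}/{name}: check value must be 6 hex digits")
        if (env, name) in index:
            raise ValueError(f"{env}/{name}: listed more than once")
        index[(env, name)] = kcv
    return index


def audit(inventory, observed):
    """Return findings as (kind, subject, detail) tuples in a stable order."""
    inv, obs = _index(inventory), _index(observed)
    findings = []
    for key in sorted(inv.keys() | obs.keys()):
        if key not in obs:
            findings.append(("MISSING", key, f"inventory {inv[key]}, not on system"))
        elif key not in inv:
            findings.append(("UNREGISTERED", key, f"system {obs[key]}, not in inventory"))
        elif inv[key] != obs[key]:
            findings.append(("MISMATCH", key, f"inventory {inv[key]}, system {obs[key]}"))
    # The same check value under two names suggests one key value doing two
    # jobs. A check value is only 24 bits, so a match is a lead to investigate,
    # not proof of reuse.
    holders = defaultdict(list)
    for key, kcv in sorted(obs.items()):
        holders[kcv].append(key)
    for kcv, keys in sorted(holders.items()):
        if len(keys) > 1:
            crosses = len({env for env, _ in keys}) > 1
            kind = "SHARED_TEST_PROD" if crosses else "REUSED"
            findings.append((kind, tuple(keys), kcv))
    return findings


# Constructed sample data: (environment, key name, key check value).
SAMPLE_INVENTORY = [
    ("PROD", "RACALZMK-VISA", "A1B2C3"),
    ("PROD", "RACALZPK-VISA-IWK", "0F9E8D"),
    ("PROD", "RACALTMK-ATM0001", "77AA10"),
    ("PROD", "RACALTMK-ATM0002", "5C5C01"),
    ("TEST", "RACALTMK-ATM0001", "D4E5F6"),
]
SAMPLE_OBSERVED = [
    ("PROD", "RACALZMK-VISA", "a1b2c3"),      # same value, different case
    ("PROD", "RACALZPK-VISA-IWK", "0F9E8D"),
    ("PROD", "RACALTMK-ATM0001", "77AA11"),   # differs from the inventory
    ("PROD", "RACALTMK-ATM0003", "D4E5F6"),   # not inventoried, carries a test value
    ("TEST", "RACALTMK-ATM0001", "D4E5F6"),
]

if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE_INVENTORY, SAMPLE_OBSERVED):
        print(f"{kind:17} {subject} {detail}")
```

Only check values are compared, so the audit never needs access to clear or encrypted key material.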

11 PIN Block Format


11.1 PIN Block
For secure transmission of the PIN from the point of PIN entry to the card issuer, the encrypted PIN block
format must comply with ISO 9564–1 format 0, ISO 9564–1 format 1, or ISO 9564–1 format 3.
The PIN block format used by Euronet ITM in Pakistan is ANSI PIN Block format 0 which is equivalent to VISA
PIN block format 1.
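
The ISO 9564-1 format 0 layout named above, worked through as an added example that is not part of the original document or of ITM. The function names and the sample PIN and PAN values are constructed; the block handled here is the clear value that exists only inside a PIN entry device or HSM before encryption under the PIN key.

```python
"""ISO 9564-1 format 0 clear PIN block: build, parse and validate.

Added illustration; function names and sample values are constructed.
In production this block only ever exists inside a PED or HSM and is
encrypted under the PIN key (TPK/ZPK) before it leaves the device.
"""


def _digits(value: str, low: int, high: int, what: str) -> str:
    value = value.replace(" ", "")
    if not (value.isascii() and value.isdigit() and low <= len(value) <= high):
        raise ValueError(f"{what} must be {low}-{high} decimal digits")
    return value


def _pan_field(pan: str) -> bytes:
    # 0000 followed by the 12 rightmost PAN digits, excluding the check digit.
    pan = _digits(pan, 13, 19, "PAN")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def _pin_field(pin: str) -> bytes:
    # Control nibble 0, PIN length nibble, PIN digits, F fill up to 16 nibbles.
    pin = _digits(pin, 4, 12, "PIN")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_pin_block(pin: str, pan: str) -> str:
    """Return the 16-hex-digit clear format 0 block for this PIN and PAN."""
    return _xor(_pin_field(pin), _pan_field(pan)).hex().upper()


def parse_pin_block(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block, rejecting malformed blocks."""
    raw = bytes.fromhex(block_hex)  # raises ValueError on non-hex input
    if len(raw) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = _xor(raw, _pan_field(pan)).hex().upper()
    if field[0] != "0":
        raise ValueError("control nibble is not 0: not a format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("PIN length nibble outside 4-12")
    pin, fill = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or set(fill) != {"F"}:
        raise ValueError("PIN digits or fill invalid: wrong PAN or corrupted block")
    return pin


if __name__ == "__main__":
    sample_pan = "43219876543210987"  # constructed sample PAN
    block = build_pin_block("1234", sample_pan)
    print(block, parse_pin_block(block, sample_pan))
```

Because the PAN is XORed into the block, the same PIN on two different accounts yields two different blocks, and a block parsed against the wrong PAN normally fails the digit and fill checks.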

11.2 PIN Block Logging


PIN Block is actually the triple DES encrypted value of PIN information transmitted with the transaction
between ATM and the controller and between controller and Visa. While storing the transaction information in
the logs, the PIN block is masked with asterisks. PIN block is not stored in any transaction data files. Below are
some of the screenshots from the logs.

Figure 1

Figure 2

Figure 3

Figure 4

Figure 5

12 Physical Security

The HSM is placed inside the Data Center. Access to the Data Center is based on several controls, ranging from
Physical Card Access, Visitor Log and Guards to the separate steel rack in which the HSM is placed.
The following features and practices are followed.

1. The HSM is enclosed in a dedicated steel rack environment which has proximity access inside the Data
Center and Data Center building and takes a snap of the authorized employee on each access, as well as two
key locks for which the keys are held by two different teams, the Data Center Team and the
Infrastructure Team.
2. A CCTV camera monitors the inside of Data Center rack area (Entrance and Exit)
3. Shatterproof glass in work areas
4. 24 x 7 x 365 Operations coverage
5. Full CCTV coverage and access control security
6. Visitor LOG management control
7. Visitor security badges
8. External cameras monitor people entering and exiting the Data Center premises.
9. A dedicated hardened desktop is kept with the Data Center operations team to be used as the console for
the HSM, for which the access password is split in half. HyperTerminal is used for any
activity on the HSM.
10. The LMKs are kept in a steel locker with two keys. Inside the steel locker a small steel locker with dual
keys contains the LMKs.
11. The LMKs inside the small locker are kept in tamper proof envelopes (smartcard 1, smartcard 2 and
smartcard 3). The envelopes are signed and the last usage date is mentioned on it. Each custodian
while putting the envelopes has to sign the Safe Log sheet. The Information Security Officer is involved
in the entire process.
12. The password for each card(s) is maintained among separate teams.
13. A register is maintained for big locker access and LMK locker access.
14. The keys for the HSMs are also kept in separate tamper proof envelopes in the small locker mentioned
above. Each key has a tag attached to it having information i.e. (HSM serial number, placed at)
15. A register is maintained for Data Centre visitor access
16. The register entries are verified on a periodic basis by the DC supervisor.
17. Any kind of HSM access has to be initiated via request management or incident management and the
access of the LMKs, keys, console access, will have to be approved by the Information Security Officer
and Manager IT and Infrastructure.
18. The HSMs are configured to run in the sensitive mode which would mean that the HSM will wipe the
LMKs entries inside it in case the device is moved.
19. The Incident Management process is documented for any type of incident related to the HSM.

12.1 Equipment Security

1. HSM should be properly inspected and verified once removed from the box packing. Equipment
Inspection should ensure that packing is not counterfeit.
2. HSM Verification form will be filled after unpacking the HSM from the box.
3. HSM Commissioning and Decommissioning checklist will be used and followed for the settings. The
details are to be followed by the checker. After doing this HSM Verification Form should be signed by
the two individuals.
