DUKPT

Derived Unique Key
Derived Unique Key

Per Transaction (DUKPT)
Per Transaction (DUKPT)
Click to edit Master title style
Derived Unique Key Per Transaction(DUKPT)
Derived Unique Key Per Transaction (DUKPT)

support allows merchants to send transactions
to BASE! usin" a unique P#$ encryption %ey
&or each transaction'
Each terminal security module (TS() or P#$

pad derives the current transaction %ey &rom an
initial %ey) loaded into the TS( on initiali*ation'
The receivin" BASE!+pos security module will

then determine the current transaction %ey
usin" a %ey held on BASE! and non+secret
in&ormation contained in the transaction
messa"e'
Upon receipt o& a terminal request messa"e)

the Standard P,S Device -andler (SPD-) will
access the PTD'
The PTD P#$.E$/01PT.T1P &ield is used to

determine whether the terminal is usin"
DUKPT'
The PTD 0ETA#2E0.#D) KE1D.30,UP and

TE0(.#D will 4e used to access the KE1D'
The Derivation Key 5ile (KE1D) will store the

Derivation Keys used to decrypt the unique
%ey'
/han"e these &ield names to re&lect the actual name on the PTD screen'
BASE24-POS POS TERMINAL DATA PRO1 BNK1 02/05/17 09:47 07 OF 19

TERMINAL ID: TERM01 FIID: BNK1

ENCRYPTION KEYS

PIN PAD CHARACTER:

PIN ENCRYPTION TYPE: 07 (DUKPT
PIN MASTER KEY: 0000000000000000 CHECK DI!ITS: 0000
"ALIDATE PIN: N
DERI"ATION KEY !ROUP:

MAC TYPE: 00 (NO MAC#IN!
MAC MASTER KEY: 0000000000000000 CHECK DI!ITS: 0000

RECORD LAST CHAN!ED: 01/0$/20 10:11 BY USER: 0255 % 00000255 CHAN!E
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& BASE24 &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
NE' PA!E: FILE DESTINATION: NE' LO!ICAL NET'ORK ID:
F12-HELP
P#$ E$/01PT#,$ T1PE &ield is
used to determine whether this
terminal supports DUKPT (67)
BASE24-POS POS TERMINAL DATA PRO1 02/05/17 09:45 01 OF 19

TERMINAL ID: FIID:
LO!ICAL NET: SPM1
RETAILER !ROUP: RE!ION:

LOCATION: CITY:
STATE: COUNTRY: POSTAL CODE:
TERMINAL TYPE: (&&&&&&&&&&&& PROTOCOL: (N/A
TERMINAL PHONE: 00000000000000000000 BAUD RATE: 99 (N/A
TERMINAL O'NER: TERM !ROUP:
TIME OFFSET: 0 RELEASE (: 00
TERM SIC CODE: 0 MAIL/PHONE SIC CODE: 0
RETAILER ID: RTTN: 00000000000
TERM STATUS: D (DEACTI"ATED BILLIN! INFO:
CLERK ID: LAN!UA!E ID: 0

DH PROCESS NAME: DFLT CHECK ID: (&&&&&&&&&&&
ROUTIN! !ROUP:

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& BASE24 &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
F12-HELP



ENCRYPTION KEYS

PIN PAD CHARACTER:

"ALIDATE PIN: N


&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& BASE24 &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Keys to access the correct
KE1D record
BASE24-BASE DERI"ATION KEY FILE PRO1 02/05/1$ 15:)* 01 OF 01

RETAILER ID: KEYD !RP: TERMINAL ID:

DERI"ATION KEY: CHECK DI!ITS:

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& BASE24 &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
F12-HELP

Based on an 2/,$5 param) this &ile can 4e read into memory at
initiali*ation and accessed &rom memory &or each transaction) or it
can 4e accessed on dis% via an #8, &or each transaction'
,nce the KE1D record is located) SPD- will

send the required in&ormation to the -S( via
SE/UT#2S to translate the P#$ to encryption
under the P#$ (aster Key (intermediate %ey)'


ENCRYPTION KEYS

PIN PAD CHARACTER:

"ALIDATE PIN: N


&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& BASE24 &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

The new P#$ 4loc% and the intermediate %ey

will 4e loaded in the PST( and &orwarded to
0outer8Auth &or processin"'


ENCRYPTION KEYS

PIN PAD CHARACTER:

"ALIDATE PIN: N


&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& BASE24 &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

The DUKPT data which includes the Key Serial

$um4er (KS$) and KS$ descriptor is sent in
to BASE! &rom the terminal'
The KS$ descriptor data is required &or 0acal

Security (odules only'
De&ault KS$ descriptor data placed in the

2/,$5 &ile is used i& the terminal does not
send this data into BASE!'
The DUKPT P#$ 4loc% is translated to a 9:+

4yte sin"le len"th master (A$S#) P#$ 4loc%
and passed throu"h to the appropriate
authori*er'
The SPD- messa"e de&inition will 4e modi&ied

to include a 5#D : su4 &id T) which will 4e used
to transmit the Key Serial $um4er (KS$) and
KS$ descriptor &rom the terminal to BASE!'
The P#$ 4loc% may 4e translated a"ain i& the

transaction needs to 4e authori*ed e;ternally'
The <+4yte derivation %eys must 4e encrypted

under the (5K prior to storin" them in the
KE1D' This is done manually'
Transaction 5low
=
=
P
P
$
$
E
E
T
T
=
=
P
P
$
$
E
E
T
T
Sec
Utils
PTD KE1D
9
9' The P,S terminal sends a tran to BASE! containin" a P#$ 4loc% encrypted usin" DUKPT
(and KS$ data &or 0acal)
' SPD- retrieves DUKPT data &rom the PTD and KE1D' #t also retrieves transaction
processin" data &rom the A/$5'
<' The D- uses SE/UT#2S to translate the DUKPT P#$ 4loc% to the sin"le len"th
(aster8Session %ey mana"ement type' The translate procedures use the intermediate P#$
4loc% encryption %ey &rom the PTD (>KE1 &ield'
!' SE/UT#2S will &ormat and send the appropriate command to the -S('
?' The translated P#$ 4loc% is returned to the SE/UT#2S procedures'
:' :' The translated P#$ 4loc% is returned to D-'
7' SPD- uses the request messa"e and data &rom the PTD and KE1D to 4uild the PST( and
the DUKPT to%en) and passes this on to the 0outer8Auth module &or standard processin"'
<
!
?
:
D-
0outer8
Auth
7
@hat P,S data comes
&rom the A/$5 &or an
SPD- transactionA
@hat P,S data comes
&rom the A/$5 &or an
SPD- transactionA
#& DUKPT is supported) the SPD- will retrieve

the appropriate record &rom the KE1D to
o4tain the derivation %ey &or the terminal
The search criteria used &ollowsB

Retailer ID KEYD Group TERMI!" ID
#$ E%act E%act E%act
&$ E%act E%act ''''''''''''''''
($ E%act '''' ''''''''''''''''
)$ ''''''''''''''''''' '''' ''''''''''''''''
(atchin" on asteris%s in Terminal #D &ield will allow a retailer to
have one derivation %ey in all o& their terminals &or a KE1D "roup'
(atchin" on asteris%s in KE1D 3roup A$D Terminal #D will allow
a retailer to have one derivation %ey &or all terminals'
The SPD- will pass all required data to SE/UT#2S

which includesB
+ < 4yte derivation %ey retrieved &rom the KE1D
+ PTD (aster Key (PTD (.KE1)
+ P#$ 4loc%
+ PA$ di"its
+ KS$ and KS$ descriptor &rom messa"e or 2/,$5
value
SE/UT#2S will determine whether 0acal or Atalla is

supported and pass the required data to the -S('
#& the P#$ translate is success&ul) SPD- will &ill the

correspondin" PST( P#$ related &ields as &ollowsB
+ PST('P#$+S#CE D9:E
+ PST('P#$ Encrypted A$S# P#$ 4loc%
output &rom the -S( translation
+ PST('P#$+KE1 PTD (.KE1
+ PST('P#$+50(T D9E (Encrypted A$S# P#$8PA$
P#$ 4loc%)
+ PST('A$S#+,5ST The startin" position in the PA$
o& the 9 ri"htmost di"its)
e;cludin" the chec% di"it used
to create the P#$8PA$ P#$ 4loc%
TSS will not support DUKPT at this time) it will in

the &uture'
The PTD) KE1D and A/$5 will 4e con&i"ured usin"

standard BASE! Pathway'
Feri&yin" the P#$ or translatin" the P#$ 4e&ore

sendin" the transaction to an e;ternal authori*er
will require another call to the -S('
The SPD- is the only device handler enhanced to

support DUKPT'
The intermediate %ey (PTD (.KE1) can pro"rammatically

4e "enerated i& the request contains a P#$ and the PTD
P#$.E$/01PT.T1P G 67 (DUKPT) or the KS$ is present in
the terminal messa"e and the 2/,$5 parameter P,S+D-+
DUKPT+UPDATE+(ET-,D G D1E
Did # read the spec correctlyA
(d) I* t+e request contains a PI and t+e PTD PI,E-RYPT,TYP . /0123 or t+e 4essa5e
contains a K6 and t+e "-78 para4eter P769D:9DUKPT9UPD!TE,MET:7D is set to /Y23
t+e device +andler uses t+e 6E-UTI"6 procedures to translate t+e DUKPT PI ;loc< to t+e
sin5le len5t+ Master=6ession <ey 4ana5e4ent type$ T+e translate procedures use t+e
inter4ediate PI ;loc< encryption <ey *ro4 t+e PTD M>KEY *ield (t+is 4ay ;e 5enerated i* t+e
PI,E-RYPT,TYP is ;ein5 pro5ra44atically c+an5ed to DUKPT)$
Did # read the spec correctlyA
(d) I* t+e request contains a PI and t+e PTD PI,E-RYPT,TYP . /0123 or t+e 4essa5e
contains a K6 and t+e "-78 para4eter P769D:9DUKPT9UPD!TE,MET:7D is set to /Y23
t+e device +andler uses t+e 6E-UTI"6 procedures to translate t+e DUKPT PI ;loc< to t+e
sin5le len5t+ Master=6ession <ey 4ana5e4ent type$ T+e translate procedures use t+e
inter4ediate PI ;loc< encryption <ey *ro4 t+e PTD M>KEY *ield (t+is 4ay ;e 5enerated i* t+e
PI,E-RYPT,TYP is ;ein5 pro5ra44atically c+an5ed to DUKPT)$
2/,$5 Assi"ns and Params
Assign Name:*.KEYD
Location: \B24.$DATA.PRO1DATA.KEYD
omments: T!e "#$$% &#a$i"ie' "i$e name o" t!e De(i)ation
Ke% *i$e +KEYD,. T!e BA-E24./os De)ice
0an'$e(1Ro#te(1A#t!o(i2ation /(ocess #ses t!is
assign "o( t!e BA-E24./os -tan'a(' PO- De)ice
0an'$e( mo'#$e 3!en A4 stan'a(' PO-
te(mina$s #se
'e(i)e' #ni&#e 5e% /e( t(ansaction +D6KPT,sec#(it%
"o( P4Ns.
Pa(am Name: *.POS-DH-DUKPT-UPDATE-METHOD
Te7t:
omments: A co'e in'icating 3!et!e( t!e -tan'a(' PO- De)ice
0an'$e( +-PD0, mo'#$e can a#tomatica$$% #/'ate t!e
P4N ENRYPT4ON TYPE "ie$' on BA-E24./os Te(mina$
Data "i$es +PTD, sc(een 8 to a )a$#e o" 98 +D6KPT,
3!en t!e Ke% -e(ia$ N#m:e( an' Desc(i/to( "ie$'
+-#:*4D T o" *4D ;, is (ecei)e' in a message "o(
t!e "i(st time an' a De(i)ation Ke% *i$e +KEYD,
(eco(' e7ists "o( t!e -PD0 te(mina$. <a$i' )a$#es
a(e as "o$$o3s:
Y= Yes> a#tomatica$$% #/'ate t!e P4N enc(%/tion met!o' in t!e
BA-E24./os Te(mina$ Data "i$es.
N= No> 'o not a#tomatica$$% #/'ate t!e P4N enc(%/tion met!o' in
t!e BA-E24./os Te(mina$ Data "i$es.
Pa(am De"a#$t: N
Pa(am Name: *.POS-DH-KEYD-READ-FROM-DISK
Te7t:
omments: A co'e in'icating 3!et!e( t!e -tan'a(' PO- De)ice
0an'$e( +-PD0, mo'#$e (ea's t!e De(i)ation Ke%
*i$e +KEYD, "(om 'is5 o( "(om memo(%. <a$i' )a$#es
a(e as "o$$o3s:
Y= Yes> (ea' t!e KEYD "(om 'is5.
N= No> 'o not (ea' t!e KEYD "(om 'is5. T!e "i$e is (ea' "(om
e7ten'e' memo(%. T!e KEYD is $oa'e' into e7ten'e' memo(%
'#(ing initia$i2ation.
Pa(am De"a#$t: N

DUKPT

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

DUKPT

Caricato da

Copyright:

Formati disponibili

Derived Unique Key

Derived Unique Key

Derived Unique Key Per Transaction (DUKPT)

Each terminal security module (TS() or P#$

The receivin" BASE!+pos security module will

Upon receipt o& a terminal request messa"e)

The PTD P#$.E$/01PT.T1P &ield is used to

The PTD 0ETA#2E0.#D) KE1D.30,UP and

The Derivation Key 5ile (KE1D) will store the

,nce the KE1D record is located) SPD- will

The new P#$ 4loc% and the intermediate %ey

The DUKPT data which includes the Key Serial

The KS$ descriptor data is required &or 0acal

De&ault KS$ descriptor data placed in the

The DUKPT P#$ 4loc% is translated to a 9:+

The SPD- messa"e de&inition will 4e modi&ied

The P#$ 4loc% may 4e translated a"ain i& the

The <+4yte derivation %eys must 4e encrypted

#& DUKPT is supported) the SPD- will retrieve

The search criteria used &ollowsB

The SPD- will pass all required data to SE/UT#2S

SE/UT#2S will determine whether 0acal or Atalla is

#& the P#$ translate is success&ul) SPD- will &ill the

TSS will not support DUKPT at this time) it will in

The PTD) KE1D and A/$5 will 4e con&i"ured usin"

Feri&yin" the P#$ or translatin" the P#$ 4e&ore

The SPD- is the only device handler enhanced to

The intermediate %ey (PTD (.KE1) can pro"rammatically

Potrebbero piacerti anche