VirtuCrypt Cloud Payment HSM

On-demand financial issuing and acquiring

Scalable and compliant cloud cryptography

Cloud payment HSM solutions for the payments industry

The payments industry uses cloud payment HSMs to secure transactions, protect account data, and authenticate payment devices. Futurex offers its solution suite of payment HSMs over the Futurex VirtuCrypt cloud to meet these needs. A cloud payment HSM gives you the same security and functionality as an on-premises HSM but is more cost-effective and quicker to deploy.

Sales brochureSchedule a demo

Transaction acquiring

  • CVV generation and validation
  • EMV validation
  • Mobile payment acceptance
  • PIN translation and verification
  • Payment key management
  • MAC generation and verification

Card and mobile Issuing

  • EMV key generation & derivation
  • Online and mobile PIN management
  • Mobile token issuance (Apple Pay, Google Pay, Samsung Pay, and host card emulation tokens)
  • PIN and offset generation

Point-to-point encryption (P2PE)

  • Cardholder data decryption
  • Cardholder data translation
  • Point-to-point encryption key management

Testing and development

Perform testing, development, and rapid prototyping within a secure code environment (SCE).
VirtuCrypt cloud hsm
Public cloud integration

Integrate VirtuCrypt cloud solutions with major cloud providers, including Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).

Instant scalability

Leverage the power of cloud performance with automated deployment, high availability clusters, and on-demand HSM provisioning.

Standalone cloud HSMs

Use the Futurex VirtuCrypt Cloud HSM service to deploy virtual HSMs with their own major keys, users, and throughput (TPS) allocation.

Why VirtuCrypt cloud HSM solutions?

You can configure our extensive financial payments HSMs to fit your organization’s needs. Rather than a template to which you must conform, it’s a blank canvas on which you can design your ideal infrastructure.

  • Deploy groups of HSMs as a complete infrastructure
  • Spin up single HSMs and integrate them into existing infrastructure
  • License individual functions of HSMs to resolve specific use cases

Payment application migration

Cloud payment HSMs enable organizations to fully migrate payment apps to the cloud. This is perfect for organizations that need a multi-cloud strategy.

"Build your own" HSMs in the cloud

The VirtuCrypt cloud gives you unlimited configuration options. Increase system redundancy, back up and clone cloud HSMs, or spin up individual cryptographic functions.

Lower total cost of ownership (TCO)

By using the Futurex Crypto as a Service (CaaS) model, you can lower the overall TCO of your enterprise security ecosystem.

Reduce scope of compliance

With cloud HSMs, you can host enterprise applications and support HSMs in the cloud with no direct Internet routing. All while maintaining enterprise-level security and reduced compliance scope.

Cloud payment HSM architecture

Deploy cloud-based Futurex hardware security modules (HSMs) using our VirtuCrypt cloud service. We base our cloud payment HSMs on physical hosts. They offer the same financial issuing and financial acquiring functionality but with the added flexibility and cost-effectiveness of the cloud.

Using the VirtuCrypt cloud, you can deploy a complete cryptographic infrastructure or deploy specific functions to address individual use cases. Do it all with the market-leading Futurex FIPS 140-2 Level 3 and PCI HSM-validated technology.

Schedule a demo
Related: Enterprise key management

Check out our key management service backed by Futurex hardware.

See it now

Related: VirtuCrypt compliance

Learn more about VirtuCrypt compliance and industry standards.

See it now

Direct integration with major public cloud providers

AWS cloud HSM integration
Amazon Web Services

Sign up now

Azure dedicated HSM
Microsoft Azure

Sign up now

Google cloud HSM integration
Google Cloud Platform

Request consultation

Direct integration with other services and applications housed outside the public cloud itself is an increasingly popular choice for public cloud usage. Cloud Payment HSMs offer direct integration with public clouds, so you can provision services rapidly through the public cloud marketplace.

Build your own cloud HSM

Choose service models based on functionality, throughput, and redundancy. Through the VirtuCrypt cloud, you gain unlimited options for customization.

Validated and compliant

Futurex VirtuCrypt Cloud HSMs comply with all industry standards, such as PCI HSM, HIPPA, SSAE 16, TIA-942. They are certified under FIPS 140-2 Level 3.

Multi-cloud strategy

Enable a single cloud HSM estate to connect with multiple applications through multiple public cloud regions simultaneously using the VirtuCrypt Intelligence Portal (VIP).

High availability & disaster recovery

Easily create multiple instances of cloud HSMs to ensure high availability and disaster recovery. You can also automate cloud HSMs as a failover mechanism.

Bring your own keys

Administrators can securely load major keys into Cloud HSMs by using several methods, including bring your own key (BYOK), key agent services, and HSM-generated keys.

Cloud-based testing and development

You can do development and proof-of-concept testing without ever stepping inside a data center, ending challenges associated with managing evaluation hardware.

VirtuCrypt cloud HSM dashboard

VIP Dashboard

The VirtuCrypt Intelligence Portal (VIP) provides customers with control and visibility of their cloud in the field or corporate office. VirtuCrypt CryptoTunnels ensure secure communication between applications and HSMs.

  • On-demand cloud HSM provisioning
  • User-managed high availability clustering
  • Centralized log management and reporting
  • RESTful API for integrating VirtuCrypt programmatically
Sign up nowLogin

Cloud payment HSM specifications

VirtuCrypt cloud payment HSM compliance

VirtuCrypt services undergo annual audits to ensure that all compliance and certification requirements are met and maintained. Industry and regulatory compliance includes maintaining VISA Approved Service Provider status, TR-39, FIPS 140-2 Level 3, PCI Data Security Standard (PCI DSS), PCI Point-to-Point Encryption (PCI P2PE), and PCI PIN Transaction Security (PCI PIN) requirements.

PCI Point-to-Point Encryption (PCI P2PE) compliance

PCI P2PE

PCI Data Security Standard (PCI DSS) compliance

PCI DSS

PCI PIN Transaction Security (PCI PIN) compliance

PCI PIN

VISA Approved Service Provider status

VISA ASP

Powered by Futurex hardware

VirtuCrypt cloud HSM and key management services are powered by a complete suite of Futurex hardware security modules, key management servers, and other technologies regionally distributed across highly secured data centers. All Futurex HSMs within our VirtuCrypt services are FIPS 140-2 Level 3-validated secure cryptographic devices and comply with Payment Card Industry (PCI) and ASC X9.24 Part 1 and 2 requirements.

hardware security module
Hardware compliance

FIPS 140-2 Level 3 PCI HSM

FIPS 140-2 Level 3 and PCI HSM validated HSMs for data encryption and cryptographic key protection, on-premises and in the cloud.
enterprise key management
Hardware compliance

FIPS 140-2 Level 3 PCI HSM

Securely manage the lifecycle of cryptographic keys and certificates with a scalable architecture for dynamic cryptographic environments.
crypto management
Hardware compliance

FIPS 140-2 Level 3 PCI HSM

Technology to streamline and automate large-scale deployments of enterprise cryptographic hardware.

VirtuCrypt facilities certifications

VirtuCrypt facilities comply with the following regulatory requirements regarding security:

  • SSAE 16 (SOC 1, 2, and 3)
  • PCI
  • TIA-942 Tier 4
  • HIPAA
VirtuCrypt cloud HSM data centers

Frequently Asked Questions

Cloud payment HSMs handle all common encryption tasks and form the basis of an organization’s enterprise data  security ecosystem. With VirtuCrypt, they can be quickly configured and integrated into existing infrastructure. This  makes them great all-in-one solutions for enterprises of any size.

The features and capabilities of next-generation cloud payment HSMs include:

Core-to-Cloud Architecture and Automation

A big advantage of the Futurex cloud payment HSM is the level of automation it affords. Instant provisioning within the VirtuCrypt Intelligence Portal (VIP) simplifies migration to the cloud. You can then access your device on the VIP dashboard once it’s been provisioned by VirtuCrypt engineers. Another aspect of this automated process is rapid migration from on-premises HSMs to cloud HSMs. This feature allows certain users to shift their infrastructure to the cloud quickly and easily, instead of having to undergo an exhaustive migration process. VirtuCrypt also provides a cloud HSM Software Development Kit (SDK) that lets you integrate cloud cryptographic processing and key management into your organization’s applications and services, whether they are on-premises or in the cloud.

Cloud Payment HSM Management and Snapshot Technology

The Futurex cloud payment HSM can take cloud HSM snapshots. These can be used for backups, migration to new systems, and streamlining new deployments. Cloud HSM snapshots allow for easy management because users can save instances of a cloud HSM. They can also enable and disable cloud HSMs with the click of a button for both testing and production environments. Users can store cloud payment HSM snapshots on the VirtuCrypt cloud HSM backup service and re-provision them on-demand. With these snapshots, users can build HSM templates that make establishing new environments simple while preventing errors. Cloud HSM major keys can be randomly generated, cloned from existing cloud HSMs, compliantly loaded using VirtuCrypt’s key agent services, and fully customer-loaded and controlled from anywhere in the world.

Crypto Infrastructure Intelligence and Orchestration

Futurex’s cloud HSMs simplify monitoring for true HSM orchestration. HSM orchestration allows cloud HSMs to be provisioned or modified based on user-defined scenarios. The VIP allows for centralized log management, auditfriendly reporting, and integrated monitoring and alerting. The ability to natively integrate with third-party applications and cloud monitoring tools gives users more flexibility.

VirtuCrypt is Futurex’s award-winning cloud hardware security module (HSM) and key management platform. VirtuCrypt provides cloud-based access to Futurex’s cryptographic solution suite: encryption, key management, tokenization, PKI & certificate authority, data protection, remote key loading for POS/ATM/IoT, and much more.

Advanced Cloud Encryption & Key Management, Powered by Futurex HSMs

VirtuCrypt’s advanced encryption and key management applications set it apart from other cloud security platforms. VirtuCrypt is powered by FIPS 140-2 Level 3 and PCI HSM validated hardware. Futurex cloud payment HSMs also support a wide range of cryptographic interfaces, such as PKCS #11, Java JCA/JCE, and Microsoft CNG. This, along with the expertise of Futurex’s Solutions Architect team, form a comprehensive platform unmatched by any other cloud services provider.

You can manage VirtuCrypt services and applications in the VirtuCrypt Intelligence Portal (VIP) management interface. VirtuCrypt instances are located in high-security data centers across six continents. VirtuCrypt provides flexible and powerful data security options on a global scale, all with the convenience of the cloud.

The primary use cases for cloud payment HSMs are transaction acquiring and card and mobile issuance, including functions such as point-to-point encryption (P2PE) and database encryption. However, their use cases and deployment models continually evolve to keep pace with modern security needs. Below are examples of how VirtuCrypt cloud payment HSMs may be deployed:

  • Full VirtuCrypt cloud: payment application hosted in public cloud with VirtuCrypt cloud HSMs
  • Hybrid: on-premises Futurex HSMs and on-premises payment application, with VirtuCrypt cloud payment HSMs for scalability and disaster recovery
  • Full public cloud integration: application workloads running in public clouds such as AWS, Microsoft Azure, or Google Cloud, with native integration to VirtuCrypt cloud HSMs

Payment HSM utilization is typically split into two main categories: payment acquiring, and card and mobile issuing. Point-to-point encryption is an important part of payment acquiring.

Payment Acquiring

Payment acquiring is how merchants and banks process transactions, either through traditional card-based transactions or mobile payments.

PIN (translation and verification)
  • 3DES and AES PIN blocks
  • All PIN validation methods (ISO 8583, Visa, and many others)
CVV generation and validation
  • All card brands (Visa, MasterCard, Amex, Discover, and others)
  • All variations (CVV, CVV2, CVC, CVC2, Dynamic CVV, etc.)
EMV validation
  • ARQC validation and ARPC generation
  • All current and past key derivation methods
Message Authentication Code (MAC) generation and verification
  •  ISO 9797 Part 3 (financial MAC)
  • CMAC
Key management
  • Network key exchange
  • Key derivation methods (DUKPT, ISO 800-108)
Mobile payment acceptance
  • Google Pay, Apple Pay, and Samsung Pay token acceptance
Card and Mobile Issuing

Card and mobile issuing refers to how banks issue payment cards and provisioning mobile payment tokens.

PIN (PIN & offset generation)
  • IBM 3624, Visa, Diebold
Online & mobile PIN management
  • Supports translating PIN from RSA to symmetric PIN block
  • Asymmetric cryptography for mobile app integration
EMV key generation & derivation
  • Supports card personalization and data preparation
  • All current and past key derivation methods
Mobile payment token issuance
  • Google Pay, Apple Pay, and Samsung Pay token issuance

Due to PCI regulatory requirements, acquiring and issuing processes are typically carried out in separate HSMs. This restriction does not apply to organizations beyond the scope of PCI, however.

Point-to-Point Encryption (P2PE)

P2PE is a compliance standard developed by the PCI Security Standards Council. The P2PE standard is the framework by which organizations encrypt card data as soon as it is captured by a payment terminal. It is a function of payment acquiring. Doing so avoids sending card data “in the clear” through merchant networks, increasing data security in general.

Cardholder data decryption
  • Supports 3DES and AES P2PE
  • Supports multiple key derivation method, including DUKPT
  • Supports Format Preserving Encryption, including VAES and BPS
Cardholder data translation
  • Supports translating to processor-specific data formats
  • Supports multiple cipher translations
Point-to-Point Encryption key management
  • Full point-to-point key management lifecycle supported, including distribution to relevant entities

The data security architecture of the financial sector is in the process of transitioning away from on-premises infrastructure to cloud-hosted infrastructure. Initially, payment applications and payment HSMs were managed onpremises at an organization’s own data centers. Over time, many organizations migrated to the cloud in order to increase scalability and reduce internal IT operating costs.

As organizations moved to partial cloud environments, payment applications were moved to the cloud while HSMs were maintained on-premises. This hybrid approach allowed for flexibility and redundancy for the payment application. But there was still the burden of managing HSMs on-premises. This included staff training, compliance audits, and higher up-front capital expenditure.

After fully realizing the benefits of the cloud, many payment services providers found that moving HSMs to the cloud provided more opportunities to lower their total cost of ownership (TCO) while raising efficiency. Today, many organizations host their payment applications with a public cloud provider and their HSMs with a cloud HSM service, such as Futurex’s VirtuCrypt cloud payment HSM service. These organizations reap the benefits of hosting in the cloud – flexibility, customizability, reduced cost – and maintain the high standard of hardware-backed security. Organizations self-manage the connection between their payment applications and their cloud HSMs.

When using cloud HSMs that are natively integrated with public cloud providers, operational burdens are significantly reduced. Networking infrastructure is simplified, onboarding is faster, and high availability (multi-cloud and multiregion) is easier to attain. As an added bonus, operational tasks like invoicing and payments are built on top of the organization’s existing public cloud account management structure.

PIN Translation & Verification

Organizations can configure VirtuCrypt cloud payment HSMs to translate and validate PIN blocks. The cloud payment HSMs execute the translation commands needed to prepare PIN blocks for each transaction zone. These commands include:

  • TPIN: Translate PIN blocks from one key to another
  • TPIN IBM: Translate the incoming PIN block encrypted via the IBM 4736 ATM algorithm
  • TPIN DUKPT: Allows the incoming DUKPT encrypted PIN block to be translated under an outgoing key

Like PIN translation, VirtuCrypt cloud payment HSMs support a variety of PIN verification methods including Visa, NCR, Diebold, ICM 3624, and IBM 4736 and can be configured to operate with offline & online PIN solutions.

EMV Validation

EMV (originally Europay, Mastercard, and Visa) has become the standard when issuing payment cards. As such, financial organizations must continue to expand their capabilities to effectively manage EMV validation & response. Organizations can offload EMV authorization request (ARQC) validation & response generation (ARPC) to cloud payment HSMs to quickly receive validation of EMV card transactions prior to approving funds for a purchase.

MAC Generation & Verification

You can eliminate the complexity and risk of key management by centralizing authorization processes into VirtuCrypt. Ensure strong data integrity and authenticity by generating and verifying message authentication code (MAC) in cloud HSMs specifically configured for the payments industry.

Our cloud payment HSMs can be configured to:

  • Generate standard, DUKPT, or hashed messaging code
  • Generate ISO Variant 3, or HMAC and PBKDF2 obfuscated value
  • Verify standard MAC and MAC using DUKPT
  • Generate & verify cipher-based MAC (CMAC)
Key Management & Derivation

Proper encryption key management for network keys is vital to any payment processing environment. VirtuCrypt’s next-generation cloud payment HSMs support a range of features used for these purposes:

  • Network key exchange under a common Key Exchange Key (KEK)
  • Key translation between a range of formats
  • Key derivation for a variety of methods including DUKPT & ISO 800-108 recommended methods (Counter, Feedback, and Double-Pipeline Iteration)
  • Mastercard On Behalf Key Management (OBKM)
CVV Generation & Validation

Organizations can securely validate card security codes (CVC, CVV, CVC2, CSC) from major payment providers including Visa, MasterCard, Discover and American Express with next-gen cloud payment HSMs. Administrators can appropriately configure cloud HSMs to generate and verify specific types of verification codes through API commands.

  • Card Identification Number (CID)
  • Card Security Code (CSC)
  • Card Validation Code (CVC & CVC2)
  • Card Verification Data (CVD)
  • Card Verification Value (CVV)

VirtuCrypt cloud payment HSMs can also be configured to validate CVVs with set validation conditions. Configurable conditions include output length, card verification key referencing, compatibility modes, and other functions.

Mobile Payments Acceptance

VirtuCrypt cloud payment HSMs support Google Pay, Apple Pay, and Samsung Pay.

The services related to mobile payments include:

  • Decrypting Apple Pay, Google Pay, Samsung Pay tokens
  • Generating Host Card Emulation (HCE) mobile cryptograms, magstripe verification values, and mobile keys
  • Verifying HCE mobile cryptograms and magstripe verification values
PIN (PIN and Offset Generation)

VirtuCrypt next-generation cloud payment HSMs can generate PIN and PIN offset values during payment card issuance. All major PIN generation algorithms are supported. Offsets can be generated from clear PINs or encrypted PIN blocks. Cloud HSMs can be configured to generate new offsets without changing the customer PIN, encrypting clear PINs, and generating offsets of a clear PIN.

Mobile and Web PIN Management

The demand for new methods of accountholder authentication and PIN management has increased. This increase in demand coincides with a growing number of devices and access points to payment systems and ecommerce. Just as solutions have been introduced into the market for software-based PIN entry, so have techniques for cloud-based PIN issuance and management.

When performing a PIN change through an issuer’s website or mobile app, the new PIN is encrypted using the web browser or app’s RSA public key. It is then sent to the VirtuCrypt service instance. Within its FIPS 140-2 Level 3 and PCI HSM compliant boundary, the HSM translates that PIN into an encrypted symmetric PIN block and provides it in a response stored in the issuer’s PIN database for future use.

EMV Key Generation and Derivation

Cloud payment HSMs act as the primary security devices when issuing EMV ICC chip payment cards. By integrating with data preparation and personalization systems, cloud HSMs play a critical role during issuance of the physical EMV credit, debit & prepaid cards by generating the required keys and other potential EMV requirements including:

  • EMV ICC certificate and issuer CSR
  • Generating dCVC3, CVC IV, and Data Authentication Code (DAC)
  • Key derivation from Vendor Master Key
  • Generating & verifying MAC
  • Establish authority between issuer and payment scheme
  • Derive Application Cryptogram (AC) card key from the AC master key & account number
  • Validating EMV cryptograms
Payment Card Issuance & Replacement

Issuing prepaid EMV and debit cards presents unique operational challenges. Unlike typical prepaid debit or storedvalue cards, EMV cards contain an Integrated Circuit Card (ICC) chip and are secured using a Public Key Infrastructure (PKI).

During payment card issuance, the ICC chip is loaded with encrypted data in addition to the magnetic stripe for backward compatibility. The sensitive payment card data is first prepared by the data preparation system which extracts clear sensitive data from issuing institution customer databases. The data preparation system then encrypts sensitive data using three types of keys: Data Transport Key (DTK) for customer data, Key Transport Key (KTK) for encryption keys, and PIN Transport keys (PTK) to encrypt PINs. Each key is derived from the dedicated master key generated by a cloud HSM. Cloud HSMs also provides the necessary encryption keys to the personalization machine that receives, decrypts, and imprints the data from the data preparation system during the card printing process.

Mobile Payment Token Issuance

For issuers allowing customers to make payments via digital wallets (such as Apple Pay, Google Pay, and Samsung Pay), an efficient payment tokenization solution is needed to avoid unnecessary transmission of payment card and PAN data. Digital wallet payment processing utilizes a specific kind of token, payment token, which differs from the acquisition and issuer tokens in that original PAN data is not exposed. Payment tokens are issued via a Token Service Provider (TSP) to registered token requestors (merchants holding payment card credentials) to be utilized as “proxy” or “surrogate” PAN data.

VirtuCrypt next-generation cloud payment HSMs can be integrated as independent Token Service Provider (TSP) or can be configured to allow payment networks or payment processors to become a TSP. In addition to mobile payment token issuance, VirtuCrypt tokenization and P2PE can be used in conjunction with other encryption technologies allowing organizations to potentially eliminate all clear-text PAN data from their networks.

Point-to-Point Encryption, also known as P2PE, is a security standard according to which cardholder data is encrypted at the point of interaction (POI) or point of sale (POS). The encrypted data is sent to the transaction processor, where it is decrypted within the confines of an HSM, and then is sent to the card issuer for validation. To meet your organization’s specific needs, VirtuCrypt can be configured to create a secure P2PE environment through remote key loading and advanced encryption & translation techniques that support DUKPT derived keys and both 3DES and AES encryption.

Cardholder Data Decryption (Using FPE and DUKPT)

After cardholder data is encrypted at a Point-of-Sales (POS) or ATM terminal, data is securely transmitted and decrypted utilizing related keys generated/housed by a cloud HSM (Excrypt Plus) under a secure TLS management platform (Guardian Series 3).

Decryption Using Format-Preserving Encryption

Format-preserving encryption (FPE) allows organizations to encrypt data in the same format as the original data, hence the name “format preserving.” For example, a PAN is typically between 8 and 19 numeric digits, and when using format-preserving encryption, the encrypted PAN data will have the same number of digits. Format-preserving encryption is utilized by organizations with strict database schemas that require field values to share the same length and format.

Example:
Encrypted PAN#: 9356030022219797
Decrypted PAN#: 4012888888881881

Decryption Using DUKPT

Derived Unique Key Per Transaction (DUKPT) safeguards data, such as Personal Identification Numbers (PIN) or cardholder Primary Account Numbers (PAN), by providing unique encryption keys for every transaction. Each key cannot lead back to the original key upon which it was based. Each transaction key is erased after use.

Essentially, one Base Derivation Key (BDK) is used to initiate the DUKPT process. The BDK itself is never exposed, but instead is used to create another key, called an initial key. This initial key is injected into the new point of sale (POS) device along with a Key Serial Number (KSN) containing identifying information for the host application. The initial key is used to create a pool of encryption keys, and during each transaction, one of the keys is selected from the pool to encrypt information. After the data is sent to the device, the current key is used to create additional future keys, and then it is erased, removing any information about a previous transaction.

To decrypt data that was encrypted using the Triple DES (3DES) algorithm under a key derived from a DUKPT BDK, a cloud HSM must perform the key derivation process to generate the key needed to decipher the PAN data. Transmitted along with the encrypted PAN data is the Key Serial Number (KSN) which consists of a Device ID and device transaction counter. From the KSN, the receiver then generates the Initial Key and from that generates the Future Key that was used by the device and then the actual key that was used to encrypt the data. With this key, the receiver will be able to decrypt the data.

DUKPT Advantages

Derived keys keep information safe. The process cannot be reversed to lead back to the BDK, and if one of the keys were compromised in a POS device, it would immediately be replaced by a new key in the next transaction. Through derivation, DUKPT forms a self-recycling system that promotes security, efficiency, and ease of implementation.

Cardholder Data Translation

When transmitting sensitive cardholder data between multiple payment institutions (zones), it is best practice to orchestrate a secure process that does not expose clear data to any institution that is not the issuing bank or financial institution. In addition to the handling of sensitive cardholder data, each zone must securely pass the PIN Encryption Key (PEK) between zones for use by the issuing bank.

To accomplish this task, the data block must be translated and encrypted between each zone through sharing of zone keys or Traffic Encryption Keys (TEK). Traffic Encryption Keys (TEKs) encrypt the data transferred between each zone and must be derived from the original master key or in the case of DUKPT the Base Derived Key (BDK). The TEKs must also be changed out frequently requiring a proper key management solution.

VirtuCrypt next-generation cloud payment HSMs can support the secure translation of sensitive cardholder data reducing PCI DSS compliance scope through the following PAN Translation Methods:

  • DUKPT-to-DUKPT: data encrypted using DUKPT derived key translated to another DUKPT derived key
  • DUKPT-to-Symmetric or Symmetric-to-DUKPT: data encrypted using DUKPT derived key translated to symmetric key, or vice-versa
  • DUKPT-to-RSA with track data: translate and parse data from a key derived using DUKPT to an RSA public key with specific track data
Point-to-Point Encryption Key Management

To meet PCI compliance standards, a cost-effective key management stra