
How are cloud payment HSMs used for card and mobile issuing?

PIN (PIN and Offset Generation)

VirtuCrypt next-generation cloud payment HSMs can generate PIN and PIN offset values during payment card issuance. All major PIN generation algorithms are supported, and offsets can be generated from either clear PINs or encrypted PIN blocks. Cloud HSMs can be configured to generate new offsets without changing the customer's PIN, to encrypt clear PINs, and to generate the offset of a clear PIN.
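As an added illustration of one of the major PIN generation algorithms referred to above (the IBM 3624 offset method), the following Go program is example code written for this page, not VirtuCrypt's or Futurex's own implementation. It assumes a single-DES PIN Verification Key, a constructed decimalization table, and constructed PVK and validation-data values; it derives the natural PIN, computes the offset for a customer-chosen PIN, and shows the verification-time reversal that lets a PVK rotation produce a new offset without changing the customer's PIN.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Decimalization table for the hex digits 0..f (constructed sample, not a production value).
const decTab = "0123456789012345"

// naturalPIN is the IBM 3624 generation step: encrypt the validation data (16 hex digits,
// normally PAN-derived) under the PIN Verification Key, decimalize, keep the first n digits.
func naturalPIN(pvk []byte, validation string, n int) (string, error) {
	c, err := des.NewCipher(pvk) // single DES: the PVK must be exactly 8 bytes
	data, derr := hex.DecodeString(validation)
	if err != nil || derr != nil || len(data) != des.BlockSize || n < 1 || n > 16 {
		return "", fmt.Errorf("bad PVK length, validation data or digit count")
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, data)
	h := hex.EncodeToString(out) // lowercase hex
	var pin strings.Builder
	for i := 0; i < n; i++ {
		pin.WriteByte(decTab[strings.IndexByte("0123456789abcdef", h[i])])
	}
	return pin.String(), nil
}

// digitwise returns (a[i] + sign*b[i]) mod 10 for every digit position (sign is +1 or -1).
func digitwise(a, b string, sign int) string {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = byte('0' + (int(a[i]-'0')+sign*int(b[i]-'0')+10)%10)
	}
	return string(out)
}

// pinOffset is stored with the card record; pinFromOffset reverses it at verification.
// Rotating the PVK changes the natural PIN, so a new offset is issued for the same customer PIN.
func pinOffset(customer, natural string) string   { return digitwise(customer, natural, -1) }
func pinFromOffset(natural, offset string) string { return digitwise(natural, offset, 1) }
func main() {
	pvk, _ := hex.DecodeString("0123456789abcdef")    // constructed PVK
	nat, _ := naturalPIN(pvk, "4e6f772069732074", 4) // constructed validation data
	off := pinOffset("1234", nat)
	fmt.Println("natural:", nat, "offset:", off, "verified:", pinFromOffset(nat, off) == "1234")
}
```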

Mobile and Web PIN Management

The demand for new methods of accountholder authentication and PIN management has increased. This increase in demand coincides with a growing number of devices and access points to payment systems and ecommerce. Just as solutions have been introduced into the market for software-based PIN entry, so have techniques for cloud-based PIN issuance and management.

When performing a PIN change through an issuer’s website or mobile app, the new PIN is encrypted using the web browser’s or app’s RSA public key and sent to the VirtuCrypt service instance. Within its FIPS 140-2 Level 3 and PCI HSM-compliant boundary, the HSM translates that PIN into an encrypted symmetric PIN block and returns it in the response, where it is stored in the issuer’s PIN database for future use.

EMV Key Generation and Derivation

Cloud payment HSMs act as the primary security devices when issuing EMV ICC chip payment cards. By integrating with data preparation and personalization systems, cloud HSMs play a critical role during issuance of physical EMV credit, debit & prepaid cards by generating the required keys and supporting other EMV requirements, including:

  • EMV ICC certificate and issuer CSR generation
  • dCVC3, CVC IV, and Data Authentication Code (DAC) generation
  • Key derivation from the Vendor Master Key
  • MAC generation and verification
  • Establishing authority between issuer and payment scheme
  • Deriving the Application Cryptogram (AC) card key from the AC master key & account number
  • EMV cryptogram validation

Payment Card Issuance & Replacement

Issuing prepaid EMV and debit cards presents unique operational challenges. Unlike typical prepaid debit or stored-value cards, EMV cards contain an Integrated Circuit Card (ICC) chip and are secured using a Public Key Infrastructure (PKI).

During payment card issuance, the ICC chip is loaded with encrypted data in addition to the magnetic stripe, which is retained for backward compatibility. The sensitive payment card data is first prepared by the data preparation system, which extracts clear sensitive data from the issuing institution’s customer databases. The data preparation system then encrypts the sensitive data using three types of keys: a Data Transport Key (DTK) for customer data, a Key Transport Key (KTK) for encryption keys, and a PIN Transport Key (PTK) for PINs. Each key is derived from a dedicated master key generated by a cloud HSM. Cloud HSMs also provide the necessary encryption keys to the personalization machine, which receives, decrypts, and imprints the data from the data preparation system during the card printing process.

Mobile Payment Token Issuance

For issuers allowing customers to make payments via digital wallets (such as Apple Pay, Google Pay, and Samsung Pay), an efficient payment tokenization solution is needed to avoid unnecessary transmission of payment card and PAN data. Digital wallet payment processing utilizes a specific kind of token, payment token, which differs from the acquisition and issuer tokens in that original PAN data is not exposed. Payment tokens are issued via a Token Service Provider (TSP) to registered token requestors (merchants holding payment card credentials) to be utilized as “proxy” or “surrogate” PAN data.

VirtuCrypt next-generation cloud payment HSMs can be integrated as an independent Token Service Provider (TSP) or configured to allow payment networks or payment processors to become a TSP. In addition to mobile payment token issuance, VirtuCrypt tokenization and P2PE can be used in conjunction with other encryption technologies, allowing organizations to potentially eliminate all clear-text PAN data from their networks.
