Skip to main content

How are cloud payment HSMs used for Point-to-Point Encryption (P2PE)?

Point-to-Point Encryption, also known as P2PE, is a security standard according to which cardholder data is encrypted at the point of interaction (POI) or point of sale (POS). The encrypted data is sent to the transaction processor, where it is decrypted within the confines of an HSM, and then is sent to the card issuer for validation. To meet your organization’s specific needs, VirtuCrypt can be configured to create a secure P2PE environment through remote key loading and advanced encryption & translation techniques that support DUKPT derived keys and both 3DES and AES encryption.

Cardholder Data Decryption (Using FPE and DUKPT)

After cardholder data is encrypted at a Point-of-Sales (POS) or ATM terminal, data is securely transmitted and decrypted utilizing related keys generated/housed by a cloud HSM (Excrypt Plus) under a secure TLS management platform (Guardian Series 3).

Decryption Using Format-Preserving Encryption

Format-preserving encryption (FPE) allows organizations to encrypt data in the same format as the original data, hence the name “format preserving.” For example, a PAN is typically between 8 and 19 numeric digits, and when using format-preserving encryption, the encrypted PAN data will have the same number of digits. Format-preserving encryption is utilized by organizations with strict database schemas that require field values to share the same length and format.

Encrypted PAN#: 9356030022219797
Decrypted PAN#: 4012888888881881

Decryption Using DUKPT

Derived Unique Key Per Transaction (DUKPT) safeguards data, such as Personal Identification Numbers (PIN) or cardholder Primary Account Numbers (PAN), by providing unique encryption keys for every transaction. Each key cannot lead back to the original key upon which it was based. Each transaction key is erased after use.

Essentially, one Base Derivation Key (BDK) is used to initiate the DUKPT process. The BDK itself is never exposed, but instead is used to create another key, called an initial key. This initial key is injected into the new point of sale (POS) device along with a Key Serial Number (KSN) containing identifying information for the host application. The initial key is used to create a pool of encryption keys, and during each transaction, one of the keys is selected from the pool to encrypt information. After the data is sent to the device, the current key is used to create additional future keys, and then it is erased, removing any information about a previous transaction.

To decrypt data that was encrypted using the Triple DES (3DES) algorithm under a key derived from a DUKPT BDK, a cloud HSM must perform the key derivation process to generate the key needed to decipher the PAN data. Transmitted along with the encrypted PAN data is the Key Serial Number (KSN) which consists of a Device ID and device transaction counter. From the KSN, the receiver then generates the Initial Key and from that generates the Future Key that was used by the device and then the actual key that was used to encrypt the data. With this key, the receiver will be able to decrypt the data.

DUKPT Advantages

Derived keys keep information safe. The process cannot be reversed to lead back to the BDK, and if one of the keys were compromised in a POS device, it would immediately be replaced by a new key in the next transaction. Through derivation, DUKPT forms a self-recycling system that promotes security, efficiency, and ease of implementation.

Cardholder Data Translation

When transmitting sensitive cardholder data between multiple payment institutions (zones), it is best practice to orchestrate a secure process that does not expose clear data to any institution that is not the issuing bank or financial institution. In addition to the handling of sensitive cardholder data, each zone must securely pass the PIN Encryption Key (PEK) between zones for use by the issuing bank.

To accomplish this task, the data block must be translated and encrypted between each zone through sharing of zone keys or Traffic Encryption Keys (TEK). Traffic Encryption Keys (TEKs) encrypt the data transferred between each zone and must be derived from the original master key or in the case of DUKPT the Base Derived Key (BDK). The TEKs must also be changed out frequently requiring a proper key management solution.

VirtuCrypt next-generation cloud payment HSMs can support the secure translation of sensitive cardholder data reducing PCI DSS compliance scope through the following PAN Translation Methods:

  • DUKPT-to-DUKPT: data encrypted using DUKPT derived key translated to another DUKPT derived key
  • DUKPT-to-Symmetric or Symmetric-to-DUKPT: data encrypted using DUKPT derived key translated to symmetric key, or vice-versa
  • DUKPT-to-RSA with track data: translate and parse data from a key derived using DUKPT to an RSA public key with specific track data
Point-to-Point Encryption Key Management

To meet PCI compliance standards, a cost-effective key management strategy that encompasses all phases of the encryption key lifecycle (generation, storage, distribution, destruction etc.) must be in place. Key management for Point-to-Point Encryption is no exception as financial organizations can create unnecessary complexity or manual effort due to lack of resources or technological limitations.

Remote Key Management

VirtuCrypt’s remote key loading services leverage the power of the cloud to include all the functionality necessary for performing key management for POS terminals, ATMs, and more. With cloud HSMs and key management servers, you can exercise full key management capabilities. By rotating keys over a secured IP network, your organization can conserve the time and resources that would otherwise be spent rotating keys.

The Remote Key Management service provides:

  • Key generation, distribution, injection, deletion, tracking, and certificate hierarchies
  • Flawless integration with the host application that drives your organization’s POS terminals or ATMs
  • Remote management capabilities such as loading Master File Keys (MFK), from virtually anywhere using the Excrypt Touch tablet
Securing the world's most sensitive data.
Request Demo ▸