All issuers, card acceptors and merchant account service providers that handle cardholder PINs and the encryption keys that protect them must be fully compliant with the Payment Card Industry (PCI) PIN Security Requirements. The following best practices show how that is done:
- Only install compliant point-of-sale (POS) terminals. Purchase only POS equipment that has been approved under the PCI PIN Transaction Security (PTS) program. Work with your merchant services provider or Encryption Support Organization (ESO) on a plan that ensures every installed POS device is approved by Visa and MasterCard and uses the Triple Data Encryption Standard (TDES) for PIN encryption.
- Never store PIN blocks. PINs travel only in encrypted (enciphered) form while the acquirer or processor handles the transaction, and they must not be retained once the transaction has been processed. Many payment operations have implemented programs designed to overwrite or mask PIN blocks. Even so, every processor or service provider of PIN-based payments must evaluate all inbound and outbound PIN-based messages to confirm that no system stores PIN blocks. Any intermediate logging used for payment evaluation or troubleshooting must also actually remove PIN blocks. This requirement prevents the accumulation, and subsequent attack, of any large store of encrypted PINs.
- Always maintain secure key injection procedures. When POS terminals and host security platforms are first installed, they must be securely loaded with their encryption keys. Whatever type of tamper-resistant security module is installed, the rules of dual control and split knowledge must be kept in place at all times to preserve the secrecy of the key being loaded. Merchants and their acquirers must also establish procedures that keep any one person from having access to all components of a single encryption key. If a card acceptor uses an ESO for key injection into a POS device, the acquirer must register that ESO with Visa and MasterCard.
- Make sure every terminal has unique keys. Cryptographic keys stored in a POS device must be unique to that terminal, including initialization keys, key-exchange keys and PIN-encryption keys. Unique per-terminal keys make a fleet an unattractive target: a compromised unique key exposes only the PINs entered on that one device, whereas compromise of a key shared across many devices could expose every PIN entered on all of them. When checking compliance with this rule, technical staff should also check for weak keys (also called default, predictable or simple keys).
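The logging point in the second practice above is easy to get wrong: a troubleshooting log that copies whole PIN-based messages quietly becomes exactly the large store of encrypted PINs the rule exists to prevent. The Go program below is an added example, not code from the original post or from any card brand or processor. It scrubs the enciphered PIN block (ISO 8583 data element 52) from log lines before they are written and audits existing log text for any that survived. The key=value log format, the field name `DE052` and the sample lines are constructed for this example; a real logger would apply the same filter to whatever representation it uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pinBlockField matches ISO 8583 data element 52 (PIN data) in the constructed
// key=value log format used here: "DE052=<16 hex characters>". The field name
// and format are assumptions for this example; adapt the pattern to your logger.
var pinBlockField = regexp.MustCompile(`(?i)\bDE0?52=[0-9A-F]{16}\b`)

// ScrubPINBlock removes the enciphered PIN block from a log line before it is
// written, leaving a fixed marker so the field is visibly absent rather than
// silently dropped.
func ScrubPINBlock(line string) string {
	return pinBlockField.ReplaceAllString(line, "DE052=[REMOVED]")
}

// ContainsPINBlock reports whether a line still carries a PIN block. Use it as
// a guard in the logging path and to audit log stores already on disk.
func ContainsPINBlock(line string) bool {
	return pinBlockField.MatchString(line)
}

// AuditLog scrubs every line of raw log text and returns the scrubbed lines
// together with the 1-based numbers of the lines that contained a PIN block,
// so an audit can report exactly where retained PIN data was found.
func AuditLog(raw string) ([]string, []int) {
	var cleaned []string
	var offending []int
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		if ContainsPINBlock(line) {
			offending = append(offending, i+1)
		}
		cleaned = append(cleaned, ScrubPINBlock(line))
	}
	return cleaned, offending
}

// sampleLog is constructed for this example: two online-PIN requests (one with
// a lowercase field name from a different logger), a response and a
// signature-based request, in the key=value format assumed above.
const sampleLog = `
2024-05-01T10:00:00Z MTI=0200 DE002=4111111111111111 DE004=000000001000 DE052=A1B2C3D4E5F60718 DE053=0000000000000000
2024-05-01T10:00:01Z MTI=0210 DE002=4111111111111111 DE039=00
2024-05-01T10:00:05Z MTI=0200 DE002=5555555555554444 DE004=000000002550
2024-05-01T10:00:09Z MTI=0200 DE002=5105105105105100 DE004=000000000999 de52=0123456789abcdef
`

func main() {
	cleaned, offending := AuditLog(sampleLog)
	fmt.Printf("lines that contained a PIN block: %v\n", offending)
	for _, line := range cleaned {
		fmt.Println(line)
	}
}
```

Run the audit over existing logs first; a non-empty list of offending lines is itself a finding, because the requirement is that PIN blocks are never stored, not merely that new logs are clean. Note that the pattern only catches labelled fields: logs that dump raw message hex need a parser that locates element 52 by bitmap position instead.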
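The third and fourth practices above, dual control with split knowledge at key injection and unique, non-weak terminal keys, can both be backed by a little code. What follows is an added example written for this page, not a Visa, MasterCard or PCI procedure: it combines the components held by separate custodians into a double-length TDES key by XOR (the conventional component scheme), computes the key check value (KCV, the first three bytes of a TDES encryption of an all-zero block) that custodians compare without revealing the key, and rejects keys that are weak, degenerate or on a list of known default keys. The component values and the default-key list are constructed for the example; the DES weak and semi-weak key table is the standard one.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// NormalizeParity forces odd parity on every byte, the DES key convention:
// bytes with an even number of one bits get their low bit flipped.
func NormalizeParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 1
		}
		out[i] = b
	}
	return out
}

// CombineComponents XORs the 16-byte components held by separate custodians
// into the final double-length TDES key. No single component reveals anything
// about the result, which is the property split knowledge depends on.
func CombineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("split knowledge requires at least two components")
	}
	key := make([]byte, 16)
	for _, c := range components {
		if len(c) != 16 {
			return nil, fmt.Errorf("component length %d, want 16", len(c))
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return NormalizeParity(key), nil
}

// KCV returns the key check value: the first three bytes, in hex, of the TDES
// encryption of an all-zero block. Custodians compare KCVs to confirm that a
// component or key was entered correctly without anyone seeing the key.
func KCV(key16 []byte) (string, error) {
	if len(key16) != 16 {
		return "", fmt.Errorf("key length %d, want 16", len(key16))
	}
	k := append(append([]byte{}, key16...), key16[:8]...) // K1|K2|K1 for two-key TDES
	block, err := des.NewTripleDESCipher(k)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	block.Encrypt(out, make([]byte, 8))
	return hex.EncodeToString(out[:3]), nil
}

// desWeakHalves lists the four DES weak and twelve semi-weak keys (odd-parity
// form); a TDES key that uses one of them as a half is rejected.
var desWeakHalves = map[string]bool{
	"0101010101010101": true, "fefefefefefefefe": true, "e0e0e0e0f1f1f1f1": true,
	"1f1f1f1f0e0e0e0e": true, "01fe01fe01fe01fe": true, "fe01fe01fe01fe01": true,
	"1fe01fe00ef10ef1": true, "e01fe01ff10ef10e": true, "01e001e001f101f1": true,
	"e001e001f101f101": true, "1ffe1ffe0efe0efe": true, "fe1ffe1ffe0efe0e": true,
	"011f011f010e010e": true, "1f011f010e010e01": true, "e0fee0fef1fef1fe": true,
	"fee0fee0fef1fef1": true,
}

// knownDefaultKeys is a constructed, deliberately short list of vendor default
// and test keys; a real deployment keeps its own inventory.
var knownDefaultKeys = map[string]bool{"0123456789abcdeffedcba9876543210": true}

// CheckKeyStrength says why a 16-byte TDES key is weak, degenerate or
// predictable, or returns nil when every check passes.
func CheckKeyStrength(key16 []byte) error {
	if len(key16) != 16 {
		return fmt.Errorf("key length %d, want 16", len(key16))
	}
	k1, k2 := key16[:8], key16[8:]
	switch {
	case bytes.Equal(k1, k2):
		return errors.New("K1 == K2: two-key TDES degenerates to single DES")
	case desWeakHalves[hex.EncodeToString(k1)] || desWeakHalves[hex.EncodeToString(k2)]:
		return errors.New("a half is a DES weak or semi-weak key")
	case knownDefaultKeys[hex.EncodeToString(key16)]:
		return errors.New("key is a known default or test key")
	case bytes.Count(key16, key16[:1]) == len(key16):
		return errors.New("all key bytes are identical")
	}
	return nil
}

func main() {
	// Constructed components, one per custodian; in a real ceremony each is
	// entered separately at the key-loading device and never shown to the others.
	comps := []string{
		"112233445566778899aabbccddeeff00",
		"fedcba98765432100f1e2d3c4b5a6978",
		"a5a5a5a5a5a5a5a55a6b7c8d9eafb0c1",
	}
	var raw [][]byte
	for i, h := range comps {
		c, _ := hex.DecodeString(h)
		kcv, _ := KCV(c) // each custodian confirms their own entry by KCV
		fmt.Printf("component %d KCV %s\n", i+1, kcv)
		raw = append(raw, c)
	}
	key, err := CombineComponents(raw...)
	if err != nil {
		panic(err)
	}
	kcv, _ := KCV(key)
	fmt.Printf("combined key KCV %s, strength check: %v\n", kcv, CheckKeyStrength(key))
}
```

The KCV is the only value that should ever be written on the ceremony log; the combined key itself is formed inside the tamper-resistant device and never printed. Run CheckKeyStrength on every component as well as on the result, since a custodian who enters a default or all-same-byte component has quietly weakened the split.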