EMV Key Management: AC, ENC, MAC
Datacard Confidential
What Do These Operations Have in Common?
• On-line Authentication
• Key Management
• Tokenization
What is Key Management?
On-line Authentication Key
[Diagram: Dynamic Cryptogram (ARQC) → Payment Acquirer → Brand → Issuer; card and Issuer hold a Shared Key]
On-line Authentication Keys
[Diagram: Dynamic Cryptogram → Payment Acquirer → Brand → Issuer; each Issuer product has its own key: Product 1 / Key 1, Product 2 / Key 2, Product 3 / Key 3, Product 4 / Key 4, Product 5 / Key 5, Product 6 / Key 6, Product ….. / Key ……]
Off-line Authentication Keys and Certificates
[Diagram: Certificate Authority (Public key, Private key) → Brand (MC, V, AM, D, JCB) → Issuer (Public key, Private key, Cert); Payment Acquirer]
EMV Post Issuance Keys
• Updating EMV data on already issued cards
• EMV Scripts (EMV Card Update Scripts)
[Diagram: Payment Acquirer, Brand, MDK AC Key]
Smart Card Inventory Security
• Transport Keys
Why is Key Management Important?
Who Has to Manage EMV Keys
• Payment Brand
• Issuers
• Issuer Authorization Processors
• Issuer Card Personalization Bureaus
• Acquirers
Key Distribution
Columns: Key type | Auth System | EMV Script Generator | CMS Data Prep | Perso / Service Bureau | Provider / VISA NET
PVK / Key: ✓ ✓ ✓
MDKac: ✓ ✓ ✓ ✓
MDKenc: ✓ ✓
MDKmac: ✓ ✓
MDKidn: ✓ ✓ ✓
MDKicvv: ✓ ✓ ✓
KEK: ✓ ✓
ZMK: ✓ ✓ ✓
Key Transportation
• Key Ceremony
Key Transport Using KEKs
[Diagram: Shared Key]
EMV Key Exchanges
[Diagram: Issuer key exchanges per product: Product 1, Product 2, Product 3, Product 4, Product 5, Product …..]
Key Management Evolution
Step 1: PIN Key Management
Step 2: PCI Data Security Compliance
Step 3: EMV Key Management
Key Management Evolution Continues…..
[Diagram: Issuer 1 connected through a TSM to Secure Elements (SE)]
Continue to Evolve
[Diagram: Issuer 1 and Virtual Cards or Wallets]
Key Management Evolution
Key Management Considerations
• Tactical EMV Migration Questions
– Where will keys be generated?
– How often will keys be changed over time?
– What will be the process for rolling over keys?
– How will you transport keys to each location?
• One at a time in components?
• Encrypted under a KEK (Key Encrypting Key)?
– How will you assure key security through the complete issuance process?
• What are your future plans for Key Management?
EMV Key Management
Why Should You Care?
Guy R. Berg
Global Industry Consultant
Datacard Group
651.354.6808
Guy_berg@datacard.com