
Enhanced Remote Key Loader for PIN Encryption Devices

Overview

Enhanced Remote Key Loader (ERKL) ensures the secure loading of Terminal Master Keys (also known as PIN Device Master Keys) and other key formats from the ERKL server onto ATM EPPs and EFTPOS PINPads.
Remote key management techniques have recently become increasingly necessary in response to the newest regulations mandated by several card organizations and other institutions (VISA, MasterCard, PCI and ANSI X9) regarding key management for the terminals used in card transactions. These regulations require banks to meet the following requirements:
- use 3DES encryption on all card processing terminals that use PIN blocks;
- use a unique Master Key per terminal;
- renew cardholder data encryption keys periodically, at least once a year;
- use a secure environment, equipment and procedures to manage encryption keys;
- always use dual control and keep track of all key management operations.
The easiest and cheapest way to comply with all these requirements is to implement a remote key management solution. However, this is not always a simple task, and banks should also consider the effort needed to integrate such a solution with their existing environment: the card processing host and the host security modules.
Printec’s ERKL solution has been designed to ensure conformity with all the security requirements, and also to interact directly with existing HSMs or processing hosts with as few modifications as possible.
ERKL relies on PKI technology, exchanging cryptograms and verifying digital signatures or certificates in conjunction with a special TRSM HSM. The solution is therefore applicable to all vendors’ ATMs and EFTPOS terminals whose EPPs or PINPads are ready for remote key management technology.

Benefits

- No more need to send the bank’s key custodians to ATM locations to renew master keys;
- Excellent speed and operational management across the whole ATM network;
- In line with card organizations’ and PCI regulations;
- Tremendous cost savings compared to on-site interventions.

Technical prerequisites

- In case of ATMs:
o EPP compliant with remote key loading (in NCR’s case, firmware ver. 7.xx);
o XFS platform compatible with EPP versions ready for remote key loading (in NCR’s case, XFS ver. 4.51);
o Digital certificates or digitally signed key pairs for each PINPad;
- In case of EFTPOS terminals:
o Operating system and software features ready for remote key loading;
o Digital certificates or digitally signed key pairs for each PINPad.

Technical description

The ERKL solution has the following components:

- the ERKL Master (server) hardware platform;
- the ERKL Master software platform;
- the ERKL ATM agent;
- an HSM with RSA license (in case the bank’s already existing HSM with RSA license cannot be used).
The ERKL server is installed on the bank’s premises and has direct connectivity with an HSM, called ERKL_HSM from here on, and with the card processing server, called Host from here on. The connection with ERKL_HSM is needed because the ERKL server does not perform any cryptographic operation (key generation, digital signing, signature verification etc.) by itself, but only in conjunction with such a tamper resistant security module (TRSM). The ERKL_HSM role can be taken by any RSA-ready HSM already existing at the bank, or by a separate one optionally provided together with the ERKL solution.
Access to the ERKL server console is only permitted through dual access (two or more separate security officers, each with their own logon and operating credentials), even though no cleartext key or key component operations are carried out on the ERKL server. This feature is implemented directly within the server software.
The ERKL ATM agent is installed on each ATM running the Windows operating system and an XFS platform (the commands to the EPP are exchanged via XFS). There are some minimal technical prerequisites the ATM configuration must meet, depending on the ATM make; for instance, for NCR ATMs the EPP firmware version should be at least 7.xx.
For EFTPOS terminals there is no predefined terminal agent; the remote key functionality has to be developed within the POS application. For VeriFone terminals, the required application functionality is provided by Printec.

There are two different sets of operations involved in using the ERKL solution:
1. The implementation phase. In this phase, the bank goes through the following steps:
a. Ensure its terminals have been made ready for remote key loading (they have unique digital certificates signed by their vendors’ CAs and have suitable hardware and software installed);
b. Install the ERKL server and the ERKL_HSM in a secure facility and create the bank’s own digital certificates or public/private key pairs;
c. Go through the ceremony to have its own certificates or PKI key pair signed by an external CA, such as the terminal vendors’ CAs;
d. Store the bank’s private key in ERKL_HSM, encrypted under this HSM’s LMK;
e. Install on ERKL_HSM the ZMKERKL shared with the HSM used by the card host.

2. Routine operations for remote key loading:

a. A new master key (TMK) is defined for a given terminal (ATM or EFTPOS). The new TMK can be created in several ways:
o have it created by the host (in conjunction with its associated HSM), exported encrypted under ZMKERKL and imported into the ERKL server’s database;
o have it created by the ERKL server (in conjunction with its associated HSM), stored locally on the ERKL server encrypted under ZMKERKL and also exported to be imported at the host side;
o manually enter cleartext components from key mailers held by two security officers; this operation is carried out directly on the ERKL_HSM’s console (a TRSM device), which stores them encrypted under LMK.
b. The terminal which is to receive the new TMK and the ERKL server authenticate themselves to each other;
c. The new TMK is encrypted with the terminal’s public key, signed by the ERKL server and sent to the terminal, which verifies it, decrypts it and installs it;
d. The newly created TMK(s) are encrypted by ERKL_HSM under ZMKERKL and exported so that they can afterwards be imported and used by the card host.
Points a., b., c. and d. each include a number of further functional steps whose explanation is beyond the scope of this document; the essential fact is that all cryptographic operations are carried out only within HSM(s), and all keys are stored either in HSM(s) or in encrypted form in the ERKL database.
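As an added illustration of step c. (this is not Printec’s code, and the brochure does not specify the actual message format or algorithms), the Go program below models the exchange: the server side wraps a constructed 24-byte 3DES TMK under the terminal’s RSA public key and signs the ciphertext, and the terminal side verifies the signature before unwrapping, refusing a message altered in transit. RSA-OAEP and RSA-PSS are assumed choices, and the HSM boundary is not modelled (keys live in process memory here).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyLoadMessage: TMK wrapped under the terminal's public key plus the ERKL server's signature over it (step 2c).
type KeyLoadMessage struct{ EncTMK, Sig []byte }

// serverBuildMessage models the server/ERKL_HSM side: wrap the TMK, then sign the ciphertext.
func serverBuildMessage(srv *rsa.PrivateKey, termPub *rsa.PublicKey, tmk []byte) (KeyLoadMessage, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, tmk, nil)
	if err != nil {
		return KeyLoadMessage{}, err
	}
	d := sha256.Sum256(enc)
	sig, err := rsa.SignPSS(rand.Reader, srv, crypto.SHA256, d[:], nil)
	return KeyLoadMessage{EncTMK: enc, Sig: sig}, err
}

// terminalInstall models the EPP side: verify the server's signature first, decrypt only on success.
func terminalInstall(term *rsa.PrivateKey, srvPub *rsa.PublicKey, m KeyLoadMessage) ([]byte, error) {
	d := sha256.Sum256(m.EncTMK)
	if err := rsa.VerifyPSS(srvPub, crypto.SHA256, d[:], m.Sig, nil); err != nil {
		return nil, fmt.Errorf("key load rejected, TMK not installed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, term, m.EncTMK, nil)
}

// runKeyLoad plays one genuine load and one altered in transit: did the TMK arrive intact, was the altered one refused?
func runKeyLoad() (genuineOK, tamperRejected bool) {
	srv, _ := rsa.GenerateKey(rand.Reader, 2048)  // ERKL server signing key (constructed)
	term, _ := rsa.GenerateKey(rand.Reader, 2048) // terminal/EPP key pair (constructed)
	tmk := make([]byte, 24)                       // constructed double-length 3DES TMK
	rand.Read(tmk)
	msg, err := serverBuildMessage(srv, &term.PublicKey, tmk)
	if err != nil {
		return false, false
	}
	got, err := terminalInstall(term, &srv.PublicKey, msg)
	genuineOK = err == nil && string(got) == string(tmk)
	msg.EncTMK[0] ^= 0x01 // flip one bit of the wrapped key, as a transit error would
	_, err = terminalInstall(term, &srv.PublicKey, msg)
	return genuineOK, err != nil
}

func main() { fmt.Println(runKeyLoad()) }
```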

Features of the ERKL solution:

- uses a FIPS 140-2 Level 3 certified TRSM device (Thales E-Security 8000 HSM);
- the devices are intended to be installed in a secure data room, controlled by dual access;
- the devices operate only under dual control (two security officers are needed to log in);
- keys are never entered, transferred or stored in cleartext on the ERKL server;
- neither of the two devices (ERKL server and ERKL_HSM) is networked except to each other (they can import or export encrypted keys only via external storage media);
- the ERKL server and ERKL_HSM keep logs of all activities and events;
- the ERKL server keeps an internal database with all terminal definitions (including makes, types, SNs, terminal IDs) and creates reports about all key loadings (keeping track of which key signature has been assigned to each terminal);
- the application on the ERKL server has been designed to enforce the best security practices that security officers have to follow;
- the whole solution has been designed in conformity with the following security standards:
o “Payment Card Industry PIN Security Requirements, ver. 2.0, January 2008”;
o “Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 1.2, October 2008”
and with the security standards referenced throughout these documents.
