BCSS & Thales HSMs
BCSS Works Seamlessly with Thales HSMs
If you are a secure card issuer or secure personalization bureau using Thales HSMs, Prime Factors' Bank Card Security System (BCSS) can save you time and money. With BCSS, there is no need to learn a proprietary machine-level language to deploy Thales HSM capabilities. Plus, you no longer need to constantly upgrade your custom code to take advantage of new functionality in the Thales HSM firmware.
BCSS eliminates all the programming required to make Thales hardware security modules (HSMs) work in accordance with requirements established by the network brands for security code creation and key management. Incorporating an HSM into your secure card issuing or personalization solution is no trivial undertaking. It requires a variety of internal expertise and programming resources to keep a key management system in compliance.
BCSS Key Management Includes Thales HSMs
BCSS key management is a comprehensive, software-based system that incorporates Thales hardware cryptography for secure operations. It was designed to simplify the process of creating keys properly and storing them securely.
BCSS key management stores Local Master Keys (LMKs) inside the Thales HSM, where encryption of all other keys, including key encrypting keys, takes place. Subsequently, only LMK-encrypted key values are stored in the BCSS database on the host computer and made available for card issuance and authorization processes.
Only encrypted key values previously generated by the Thales HSM are entered and stored in the BCSS key vault database. Keys remain encrypted at all times - in creation, storage and use - so that the security offered by the HSM is never compromised.
BCSS also gives you a migration path to EMV, which has much more complex key management requirements.
Subroutines Do the Work For You
BCSS has a library of subroutines that handles more than 100 functions that access the BCSS key vault database and a Thales HSM. Therefore, BCSS eliminates the need to know Thales' proprietary host commands and makes it easier to issue calls from popular programming languages such as C, C++, C#, COBOL, Java and Visual Basic. BCSS subroutines include those that call the HSM to create and verify security codes (CVVs, CVCs, CSCs, PVVs, etc.) and PINs.
BCSS includes subroutines that support transaction switching and verification environments. For these applications, BCSS can perform functions such as PIN translation, PIN changes, and verification of PINs and card security codes.
BCSS capabilities extend to subroutines that work with your Thales HSM to print PIN mailers. This provides a secure environment for the generation of PIN mailers directly from a Thales tamper-resistant device.
Typical Card-Issuing And Processing Environments
A typical secure card issuing and authorizing environment includes a cardholder database, the BCSS key management system consisting of a database of cryptographic keys and security options, the BCSS library of subroutines, and one or more Thales HSMs. When a card production emboss file needs to be created, cardholder and magnetic stripe data are processed quickly and securely by BCSS and the HSMs in accordance with the payment brand requirements for hardware cryptography. This can be accomplished directly from a mainframe program processing the emboss file.
BCSS also supports environments with multiple HSMs and provides load balancing and automatic backup in case an HSM fails.
EMV Support
BCSS works with Thales HSMs to support EMV smart card on-line authentication and issuance. Authentication functions include ARQC verification and ARPC generation that comply with EMV96, EMV2000, and EMV 4.1 standards. BCSS provides subroutines to support Thales HSM commands that cryptographically prepare data for issuing smart cards. These data preparation functions include generating and managing card issuer public key certificates, and generating unique card keys and certificates. Also available with BCSS and Thales HSMs are dynamic CVV/CVC3 verification, and CVC3 generation for contactless cards.
EMV transaction processing, including ARQC/ARPC application cryptograms and secure messaging, is supported.
Next Steps:
Learn more about BCSS.
Learn more about Thales HSMs.
If you need to issue EMV cards, Contact Prime Factors