Key Management Simplified
Secure card issuers and personalization bureaus need to stay on top of the latest key management requirements established by the network brands (Visa, MasterCard, Discover, American Express and JCB). Doing so requires a range of internal expertise and programming resources to keep a key management system in compliance.
The Bank Card Security System (BCSS) gives you a better way to meet requirements for key management. It lets you focus your resources on what gives you a competitive advantage rather than developing and maintaining key management. BCSS also makes it easier for non-technical key custodians to play their designated role in key management.
BCSS key management is a comprehensive, software-based system that incorporates hardware cryptography for secure operations. It was designed to simplify the process of creating keys properly and storing them securely. In addition, BCSS gives you a migration path to EMV, which has much more complex key management requirements.
BCSS lets you securely generate, store, distribute and delete cryptographic keys. Depending on the intended use, a key consists of a binary value together with attributes that describe the key's intended use (the value and its attributes are sometimes collectively referred to as a key profile).
BCSS manages all of the keys necessary for magnetic-stripe and EMV card issuance and authorization. BCSS supports the most current industry standards for card security codes, PINs, and EMV application keys and issuer certificates as well as card keys. As the network brands evolve requirements, BCSS is enhanced to meet the latest standards, relieving your developers of that responsibility.
BCSS has built-in processes and workflows that meet key management requirements established by the network brands and standards bodies. BCSS key management consists of four elements:
- A key vault database for storage of key values and attributes
- An API that gives the systems needing key values access to them
- A Thales hardware security module (HSM) to ensure the secrecy and integrity of key values and attributes, and to perform mathematically intensive key value generation
- Controls that govern who may access the BCSS key management system and what tasks they are allowed to perform
BCSS functionality supports best practices for implementing organizational security policies and procedures including key management. Users with specific access privileges manage the creation of keys in the BCSS configuration program. All user access is recorded in an authenticated log file that is used for compliance auditing. Shared responsibility and split knowledge are supported. Clear keys and PIN values never appear in diagnostic trace files. BCSS product data files are encrypted on the host computer.
Both application-level and API-level functionality are available, providing an interface to host and production systems. Cardholder management systems and production management systems can access BCSS when building production files and/or in real-time processing. BCSS supports both static and dynamic key management and simplifies implementation of the hardware security features provided by the Thales HSM.
Thales HSMs are tamper-resistant and meet FIPS 140-2 Level 3 requirements. BCSS key management stores Local Master Keys (LMKs) inside the HSM, where encryption of all other keys, including key encrypting keys, takes place. As a result, only LMK-encrypted key values are stored in the BCSS database on the host computer and made available for card issuance and authorization processes.
Only encrypted key values previously generated by the Thales HSM are entered and stored in the BCSS key vault database. Keys remain encrypted at all times - in creation, storage and use - so that the security offered by the HSM is never compromised.
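The key hierarchy described above (an LMK that stays inside the HSM, working keys that are only ever stored in wrapped form on the host, and the split-knowledge and access-logging controls from the earlier paragraph on security policies) is modelled in the following Python. It is an added illustration, not BCSS or Thales code. The `HSM` class is a hypothetical software stand-in for the hardware boundary: HMAC-SHA256 in counter mode replaces the HSM's cipher, the key check value is a truncated hash rather than a true KCV, and every name in it (`HSM`, `KeyVault`, the `usage` attribute, the custodian and key names) is an assumption.

```python
import hashlib
import hmac
import json
import secrets


class HSM:
    """Stand-in for the hardware boundary: the LMK never leaves this object."""

    def __init__(self):
        self._lmk = secrets.token_bytes(32)
        # Domain-separated sub-keys: one for the wrapping keystream, one for the tag.
        self._enc = hmac.new(self._lmk, b"wrap-enc", hashlib.sha256).digest()
        self._mac = hmac.new(self._lmk, b"wrap-mac", hashlib.sha256).digest()

    def _keystream(self, nonce, n):
        # HMAC-SHA256 in counter mode: a stdlib stand-in for the HSM's block cipher.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _wrap(self, key, attrs):
        # Encrypt-then-MAC with the key's attributes authenticated as associated data.
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(key, self._keystream(nonce, len(key))))
        aad = json.dumps(attrs, sort_keys=True).encode()
        tag = hmac.new(self._mac, nonce + aad + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unwrap(self, blob, attrs):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        aad = json.dumps(attrs, sort_keys=True).encode()
        expected = hmac.new(self._mac, nonce + aad + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key or its attributes have been altered")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    @staticmethod
    def kcv(key):
        # Constructed check value (truncated hash); real KCVs encrypt a zero block.
        return hashlib.sha256(key).hexdigest()[:6]

    def generate_key(self, attrs, length=16):
        key = secrets.token_bytes(length)
        return self._wrap(key, attrs), self.kcv(key)

    def combine_components(self, components, attrs):
        # Split knowledge: the key is the XOR of all custodians' components and
        # the combined value exists only inside this boundary.
        if len(components) < 2 or len({len(c) for c in components}) != 1:
            raise ValueError("need two or more components of equal length")
        key = bytes(components[0])
        for comp in components[1:]:
            key = bytes(a ^ b for a, b in zip(key, comp))
        return self._wrap(key, attrs), self.kcv(key)

    def mac_with_key(self, blob, attrs, data):
        # Use a stored key without exporting it; only the computed MAC leaves.
        if attrs.get("usage") != "MAC":
            raise PermissionError("key profile does not permit MAC generation")
        key = self._unwrap(blob, attrs)
        return hmac.new(key, data, hashlib.sha256).hexdigest()


class KeyVault:
    """Host-side database holding only wrapped values, attributes and a log."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.records = {}
        self.audit = []

    def _store(self, name, blob, attrs, kcv):
        self.records[name] = {"wrapped": blob, "attrs": dict(attrs), "kcv": kcv}

    def create(self, name, attrs, user):
        blob, kcv = self.hsm.generate_key(attrs)
        self._store(name, blob, attrs, kcv)
        self.audit.append((user, "create", name))
        return kcv

    def load_components(self, name, attrs, custodians):
        # custodians: (name, component) pairs; every custodian's action is logged.
        blob, kcv = self.hsm.combine_components([c for _, c in custodians], attrs)
        self._store(name, blob, attrs, kcv)
        self.audit.extend((who, "component", name) for who, _ in custodians)
        return kcv

    def mac(self, name, data, user):
        rec = self.records[name]
        self.audit.append((user, "mac", name))
        return self.hsm.mac_with_key(rec["wrapped"], rec["attrs"], data)
```

The point of the model is the boundary: `KeyVault` never holds a clear key, every use goes back into `HSM` with the stored attributes, and because those attributes are bound into the wrapped value a changed profile (for example a key relabelled from one usage to another in the database) fails to unwrap rather than being silently honoured. The XOR combination of custodian components is the conventional way to give each custodian a share that reveals nothing about the final key on its own.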
Using BCSS saves time and money by reducing the need for your developers to update code to meet new industry mandates for key management. Most importantly, BCSS keeps the secret keys that are so vital to your card issuing environment safe from internal and external threats.