BCSS

Essential functionality for issuing and verifying credit, debit and prepaid cards.

Prime Factors' Bank Card Security System (BCSS) plays a central role for our customers who issue and verify credit, debit and prepaid cards. BCSS is middleware that facilitates communication between cardholder databases and hardware encryption devices (Host Security Modules or HSMs) to create encrypted keys, card security codes and PINs. Security information is generated by HSMs and stored in the secure BCSS database for use during card-related processes. BCSS supports generation and verification of standard security codes such as CVV, CVV2, CVC, CVC2, CVC3, CSC, PVV, ABA Code, PIN, PIN Offset, ARQC and ARPC.

The typical BCSS environment
A typical card processing environment includes a cardholder database, the BCSS database of cryptographic keys and security options, the BCSS library of subroutines, and one or more Thales HSM 8000s. The BCSS database stores encrypted 3DES keys and RSA public/private keys used to support EMV2000 for chip cards. The database also contains information such as a user-defined name, status flag (active or not), text description, PIN related fields, Primary Account Number (PAN) length and CVV Service Code.

Compliance with security standards
Banks, third-party bank card processors, retail chains and card manufacturers use BCSS for a variety of tasks including compliance with security standards established by VISA, MasterCard, American Express and others. BCSS also keeps issuers and acquirers current with security requirements for different types of plastic media: magnetic-stripe cards, smartcards (chip cards) or contactless cards (RFID cards).

Cardholder verification
Some card processors use BCSS exclusively to verify transactions. BCSS decrypts PIN blocks and verifies security codes. The verification process begins when a point-of-sale device encrypts the cardholder PIN block, and sends it to the issuing bank or processing center. BCSS decrypts the PIN block, calculates the expected security code and compares the expected security code to the one in the transaction. If there's a match, the transaction is approved.

The alternative to custom programming
BCSS is the cost-effective alternative to hiring programmers to create custom code that is complex and needs to be upgraded constantly to keep current with new mandates and security requirements. BCSS customers include some of the largest card producers and issuers in the business. Prime Factors works with them to keep BCSS ahead of any changes to security requirements.

Summary of functionality
BCSS is a mature product that runs on a variety of computer platforms. It has been enhanced for more than 20 years, and provides the following off-the-shelf functionality:

  • Communication between card management systems and HSMs.
  • Host commands necessary for an HSM to create encrypted keys.
  • A secure database of encrypted keys, PIN options, PIN block formats, PVV options, CVV options and smart card parameters.
  • An intuitive user interface for managing the database of encrypted keys and security options.
  • An audit log of all changes to the BCSS database showing who changed what, and when they did it.
  • A library of subroutines that streamlines calls from a card management system to the HSM 8000 to create and verify security codes.
  • The ability to call BCSS from all major high-level programming languages and from CICS.
  • A debug trace of communications with HSMs.
  • Secure key exchange between banks, networks and plastic vendors.
  • The ability to migrate from software to hardware encryption.
  • HSM statistics monitoring for resource allocation and customer billing.
  • A card utility for small organizations that creates the output data to issue plastic cards and send out PIN mailers.

BCSS reflects our knowledge about security
Prime Factors has been in business since 1981 and has accumulated a great deal of knowledge about security over the years. This knowledge has been built into BCSS, making it more powerful yet easy to use. For example, BCSS:

  • Forces multi-user key component entry.
  • Rejects weak keys.
  • Adjusts parity.
  • Delivers specific error messages that guide the user to fix the error.
  • Provides subroutine return codes that make it easy for the user to stay on track.
  • Features an authenticated log that records changes to user IDs and user privileges to discourage unauthorized tampering.
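
The first three checks in the list above, sketched for a 3DES key as an added example (not BCSS code and not taken from Prime Factors). It assumes components are combined by XOR and that parity is the DES odd-parity convention; the function names and sample components are constructed for illustration.

```python
from functools import reduce
from operator import xor

# The 4 weak and 12 semi-weak single-DES keys, in odd-parity form.
WEAK_DES_KEYS = {bytes.fromhex(k) for k in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}

def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every byte has odd parity."""
    return bytes(
        (b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1) for b in key
    )

def combine_components(components):
    """XOR equal-length components, each entered by a different custodian."""
    if len(components) < 2:
        raise ValueError("at least two key components are required")
    if {len(c) for c in components} not in ({16}, {24}):
        raise ValueError("components must all be 16 or all be 24 bytes")
    return bytes(reduce(xor, column) for column in zip(*components))

def check_3des_key(key: bytes) -> bytes:
    """Return the parity-adjusted key, or raise ValueError if it is unusable."""
    if len(key) not in (16, 24):
        raise ValueError("expected a 16- or 24-byte 3DES key")
    adjusted = adjust_parity(key)
    parts = [adjusted[i:i + 8] for i in range(0, len(adjusted), 8)]
    if any(p in WEAK_DES_KEYS for p in parts):
        raise ValueError("weak or semi-weak DES key in 3DES key")
    if any(a == b for a, b in zip(parts, parts[1:])):
        raise ValueError("adjacent key parts are equal: reduces to single DES")
    return adjusted

if __name__ == "__main__":
    # Constructed sample components (not real key material).
    part_a = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
    part_b = bytes.fromhex("11111111111111112222222222222222")
    print(check_3des_key(combine_components([part_a, part_b])).hex().upper())
```

In a deployment like the one this page describes, clear key components would be handled inside the HSM rather than in host software; the sketch only shows what each check does.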

Support for the Thales HSM 8000
BCSS is designed to work with the Thales HSM 8000, and together they meet the FIPS 140-2 Level 3 security standard issued by the U.S. Government. BCSS builds commands for the HSM 8000, manages Ethernet (TCP/IP) communication and stores a database of encrypted keys created by the HSM 8000. BCSS also supports the Thales Security Resource Manager (SRM) for load balancing multiple HSM 8000s and other communication protocols such as ESCON.

NOTE: Because BCSS uses secret cryptographic keys known only to the card issuer, BCSS is not intended for point-of-sale use by merchants.

Host Platforms
IBM: zSeries (z/OS), iSeries (formerly AS/400) (OS/400), pSeries (formerly RS6000) (AIX)
Microsoft: Windows NT, Windows 2000, Windows XP, Windows Vista
Other: Sun (Solaris), HP (HP9000, Integrity) (HPUX), PC (RedHat Linux, others on request)
