Payment Key Management Simplified

Key management is complex from both a developer and a user stand point. It requires key management expertise to develop a system, and an understanding of key management to use the system. Both are in short supply so it makes sense to purchase Prime Factors’ Bank Card Security System (BCSS) which simplifies software development and use of key management.

BCSS reduces the need for in-house expertise to program and keep a key management system constantly up-to-date, and makes it easier for non-technical key custodians to play their designated role in key management for both magnetic stripe and EMV card issuance.

Prime Factors’ BCSS key management is a comprehensive, software-based system that incorporates hardware cryptography for secure operations. BCSS has built-in processes and workflows that meet key management requirements established by the network brands and standards bodies. BCSS key management consists of four elements:

  • A key vault database for storage of key values and attributes.
  • Access to the systems needing key values - in the form of an API.
  • A Thales hardware security module (HSM) to ensure the secrecy and integrity of key values and attributes, and to perform mathematically intensive key value generation.
  • Controls that govern who may access the BCSS key management system and what tasks they are allowed to perform.

Key Management Features

  • Provides a library of subroutines that handles more than 100 functions that access the BCSS key vault database and a Thales HSM
  • Manages all the keys necessary for magnetic-stripe and EMV card issuance and authorization
  • Both application level and API-level functionality is available
  • Provides an interface to cardholder management systems and production management systems; they can access BCSS when building production files and/or in real-time processing.
  • Supports both static and dynamic key management.
  • Simplifies implementation of the hardware security features provided by the Thales HSM.
  • Depending on the intended use, keys can consist of both binary values as well as attributes that describe the keys' intended use (sometimes collectively referred to as key profiles).
  • BCSS stores Local Master Keys (LMKs) inside the HSM where encryption of all other keys, including key encrypting keys, takes place. Subsequently only LMK-encrypted key values are stored in the BCSS database on the host computer and made available for card issuance and authorization processes.
  • Only encrypted key values previously generated by the Thales HSM are entered and stored in the BCSS key vault database. Keys remain encrypted at all times - in creation, storage and use - so that the security offered by the HSM is never compromised.


  • Eliminates the need to have the expertise to stay on top of the latest requirements for key management established by the network brands - Visa, MasterCard, Discover, American Express and JCB.
  • Eliminates the need to stay current with constantly changing industry standards for creating card security codes, PINs, and EMV application keys and issuer certificates as well as card keys.
  • As the network brands evolve requirements, BCSS is enhanced to meet the latest standards, relieving your developers of that responsibility.

Taking The Complexity Out Of EMV Key Management

The Bank Card Security System (BCSS) gives you a migration path to EMV, which has much more complex key management requirements. It takes you painlessly beyond basic key management for security code and PIN generation to unique private and private/public key pairs, secure messaging and determination and configuration of risk parameter settings. BCSS supports Public Key Infrastructure (PKI) and shared/secret key environments utilizing symmetric and asymmetric keys. And it runs on all major hardware platforms including your legacy system where cardholder records are managed and emboss files are created for card issuance.

BCSS key management for EMV streamlines and manages all of the additional intensive cryptographic functions needed for EMV data preparation including:

  • Generating keys
  • Importing keys
  • Exporting keys
  • Distributing keys
  • Protecting keys

BCSS makes it much easier to incorporate these key management processes into your existing card issuing environment including the ability to accommodate key profiles with both key values and key attributes, derived keys, key versioning, and signed certificates.

With key management for EMV, card issuance is as familiar and simple as your magnetic stripe issuance is today.

Simplified Use For Key Custodians

The Bank Card Security System (BCSS) makes it easier for non-technical key custodians to play their designated role in key management, and was designed to simplify the process of creating keys properly and storing them securely. BCSS lets you securely generate, store, distribute and delete cryptographic keys. BCSS functionality supports best practices for implementing organizational policies and procedures for key management including:

  • Users with specific access privileges manage the creation of keys in the BCSS configuration program.
  • All user access is recorded in an authenticated log file that is used for compliance auditing.
  • Shared responsibility and split knowledge are supported.
  • Clear keys and PIN values never appear in diagnostic trace files.
  • BCSS product data files are encrypted on the host computer.