Payment Key Management

Managing cryptographic payment keys can be very complex from both information security and developer standpoints. It requires specialized expertise to develop a payment key management system from scratch and replicate compliance requirements related to issuing payment credentials and processing payment transactions. But any initial effort to set up a system with proper payment key management is just the starting point. Payment key management functionality must be constantly updated to keep up with the ever-evolving payment security landscape. It’s complex, but Prime Factors’ Bank Card Security System (BCSS) can help.

[Figure: BCSS lifecycle chart]

BCSS Payment Key Management has processes and workflows that meet payment key management requirements established by the standards bodies and the network brands, such as Visa, MasterCard, Discover, American Express, and JCB. BCSS Payment Key Management typically consists of four elements:

BCSS Payment Key Vault – secure database for storing and protecting key values and attributes.
High-level APIs – simplify access for the payment systems that need to use key values.
Payment Hardware Security Module (HSM) – performs mathematically intensive key value generation.
Access controls – govern what tasks a user may perform in BCSS Payment Key Management.

Simple & Secure

The Bank Card Security System makes it easier for non-technical key custodians to play their designated role in key management. BCSS was designed to simplify the process of creating cryptographic payment keys properly and storing them securely, while supporting best practices for implementing organizational policies and procedures for key management, such as:

Restrict ability to create and manage keys to only the users with specific access privileges.
Enforce split knowledge for key generation and management.
Record user access in an authenticated log file for compliance auditing.
Encrypt keys at all times – in creation, storage and in use.

BCSS fits into an existing card issuing environment and can accommodate key profiles with both key values and key attributes, derived keys, key versioning, and signed certificates. Payment network brands continue to evolve requirements, but an annual major software release of BCSS ensures that the cryptographic payment keys used by our global customers remain secure and compliant.

Broad functionality

BCSS provides a library of subroutines that handle more than 100 functions that access the BCSS key vault database and a payment HSM. This makes it easier to securely generate, export, import, store, rotate, expire, and delete payment-specific cryptographic keys and EMV certificates.

Payment Key Management

> Manages all of the highly specialized cryptographic keys related to payments.
> Provides an application programming interface (API) to cardholder management systems and production management systems.
> Provides support for both static and dynamic payment and EMV key management.
> Manages Key Profiles – both a key’s binary values as well as attributes that describe a key’s intended use.
> Leverages the Local Master Key (LMK) stored in the HSM to encrypt all other types of payment keys.
> Stores LMK-encrypted key values in the BCSS key vault for card issuance and transaction processing.
> Forces multi-user key component entry, rejects weak keys, and adjusts keys to odd parity.
> Supports RSA public/private key pairs utilizing the chain of trust built into Public Key Infrastructure (PKI) that is necessary for authenticating chip card transactions.