The verification process for online PINs for both magnetic stripe card and EMV card transactions begins when a point-of-sale (POS) device or ATM encrypts the cardholder PIN block and sends the PIN block to the card issuer for authentication through the acquiring bank or processor. BCSS receives the encrypted PIN block, then sends the secret keys and security information to the HSM for decryption and use, so that the PIN and keys are never in the clear. The expected security code is compared to the one in the transaction. If the codes match, the transaction is authorized. CVV and CVC security codes are similarly sent from the POS to the acquirer or issuer for verification using cryptographic keys inside the HSM. The important thing is that the keys are securely stored and only available for use inside the secure execution engine of the HSM.
In an EMV transaction environment, the card initiates, at the POS terminal, a transaction authorization request called an application request cryptogram (ARQC) that incorporates transaction data encrypted using card-unique keys. The ARQC is sent by the terminal through the acquirer network to the issuer for verification and transaction authorization. At the issuer host system, the ARQC is verified by a BCSS and integrated HSM application which returns an authorization response cryptogram for that specific transaction. The response, called an ARPC, is sent back to the POS terminal and card.
Prime Factors’ Bank Card Security System (BCSS) plays an important role in the verification and authorization process for digital payment transactions. BCSS meets standards for security code verification and authorization established by the network brands including use of a hardware security module (HSM), as well as mutual authentication the Global Platform specifications. BCSS also supports all PIN management functions such as PIN translation, PIN selection, PIN bridging and PIN verification.
The ability for BCSS to help manage Payment Hardware Security Modules (HSM) coupled with its robust payment key management functionality speeds up and simplifies the development and implementation of in-house payment authorizations systems.
Please note: Prime Factors is not a payment processor and does not offer payment processing services. Our customers can leverage Prime Factors software to help accelerate the development of their applications and secure their data, however, Prime Factors does not process, store, or otherwise access payment transactions or related data of our End Users.