Prime Factors Blog


How Bank Card Security System Ensures Peace of Mind for Today’s and Tomorrow’s Payment Industry Challenges

by Justin Teitt
August 8, 2023

Imagine if you could seamlessly integrate any new Payment Card Industry (PCI) PIN requirement throughout your custom payment application with minimal effort, saving time and reducing development costs. That’s a reality for many companies. 

Using Prime Factors Bank Card Security System (BCSS), integrating industry changes into in-house payment applications is seamless, without requiring extensive development work or the need for cryptography experts to make changes. Instead, Prime Factors customers simply update to the latest version of BCSS, which already natively supports the features and functions required to meet recent changes required by the payment card industry. 

To put it simply, companies that control their own payment applications and use BCSS don’t even bat an eye when updating their payment security. By using BCSS, organizations simplify their cryptographic key management and eliminate hours of re-architecture to comply with security standards now and in the future.

Why now is the right time to implement Bank Card Security System (BCSS) for custom payment applications 

If you have a custom payment application, any new PCI PIN update will result in countless hours spent re-architecting your payment card environment. But with BCSS, you can streamline your integration with new security requirements and hardware changes with minimal to no development. 

Here are a couple of reasons why now is the right time for you to consider BCSS to future-proof your custom applications:

1. Payment card industry changes, such as TR-31 Key Blocks

When the PCI Security Standards Council (PCI SSC) introduced the latest PCI PIN 18-3 Requirements, Key Blocks Compliance, BCSS customers smoothly migrated their existing keys to Key Blocks.

The new requirement better protects keys used with Triple Data Encryption Algorithm (TDEA or TripleDES) and Advanced Encryption Standard (AES). The requirement states that “encrypted symmetric keys must be managed in structures called Key Blocks,” which is a standard method to ensure security and intended usage of cryptographic keys. Key Blocks focuses on improving protection of symmetric keys shared among payment systems participants to protect PINs and other sensitive information.
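How a Key Block carries a key's intended usage can be seen in the fixed 16-character header that TR-31 places in front of the encrypted key. The following is an added example, not code from Prime Factors or BCSS, that parses that header and compares it with what an application expects. The sample block and the policy are constructed for illustration; verifying the block's MAC, which binds the header to the key, requires the key block protection key and is left to the HSM.

```python
from dataclasses import dataclass

HEADER_LEN = 16  # a TR-31 key block starts with a 16-character ASCII header

@dataclass(frozen=True)
class KeyBlockHeader:
    version: str          # key block version ID, e.g. 'B' or 'D'
    length: int           # total block length in characters
    usage: str            # e.g. 'P0' PIN encryption, 'K0' key encryption
    algorithm: str        # algorithm of the wrapped key: 'T' TDEA, 'A' AES
    mode: str             # e.g. 'E' encrypt only, 'D' decrypt only
    key_version: str
    exportability: str    # 'E' exportable, 'N' non-exportable, 'S' sensitive
    optional_blocks: int

def parse_header(block: str) -> KeyBlockHeader:
    """Split the fixed header fields; reject malformed or truncated blocks."""
    if len(block) < HEADER_LEN or not block.isascii():
        raise ValueError("key block too short or not ASCII")
    if not (block[1:5].isdigit() and block[12:14].isdigit()):
        raise ValueError("length and optional-block count must be decimal")
    hdr = KeyBlockHeader(block[0], int(block[1:5]), block[5:7], block[7],
                         block[8], block[9:11], block[11], int(block[12:14]))
    if hdr.length != len(block):
        raise ValueError("declared length does not match the data received")
    return hdr

def policy_violations(hdr: KeyBlockHeader, expected: dict) -> list:
    """Compare header attributes with what the calling application expects."""
    found = []
    for field, allowed in expected.items():
        value = getattr(hdr, field)
        if value not in allowed:
            found.append(f"{field}={value!r} not in {sorted(allowed)}")
    return found

# Constructed sample: a real header layout followed by placeholder characters
# standing in for the encrypted key and MAC (not real ciphertext).
SAMPLE = "B0096P0TE00N0000" + "0" * 80

# Hypothetical policy for a host that only encrypts PINs under TDEA keys.
PIN_ENCRYPT_POLICY = {"usage": {"P0"}, "algorithm": {"T"},
                      "mode": {"E", "B"}, "exportability": {"N", "S"}}

if __name__ == "__main__":
    print(policy_violations(parse_header(SAMPLE), PIN_ENCRYPT_POLICY))
```

A block tagged for key encryption (`K0`) or marked exportable fails this policy even though it is structurally valid, which is the usage binding the requirement is after.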

The Key Block implementation rolls out in three phases*:

  • Phase 1 – Deadline Passed
    Implement Key Blocks for internal connections and key storage within service provider environments. This includes all applications and databases connected to hardware security modules (HSMs). Phase 1 became effective June 1, 2019; this date was not extended.
  • Phase 2 – Deadline Passed
    Implement Key Blocks for external connections to associations and networks. New effective date: January 1, 2023 (replaces previous date of June 1, 2021).
  • Phase 3 – Deadline January 1, 2025
    Extend the Key Blocks implementation to all merchant hosts, POS devices and ATMs. New effective date: January 1, 2025 (replaces previous date of June 1, 2023).

*PCI PIN Security Requirements 18-3 – Key Blocks Requirements, PCI Security Standards Council (July 2022)

While the Phase 1 and Phase 2 Key Blocks deadlines have passed, the Phase 3 deadline, which applies to merchant hosts, POS devices and ATMs, has been extended until 2025 due to delays from COVID-19.

If you have developed your own applications to process PINs, you will need to re-architect your applications to support Key Blocks. For most custom-developed application owners, this can be a long, burdensome, and resource-intensive process, but it doesn’t have to be.

BCSS enables you to migrate to Key Blocks easily, eliminating the need for complex application re-development on your end. Simply update to the latest BCSS version and enable support for Key Blocks. This means no experts are needed to re-work your application, saving you hours and the cost of re-architecture. Prime Factors also keeps BCSS up to date with the latest PCI PIN changes, ensuring that your applications are prepared for any new requirements down the road.

As PCI SSC continues to amend its PIN requirements, Prime Factors continues to enhance BCSS to accommodate these changes, so users of the platform can easily adapt to industry updates with minimal effort on their end.

2. Changes to payment hardware platforms, such as the release of the payShield 10K

In addition to PCI PIN updates, BCSS makes transitions from end-of-life systems painless. Whenever there is a shift in a hardware vendor, BCSS ensures a smooth transition while providing turnkey compatibility. This protects the end user during these transitions to ensure the process is seamless with no rework of their payment applications.

For example, when Thales announced the end of life for its payShield 9000 family of hardware security modules (HSMs), those with BCSS purchased payShield 10K HSMs and selected the 10K hardware option within BCSS. There was no additional work needed, no developer hours, and no application re-architecture, saving any costs that might have otherwise been incurred to update custom payment applications to accommodate these changes. With BCSS, it’s easy and painless to implement new hardware, load balance across various hardware types during transition, and manage hardware infrastructure over time, with better visibility and control.

Don’t delay future-proofing your payment card security

For organizations with BCSS already implemented, migrating to Key Blocks has been a straightforward process: simply update your BCSS software to the latest version, migrate existing keys to Key Blocks, enable exchanging keys using Key Blocks, and then you’re done. No further re-work or application architecture changes are needed.

As the payment card industry continues to evolve, technology will continue to shift and requirements will inevitably change, and those with custom payment applications utilizing BCSS will never fall behind. BCSS helps facilitate better security, visibility, efficiency, and compliance for payment applications, even as industry standards change.

If your enterprise is managing a custom payment application yourself, without leveraging BCSS, now is the perfect time to future-proof your payment application with BCSS.

To learn how BCSS helps modernize your custom payment applications, get in touch with a payment security expert.
