Industry terminology
Common key types
- AWK
-
An acquirer working key (AWK) is a key typically used to exchange data between an acquirer/acquirer processor and a network (such as Visa or Mastercard). Historically AWK leverages 3DES for encryption and would be represented as TR31_P0_PIN_ENCRYPTION_KEY.
- BDK
-
A base derivation key (BDK) is a working key used to derive subsequent keys and is commonly used as part of PCI PIN and PCI P2PE DUKPT process. It is denoted as TR31_B0_BASE_DERIVATION_KEY.
- CMK
-
A card master key (CMK) is one or more card specific key(s) typically derived from a Issuer Master Key ,PAN and PSN and are typically 3DES keys. These keys are stored on the EMV Chip during personalization. Examples of CMKs include AC, SMI and SMC keys.
- CMK-AC
-
An application cryptogram (AC) key is used as part of EMV transactions to generate the transaction cryptogram and is a type of card master key.
- CMK-SMI
-
An secure messaging integrity (SMI) key is used as part of EMV to verify the integrity of payloads sent to the card using MAC such as pin update scripts. It is a type of card master key.
- CMK-SMC
-
An secure messaging confidentiality (SMC) key is used as part of EMV to encrypt data sent to the card such as pin updates. It is a type of card master key.
- CVK
-
A card verification key (CVK) is a key used for generating CVV, CVV2 and similar values using a defined algorithm as well as validating an input. It is denoted as a TR31_C0_CARD_VERIFICATION_KEY.
- IMK
-
An issuer master key (IMK) is a master key used as part of EMV chip card personalization. Typically there will be 3 IMKs - one each for AC (cryptogram), SMI (script master key for integrity/signature), and SMC (script master key for confidentiality/encryption) keys.
- IK
-
An initial key (IK) is the first key used in the DUKPT process and derives from the Base Derivation Key (BDK). No transactions are processed on this key, but it is used to derive future keys that will be used for transactions. The derivation method for creating an IK was defined in X9.24-1:2017. When an TDES BDK is used, X9.24-1:2009 is the applicable standard and IK is replaced by Initial Pin Encryption Key (IPEK).
- IPEK
-
An initial PIN encryption key (IPEK) is the initial key used in the DUKPT process and derives from the Base Derivation Key (BDK). No transactions are processed on this key, but it is used to derive future keys that will be used for transactions. IPEK is a misnomer as this key can also be used to derive data encryption and mac keys. The derivation method for creating an IPEK was defined in X9.24-1:2009. When an AES BDK is used, X9.24-1:2017 is the applicable standard and IPEK is replaced by Initial Key (IK).
- IWK
-
An issuer working key (IWK) is a key typically used to exchange data between an issuer/issuer processor and a network (such as Visa or Mastercard). Historically IWK leverages 3DES for encryption and is represented as TR31_P0_PIN_ENCRYPTION_KEY.
- KEK
-
A key encryption key (KEK) is a key used to encrypt other keys either for transmission or storage. Keys meant for protecting other keys typically have a KeyUsage of TR31_K0_KEY_ENCRYPTION_KEY according to the TR-31 standard.
- PEK
-
A PIN encryption key (PEK) is a type of working key used for encrypting PINs either for storage or transmission between two parties. IWK and AWK are two examples of specific uses of pin encryption keys. These keys are represented as TR31_P0_PIN_ENCRYPTION_KEY.
- PGK
-
PGK (Pin Generation Key) is another name for a Pin Verification Key. It's not actually used to generate pins (which by default are cryptographically random numbers) but instead are used to generate verification values such as PVV.
- PVK
-
A PIN verification key (PVK) is a type of working key used for generating PIN verification values such as PVV. The two most common kinds are TR31_V1_IBM3624_PIN_VERIFICATION_KEY used for generating IBM3624 offset values and TR31_V2_VISA_PIN_VERIFICATION_KEY used for Visa/ABA verification values. This can also be known as a Pin Generation Key.
Other terms
- ARQC
-
Authorization Request Cryptogram (ARQC) is a cryptogram generated at transaction time by an EMV standard chip card (or equivalent contactless implementation). Typically, an ARQC is generated by a chip card and forwarded to an issuer or their agent to verify at transaction time.
- CVV
-
A card verification value is a static secret value that was traditionally embedded on a magnetic stripe and used to validate the authenticity of a transaction. The algorithm is also used for other purposes such as iCVV, CAVV, CVV2. It may not be embededd in this way for other use cases.
- CVV2
-
A card verification value 2 is a static secret value that was traditionally printed on the front (or back) of a payment card and is used to verify authenticity for card not present payments (such as on the phone or online). It uses the same algorithm as CVV but the service code is set to 000.
- iCVV
-
iCVV is a CVV2-like value but embedded with the track2 equivalent data on a EMV(Chip) card. This value is calculated using a service code of 999 and is different than the CVV1/CVV2 to prevent stolen information from being used to create new payment credentials of a different type. For instance, if chip transaction data was obtained, it is not possible to use this data to generate a magnetic stripe(CVV1) or for online purchases (CVV2).
It uses a CVK key
- DUKPT
-
Derived Unique Key Per Transaction (DUKPT) is a key management standard typically used to define the use of one-time use encryption keys on physical POS/POI. Historically DUKPT leverages 3DES for encryption. The industry standard for DUKPT is defined in ANSI X9.24-3-2017.
- EMV
-
EMV
(originally Europay, Mastercard, Visa) is a technical body that works with payment stakeholders to create interoperable payment standards and technologies. One example standard is for chip/contactless cards and the payment terminals they interact with, including the cryptography used. EMV key derivation refers to method(s) of generating unique keys for each payment card based on an initial set of keys such as an IMK - HSM
-
A Hardware Security Module (HSM) is a physical device that protects cryptographic operations (for example, encryption, decryption, and digital signatures) as well as the underlying keys used for these operations.
- KCV
-
Key Check Value (KCV) refers to a variety of checksum methods primary used to compare to keys to each other without having access to the actual key material. KCV have also been used for integrity validation (especially when exchanging keys), although this role is now included as part of key block formats such as TR-31. For TDES keys, the KCV is computed by encrypting 8 bytes, each with value of zero, with the key to be checked and retaining the 3 highest order bytes of the encrypted result. For AES keys, the KCV is computed using a CMAC algorithm where the input data is 16 bytes of zero and retaining the 3 highest order bytes of the encrypted result.
- KDH
-
A Key Distribution Host (KDH) is a device or system that is sending keys in a key exchange process such as TR-34. When sending keys from AWS Payment Cryptography, it is considered the KDH.
- KIF
-
A Key Injection Facility (KIF) is a secure facility used for initializing payment terminals including loading them with encryption keys.
- KRD
-
A Key Receiving Device (KRD) is a device that is receiving keys in a key exchange process such as TR-34. When sending keys to AWS Payment Cryptography, it is considered the KRD.
- KSN
-
A Key Serial Number (KSN) is a value used as an input to DUKPT encryption/decryption to create unique encryption keys per transaction. The KSN typically consists of a BDK identifier,a semi-unique terminal ID as well as a transaction counter that increments on each transition processed on a given payment terminal.
- MPoC
-
MPoC (Mobile Point of Sale on Commercial hardware) is a PCI standard that addresses the security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile devices.
- PAN
-
A Primary Account Number (PAN) is a unique identifier for an account such as a credit or debit card. Typically 13-19 digits in length. The first 6-8 digits identifies the network and the issuing bank.
- PIN Block
-
A block of data containing a PIN during processing or transmission as well as other data elements. PIN block formats standardize the content of the PIN block and how it can be processed to retrieve the PIN. Most PIN block are composed of the PIN, the PIN length, and frequently contain part or all of the PAN. AWS Payment Cryptography supports ISO 9564-1 formats 0, 1, 3 and 4. Format 4 is required for AES keys. When verifying or translating PINs, there is a need to specify the PIN block of the incoming or outgoing data.
- POI
-
Point of Interaction (POI), also frequently used synonymously with Point of Sale (POS), is the hardware device that the cardholder interacts with to present their payment credential. An example of a POI is the physical terminal in a merchant location. For the list of certified PCI PTS POI terminals, see the PCI website
. - PSN
-
PAN Sequence Number (PSN) is a numeric value used to differentiate multiple cards issued with the same PAN.
- Public key
-
When using asymmetric ciphers (RSA), the public key is the public component of a public-private key pair. The public key can be shared and distributed to entities that need to encrypt data for the owner of the public-private key pair. For digital signature operations, the public key is used to verify the signature.
- Private key
-
When using asymmetric ciphers (RSA), the private key is the private component of a public-private key pair. The private key is used to decrypt data or create digital signatures. Similar to symmetric AWS Payment Cryptography keys, private keys are securely created by HSMs. They are decrypted only into the volatile memory of the HSM and only for the time needed to process your cryptographic request.
- PVV
-
A PIN verification value (PVV) is a type of cryptographic output that can be used to verify a pin without storing the actual pin. Although it is a generic term, in the context of AWS Payment Cryptography, PVV refers to the Visa or ABA PVV method. This PVV is a four digit number whose inputs are card number, pan sequence number, the pan itself and a PIN verification key. During the validation stage, AWS Payment Cryptography internally recreates the PVV using the transaction data and compares it again the value that has been stored by the AWS Payment Cryptography customer. In this way, it is conceptually similar to a cryptographic hash or MAC.
- RSA Wrap/Unwrap
-
RSA wrap uses an asymmetric key to wrap a symmetric key (such as a TDES key) for transmission to another system. Only the system with the matching private key can decrypt the payload and load the symmetric key. Conversely, RSA unwrap, will securely decrypt a key encrypted using RSA and then load the key into the AWS Payment Cryptography. RSA wrap is a low level method of exchanging keys and does not transmit keys in key block format and does not utilize payload signing by the sending party. Alternate controls should be considered to ascertain providence and key attributes are not mutated.
TR-34 also utilizes RSA internally, but is a separate format and is not interoperable.
- TR-31
-
TR-31 (formally defined as ANSI X9 TR 31) is a key block format that is defined by the American National Standards Institute (ANSI) to support defining key attributes in the same data structure as the key data itself. The TR-31 key block format defines a set of key attributes that are tied to the key so that they are held together. AWS Payment Cryptography uses TR-31 standardized terms whenever possible to ensure proper key separation and key purpose. TR-31 has been superceded by ANSI X9.143-2022
. - TR-34
-
TR-34 is an implementation of ANSI X9.24-2 that described a protocol to securely distribute symmetric keys (such as 3DES and AES) using asymmetric techniques (such as RSA). AWS Payment Cryptography uses TR-34 methods to permit secure import and export of keys.