Online PIN Keys
In the United States and some European countries, card transactions need to be verified and authorized in real time: the PIN Entry Device (PED) sends the PIN to the acquirer/processor for online PIN verification. Elsewhere, PIN verification and authentication take place between the terminal and the card chip, which is known as offline PIN verification.
In countries with online PIN verification, payment terminals need to be injected with special encryption keys, known as Online PIN Keys (OPKs), to enable them to encrypt the PIN. This key injection takes place in a Key Injection Facility (KIF), a highly secure environment subject to the PCI PIN and TR-39 standards, amongst others.
As online PIN verification occurs between the PED and the acquirer/processor, it is the acquirer that issues the OPK to the KIF, and that OPK is usually unique to the KIF.
P2PE (SRED) Keys
SRED is an acronym for Secure Reading and Exchange of Data, and refers to the Point of Interaction (POI) security standard outlined in the PIN Transaction Security (PTS) requirements. The POI is the initial point where cardholder data is captured. The SRED portion of the PTS requirements lists a variety of requirements to ensure that all POI devices used to process payment cards meet an acceptable level of security.
The SRED security standard is applied to the encryption of card data from the POI to the Payment Gateway, hence the term Point to Point Encryption or P2PE. The encryption method requires the POI device to be injected with the 'P2PE keys' or 'Data keys'. Once the encrypted card data is received at the Payment Gateway, it is securely decrypted in the PCI-certified decryption environment for transmission to the acquirer.
Remote Key Injection (RKI)
Currently, ChipDNA Mobile injects certain PIN pads (Miura) with P2PE keys and OPKs in some instances. ChipDNA requests a TMS update and checks whether the PIN pad has the necessary encryption keys. If it does not, ChipDNA Mobile requests the appropriate keys and injects them securely into the PIN pad.
Manual Key Injection vs Remote Key Injection
Creditcall’s RKI of P2PE keys and OPKs eliminates the need for an off-site secure KIF and its associated cost, inventory complexities and distribution delays by utilizing a secure channel to inject PIN pads remotely. The keys are injected safely and securely, no matter where the PIN pad is located. For OPKs specifically, remote injection overrides any pre-existing OPKs on the device, enabling devices to be transferred swiftly from one acquirer to another.
*Factory resetting a device will wipe any injected keys.
**Creditcall has been audited and assessed to comply with the American National Standards Institute (ANSI) TR-39 and PCI PIN.
For more information on the above topics, please refer to the Creditcall website.