Introduction
This guide is designed to familiarize system administrators with the process of setting up the ID TECH SecureKey M series to work with HPP, generating a base derivation key (BDK) for ID TECH devices, and tokenizing the BDK using StrongAuth.
To learn more about the business-related key management process, please follow the link.
Intended Audience
This guide will be useful for technical users who want to know how to set up the ID TECH SecureKey M series and transfer the key information to administrative users and the support team if needed.
What is ID TECH SecureKey?
ID TECH SecureKey M is an encrypted keypad with a magnetic stripe reader. It provides cardholders with a complete and reliable security solution: the device reads magnetic stripe data reliably while encrypting it. It does not replace the scope of the PCI DSS standard. The ID TECH SecureKey M ensures that all data transactions are protected, reducing fraud and data compromises.
Data encryption prevents access to cardholder information both while it is stored and while it is in transit. It also lets customers choose the decryption algorithm that suits them. The ID TECH SecureKey M supports TDES and AES data encryption.
How to setup ID TECH SecureKey M series to work with HPP
1. Attach a reader to your computer.
2. Verify that the reader is working in Keyboard Emulation mode. To do this, open Notepad and swipe the test card. If characters appear in Notepad, Keyboard Emulation mode is active. Otherwise, you need to set the reader up to work in Keyboard Emulation mode.
3. To set up the reader to work in Keyboard Emulation mode, send the appropriate commands via the SecureKey USB Demo software. These commands are shown in the first column of all the following tables.
For all commands, the first output byte will be 06h for successful execution and FDh or 15h otherwise.
For more information, please see the User Manual.
4. You must know the reader's current Security Level. This is important for resolving possible problems. To get the reader's current Security Level, execute the following command:
Output example:
06 02 7E 01 33 03 4A
where 33 is the ASCII representation of 3, so the current Security Level is 3.
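As an added illustration (not code from this guide or from ID TECH), a small Go helper that classifies the status byte and extracts the level from a response such as the one above. It assumes the layout of that sample (status byte, then a 02h/03h-framed setting whose last data byte is the ASCII level) and does not interpret the 7E 01 header bytes or the trailing check byte.

```go
package main

import (
	"errors"
	"fmt"
)

// Status bytes named in the guide: 06h on success, 15h or FDh otherwise.
const (
	statusOK   = 0x06
	statusErr1 = 0x15
	statusErr2 = 0xFD
	stx        = 0x02 // assumption: 02h/03h frame the returned setting
	etx        = 0x03
)

// parseSecurityLevel returns the Security Level carried in a "get Security
// Level" response. A rejected command (15h/FDh) is an error, never a level.
func parseSecurityLevel(resp []byte) (int, error) {
	if len(resp) == 0 {
		return 0, errors.New("empty response")
	}
	switch resp[0] {
	case statusOK:
	case statusErr1, statusErr2:
		return 0, fmt.Errorf("reader rejected the command (status %02X)", resp[0])
	default:
		return 0, fmt.Errorf("unexpected status byte %02X", resp[0])
	}
	// Assumed frame: STX, header bytes, ASCII level, ETX, check byte.
	if len(resp) < 6 || resp[1] != stx || resp[len(resp)-2] != etx {
		return 0, errors.New("malformed setting frame")
	}
	lvl := resp[len(resp)-3]
	if lvl < '0' || lvl > '9' {
		return 0, fmt.Errorf("level byte %02X is not an ASCII digit", lvl)
	}
	return int(lvl - '0'), nil
}

func main() {
	// Constructed input: the sample response from the guide.
	lvl, err := parseSecurityLevel([]byte{0x06, 0x02, 0x7E, 0x01, 0x33, 0x03, 0x4A})
	fmt.Println("Security Level:", lvl, "error:", err) // Security Level: 3 error: <nil>
}
```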
5. If it is necessary to reset all settings to their default values, execute the following command:
Please note: The SecureKey is shipped from the factory with the default settings already programmed. For a table of default settings, see Appendix A in the User Manual.
The part number of the device that should be used is IDKE-534833BEM.
Base Derivation Key (BDK) generation for ID Tech devices
1. The key custodians receive the key parts from ID TECH. The key is stored in two separate files: KeyPart1.txt and KeyPart2.txt. Each file contains one part of the key and check values for both that part and the whole key.
An example of the content of these files is provided below:
2. To combine the key parts, download and run the following program: Key Checkvalue Generation Utility 1.03. Select 2 in the Key Parts dropdown and click the Start button.
3. Copy the key value from KeyPart1.txt (the Left and Right values combined) and paste it into the Key Part #1 textbox. Then click the OK button.
4. The program will return the check value. It must match the check value from KeyPart1.txt. If it matches, click the OK button.
5. Copy the key value from KeyPart2.txt and paste it into the Key Part #2 textbox. Then click the OK button.
6. The program will return the check value. It must match the check value from KeyPart2.txt. If it matches, click the OK button.
Note that after the OK button is pressed, the combined key will be displayed on the screen. Therefore, the necessary security measures must be taken.
7. The generated BDK should now be visible on the screen.
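The check-and-combine sequence of steps 2 to 7, as an added Go example that is not the code of the Key Checkvalue Generation Utility. It assumes the standard key check value method (first three bytes of the all-zero block encrypted under the double-length TDES key) and XOR combination of the components; the two components are constructed sample values, and the expected whole-key KCV is the published check value of the well-known test key they combine into.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// keyCheckValue returns the KCV of a double-length (16-byte) TDES key: the
// first three bytes of an all-zero block encrypted under it (assumed method).
func keyCheckValue(keyHex string) (string, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 16 {
		return "", fmt.Errorf("key must be 32 hex digits")
	}
	k3 := append(append([]byte{}, key...), key[:8]...) // K1||K2||K1 for Go's 24-byte API
	c, _ := des.NewTripleDESCipher(k3)
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// combineKeyParts XORs the components (assumed combination method) and
// releases the BDK only if its KCV matches the whole-key value from the files.
func combineKeyParts(partsHex []string, wholeKCV string) (string, error) {
	combined := make([]byte, 16)
	for i, p := range partsHex {
		raw, err := hex.DecodeString(p)
		if err != nil || len(raw) != 16 {
			return "", fmt.Errorf("key part %d must be 16 bytes", i+1)
		}
		for j := range combined {
			combined[j] ^= raw[j]
		}
	}
	keyHex := strings.ToUpper(hex.EncodeToString(combined))
	if kcv, _ := keyCheckValue(keyHex); !strings.EqualFold(kcv, wholeKCV) {
		return "", fmt.Errorf("combined KCV %s does not match expected %s", kcv, wholeKCV)
	}
	return keyHex, nil
}

func main() {
	// Constructed sample components (not custodian data); per-part KCVs are
	// printed for comparison with the files, as the utility does in steps 4 and 6.
	parts := []string{"0123456789ABCDEF0123456789ABCDEF", "0000000000000000FFFFFFFFFFFFFFFF"}
	for i, p := range parts {
		kcv, _ := keyCheckValue(p)
		fmt.Printf("Key Part #%d check value: %s\n", i+1, kcv)
	}
	bdk, err := combineKeyParts(parts, "08D7B4")
	fmt.Println("BDK:", bdk, "error:", err) // the BDK is a secret: display only under the note above
}
```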
The BDK can be stored either in the tokenization appliance or in the database (encrypted). It is recommended to store the key in the appliance that is used for account number storage.
BDK Tokenization Process using StrongAuth
To store generated BDK within the StrongAuth appliance, the following steps must be taken:
1. Log in to the gateway and navigate to the following URL:
https://[server-name]/util/tokenizationEncoder.jsp
The Tokenization Encode Form should now be visible on the screen.
2. Enter the generated BDK into the User Data textbox.
3. Enter the host of the tokenization appliance into the Host textbox.
4. Enter the username and password of the tokenization appliance into the corresponding textboxes and click the Process button.
The generated token should now be visible in the Result section. This token can be used for the subsequent configuration of processing.
Key Replacement
If a key is suspected to be compromised, it must be replaced immediately. All further transactions must be halted until the key change is completed. The new key creation, change control and destruction processes must be followed even during an emergency key replacement.
Key destruction is carried out when the previous key is compromised or is no longer required for decrypting information. If the key is compromised, it is deleted after a new key is established and the necessary data is encrypted with the new key. Otherwise, the key is kept until it is no longer needed, or for one year from the expiration date.
Note that to make the deleted key unrecoverable, a secure deletion utility must be used.