Overview of A98's Service Bureau
The Service Bureau Customer registers their ATMs by providing TSS with the ATM manufacturer and model along with a unique identification number. Comvelopes are purchased from TSS in quantities of 100. The Customer's servicers load the contents of the Comvelopes into ATMs as required and place a phone call to the Service Bureau A98 located at TSS's facilities. The servicers report the ATM ID and Comvelope ID. The A98 retrieves the contents of the Comvelopes within the Tamper Resistant Security Module (TRSM) and creates the same key that was just loaded into the ATM. The just-loaded ATM key is then encrypted under the unique Key Encrypting Key (KEK) shared between that Service Bureau Customer and TSS. The A98 sends this cryptogram and the ID of the ATM to the Customer. The information in the message is extracted and entered into the database of the Host ATM Software package. Each time the A98 Service Bureau is used, a new unique key is established in that ATM in a fully compliant manner.
Service Bureau Description
2. Load Key into ATM - When it is time to load an initial key into an ATM, two people selected by the Customer each select a Comvelope at random from the population of Comvelopes. The first person inspects the Comvelope for any signs of tampering. If it has not been tampered with, the Comvelope is opened and its contents are loaded into the ATM following the manufacturer's instructions. If the ATM reports the Key Check Value (KCV), this person then verifies that the KCV corresponds to the one printed in the Comvelope.
3. Report the Terminal ID and Comvelope ID - The first person calls the TSS A98 and enters their Servicer ID and Access Code. After verification, the Servicer is invited to enter the ATM ID and Comvelope ID. The A98 reports the KCV back via the IVR and the first person verifies the KCV is as expected.
4. The Second Servicer - A second person selects a Comvelope at random from those available and repeats steps 3 and 4. At this point, a unique key has been established in the ATM. That same key now exists on the A98 encrypted under the KEK shared with the Customer.
5. Cryptogram of the ATM Key is sent to the Host - The TSS A98 formats an E-mail message containing the ATM ID, the cryptogram of the ATM key just established and the Key Check Value for the newly established ATM Key. The E-mail message is sent to the Customer.
6. The Customer receives the E-mail message - The E-mail message is received by the Customer and is processed to parse the Terminal ID, the Cryptogram of the ATM Key and the KCV. The ATM key must be translated from encryption under the KEK to encryption under the local system HSM's MFK. For an HSM that implements the Atalla architecture, a CMD 13 - Translate Working Key for Storage - is used. Thales and other HSMs have similar commands for translation.
7. Enter the information into the Host ATM Software - A manual process can be used to enter the cryptograms and ATM ID information into the Host ATM Software. Alternatively, the process may be automated.
8. A New PIN Encryption Key is sent to the ATM - After the ATM resumes online status, most ATM software packages will send a new PIN encryption key to the ATM encrypted by the ATM key that was just established. After this step is complete, normal operations resume. The ATM is ready for transactions.
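The KCV checks in steps 2 through 5 can be reproduced offline with test data. The script below is an added example, not TSS or A98 code. It assumes the two Comvelope contents are key components combined by XOR, that the ATM key is a double- or triple-length TDES key, and that the KCV is the first six hex digits of a zero block encrypted under the key; the page specifies none of these details, and the component values are constructed.

```shell
#!/bin/sh
# Added example: dual-control key components and KCV verification.
# Assumptions (not stated on the page): components combine by XOR, the key is
# TDES, and KCV = first 6 hex digits of the zero block encrypted under the key.

# XOR two equal-length hex strings; prints the result in upper case.
xor_hex() (
  a=$1; b=$2; out=""; i=1
  [ "${#a}" -eq "${#b}" ] || { echo "component lengths differ" >&2; exit 1; }
  while [ "$i" -lt "${#a}" ]; do
    x=$(printf '%s' "$a" | cut -c"$i"-"$((i + 1))")
    y=$(printf '%s' "$b" | cut -c"$i"-"$((i + 1))")
    out=$out$(printf '%02X' "$((0x$x ^ 0x$y))")
    i=$((i + 2))
  done
  printf '%s\n' "$out"
)

# Print the 6-hex-digit KCV of a double- (32 hex) or triple-length (48 hex) key.
kcv() (
  key=$1
  case ${#key} in
    32) key=$key$(printf '%s' "$key" | cut -c1-16) ;;  # K1K2 -> K1K2K1
    48) ;;
    *) echo "unsupported key length" >&2; exit 1 ;;
  esac
  printf '\000\000\000\000\000\000\000\000' |
    openssl enc -e -des-ede3 -nopad -K "$key" |
    od -An -tx1 | tr -d ' \n' | cut -c1-6 | tr 'a-f' 'A-F'
)

# Succeed only if the key's computed KCV equals the reported one.
verify_kcv() {
  [ "$(kcv "$1")" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Constructed test components (never put real key material on a command line).
COMP_A=11111111111111112222222222222222
COMP_B=1032547698BADCFEDCFE98BA54761032
ATM_KEY=$(xor_hex "$COMP_A" "$COMP_B")
if verify_kcv "$ATM_KEY" 08D7B4; then
  echo "KCV matches: key established correctly"
else
  echo "KCV mismatch: do not accept this key" >&2
fi
```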
© Trusted Security Solutions, Inc. All Rights reserved in all media.