Host Connection
User Interface
Automated Features
A98-D & MultiVendor Middleware

  • Eliminates manual on-site key loading
  • Reduces key management costs
  • Conforms to ANSI, PCI and TG-39 security standards
  • Implements NCR, Diebold, Wincor-Nixdorf, Nautilus Hyosung, Triton and GRG protocols
  • Provides the most efficient and complete solution for both legacy and remote key ready ATMs

The A98-R automates both the generation and distribution of cryptographic keys for ATMs. The A98-R is compatible with ATMs that use RSA-enabled encrypting pin-pads (EPPs). The A98-R delivers random master keys in compliance with the latest ANSI standards (X9.24 Part 2), TR-39 Section 5, PCI, and with all known network mandates for Triple-DES and unique keys per ATM.

The A98-R implements Diebold's and Triton’s Certificate Based Protocols (CBP), and NCR, Wincor, Nautilus Hyosung, and GRG's Signature Based Protocol (SBP). Other remote key protocols will be provided in future releases as they become publicly available. The Diebold and Triton approaches uses X.509 certificates and PKCS message formats to transport key data. NCR, Wincor, Nautilus Hyosung, and GRG's methods rely on digital signatures to ensure data integrity. Both processes require the ATM's EPP to be loaded at the factory with signed public keys or certificates. In addition, A98 generated public keys or certificates must be signed by the ATM manufacturer’s designated Certificate Authority (CA) or Trust Authority (TA) and imported back into the A98 system. The A98 has easy to follow procedures for both the export and import of these keys and certificates per manufacturer.

The remote key process requires the A98 and ATM to establish trust. With basic protocols, generally the EPP serial number is sent to the A98 encrypted by the EPP public key or certificate. The A98 recovers the EPP serial number, then sends a message back to the EPP, a portion of which includes the A98 signed public key or certificate. Assuming successful authentication from both ends, the A98 stores the EPP serial number received and generates a new DES key, encrypts it with the EPP's public key, prepares the required message format, and sends this new master key to the ATM. When the EPP responds that it successfully loaded the key, A98 sends a cryptogram of this new key to the host for loading into the terminal data base.

With newer protocols supporting PCI PTS 3.0 and higher EPPs, techniques per ATM manufacturer diverge further from one another in efforts to meet PCI compliance. for more information on this subject, download our "Current State of Remote Key Loading".

TSS provides a complete end to end solution for customers using ACI’s BASE24® and Postilion® to drive their ATMs. For other platforms, either the host vendor has a working interface to the A98 or an interface can be accomplished with minor modification to the ATM terminal handler, router, or procedures. Feel free to contact TSS to inquire further about specific host requirements. Contact us at

By integrating the remote key module into the conventional A98 platform, Trusted Security Solutions continues to lead the industry by providing the most efficient, compliant and cost-effective key establishment solution for all ATMs.

Base 24™ and Postilion™ are registered trademarks of Transaction Systems Architects, Inc.

Related documents:
Remote Key Brochure (PDF 748kb)
Remote Key Brochure En Español (PDF 704kb)


Trusted Security Solutions, Inc. | 704.849.0036 |

© Trusted Security Solutions, Inc. All Rights reserved in all media.