Key Block Integrator (KBI)

Trusted Security Solutions brings over 20 years of cryptographic key management innovation, FI security, and encryption leadership. 

As industry innovators of products and services that solve symmetric and asymmetric cryptographic key challenges, TSS uses the latest “standards compliant” technology available. TSS provides customized or off-the-shelf, flexible key encryption and key management solutions that help safeguard your customers’ financial data.

Key Block Integrator (KBI), is TSS’s latest product innovation.  It includes a combination of tools and expert resources to help companies analyze DES key usage and identify changes needed to successfully convert to key bundling, a PCI mandate.



VISA announced they will apply the PCI Security Council Requirement 18-3 on a set schedule.  FI processors and financial institutions need to implement these changes per PCI’s required schedule.

The requirement states that DES key cryptograms need conversion to key blocks in storage and for internal connections.  The deadline to complete this was June 2019. Additional deadlines loom for June 2021 and June 2023.


The KBI system is an end-to-end solution to diagnose and recommend the necessary changes to become PCI compliant.  In addition to the KBI system, TSS can also provide other consultation to get you on the right path to implement key bundling.


You get fast, efficient and affordable diagnostic tools providing forensic details around key use and insight into the changes you need to implement for compliance.  TSS also provides expert technicians to answer questions and provide support throughout the process.



Key Block Integrator fits seamlessly in between your software and your HSM to identify every key-related command coming to or from your HSM, indicating if key blocks are being used according to PCI recommendations or where your commands are not compliant.

Typical client HSM network prior to using TSS’s Key Block Integrator:

KBI graphic_before

In a typical environment, e.g. a test network, multiple systems will be issuing key commands directly to the HSM.

The following information may not be known:
– what commands are being issued
– if those commands can support Key Blocks
– if those commands are using Key Blocks


Why work alone on this specialized cryptographic project when you can get it done faster with experts who serve other customers solving these same challenges?  Using Key Block Integrator software tools, developed specifically for PCI requirement 18-3, speeds up the internal development pace freeing up your IT resources for other strategic initiatives.

A typical client using TSS’s KBI tool:

KBI graphicAFTER OUT.jpg


System A issued a A0 (Generate a Key) command which was Key Block compliant
System A issued a QY (Validate RSA Signature) Command which was not Key Block compliant
System B issued a A0 (Generate a Key) Command which was not Key Block compliant
System B issued a M0 (Encrypt Data Block) Command which does not appear to be well-formed
System C issued a A6 (Import a Key) Command which was not Key Block compliant
System C issued a NO (HSM Status) Command which is Key Block agnostic.

The Trusted Security Solutions Key Block Integrator runs on a customer-owned system and is configured to sit between the Host Security Module (HSM) and one or more of the command issuing systems.  The tool passes HSM-related traffic transparently between the issuing systems and the HSM so that routines and operations are not interrupted.  If the tool cannot be placed in-line, options exist to load existing trace logs through the tool.  Issues commands are logged along with command and key block compliance details.  These are then reviewed by the customer team or in collaboration with TSS’s Key Block experts to determine how to remediate identified gaps in key block coverage.