Key Management


  • Encrypting PIN Pads (EPPs), the tamper-resistant security modules (TRSMs) at ATMs and POS devices, store the master cryptographic key, BDKs and sub-keys inside the device.
  • Asymmetric Key Loading, also referred to as Remote Key Loading, is the most common method today and uses public key cryptography to establish trust. TSS offers solutions to facilitate remote key loading for any remote-key-enabled EPP on the market, supporting the two dominant methods: Certificate- and Signature-Based Protocols. The flexibility of the A98 system design allows seamless integration into even the most complicated and heterogeneous environments, supporting a mixture of ATM types, protocols and Terminal Handlers. TSS supports SHA-2 and TR-34 for the latest PCI 3.0 EPPs.


  • Legacy symmetric key loading requires two custodians to separately load individual key components into the EPP, and those components must match the ones loaded on the host. This process is manual, error-prone and cumbersome.
  • TSS’s patented “Comvelope™ process” turns legacy symmetric key loading on its head. In this process, the key custodians each select and open two random numbers (Comvelopes) to create a unique key inside the ATM. Using an Interactive Voice Response (IVR) system or a web portal, the custodians report the identifiers of the random numbers used to the A98 System. The A98 takes care of the rest: it combines the same values inside a host security module (HSM), uploads a cryptogram of the new key to the host, and records the activity together with the new key check value (KCV) that documents the event. Manual key loading is now compliantly accomplished in a fraction of the time and expense it would take using legacy methods.
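The component-based loading above rests on two operations: XOR-combining each custodian's component into the final key, and comparing a key check value (KCV) so host and EPP can confirm they hold the same key without ever exposing it. The following Go program is an added illustration of those two steps, not TSS or A98 code; the components are fixed demo values, and the KCV is computed the conventional way for TDES keys (encrypt an all-zero block, keep the first three bytes).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// CombineComponents XORs equal-length key components (one per custodian)
// into the final symmetric key. Any single component on its own reveals
// nothing about the key, which is why two custodians are required.
func CombineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("at least two key components are required")
	}
	n := len(components[0])
	key := make([]byte, n)
	for _, c := range components {
		if len(c) != n {
			return nil, errors.New("key component length mismatch")
		}
		for i := range c {
			key[i] ^= c[i]
		}
	}
	return key, nil
}

// KCV returns the 3-byte key check value of a 24-byte TDES key as hex:
// TDES-encrypt an all-zero block and keep the first three bytes. Host and
// EPP compare KCVs to detect a mis-keyed component before any PIN traffic.
func KCV(key []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, make([]byte, des.BlockSize))
	return hex.EncodeToString(out[:3]), nil
}

func main() {
	// Constructed demo components; real ones come from the custodians.
	a, _ := hex.DecodeString("a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718")
	b, _ := hex.DecodeString("a0913ab31c0c08f731a4c6d9e4bf5e2a0d9f2ab74a3a73bf")
	key, err := CombineComponents(a, b)
	if err != nil {
		panic(err)
	}
	kcv, _ := KCV(key)
	fmt.Printf("host KCV %s must equal the KCV reported by the EPP\n", kcv)
}
```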


  • Dual Currency Conversion (DCC) and other third-party applications may require “Custom Application Keys” (CAKs). CAKs allow sensitive information to be sent to a host other than the primary transaction host, encrypted in a similar fashion to PIN data. Using remote key loading or Comvelopes™, custom keys are generated and stored compliantly in the EPP’s memory for use as needed. A cryptogram of the same key is also transmitted to the application host, translated and then stored. This key is then used to authenticate data received by the application.

As the financial services market continues to evolve and mature, financial institutions (FIs) are looking to differentiate themselves from their competitors by building custom branch kiosks with PIN pads for “on us” traffic. As with the ATM, there is an important need for an independent means to generate and automatically load “PIN Encrypting Keys” (PEKs) and other sub-keys into the device EPPs. Leveraging the A98 and TSS’s experience, you can do this while retaining more control of the process. TSS solutions remain among the most cost-effective, efficient and compliant solutions for independent remote key loading of these devices.