PCI Compliance



VISA announced that it will apply PCI Security Council Requirement 18-3 on a set schedule. FI processors and financial institutions must implement these changes per PCI's required schedule.

You must convert DES key cryptograms to key blocks in storage and for internal connections by June 2019. Additional deadlines loom for June 2021 and June 2023.


The KBI system is an end-to-end solution to diagnose, recommend and implement the necessary changes to become PCI compliant. TSS's proprietary software will help you determine what changes are needed for key bundling compliance. In addition to the KBI system, TSS can also provide understaffed clients with custom turn-key consulting solutions.


You get fast, efficient and affordable diagnostic tools providing forensic details around key use and insight into the changes you need to implement for compliance. TSS also provides expert technicians to answer questions and provide support throughout the process.



Key Block Integrator fits seamlessly between your software and your HSM to identify every key-related command going to or from your HSM, indicating whether key blocks are being used according to PCI recommendations and where your commands are not compliant.

Typical client HSM network prior to using TSS’s Key Block Integrator:

[Figure: client HSM network before Key Block Integrator]

In a typical environment, e.g. a test network, multiple systems will be issuing key commands directly to the HSM.

The following information may not be known:
– what commands are being issued
– if those commands can support Key Blocks
– if those commands are using Key Blocks


Why work alone on this specialized cryptographic project when you can get it done faster with experts who serve other customers solving these same challenges? Using Key Block Integrator software tools, developed specifically for PCI requirement 18-3, speeds up the internal development pace, freeing up your IT resources for other strategic initiatives.

A typical client using TSS’s KBI tool:

[Figure: client HSM network with Key Block Integrator in place]


– System A issued an A0 (Generate a Key) command which was Key Block compliant.
– System A issued a QY (Validate RSA Signature) command which was not Key Block compliant.
– System B issued an A0 (Generate a Key) command which was not Key Block compliant.
– System B issued an M0 (Encrypt Data Block) command which does not appear to be well-formed.
– System C issued an A6 (Import a Key) command which was not Key Block compliant.
– System C issued an NO (HSM Status) command which is Key Block agnostic.

The Trusted Security Solutions Key Block Integrator runs on a customer-owned system and is configured to sit between the Host Security Module (HSM) and one or more of the command-issuing systems. The tool passes HSM-related traffic transparently between the issuing systems and the HSM so that routines and operations are not interrupted. If the tool cannot be placed in-line, options exist to load existing trace logs through the tool. Issued commands are logged along with command and key block compliance details. These are then reviewed by the customer team, or in collaboration with TSS's Key Block experts, to determine how to remediate identified gaps in key block coverage.