In the Age of DUKPT, It Makes Sense to Own Your Device Keys
Every time your customers swipe, dip, tap, or connect to one of your unattended POS devices, they depend on you to protect their data. They trust that your security measures are protecting them from fraud. This is especially vital now that e-commerce fraud is on the rise.
Data security has come a long way. The industry started with basic end-to-end encryption (E2EE), then expanded to tokenization, and has since taken another leap forward in how the encryption keys themselves are managed. The most widely adopted key-management scheme for POS devices today is Derived Unique Key Per Transaction (DUKPT).
What Is DUKPT?
DUKPT is a key management scheme in which every transaction is encrypted under a different key. The key itself is never transmitted; it is derived inside the POS device, and only a key serial number (KSN) travels with the encrypted data. Because each key is derived in a way that cannot be reversed, if one transaction is compromised, the rest of the transactions are safe.
Originally created by Visa in the late 1980s, DUKPT is specified in the ANSI X9.24 standard for Retail Financial Services Symmetric Key Management (Part 1 covers the original TDES-based method and Part 3 the newer AES-based version).
How Does DUKPT Work?
The DUKPT process can be broken down into two parts: what happens during the manufacturing of each device, and what happens during each transaction.
The DUKPT process starts in manufacturing (or at a key injection facility) with a base derivation key (BDK). The BDK and a device-specific key serial number (KSN) are used to derive an initial key for that device. The initial key and the KSN are injected into the POS device; the BDK itself is never loaded into the device.
From the initial key, the device derives a set of future keys, one for each bit of its transaction counter. Then the initial key is erased, so nothing stored on the device can be used to recover the initial key or the BDK.
Once the POS device is deployed in your business location, the DUKPT process continues.
For every POS device transaction, the device increments the 21-bit transaction counter in its KSN, selects the future key that corresponds to the new counter value, and encrypts the transaction data under a key derived from it. Before that key is erased, the device uses it to derive the future keys that depend on it. The KSN, including the counter, is sent in the clear alongside the encrypted data.
When the encrypted transaction reaches its destination, the receiving host (normally a hardware security module that holds the BDK) reads the KSN, re-derives the device's initial key from the BDK and the KSN, and then walks the same derivation steps forward to reach the transaction key. The host needs nothing from the device except the KSN, and the BDK never leaves the HSM.
Because each key is derived one-way and erased after use, DUKPT is both efficient and secure. Even if a fraudster intercepted an encrypted payload and somehow recovered its key, they'd have access to only a single transaction; neither earlier nor later keys can be derived from it.
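The derivation described above, as an added example written for this page in Python (it is not Worldnet's or any vendor's code). It models the X9.24 structure end to end: BDK, per-device initial key, a 21-bit counter inside the 10-byte KSN, 21 future-key registers on the device, one-way derivation, erase-after-use, the rule that counters with more than 10 set bits are skipped, and the host side that re-derives the same key from only the BDK and the received KSN. Assumption: the TDES-based non-reversible key generation step of X9.24-1 is replaced by HMAC-SHA256 so the example runs on the standard library alone, which means the keys produced will not match the standard's test vectors. The BDK and KSN values are the familiar sample values from X9.24 documentation, used here only as constructed input.

```python
"""Structural model of DUKPT key management (ANSI X9.24).

Added example, not Worldnet's or any vendor's code.  ASSUMPTION: the standard's
TDES-based non-reversible key derivation is replaced by HMAC-SHA256 so this
runs on the standard library only; keys will NOT match X9.24 test vectors.
What is modelled faithfully is the key-management structure: BDK -> initial
key -> per-transaction keys selected by the 21-bit KSN counter, one-way
derivation, future-key registers, and erase-after-use.
"""
import hashlib
import hmac

COUNTER_BITS = 21                      # X9.24: low 21 bits of the 10-byte KSN
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAX_SET_BITS = 10                      # X9.24 skips counters with >10 set bits

# Constructed sample input (the well-known X9.24 documentation values).
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
KSN0 = int("FFFF9876543210E00000", 16)  # device ID + counter = 0


def _prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the X9.24 non-reversible key generation step (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def derive_initial_key(bdk: bytes, ksn: int) -> bytes:
    """Initial key for one device = f(BDK, KSN with counter zeroed).

    Done in the key-injection facility or the host HSM; the BDK itself is
    never loaded into the POS device."""
    return _prf(bdk, b"IPEK" + (ksn & ~COUNTER_MASK).to_bytes(10, "big"))


def derive_transaction_key(initial_key: bytes, ksn: int) -> bytes:
    """Host-side derivation: apply one one-way step per set counter bit, MSB first."""
    base, counter = ksn & ~COUNTER_MASK, ksn & COUNTER_MASK
    key, partial = initial_key, 0
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if counter >> bit & 1:
            partial |= 1 << bit
            key = _prf(key, (base | partial).to_bytes(10, "big"))
    return key


def working_key(transaction_key: bytes) -> bytes:
    """Key that actually encrypts the transaction: a one-way function of the
    derived key, so capturing it reveals nothing about any other key."""
    return _prf(transaction_key, b"DATA")


class PosDevice:
    """Stores only the KSN and 21 future-key registers, never BDK or initial key."""

    def __init__(self, initial_key: bytes, initial_ksn: int):
        self.ksn = initial_ksn & ~COUNTER_MASK
        # Register b holds the key for the first counter whose lowest set bit is b.
        self.registers = [_prf(initial_key, (self.ksn | 1 << b).to_bytes(10, "big"))
                          for b in range(COUNTER_BITS)]
        # No copy of initial_key is kept; from here on it is unrecoverable.

    def next_transaction(self):
        """Return (ksn, working_key) for one transaction and erase the used key."""
        counter = self.ksn & COUNTER_MASK
        while True:
            counter += 1
            if counter > COUNTER_MASK:
                raise RuntimeError("counter exhausted: device needs key re-injection")
            if bin(counter).count("1") <= MAX_SET_BITS:
                break
        self.ksn = (self.ksn & ~COUNTER_MASK) | counter
        low = (counter & -counter).bit_length() - 1       # index of lowest set bit
        key = self.registers[low]
        for j in range(low):                              # refill lower registers
            self.registers[j] = _prf(key, (self.ksn | 1 << j).to_bytes(10, "big"))
        self.registers[low] = None                        # erase the used key
        return self.ksn, working_key(key)


def host_decrypt_key(bdk: bytes, ksn: int) -> bytes:
    """What the processor's HSM does with the KSN that arrived in the clear."""
    return working_key(derive_transaction_key(derive_initial_key(bdk, ksn), ksn))


if __name__ == "__main__":
    pos = PosDevice(derive_initial_key(BDK, KSN0), KSN0)
    for _ in range(3):
        ksn, key = pos.next_transaction()
        print(f"KSN {ksn:020X}  host re-derived same key: {host_decrypt_key(BDK, ksn) == key}")
```

Two things worth noticing when running it: the host reconstructs every working key from nothing but the BDK and the 10-byte KSN, which is why a processor that owns the BDK can decrypt and one that does not cannot; and once the counter is exhausted the device raises rather than reusing a key, which is the point at which a real terminal must be re-injected.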
The process works well and is straightforward to implement … except when a company decides to change platforms or processors.
Why? Because the base derivation key often can't be transferred.
BDKs Are Often Owned by Suppliers
The base derivation key used during the manufacturing process is often a proprietary key owned by the supplier or payment processor. Every key derived from that BDK, and therefore every device injected under it, is tied to that owner as well.
So, when companies decide to change payment processors, they find themselves in a bind.
For example, companies are pondering the decision to migrate from MSR to EMV before Visa and Mastercard processing fees increase. For some, that means looking for another payment processor – one that has all the bells and whistles to adapt to whatever comes next on the payments horizon.
The problem is that their POS devices are using keys that will have to be transferred or replaced. And it should come as no surprise that payment processors aren't terribly keen on handing their proprietary keys to competitors.
So that leaves companies with one option: changing, or reinjecting, the device keys.
The Problem With Key Reinjection
Device keys can be reinjected manually or remotely. Neither option is ideal.
Manual reinjection involves shipping your POS devices to a key injection facility, where they are plugged into a computer, injected with a new key, and sent back.
For instance, a taxi company has hundreds or thousands of cars, each with a separate device that would have to be removed, shipped to and from the facility for reinjection, and reinstalled. Not only is this costly, transactions are essentially on hold until the cabs have their devices back.
Remote Key Injection
Remote Key Injection (RKI) allows you to update keys on any number of POS devices over a network. It saves time, but the price tag is enough to give anyone sticker shock. RKI costs range from $20 to $50 per device. When your business has 10,000 devices, that's a cost of $200,000 to $500,000 just to change the keys.
Fortunately, there’s another option. You can own your BDK.
Why Owning Your Base Derivation Key Makes Sense
Owning the BDK for your POS devices is a smart move for several reasons — and they all come down to flexibility:
- It eliminates the need for costly RKI.
- Your business can shift from platform to platform, partner to partner, and gateway to gateway without having to change keys: the new processor simply loads your BDK into its HSM and can derive the same transaction keys your devices already use.
- You maintain control of the key and can retire it, should your company choose. Ownership also brings responsibility: the BDK must be generated and stored in an HSM under dual control and split knowledge, as X9.24 and the PCI PIN Security requirements expect.
Keep in mind that some payment processors don’t allow clients to own their keys and require them to use proprietary keys, which impacts changes to devices and platforms.
That’s not how we do things.
Owned Key or Not, We Can Handle It
We’ve seen how difficult it is for companies to find out their previous payment processor won’t transfer device keys. It forces those businesses to spend money they don’t have in their budget for RKI.
Even worse, some have to choose between the cost of extended downtime or investing in new devices if their keys have to be injected manually.
At Worldnet Payments, we can accommodate any scenario our clients bring to us:
- Owned BDK and need POS devices
- Owned BDK and have existing POS devices
- Need to reinject BDK on existing POS devices
We’re happy to use our proprietary keys or use yours. And we’ll work with hardware providers to ensure both the test and live devices are set up correctly before they’re shipped. That way, you’re ready to go live as soon as they arrive.
Our goal is to get your business migrated and up and running as quickly and efficiently as possible. Contact us today to talk about the fastest and most cost-effective way to take advantage of our platform. Let’s get your business ready for the future of payments.