Imagine if you could seamlessly integrate any new Payment Card Industry (PCI) PIN requirement, such as new Key Block mandates, throughout your custom payment application with minimal effort, saving time and reducing development costs. That’s a reality for many companies.
Using Prime Factors Bank Card Security System (BCSS), integrating industry changes into in-house payment applications is seamless, without requiring extensive development work or the need for cryptography experts to make changes. Instead, Prime Factors customers simply update to the latest version of BCSS, which already natively supports the features and functions required to meet recent changes required by the payment card industry.
To put it simply, companies who control their own payment applications and use BCSS don’t even bat an eye when updating their payment security. By using BCSS, organizations simplify their cryptographic key management and eliminate hours of re-architecture to comply with security standards now, and in the future.
Bank Card Security System Ensures Peace of Mind for Today's and Tomorrow's Payment Industry Challenges
If you have a custom payment application, any new PCI PIN update will result in countless hours spent re-architecting your payment card environment. But with BCSS, you can streamline your integration with new security requirements and hardware changes with minimal to no development.
Here are a couple reasons why now is the right time for you to consider BCSS to future proof your custom applications:
1. Payment card industry changes, such as TR-31 Key Blocks
The PCI Security Standards Council (PCI SSC) is constantly revising its requirements, including the implementation of Key Blocks. To implement or make changes to Key Blocks in custom built payment applications, it can take specialized skill and hours of redevelopment work. However, when PCI SSC introduced their latest PCI Key Block mandate (PCI PIN 18-3 Requirements), BCSS customers were able to smoothly migrate their existing keys to Key Blocks without needing to re-architect their applications.
The new Key Block requirement better protects keys used with Triple Data Encryption Algorithm (TDEA or TripleDES) and Advanced Encryption Standard (AES). The requirement states that “encrypted symmetric keys must be managed in structures called Key Blocks,” which is a standard method to ensure security and intended usage of cryptographic keys. Key Blocks focuses on improving protection of symmetric keys shared among payment systems participants to protect PINs and other sensitive information.
The Key Block implementation rolls out in three phases*:
- Phase 1 – Deadline Passed
Implement Key Blocks for internal connections and key storage within service provider environments. This includes all applications and databases connected to hardware security modules (HSMs). Phase 1 became effective June 1, 2019; this date was not extended. - Phase 2 - Deadline Passed
Implement Key Blocks for external connections to associations and networks. New effective date: January 1, 2023 (replaces previous date of June 1, 2021). - Phase 3 – Deadline January 1, 2025
Implement Key Blocks extends to all merchant hosts, POS devices and ATMs. New effective date: January 1, 2025 (replaces previous date of June 1, 2023).
*PCI PIN Security Requirements 18-3 – Key Blocks Requirements, PCI Security Standards Council (July 2022)
While Phase 1 and Phase 2 Key Blocks deadlines have passed, Phase 3 Key Blocks which apply to merchant hosts, POS devices and ATMs has extended until 2025 due to delays from COVID-19.
If you have developed your own applications to process PINs, you will need to re-architect your applications to support Key Blocks. For most custom-developed application owners, this can be a long, burdensome, and resource-intensive process, but it doesn’t have to be.
Why are Key Blocks important?
Key Blocks are an integral part of safeguarding cryptographic keys essential for payment security. Key Blocks prevent the misuse of keys and make it difficult for hackers to exploit weaknesses through unauthorized modification, substitutions, or disclosure of payment data. Essentially, Key Blocks serve as a purpose to execute cryptography correctly.
BCSS enables you to migrate to Key Blocks easily, eliminating the need for complex application re-development on your end. Simply update to the latest BCSS version and enable support for Key Blocks. This means no experts are needed to re-work your application, saving you hours and costs on re-architecture. Prime Factors also always ensures BCSS is up to date with the latest PCI PIN changes, ensuring that your applications are prepared for any new requirements down the road.
There are a variety of different Key Blocks that BCSS helps your payment applications stay up to date on, including TR-31 Key Blocks, Thales Key Blocks, AES Key Blocks, and more.
- TR-31 Key Blocks: Defined by the ANSI Standards Committee, TR-31 Key Blocks facilitate the secure exchange of symmetric keys, ensuring that key attributes are included within the exchanged data.
- TR-34 Key Blocks: TR-34 provides a unified approach to crafting and storing the Terminal Master Key within ATMs and POS systems. This addresses a prior challenge of disparate methods employed by various vendors in the industry.
- Thales Key Blocks: The Thales Key Blocks are data structures designed and implemented by the Thales Group and provide two types of key encryption—Tirple DES and AES Key Block LMK. Unlike other Key Block types, Thales Key Blocks may only be used with Thales payShield HSMs.
As PCI SSC continues to amend its PIN requirements, Prime Factors continues to enhance BCSS to accommodate Key Block requirements, so users of the platform can easily adapt to industry updates with minimal effort on their end.
2. Changes to payment hardware platforms, such as the release of the payShield 10K
In addition to PCI PIN updates, BCSS makes transitions from end-of-life systems painless. Whenever there is a shift in a hardware vendor, BCSS ensures a smooth transition while providing turnkey compatibility. This protects the end user during these transitions to ensure the process is seamless with no rework of their payment applications.
For example, when Thales announced the end of life for its payShield 9000 family of hardware security modules (HSMs), those with BCSS purchased payShield 10K HSMs and selected the 10K hardware option within BCSS. There was no additional work needed, no developer hours, and no application re-architecture, saving any costs that might have otherwise been incurred to update custom payment applications to accommodate these changes. With BCSS, it’s easy and painless to implement new hardware, load balance across various hardware types during transition, and manage hardware infrastructure over time, with better visibility and control.
Don’t delay future-proofing your payment card security
For organizations with BCSS already implemented, migrating to Key Blocks has been a straightforward process: simply update your BCSS software to the latest version, migrate existing keys to Key Blocks, enable exchanging keys using Key Blocks, and then you’re done. No further re-work or application architecture changes are needed. As the payment card industry continues to evolve, technology will continue to shift and requirements will inevitably change, and those with custom payment applications utilizing BCSS will never fall behind. BCSS helps facilitate better security, visibility, efficiency, and compliance for payment applications, even as industry standards change. If your enterprise is managing a custom payment application yourself, without leveraging BCSS, now is the perfect time to future-proof your payment application with BCSS.
To learn how BCSS helps modernize your custom payment applications, get in touch with a payment security expert.