The KeyBRIDGE Point of Interaction (POI) platform is a vendor agnostic solution that performs both DUKPT and MK/SK key injection for payment terminals and peripheral devices. This use case supports compliant key injection for devices that must be managed in a secure facility where physical access controls are relied upon for the establishment of a new key that has no other basis for trust, other than the dual control, split knowledge, and chain of custody achieved through external process and procedure.
Full support for all key types, including but not limited to DUKPT (PIN, MAC, or Data), standard E2E keys, KEKs, Master Session methods as well as alternative derivation techniques. The platform streamlines key injection operational efficiency while automatically capturing all relevant audit log details that can be exported and validated with ease, further reducing overhead associated with audit cycles. KeyBRIDGE is now deployed to support key injection for both TDES DUKPT as well as AES DUKPT.
Product Features
- Centralized and secure key storage
- Detailed key inventory
- Manages unlimited Key Encryption Keys (KEKs)
- Single & double length Master/Session keys
- Ability to update the SMK for periodic key rotation
- POS key erasure functionality to clear production keys from POS devices prior to transporting
- Supported keys include:
- Double & triple-length TDES keys
- 128, 192 & 256-bit AES keys
- DUKPT for PIN
- DUKPT for PAN/Data
- DUKPT for MAC
Dual Control and Split Knowledge
With POI, keys are delivered from KeyBRIDGE over a connected interface such as USB, Serial, or Ethernet to a target device. In some instances, a clear key may traverse this interface because of the additional policies and procedures that govern the operation of the secure room where this activity is performed. The KeyBRIDGE appliance augments these policies and procedures by enforcing the concepts of dual control and split knowledge, with extensive audit logging to capture each action that is performed. All activities can be reliably traced to at least two unique personnel, while system managers have greater granular flexibility to assign unique role based access controls.
Unique Protocols Custom Developed
The KeyBRIDGE appliance supports the majority of PED manufacturers in the marketplace with over 300 certified POI devices today. These devices with unique protocols are custom developed to ensure that every key delivered can be traced to a manufacturer, unique model, device serial number, and additionally configurable meta-data elements. The KeyBRIDGE appliance allows for the concurrent connection of sixteen unique devices. Injection profiles are configurable that allow a user to inject upwards of thirty keys to a single device in as few as four mouse-clicks.
Additional features that can be licensed include:
- Remote Audit Management – (ARCK™ API) enables the remote access by management to perform audit and statistic reporting.
- SCD Component Entry – Allows users to securely enter TDES or AES components through a separate, removable Secure Cryptographic Device (SCD) and send them encrypted to the KeyBRIDGE appliance for storage.
- Network Support – Allows users to save data such as audit logs, key inventory and system backups from the KeyBRIDGE appliance to a network drive.
- Custom PED Key Export – Allows users to define a specific format for the export file(s) containing POS keys, as well as allows users to change the names associated with POS models.
- Custom Key Usage – Allows users to define additional Key Usages and determine the permissible characteristics of those Custom Key Usages.
- Custom Key Attributes – Allows users to create up to 12 custom attributes at the key level.
- Real-Time DID Back-Up – Perform real time backups of your DID counters ensuring that no future keys end up as duplicates for previous deployments.
