The payment security landscape is witnessing major transitions, especially within ATM and POS systems. This shift is largely due to the introduction of the PCI-PIN V3, an amalgamation of requirements set forth by the PCI SCC and X9 committee.
Understanding TR-31: The Secure Key Transfer Protocol
TR-31 emerged in response to the need for a more fortified method of transmitting encryption keys from host processors. Set to become a PCI mandate by January 1, 2025, it promises to overhaul the security protocols of ATM and POS device key transfers.
Key Insights into TR-31:
The Key Block rollout will be done in three phases:
You can learn more about TR-31 in our previous article: An Introduction to TR-31 and Thales Key Blocks
Diving into TR-34: The Epitome of Key Block Formats
TR-34 stands out in the cryptographic world, offering a cohesive methodology for constructing and storing the Terminal Master Key in ATMs and POS systems, a task previously fragmented across vendors.
Here we show a comparison between a TR-34 key block and a standard TR-31 key block.
One of the most significant differences between TR-31 and TR-34 key block formats is thatTR-34 doesn’t require a symmetric key to be exchanged between the Key Distribution Host (KDH) and the Key Receiving Device (KRD). TR-34 is used to exchange a TR-31 Key block protection key using asymmetric (RSA) encryption. ATR-34 key block includes a TR-31 compatible key block header. This header contains the usage and exportability information about the key. It is not encrypted and can also contain optional key header blocks as allowed by TR-31.
Another very specific difference with other key block formats is that the header is included twice within the TR-34 key block. One is in the clear text at the start of the key block, and other is in the encrypted envelope in the key block data. This allows the Key Receiving Device to validate that the deciphered key block data contains a copy of the key block header. This serves as an additional security precaution.
Key Highlights of TR-34:
TR-34's complexity and robustness surpass other formats. It pre-emptively addresses potential security threats, integrating them into its design to bolster its defences.
As PCI SSC continues to amend its PIN requirements, EFTlab continues to enhance EFThub and EFTsim to accommodate these changes, so all users of these products can easily adapt to industry updates with minimal effort on their end.
Sources / Links to follow:
ASCX9 TR 31-2018 - Interoperable Secure Key Exchange Key Block Specification (2018), by American National Standards Institute (ANSI)
X9 TR34–2012 - Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques: Part 1 –Using Factoring-Based Public Key Cryptography Unilateral Key Transport (August2012), by the American National Standards Institute
PIN Security Requirement - KeyBlocks (2019), by the PCI Security Standards Council
ANSI X9.24-1-2017 - Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques (2017), by the Accredited Standards Committee X9 (Incorporated Financial Industry Standards), American National Standards Institute