payShield 10K Installation and User Guide
© Thales Group
Page 198
All Rights Reserved
9.14 Migrating keys for PCI HSM compliance
When it is required to make a payShield 10K compliant with the requirements of the PCI PTS HSM security standard, it may be necessary to move some keys from Variant key type 002 (LMK pair 14-15, Variant 0) to other key types. Although this can be done as a separate operation, it can be achieved at the same time as migrating between LMKs using the BW host command by entering 'F2' as the Key Type Code, and the desired destination key type in the Key Type field.
9.15 Re-encrypting PINs
Where PINs have been stored encrypted under the old LMK (in LMK Live storage or LMK Key Change storage) these will need to be re-encrypted using the new LMK (in LMK Key Change storage or LMK Live storage). This can be done by using the BG host command.
A host application will take each PIN from the old PIN database, re-encrypt it using the BG host command, and store the re-encrypted PIN into the new PIN database.
9.15.1 BG Host Command
The structure of the BG host command is as follows:
| Field | Length & Type | Notes |
|---|---|---|
| Message Header | m A | This field contains whatever the user wants. The length of the field is defined using the CH console command or Configuration / Host Settings in payShield Manager. It is subsequently returned unchanged in the response to the host. |
| Command Code | 2 A | Has the value 'BG'. |
| Account Number | 12 N | The 12 right-most digits of the account number, excluding the check digit. |
| PIN | L1 N or L1 H | The PIN encrypted under the old LMK, where L1 is the old encrypted PIN length. L1 N applies where PIN encryption algorithm A (Visa method) is specified in the security settings, and L1 H applies where PIN encryption algorithm B (Racal method) is specified. |
| Delimiter | 1 A | Value '%'. Optional; if present, the following field must be present. |
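As an added example (not code from the Thales manual), the following Python assembles and parses the leading BG command fields listed above, with the field checks a host application should apply before sending. It assumes the host already knows the configured message-header length, the old encrypted PIN length L1 and the PIN encryption algorithm (A or B); the fields after the '%' delimiter are not on this page and are kept as an opaque remainder.

```python
import re

# Added example, not the manual's own code. PIN values in the tests are
# constructed placeholders, not real LMK-encrypted PINs.

def account_field(pan: str) -> str:
    """12 right-most digits of the account number, excluding the check digit."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN must carry at least 13 digits")
    without_check = digits[:-1]          # drop the (Luhn) check digit
    return without_check[-12:]           # keep the 12 right-most digits

def pin_field(encrypted_pin: str, algorithm: str) -> str:
    """Check the encrypted PIN's character set against the configured algorithm:
    A (Visa method) -> L1 N (decimal), B (Racal method) -> L1 H (hexadecimal)."""
    if algorithm == "A":
        pattern = r"[0-9]+"
    elif algorithm == "B":
        pattern = r"[0-9A-F]+"
    else:
        raise ValueError("PIN encryption algorithm must be 'A' or 'B'")
    if not re.fullmatch(pattern, encrypted_pin):
        raise ValueError(f"encrypted PIN is not valid for algorithm {algorithm}")
    return encrypted_pin

def build_bg_command(header: str, pan: str, encrypted_pin: str, algorithm: str) -> str:
    """Message Header + 'BG' + Account Number + PIN (fields shown on this page)."""
    return header + "BG" + account_field(pan) + pin_field(encrypted_pin, algorithm)

def parse_bg_command(msg: str, header_len: int, enc_pin_len: int, algorithm: str) -> dict:
    """Split a BG host command into its fields. header_len is the length set
    via the CH console command; enc_pin_len is L1 (old encrypted PIN length)."""
    pos = 0
    header = msg[pos:pos + header_len]; pos += header_len
    code = msg[pos:pos + 2]; pos += 2
    if code != "BG":
        raise ValueError(f"unexpected command code {code!r}")
    account = msg[pos:pos + 12]; pos += 12
    if not re.fullmatch(r"[0-9]{12}", account):
        raise ValueError("Account Number must be exactly 12 digits")
    pin = pin_field(msg[pos:pos + enc_pin_len], algorithm); pos += enc_pin_len
    rest = msg[pos:]
    # Delimiter rule from the table: '%' is optional, but if present the
    # following field must be present too.
    if rest == "%":
        raise ValueError("delimiter '%' present but the following field is missing")
    return {"header": header, "account": account, "pin": pin, "rest": rest}
```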