6 - SecuritySecurity
DynaFlex II| Smart Card Reader | PCI PTS POI v6.2 Security Policy
Page 15 of 17 (
D998200573-10
)
6
Security
6.1
Account Data Protection
DynaFlex II always encrypts account data from all three reader types, using the 112-bit TDEA-CBC
algorithm, or 128-bit AES-CBC with X9.24 DUKPT key management. This device does not support any
mechanisms such as whitelists or SRED disable that would allow the data to be sent out unencrypted.
6.2
Algorithms Supported
The device uses the following cryptographic algorithms:
•
AES
•
TDEA
•
RSA
•
ECC-DSA (P256 and P521 curves)
•
SHA-256
6.3
Key Management
The device implements AES/TDEA DUKPT as its only key management method. Use of any other
method will invalidate PCI approval. DUKPT derives a new unique key for every transaction. For more
details, see
ANS X9.24 Part 3.
Table 6-1 - DynaFlex II Product Keys
Key Name
Size
Algorithm
Purpose
Transport Keys
32 bytes
AES TR-31 KBPKs
Key Injection
Account Data Key
16 bytes for TDEA and
AES-128
32 bytes for AES-256
AES and TDEA DUKPT
(ANS X9.24-3)
Encrypt and MAC
Account Data
Firmware Protection Key
64 bytes for
ECDSA Curve P-256
ECC-DSA SHA-256
Checks integrity
and authenticity of
firmware
EMV CA Public keys
Varies per issuer
RSA
Authenticate card
data and keys
6.4
Key Loading
The device does not support manual cryptographic key entry. Only specialized tools, compliant with key
management requirements and cryptographic methods, specifically
ANSI X9.143
can be used for key
loading. Use of any other methods will invalidate PCI approval.
6.5
Key Replacement
Keys should be replaced with new keys whenever the original key is known or suspected to have been
compromised, and whenever the time deemed feasible to determine the key by exhaustive attack has
elapsed, as defined in
NIST SP 800-57-1
.
