Archives for : processing

    DUKPT Overview and Transaction notes


    I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link


    I will come back at some stage and expand on this when I get time.

    Transaction Process narrative:

    The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

    A good explanation of DUKPT can also be found at Wikipedia.


    Diagram of the flow


    DUKPT transaction flow - terminal to bank

    DUKPT transaction flow - terminal to bank


    Background notes:

    • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
    • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
    • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
    • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
    • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
    • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
    • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
    • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
    • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
    • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
    • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

    The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

    When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

    When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

    HSM-8000-User Guide V2.2

    EFT Syetms and Device Considerations

    EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
    Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

    Looking at the products and relationships us usually a good start.

    Things to consider:

    • Card skimming methods
    • Some EFT POS devices restrict the connection of a skimmer
    • Review levels of associated fraud
    • Review devices and EFT methods
    • Review terminal identification (merchant and customer)
    • Manual processing. (internal and external)
    • eCommerce products
    • PC based software
    • Dedicated server services (Nobil, etc.)
    • Web based engine (Custom objects, Web pop-ups, etc)
    • Authorisation / identification methods (Merchant and customer)
    • TCPIP session hijacking / session spoofing
    • Direct Debit as well as Credit Cards.
    • Swift (methods and controls)
    • Telegraphic transfer (methods and controls)
    • Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
    • Internet banking facilities (attack / penetration,  Certificate registration / management, ISP SLA’s, etc.)
    • Implementation of Smart Card and / or alternative customer recognition devices.
    • Outsourcing and associated risks / service level agreements
    • Payment processing
    • Payment clearance
    • Payment switching
    • Reporting (segregation of merchant / customers / aggregators / partners / local / international)
    • Fraud detection and reporting
    • 3rd party acquiring risks
    • Single merchant ID many businesses
    • Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
    • Encryption used
    • Internet / trusted partner / inter-bank / extranet
    • Private and / or public certificates
    • Single use certificates
    • Client side certificates
    • Remittance advice processes and controls.
    • EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
    • Trusted partner relationships, SLA’s, liabilities and risks.
    • EFT regulatory / legal requirements (inter-bank and government)
    • Refund processing / authorisation. (policies, procedures, controls, etc.)
    • CVV, CVV-2 / CVC-2 processing and management. (
    • Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
    • Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
    • Review EFT floor limits (corporate and SME merchants)
    • Review the ability to withhold merchant settlement until the presence of fraud has been determined.
    • Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
    • Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
    • Review processing with and without expiry dates. (exception controls and policies)
    • Review exception / fraud reports.
    • Review payment store and forward policies and procedures.
    • Review Pre-Auth and Completion controls.
    • Token based payment (eCash, etc)
    • Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
    • Real time gross settlement policies, procedures and controls. (IT and amounts)
    • Card issuing policies and procedures. (customer ID checks, etc)
    • Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
    • Use of Internet technologies for inter-bank transfers and remote equipment.
    • Physical security and controls of devices, ATM,s, line encryptors, etc.

    Financial Transaction Processing

    I have been recently working inside one of the larger Banks in Australia.
    Through this work, I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.

    I get to perform many security architecture and payment systems assessments.
    Over the years I have always considered the protection of the card data as one of the key considerations.

    Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
    The site

    Many of the other tools on this site are also very unique and worth a look.
    Big thanks to ziggurat29 for providing such awesome tools.

    As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
    It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

    One of the more extraordinary files is the Atalla Hardware Security Module (HSM)  and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. 😉

    ——– ziggurat29 Text ———

    These are all Windows command-line utilities (except where noted); execute with the -help option
    to determine usage.

    DUKPT Decrypt (<- the actual file to download)

    This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method.  I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.

    VISA PVV Calculator (<- the actual
    file to download)

    This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique.  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.

    VISA CVV Calculator (<- the actual file to download)

    This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique.  MasterCard CVC uses the CVV algorithm, so it will work for that as well.  It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
    format of the expiration date.  Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.

    Atalla AKB Calculator (<- the actual file to download)

    This is a utility that will both generate and decrypt Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

    BogoAtalla (<- the actual file to

    This is an Atalla emulator (or simulator).  This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
    CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
    portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

    This runs as a listening socket server and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
    responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

    BogoAtalla for Linksys (<- the actual file to download)

    This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) development/test device.


    Local Files


    Technology is always being challenged

    I read a very interesting paper created by the University of Massachusetts, RSA Laboratories and Innealta, Inc.<<

    This paper primarily relates to the compromise of contact less payment technologies (RFID) if the RFID and/or reader have not been implemented correctly or the solution provider has used an inappropriate type of RFID and discusses the challenges around Chip and Pin with respect to financial transactions e.g. EMV standards and compliance.

    Additionally, the paper describes a RFID relay method which is being discussed within many forums around the world and we have now begun to see equipment being produced for the RFID skimmers/clonners to use for malicious means.

    The overarching point of this paper is to use an appropriate RFID & Chip solutions which supports the security/privacy of the user and purpose of the transaction (financial or non financial)<<

    The paper can be found at

    In modern payment RFID & Chip solutions, newer devices can be used which possess a high degree of processing power and are therefore able to execute strong cryptographic methods (such as digital signatures) to protect the identification and payment information whilst the transaction is occurring.

    These systems often utilise bidirectional authentication between the RFID/Chip scanner and the RFID tag/Chip prior to performing the transaction. These methods and cryptographic algorithms are accepted and proven to work within the traditional payment markets.

    As mentioned in the paper, some solution store static digitally signed and/or encrypted data which is provided to the RFID/Chip reader when queried, but this data never changes from one transaction to another. This may allow a malicious individual to capture and re-inject the data into the reader at a later stage. The alternative to storing static digitally signed and/or encrypted data is to negotiate a key exchange at the time of the transaction in which the card/value information is encrypted and subsequently transmitted. With this method the transmitted data
    changes on every transaction and therefore even if a malicious individual was to capture the encrypted transaction data from one transaction, this would not be accepted by the reader if re-injected at a later stage.

    Although this is the case today, older RFID/Chip solutions often use technologies which are not appropriate for financial transactions and therefore may be compromised easily and in some cases without the knowledge of the card holder, merchant or acquirer.

    I find this interesting how some of these less secure solution have been approved for use by acquiring banks and the card schemes around the world (if they were told) in recent years, where it has been seen that these solutions have utilised techniques or deployment methods which can be compromised. These technologies and techniques would never be approved within the Point of Sale (PoS) or traditional banking markets.

    It can only be assumed that the need to get product to market quickly at the expense of proper testing, understanding and with due consideration to industry lessons learnt has succeeded again.

    Is there a risk of someone listening or stealing the information from a contactless card?

    One risk with contactless cards is the ability for the card to be activated when it enters a reader’s RF range without the owner being aware of it. To prevent a contactless card activation without the card owner being aware of it, the application can be configured to always ask for the owner’s authorisation (password, PIN or biometric) before providing any user information or processing on the user’s behalf.


    e level of security of communication required between the contactless card and the reader must be defined as part of the system design and security controls must put in place so that un-invited listeners cannot intercept the data in any meaningful way. For example, all of the contactless technologies can use data encryption to protect data on the card and during transmission; this helps to ensure that, if information is intercepted, the information cannot be used by the recipient. It is important that all of the application’s requirements be understood and defined prior to any technology selection and implementation so that the appropriate security features are designed into the system.
    Additionally, the contactless chip is designed to self destruct if anyone tries to hack into it.

    New e-Commerce and Payment Technologies Company

    Recently I came across a new e-Commerce company called EFT Networks, which seems to have an exciting future in the Global Payments Market.

    It looks like they have a good mix of consulting and solution design.


    Electronic Payment

    Designed to enable both credit card and direct debit, EFT Networks electronic payment solutions work effectively across multiple sales channels—including Web, Contact Call Centre, IVR and EFTPOS. Manage your payment processing system in-house or outsource, depending on your business needs.

    Global Payments

    International commerce requires fully integrated global payment and risk management solutions. Requirements span the gamut of payment acceptance considerations from accepting local payment types, pricing in local currencies and dynamically updating prices with changes in exchange rates (dynamic currency conversion), authorising and settling in multiple currencies, to managing fraud and compliance issues such as tax and export regulations. EFT Networks offers a single interface to the global payment network to handle all of these considerations as your business grows.

    ICE – Reporting & Management

    The EFT Networks Enterprise Business Center gives you a single, easy-to-use interface for managing and configuring payment processing services.

    ICE caters for each area of the payment transaction cycle from authentication, authorisation, settlement, dispute resolution and reconciliation – enabling our clients to reduce transaction costs, eliminate fraud, minimise risk, maximise cash flow and increase profitability.


    EFT Networks provides flexible and secure payment and risk management integrations in to host and legacy systems as well as industry-leading software.

    Using industry standards and protocols, our solutions can be customised to suit your exact business requirements


    ICE (Intelligent Communications Exchange)

    At the core is our Intelligent Communications Exchange (ICE) which enables all known transaction enablers from EFTPOS to eCommerce to be routed directly to a client’s bank without intervention for real time acceptance and authentication.

    The EFT Networks ICE operates under a philosophy of total System and Physical redundancy delivering the highest uptime rates possible, whilst the transaction network is protected using Solid State and Application Firewalls on all points of ingress and egress.

    Every transaction processed through EFT Networks is encrypted using 128 bit Secure Socket Layer (SSL) encryption and submitted for authorisation through EFT Networks “Secure Virtual Private Network” (SVPN).

    Our commitment to security is also reflected in our swift compliance with Card Schemes security initiatives such as VerifiedByVisa and MasterCard SecureCode.

    EFT Networks comprehensive suit of online reporting tools combined with daily transaction reports will ensure that our clients always have access to up-to-date management information allowing Business Managers to make quick and well-informed business decisions. The decision making process is simplified even further with the power of daily reports that are customised to be imported into most existing legacy systems.