Payments Industry Terms


A

acceptor same as “card acceptor”

acquirer the institution (or its agent) which acquires from the card acceptor the financial data relating to the transaction and initiates that data into an interchange system

algorithm a clearly specified mathematical process for computation; a set of rules which, if followed, will give a prescribed result

archived key an inactive key that is being saved in a secure manner for a non-operational purpose such as a legal requirement for future recovery 

authentication the act of determining that a message has not been changed since leaving its point of origin. The identity of the originator is implicitly verified

authentication algorithm the application of a cryptographic process in which output text depends on all preceding input text

authentication element a contiguous group of bits or characters which are to be protected by being processed by the authentication algorithm


B

base derivation key a derivation key normally associated with Derived Unique Key Per Transaction (DUKPT)



C

card acceptor accepts cards to access the cardholders’ account(s) or as a means of payment for goods or services.

cardholder the customer or entity who uses their credit or debit card to initiate transactions

card issuer the institution or its agent that issues the card to the cardholders

check value a computed value which is the result of passing a data value through a non-reversible algorithm

ciphertext data in its enciphered form

cleartext data in its original, unencrypted form

communicating pair two entities (usually institutions) sending and receiving transactions. This is to include alternate processing sites either owned or contracted by either communicating entity

compromise in cryptography, the breaching of secrecy and/or security. A violation of the security of a system such that an unauthorized disclosure of sensitive information may have occurred

cryptographic key a parameter that determines the operation of a cryptographic function such as:
a) the transformation from cleartext to ciphertext and vice versa
b) synchronized generation of keying material
c) digital signature computation or validation

cryptographic key synchronization the ability for two nodes, that cryptographically process a transaction, to determine the identical Transaction Key


D

Data Encryption Algorithm (DEA) the cryptographic algorithm adopted by ANSI (see Reference 1)

decryption a process of transforming ciphertext (unreadable) into cleartext (readable)

derivation key a key which is used to compute cryptographically another key. Normally a single derivation key is used in a transaction-receiving (e.g., acquirer) TRSM to derive or decrypt the Transaction Keys used by a large number of originating (e.g., terminal) TRSMs

double-length key a TDEA key having a length of 128 bits (see reference 2 ‘keying option 2’ and reference 3 ‘TDEA 2-key implementation’)

dual control a process of utilizing two or more separate entities (usually persons), operating in concert, to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. It SHALL be ensured that no one entity is able to access or to utilize the materials (e.g., cryptographic key). For manual key generation, conveyance, loading, storage and retrieval, dual control requires split knowledge of keys among the entities. Also see “split knowledge”

DUKPT Derived Unique Key per Transaction - a key management method which uses a unique key for each transaction, and prevents the disclosure of any past key used by the transaction-originating TRSM. The unique Transaction Keys are derived from a base derivation key using only non-secret data transmitted as part of each transaction


E

encryption a process of transforming cleartext (readable) into ciphertext (unreadable) for the purpose of security or privacy

exclusive-or a mathematical operation, symbol “XOR”, defined as:
0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0
Equivalent to binary addition without carry (modulo-2 addition)


F

Function Code the first field in all request and response messages. This code is in the range 01 - FF and determines which fields are expected to follow.


I

institution an establishment responsible for facilitating customer initiated transactions or transmission of funds for the extension of credit, or the custody, loan, exchange, or issuance of money

interchange mutual acceptance and exchange of messages between financial institutions

issuer the institution holding the account identified by the primary account number (PAN)

independent software vendor (ISV) organization specializing in making and selling software, as opposed to hardware, designed for mass or niche markets.


K

key see cryptographic key

key component one of at least two parameters having the format of a cryptographic key that is exclusive-ored (added modulo 2) with one or more like parameters to form a cryptographic key. A component is equal in length to the resulting key

key encrypting key a key used exclusively to encrypt and decrypt keys

keying material the data (e.g., keys and initialization vectors) necessary to establish and maintain cryptographic keying relationships

key separation a process for ensuring that a key is used for only its intended purpose

key set a group of keys all determined by a common cryptographic procedure and differentiated by nonsecret input to this procedure such that knowledge of one key does not disclose any other key in the group

key set identifier a non-secret value which uniquely identifies a key set


M

master key in a hierarchy of Key Encrypting Keys and Transaction Keys, the highest level of Key Encrypting Key is known as a Master Key

message a communication containing one or more transactions or related information

message authentication code (MAC) a cryptographic value which is the result of passing a financial message through the message authentication algorithm using a specific key


N

node any point in a network that does some form of processing of data, such as a terminal, acquirer or switch

non-reversible transformation encryption of cleartext in such a way that the ciphertext cannot be decrypted back to the original cleartext


O

originator the person, institution or other entity that is responsible for and authorized to originate a message


P

parity a measure of the number of ‘1’ bits in a group of ‘0’ and ‘1’ bits; either odd or even

privacy the confidential nature of data which requires protection against unauthorized disclosure

pseudo random a value which is statistically random and essentially unpredictable although generated by an algorithm


R

random a value in a set that has equal probability of being selected from the total population of possibilities, hence unpredictable

recipient the person, institution or other entity that is responsible for and authorized to receive a message

remote key injection the process of loading keys onto a payment terminal remotely

replay the process of sending a previously sent message as a method of perpetrating a fraud


S

sender the person, institution, or other entity transmitting a message

Secure Key Block a structured block based on a collaborative industry standard (e.g., TR-31, GISKE) used to securely transport keys to terminals and to hosts for storage. The block self-describes the embedded encrypted key, and its contents are verified using an embedded MAC.

single length key a cryptographic key having a length of 56 bits plus 8 parity bits

SMID Security Management Information Data element used to manage and control cryptographic operations

split knowledge a condition under which two or more parties separately and confidentially have information (e.g., key components) which, individually, convey no knowledge of the resulting combined information (e.g., cryptographic key)
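The following is an added example (not Handpoint code) showing how the “key component”, “parity” and “split knowledge” entries fit together: components of equal length are combined by exclusive-or, and the result is brought back to the odd parity expected of a DEA key. The component values are constructed for illustration; the function works unchanged for double-length (16-byte) keys.

```python
"""Combining key components into a DEA key with odd parity.

Added example for this glossary (not Handpoint code). The component
values are constructed for illustration only.
"""


def odd_parity_ok(key: bytes) -> bool:
    """True if every byte has an odd number of '1' bits (DEA key parity)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_odd_parity(key: bytes) -> bytes:
    """Force odd parity by setting the low-order (parity) bit of each byte.

    Only the 7 high-order bits of each byte carry key material (56 key bits
    plus 8 parity bits), so this touches no key bits.
    """
    out = bytearray()
    for b in key:
        data_bits = b & 0xFE
        parity_bit = 0 if bin(data_bits).count("1") % 2 == 1 else 1
        out.append(data_bits | parity_bit)
    return bytes(out)


def combine_components(components: list[bytes]) -> bytes:
    """XOR (add modulo 2) components of equal length into the resulting key.

    Each component is checked for odd parity before use. The XOR of two
    odd-parity bytes has even parity, so the combined key must have its
    parity re-adjusted after combination (conventional DEA practice).
    """
    if len(components) < 2:
        raise ValueError("split knowledge requires at least two components")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("each component must equal the resulting key in length")
    if any(not odd_parity_ok(c) for c in components):
        raise ValueError("a component failed the odd parity check")
    key = bytes(length)
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return fix_odd_parity(key)


if __name__ == "__main__":
    # Constructed single-length (8-byte) components, each with odd parity.
    c1 = bytes.fromhex("0123456789ABCDEF")
    c2 = bytes.fromhex("31529DC72A64F88F")
    print(combine_components([c1, c2]).hex().upper())  # 3170D9A1A2CE3461
```

Neither component alone reveals the resulting key, which is the property the “split knowledge” entry relies on when components are held by separate custodians.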

symmetric key a cryptographic key that is used in a symmetric cryptographic algorithm (e.g., TDEA). The same symmetric key that is used for encryption is also used for decryption

switch a node that can route data from a node to other nodes


T

tampering the penetration or modification of internal operation and/or insertion of active or passive tapping mechanisms to determine or record secret data

terminal a device/system that initiates a transaction

transaction a series of messages to perform a predefined function

transaction key a key used to cryptographically process the transaction. If more than one key is used for different cryptographic functions, each may be a variant of the Transaction Key. A Transaction Key is sometimes referred to as a Data Key, communications key, session key, or working key

TRSM Tamper Resistant Security Module


U

UKPT Unique Key Per Transaction


V

variant of a key a new key formed by a process (which need not be secret) with the original key, such that one or more of the non-parity bits of the new key differ from the corresponding bits of the original key

verification the process of associating and/or checking a unique characteristic


Copyright 2018 Handpoint