# Security

### Account Data Protection

The device always encrypts account data from the MSR using 112-bit TDEA, 128-bit AES, or 256-bit AES with X9.24 DUKPT key management. The device provides no mechanism, such as a whitelist or an SRED-disable command, that would allow account data to leave the device unencrypted. Integrators must follow the guidance provided in \[3]. Using the device with key-management systems other than those described in this policy invalidates its PCI PTS POI v6.2 approval.

### Algorithms Supported <a href="#id-5.2_algorithms_supported" id="id-5.2_algorithms_supported"></a>

The device includes the following cryptographic algorithms:

* AES-128/256
* TDEA-128 (two-key TDEA: 16-byte key, 112-bit effective strength)
* ECDSA (P256 and P521)
* RSA2048
* SHA-256

### Key Management

The device implements the original AES/TDEA DUKPT scheme (ANS X9.24-3) as its only key-management method; using any other method invalidates PCI approval. DUKPT derives a unique key for every transaction through a non-reversible derivation step, so the compromise of one transaction key reveals neither the base derivation key (BDK) nor the keys of earlier transactions. For more details, see \[5] and \[6].

## Table 5-1 - iDynamo 5 Gen III Product Keys

| Key Name | Size | Algorithm | Purpose |
|---|---|---|---|
| Transport Keys:<br>• Master Transport Key<br>• Device Transport Key<br>• Financial Transport Key<br>• Production Transport Key<br>• Manufacturing Transport Key<br>• MagTek KIF Financial Transport Key | 32 bytes | AES X9.143 KBPKs | Key injection |
| Account Data Key:<br>• DKPTM7-FK | 16 bytes for TDEA and AES-128<br>32 bytes for AES-256 | AES and TDEA DUKPT (ANS X9.24-3) | Encrypt and MAC account data |
| Firmware Protection Key:<br>• Firmware Signing Key (FSK) | 256 bytes | RSA2048 and SHA-256 | Checks integrity and authenticity of firmware |

### Key Loading

The device does not support manual or plaintext cryptographic key entry. Keys may be loaded only by specialized tools that comply with the key-management requirements and cryptographic methods of \[6] and \[7]. On the production line, keys can be loaded by an HSM in ANSI X9.143 key-block format after mutual authentication. Use of any other method invalidates PCI approval.
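The X9.143 key block that an HSM hands over starts with a fixed 16-character ASCII header that states the block length, the key's permitted usage, algorithm and mode of use, and whether it may be exported. The following is an added example, written for this page rather than taken from MagTek tooling, of the header parsing and policy check a host-side loader can run before presenting a block for injection. The policy function encodes the constraints visible in the key table above (AES key blocks only; a BDK restricted to key derivation and non-exportable) as the author's own illustration, not as the device's firmware logic. The sample blocks are constructed: the header fields are real, but the body is placeholder zeros, not wrapped key material. Only the Go standard library is used.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Header is the 16-character ASCII header of an X9.143 / TR-31 key block.
// Fixed offsets: 0 version, 1-4 length, 5-6 key usage, 7 algorithm,
// 8 mode of use, 9-10 key version, 11 exportability, 12-13 optional block
// count, 14-15 reserved.
type Header struct {
	Version       byte
	Length        int
	Usage         string
	Algorithm     byte
	ModeOfUse     byte
	KeyVersion    string
	Exportability byte
	OptBlocks     int
}

var usageNames = map[string]string{
	"B0": "BDK base derivation key",
	"D0": "data encryption",
	"K0": "key encryption / wrapping",
	"K1": "key block protection key",
	"P0": "PIN encryption",
}

// ParseHeader decodes the header and checks that the declared length matches
// the block actually received, which is the first thing a loader must verify.
func ParseHeader(block string) (Header, error) {
	var h Header
	if len(block) < 16 {
		return h, errors.New("key block shorter than the 16-character header")
	}
	n, err := strconv.Atoi(block[1:5])
	if err != nil || n != len(block) {
		return h, fmt.Errorf("length field %q does not match block length %d", block[1:5], len(block))
	}
	opt, err := strconv.Atoi(block[12:14])
	if err != nil {
		return h, fmt.Errorf("bad optional block count %q", block[12:14])
	}
	h = Header{
		Version: block[0], Length: n, Usage: block[5:7], Algorithm: block[7],
		ModeOfUse: block[8], KeyVersion: block[9:11], Exportability: block[11], OptBlocks: opt,
	}
	switch h.Version {
	case 'A', 'B', 'C':
		// TDEA key-binding versions: parsed, but rejected by the policy below.
	case 'D':
		// AES key-derivation binding: the hex-encoded key data and the 16-byte
		// MAC that follow the header are whole AES blocks, so the body must be
		// a multiple of 32 characters and hold at least one data block plus MAC.
		if rest := n - 16; rest < 64 || rest%32 != 0 {
			return h, fmt.Errorf("version D body of %d characters is not AES-block aligned", rest)
		}
	default:
		return h, fmt.Errorf("unknown key block version %q", h.Version)
	}
	return h, nil
}

// AcceptForDUKPTInjection is the author's illustrative host-side policy: only an
// AES (version D) block carrying a non-exportable BDK restricted to derivation.
func AcceptForDUKPTInjection(h Header) error {
	if h.Version != 'D' {
		return fmt.Errorf("version %c is protected by a TDEA KBPK; only AES key blocks are accepted", h.Version)
	}
	if h.Usage != "B0" {
		return fmt.Errorf("usage %s (%s) is not a BDK", h.Usage, usageNames[h.Usage])
	}
	if h.Algorithm != 'A' && h.Algorithm != 'T' {
		return fmt.Errorf("algorithm %c is neither AES nor TDEA", h.Algorithm)
	}
	if h.ModeOfUse != 'X' {
		return fmt.Errorf("mode of use %c: a BDK must be limited to key derivation", h.ModeOfUse)
	}
	if h.Exportability != 'N' {
		return fmt.Errorf("exportability %c: a BDK must be non-exportable", h.Exportability)
	}
	return nil
}

// Constructed samples: genuine header layouts over a zero-filled placeholder
// body (not encrypted key data or a valid MAC).
func SampleAESBDK() string  { return "D0112B0AX00N0000" + strings.Repeat("0", 96) }
func SampleTDEABDK() string { return "A0088B0TX00N0000" + strings.Repeat("0", 72) }

func main() {
	for _, blk := range []string{SampleAESBDK(), SampleTDEABDK()} {
		h, err := ParseHeader(blk)
		if err == nil {
			err = AcceptForDUKPTInjection(h)
		}
		fmt.Printf("%s -> %+v, accept: %v\n", blk[:16], h, err)
	}
}
```

The header is authenticated by the key block's MAC, so a loader should treat these fields as trustworthy only after the HSM or key-injection tool has verified that MAC under the KBPK; parsing them first merely avoids presenting an obviously wrong block. Usage `K1` is the code a block uses when it carries a key block protection key such as the transport keys in the table.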

### Key Replacement <a href="#id-5.5_key_replacement" id="id-5.5_key_replacement"></a>

Keys should be replaced with new keys whenever the original key is known or suspected to have been compromised, and whenever the time deemed feasible to determine the key by exhaustive attack has elapsed, as defined in \[4].
