
Security

Account Data Protection

The device always encrypts account data from all three reader types using 112-bit TDEA, 128-bit AES, or 256-bit AES algorithms with X9.24 DUKPT key management. This device does not support any mechanisms such as whitelists or SRED disable that would allow the data to be sent out unencrypted.

Algorithms Supported

The device includes the following cryptographic algorithms:

  • AES

  • TDEA

  • RSA

  • ECDSA (P256 and P521 curves)

  • SHA-256

Key Management

The device implements the original AES/TDEA DUKPT scheme as its only key management method; use of any other method invalidates the PCI approval. DUKPT derives a new, unique key for every transaction, so compromise of one transaction key does not expose the keys used for other transactions. For details, see ANS X9.24 Part 3:2017.

Table - DynaFlex II Go Product Keys

Key Name                | Size                                                 | Algorithm                        | Purpose
------------------------|------------------------------------------------------|----------------------------------|----------------------------------------------
Transport Keys          | 32 bytes                                             | AES X9.143 KBPKs                 | Key Injection
Account Data Key        | 16 bytes for TDEA and AES-128; 32 bytes for AES-256  | AES and TDEA DUKPT (ANS X9.24-3) | Encrypt and MAC Account Data
Firmware Protection Key | 64 bytes for ECDSA Curve P-256                       | ECDSA and SHA-256                | Checks integrity and authenticity of firmware
EMV CA Public keys      | Varies per issuer                                    | RSA                              | Authenticate card data and keys
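The following is an added example, not MagTek code, showing the host-side counterpart of the AES-128 DUKPT key management described above: the key-derivation host walks from the BDK to the initial key, then to one intermediate key per set bit of the KSN transaction counter, and finally to the working key for a given usage (data encryption or MAC, matching the Account Data Key row). The derivation-data layout and the key usage and algorithm indicator values are as the author recalls them from ANS X9.24-3:2017 and are assumptions to verify against the standard; the BDK and Initial Key ID are constructed test values.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// Indicator values as recalled from ANS X9.24-3:2017 (assumption: confirm
// against the published standard before relying on them).
const (
	KeyUsageKeyDerivation = 0x8000 // intermediate derivation key
	KeyUsageInitialKey    = 0x8001 // initial key, derived from the BDK
	KeyUsageMACGenerate   = 0x2000 // message authentication, generation
	KeyUsageDataEncrypt   = 0x3000 // data encryption, encrypt direction
	AlgAES128             = 0x0002 // derived key type AES-128
)

// derivationData builds the 16-byte AES DUKPT derivation data block. For the
// initial key the trailing 8 bytes hold the Initial Key ID; for intermediate
// and working keys they hold the rightmost 4 bytes of the Initial Key ID
// followed by the 32-bit transaction counter.
func derivationData(keyUsage, alg uint16, initialKeyID [8]byte, counter uint32, initial bool) [16]byte {
	var d [16]byte
	d[0] = 0x01 // version id
	d[1] = 0x01 // key block counter: one AES block yields a 128-bit key
	binary.BigEndian.PutUint16(d[2:4], keyUsage)
	binary.BigEndian.PutUint16(d[4:6], alg)
	binary.BigEndian.PutUint16(d[6:8], 128) // derived key length in bits
	if initial {
		copy(d[8:16], initialKeyID[:])
	} else {
		copy(d[8:12], initialKeyID[4:8])
		binary.BigEndian.PutUint32(d[12:16], counter)
	}
	return d
}

// deriveAES128 is the one-block derivation: AES-ECB(derivationKey, derivationData).
func deriveAES128(derivationKey []byte, data [16]byte) ([]byte, error) {
	block, err := aes.NewCipher(derivationKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, data[:])
	return out, nil
}

// KSN assembles a 12-byte AES DUKPT key serial number: Initial Key ID || counter.
func KSN(initialKeyID [8]byte, counter uint32) [12]byte {
	var ksn [12]byte
	copy(ksn[:8], initialKeyID[:])
	binary.BigEndian.PutUint32(ksn[8:], counter)
	return ksn
}

// DeriveWorkingKey is the host-side derivation: BDK -> initial key -> one
// intermediate key per set bit of the counter (MSB first) -> working key for
// the requested usage. Counters with more than 16 set bits are never used by
// a DUKPT device, so they are rejected here (counter 0 is treated as unused too).
func DeriveWorkingKey(bdk []byte, ksn [12]byte, keyUsage uint16) ([]byte, error) {
	if len(bdk) != 16 {
		return nil, errors.New("AES-128 DUKPT needs a 16-byte BDK")
	}
	var initialKeyID [8]byte
	copy(initialKeyID[:], ksn[:8])
	counter := binary.BigEndian.Uint32(ksn[8:])
	if counter == 0 || bits.OnesCount32(counter) > 16 {
		return nil, fmt.Errorf("counter %08x is not a usable transaction counter", counter)
	}
	key, err := deriveAES128(bdk, derivationData(KeyUsageInitialKey, AlgAES128, initialKeyID, 0, true))
	if err != nil {
		return nil, err
	}
	var prefix uint32
	for mask := uint32(1) << 31; mask != 0; mask >>= 1 {
		if counter&mask == 0 {
			continue
		}
		prefix |= mask
		key, err = deriveAES128(key, derivationData(KeyUsageKeyDerivation, AlgAES128, initialKeyID, prefix, false))
		if err != nil {
			return nil, err
		}
	}
	return deriveAES128(key, derivationData(keyUsage, AlgAES128, initialKeyID, counter, false))
}

func main() {
	bdk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")            // constructed test BDK, not a real key
	initialKeyID := [8]byte{0x12, 0x34, 0x56, 0x78, 0x90, 0x12, 0x34, 0x56} // constructed
	for _, ctr := range []uint32{1, 2, 3, 0x1FFFF} {
		k, err := DeriveWorkingKey(bdk, KSN(initialKeyID, ctr), KeyUsageDataEncrypt)
		if err != nil {
			fmt.Printf("counter %08x: %v\n", ctr, err)
			continue
		}
		fmt.Printf("counter %08x data key %s\n", ctr, hex.EncodeToString(k))
	}
}
```

Running it prints a different data key for counters 1, 2 and 3 and an error for 0x1FFFF (17 set bits). Because every intermediate key is a one-way AES image of its parent, a host that holds the BDK can recompute any transaction key from the KSN alone, while the reader only ever holds keys for current and future counters and cannot recover earlier ones.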

Key Loading

The device does not support manual or plaintext cryptographic key entry. Keys can only be loaded with specialized tools that comply with the key management requirements and cryptographic methods of ANSI X9.143 (AES key blocks). Use of any other method invalidates the PCI approval.
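As an added example (not MagTek code), the parser below reads the 16-character header and optional blocks of a TR-31 / X9.143 key block, which is what a compliant key-loading tool presents to the device, and applies an illustrative acceptance check before anything is injected: the block must declare a DUKPT key (usage B0 or B1) for AES or TDEA, derive-only and non-exportable. The header field layout, the usage/algorithm/mode codes and the acceptance policy are the author's assumptions, not the device's own checks, and the sample key block is constructed with all-zero placeholders where the encrypted key and MAC would be.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// KeyBlockHeader holds the fixed header of a TR-31 / X9.143 key block.
// Field layout as recalled from the standard (assumption: verify).
type KeyBlockHeader struct {
	Version        byte              // 'A'..'D'; 'D' = AES key-derivation binding
	Length         int               // declared total key block length in characters
	KeyUsage       string            // e.g. "B0" BDK, "B1" initial DUKPT key, "K1" KBPK, "P0" PIN key
	Algorithm      byte              // 'A' AES, 'T' TDEA, ...
	ModeOfUse      byte              // 'X' derive keys, 'B' encrypt+decrypt, 'N' no restriction, ...
	KeyVersion     string            // two-character key version number
	Exportability  byte              // 'N' non-exportable, 'E' exportable, 'S' sensitive
	OptionalBlocks map[string]string // optional block ID -> data
}

// ParseKeyBlockHeader validates the fixed header and walks the optional blocks.
// It never touches the encrypted key or MAC fields; those need the KBPK.
func ParseKeyBlockHeader(block string) (*KeyBlockHeader, error) {
	if len(block) < 16 {
		return nil, errors.New("key block shorter than the 16-character header")
	}
	h := &KeyBlockHeader{
		Version:        block[0],
		KeyUsage:       block[5:7],
		Algorithm:      block[7],
		ModeOfUse:      block[8],
		KeyVersion:     block[9:11],
		Exportability:  block[11],
		OptionalBlocks: map[string]string{},
	}
	if h.Version < 'A' || h.Version > 'D' {
		return nil, fmt.Errorf("unknown key block version %q", h.Version)
	}
	n, err := strconv.Atoi(block[1:5])
	if err != nil || n != len(block) {
		return nil, fmt.Errorf("declared length %q does not match the %d characters present", block[1:5], len(block))
	}
	h.Length = n
	count, err := strconv.Atoi(block[12:14])
	if err != nil {
		return nil, fmt.Errorf("bad optional block count %q", block[12:14])
	}
	// Each optional block: 2-char ID, 2 hex chars of total length (ID and length included), data.
	pos := 16
	for i := 0; i < count; i++ {
		if pos+4 > len(block) {
			return nil, errors.New("optional block header runs past the end of the key block")
		}
		id := block[pos : pos+2]
		l, err := strconv.ParseInt(block[pos+2:pos+4], 16, 0)
		if err != nil || l < 4 || pos+int(l) > len(block) {
			return nil, fmt.Errorf("optional block %s has invalid length %q", id, block[pos+2:pos+4])
		}
		h.OptionalBlocks[id] = block[pos+4 : pos+int(l)]
		pos += int(l)
	}
	return h, nil
}

// AcceptForDUKPTInjection is an illustrative acceptance policy (assumption,
// not the device's own check): only a DUKPT BDK or initial key for AES/TDEA
// that is marked derive-only and non-exportable is allowed through.
func AcceptForDUKPTInjection(h *KeyBlockHeader) error {
	if h.KeyUsage != "B0" && h.KeyUsage != "B1" {
		return fmt.Errorf("key usage %s is not a DUKPT key", h.KeyUsage)
	}
	if h.Algorithm != 'A' && h.Algorithm != 'T' {
		return fmt.Errorf("algorithm %q is neither AES nor TDEA", h.Algorithm)
	}
	if h.ModeOfUse != 'X' {
		return fmt.Errorf("mode of use %q: a DUKPT key should be derive-only", h.ModeOfUse)
	}
	if h.Exportability != 'N' {
		return fmt.Errorf("exportability %q: an injected key should be non-exportable", h.Exportability)
	}
	return nil
}

// SampleKeyBlock is constructed: a version D header declaring a 132-character
// block with a B0 (BDK) AES derive-only non-exportable key, one "KS" optional
// block carrying a constructed 8-byte initial key ID, then 64 + 32 hex
// placeholder characters standing in for the encrypted key and the MAC.
var SampleKeyBlock = "D0132B0AX00N0100" + "KS14FFFF9876543210E0" + strings.Repeat("0", 96)

func main() {
	h, err := ParseKeyBlockHeader(SampleKeyBlock)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("version %c usage %s alg %c mode %c export %c KS=%s\n",
		h.Version, h.KeyUsage, h.Algorithm, h.ModeOfUse, h.Exportability, h.OptionalBlocks["KS"])
	fmt.Println("injection policy:", AcceptForDUKPTInjection(h))
}
```

The point of checking the header before loading is that a key block binds its attributes (usage, algorithm, mode of use, exportability) to the wrapped key under the KBPK's MAC; a loading tool that enforces those attributes prevents, for example, a key intended for PIN encryption from being installed as a DUKPT base key.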

Key Replacement

Keys should be replaced with new keys whenever the original key is known or suspected to have been compromised, and whenever the time within which the key could feasibly be determined by exhaustive attack, as defined in NIST SP 800-57 Part 1, has elapsed.
