PayEx IFSF H2H Security specification
Key schemes
Currently PayEx only supports H2H Shared keys for MAC, PIN and Data Encryption.
This solution defines three different keys which are shared with the 3rd party that integrates the PayEx H2H IFSF protocol.
Each 3rd party will be assigned a unique key version that needs to be specified in requests towards PayEx Host.
Security Related Control Information
This information is transported in P-53 towards PayEx Host. For the H2H Shared keys scheme, only 53-6 needs to be populated, with the version of the keys.
This field (53-6) needs to be present in all requests that have MAC, PIN or encrypted data (P-127).
Element | Name | Format | Attribute | Description |
---|---|---|---|---|
53 | | n | 2 | LLVAR length field |
53-1 | Master key generation number | n | 1 | Identifies the master key generation. Currently NOT supported |
53-2 | Key version of master key | n | 1 | Identifies the key version. Currently NOT supported |
53-3 | MAC random value | b | 16 | ZKA MAC random value. Currently NOT supported |
53-4 | PAC random value | b | 16 | ZKA PAC random value. Zero filled if no PIN block in the message. Currently NOT supported |
53-5 | Data encryption random value | b | 16 | ZKA Data encryption random value. Currently NOT supported |
53-6 | H2H Key version | n | 2 | Version of keys shared by PayEx with 3rd party. E.g. "02" |
PIN Encryption Methodology
This information is transported in P-48.14 field towards PayEx Host.
Element | Name | Format | Attribute | Description |
---|---|---|---|---|
48 | | n | 3 | LLLVAR length field |
48-14 | PIN Encryption Methodology | ans | 2 | Identifies the key version used for pin block encryption. Supported values listed below. |
‘13’: PayEx H2H shared keys
‘33’: ZKA MS/SK PAC H2H (Currently not supported)
When P-52 is present in a request, this field must also be present. When field P-52 is NOT present, field 48-14 should also NOT be present.
The value currently supported by PayEx is ‘13’ and refers to PayEx H2H shared keys. Other values are currently not supported.
The PayEx H2H shared key scheme defines a PIN encryption key that is used to encrypt the PIN block. See PIN section for details.
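The presence rules for 53-6 and 48-14 above can be checked before a request is sent. The following is an added example, not PayEx code: it assumes the request has already been parsed into a dict keyed by element name, and it assumes the MAC is carried in P-64 (ISO 8583 convention, not stated in this section). The function name and sample messages are constructed for illustration.

```python
import re

# Assumption: the message is already parsed into a dict keyed by element
# name ("52", "53-6", "48-14", ...). Wire encoding is out of scope here.
MAC_FIELD = "64"        # Assumption: MAC in P-64 (ISO 8583 convention).
PIN_FIELD = "52"        # PIN block, per the 48-14 rule above.
ENC_DATA_FIELD = "127"  # Encrypted data, per the 53-6 rule above.
SUPPORTED_PIN_METHODS = {"13"}          # PayEx H2H shared keys
KNOWN_UNSUPPORTED_PIN_METHODS = {"33"}  # ZKA MS/SK PAC H2H


def check_security_fields(msg):
    """Return a list of rule violations for one parsed request (empty = OK)."""
    problems = []
    protected = [f for f in (MAC_FIELD, PIN_FIELD, ENC_DATA_FIELD) if f in msg]
    key_version = msg.get("53-6")

    # Rule: 53-6 is required whenever MAC, PIN or encrypted data is present.
    if protected and key_version is None:
        problems.append("53-6 missing but P-%s present" % ", P-".join(protected))
    # Format n 2: exactly two decimal digits, e.g. "02".
    if key_version is not None and not re.fullmatch(r"[0-9]{2}", key_version):
        problems.append("53-6 must be two digits, got %r" % key_version)

    # Rule: 48-14 is present if and only if P-52 is present.
    method = msg.get("48-14")
    if PIN_FIELD in msg and method is None:
        problems.append("P-52 present but 48-14 missing")
    elif PIN_FIELD not in msg and method is not None:
        problems.append("48-14 present but P-52 missing")

    # Rule: only '13' is currently supported.
    if method is not None and method not in SUPPORTED_PIN_METHODS:
        state = "not supported" if method in KNOWN_UNSUPPORTED_PIN_METHODS else "unknown"
        problems.append("48-14 value %r is %s" % (method, state))
    return problems


# Constructed sample requests (field values are placeholders, not real data).
SAMPLES = {
    "ok_pin_and_mac": {"52": b"\x00" * 8, "48-14": "13", "53-6": "02", "64": b"\x00" * 8},
    "no_key_version": {"52": b"\x00" * 8, "48-14": "13", "64": b"\x00" * 8},
    "stray_method": {"48-14": "13", "53-6": "02", "64": b"\x00" * 8},
    "zka_method": {"52": b"\x00" * 8, "48-14": "33", "53-6": "2"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, check_security_fields(msg) or "OK")
```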
Message Authentication Code (MAC)
We use the ANS X9.9 Option 1 (binary data) procedure with ISO 16609 CBC-mode Triple-DES (TDES) encryption of the data.
The MAC uses a double-length key.