Summary on “Card Not Present” transactions

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

Card not present transactions are no different from users entering sensitive data into any web-application– whether it is social security numbers, bank account numbers, passport numbers, etc., calling the foundation services of the SAKA requires the same design considerations as discussed in the preceding section.

The flexibility of the SAKA allows for many different use-cases:

Making tokens smaller or larger than 16-digits. Tokens may be as small as 7-digits or as large as 64, allowing for a wide variety of use-cases for tokenizing vast quantities of data;
Encrypting objects larger than credit-card numbers. The SAKA allows for encrypting up to 10,000 characters of text. This has allowed customers to encrypt objects such as Base64-encoded asymmetric key-pairs with digital certificates, bar-codes, images, XML objects, JSON objects, etc.
StrongAuth's free and open-source CryptoEngine library is capable of escrowing symmetric cryptographic keys – such as the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES) keys – on the SAKA, while the symmetric key itself is used to encrypt files of any-type and any-size. This allows for the encryption of objects significantly larger than the 10,000 characters of text that the SAKA allows, while still using the SAKA as a vault for storing keys centrally and securely;
Similarly, StrongAuth's free and open-source CryptoDriver software is capable of escrowing symmetric cryptographic keys on the SAKA, while the symmetric key itself is used to encrypt disk drives and volumes to protect data-at-rest. This has the benefit of mitigating losses for a stolen machine/disk since the decryption keys are not resident on the device.

StrongAuth is constantly adding value to the SAKA based on customer feedback and requirements. If there is a use-case you believe has not been addressed by StrongAuth, do let us know; we'll review it for potential inclusion into the SAKA “ecosystem”.

Application Design for “Card Present” transactions

In the credit-card industry, card present transactions represent transactions where the customer is buying products and services at a physical location where the merchant has the credit-card physically “present” in front of the merchant. The merchant, typically, swipes the credit-card in a reader – also called Magnetic Stripe Readers (MSR) because of the device's ability to read a magnetic stripe on the back of the credit-card containing sensitive CHD – attached to a “ point-of-sale” (POS) device as part of the transaction.

NOTE: In today's retail environment, POS devices may be a smartphone or tablet computer with a physically connected card-reader. Alternatively, they may be “ wireless” readers using one of many wireless protocols such as Near Field Communications (NFC), Bluetooth, etc. However, the principal concept is the same: the card is present in front of the merchant, adding a level of verification not found in “card not present” transactions.

Newer card-readers have the ability to encrypt the PAN and other sensitive data from the magnetic stripe as the card is swiped through the reader. Such encrypting readers use an encryption standard called the Derived Unique Key Per Transaction (DUKPT) algorithm conforming to the American National Standards Institute (ANSI) X9.24-1 – 2009 standard.

When StrongAuth's Card Crypto Service (CCS) module is deployed on the SAKA, it has the ability to decrypt the encrypted swipe, parse the content, re-encrypt the decrypted PAN using the SAKA's Foundation cryptographic services thus creating a token for the PAN, and returning the transaction to the calling application as a Javascript Object Notation (JSON) string. The JSON has all the information the merchant application needs to fulfill the purchase transaction while only getting the token instead of the original PAN. This has the benefit of providing end-to-end encryption between the MSR and the SAKA, shielding sensitive CHD from the POS application, networks, back-end merchant applications and anyone attempting to snoop for CHD.

NOTE: While the DUKPT algorithm is standardized for encrypting PAN, each MSR manufacturer has their own, proprietary, data-structure for creating the hex-encoded object containing the transaction content with the encrypted CHD. As such, not every MSR currently works with the SAKA CCS module. At the time of writing, StrongAuth has integrated specific devices from ID TECH (www.idtechproducts.com/) and Uniform Industrial Corporation (www.uicusa.com). If you have a need to work with other readers, we are open to integrating them into the SAKA; please contact us for details.

Design Consideration #5

When using the SAKA to process DUKPT-encrypted transactions, additional time may be needed for StrongAuth to integrate your choice of MSRs (if the current list of supported MSRs will not work for you). The MSR vendor-documentation and a sample reader with configurable Initial PIN Encryption Key (IPEK) or Initial Key (IK) tools will be necessary to add supported MSRs to the CCS module.

Design Consideration #5

The CCS module only returns JSON (www.json.org) strings embedded with transaction details with the token for the credit card used in the transaction. Your application must be capable of parsing this JSON string in the SOAP response of the webservice call, to get the transaction data.

Summary on “Card Present” transactions

Card present transactions are very specific in the format of the data-structure returned by the card-reader. StrongAuth's list of supported card-readers is currently limited; consequently, this may require planning for a little extra time to have your preferred card-reader integrated into the CCS module. Additionally, the application must be prepared to parse a JSON object in the response from the SAKA. Finally, since the CCS module uses the Foundation cryptographic services of the SAKA, all design considerations listed in the “Card Not Present” section still apply.

If you have any questions, please contact us at This email address is being protected from spambots. You need JavaScript enabled to view it.. Thank you.