CCS Module GetCardCaptureData Mechanics

Release Notes
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Back
Appendices
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Back
- Back

The GetCardCaptureData GCD) operation receives a card swipe (along with other parameters to authenticate and authorize the transaction), decodes it according to the manufacturer-specific definition of their swipe format, decrypts the track data using the DUKPT algorithm for data-decryption, and either tokenizes or returns the PAN (based on SAKA configuration parameters; by default, only a token is returned). It uses a previously stored BDK identified by the manufacturer ID. The web service operation requires six parameters:

DID	The unique encryption domain identifier.
username	The username (service-credential) within the encryption domain with the authorization to call this web service. The credential requires the Encryption privilege at a minimum, but may also require Decryption privileges within the encryption-domain if a plaintext PAN is to be returned.
password	The password of the username to authenticate the credential of the requester.
ccd	The hex-encoded data containing the captured data. Note that all CCS web services operate on hex-encoded data.
mfr	The numerical identifier of the manufacturer of the device that captured the card data.
dsn	The device serial number (DSN) of the device that captured the card data. This value is required, but only currently used for logging purposes.

When SAKA receives the request, it verifies the credentials presented in the web service operation against its internal database, or an optional LDAP directory server, and then determines their authorization to request the GetCardCaptureData service by determining if they are a member of the EncryptionAuthorized group. Note that if using LDAP, this group and its members must be created in the LDAP directory as a distinct task of the installation process of SAKA; when using the SAKA internal database, this group is created automatically.

If the requester is authorized, SAKA starts by decoding the ccd parameter based on the manufacturer-specific format. The manufacturer can be provided with the mfr parameter, or optionally set automatically via the SAKA configuration property strongkeylite.cfg.property.defaultmanufacturer. If the swipe is properly formatted and can be successfully decoded, the encrypted track data is decrypted using the BDK loaded for this manufacturer. The track data is then parsed to extract details such as Expiration Date, IssuerID, Cardholder Name, etc.

By default, the PAN will be encrypted by the appliance and a token will be returned in the response. If tokenization is not desired, the SAKA configuration property strongkeylite.cfg.property.ccsautodelete must be set to true. Alternatively or in addition to returning a token, the PAN can be returned in a plaintext format if the SAKA configuration property strongkeylite.cfg.property.ccsplaintextpan is set to true. When strongkeylite.cfg.property.ccsplaintextpan is true, the service credential requesting the PAN must also be a member of the DecryptionAuthorized group in addition to being a member of the EncryptionAuthorized group.

On success, the following will be returned, either as a JSON or XML string; in the case of SOAP, the JSON or XML string is embedded in the objectContent attribute of the CCReturnObject object:

DID	Unique encryption domain identifier for the domain that serviced this request.
SRID	Unique request identifier for this transaction.
Token	(Optional) If `strongkeylite.cfg.property.ccsautodelete` is set to false (default: false), a token value is returned that references the PAN. This token can always be supplied to the decrypt web service by authorized applications for recovery of the PAN.
PAN	(Optional) If `strongkeylite.cfg.property.ccsplaintextpan` is set to true (default: false), the plaintext PAN from the swipe is returned.
ExpiryDate	Four digits to represent the expiration month and expiration year of the card.
ExpiryMonth	Two digits to represent the expiration month of the card.
ExpiryYear	Two digits to represent the expiration year of the card.
MaskedPAN	Masked PAN as received in any available masked data provided in the swipe.
Digest	Always null. Reserved for future use.
Valid	True if this PAN conforms to the Luhn Algorithm.
Exists	(Optional) If `strongkeylite.cfg.property.ccsautodelete` is set to false (default: false), Exists will be true if this PAN is already encrypted by the appliance.
AssociationID	The Card Association ID recovered from the track data.
IssuerID	The Card Issuer ID recovered from the track data.
CardholderName	The full name of the cardholder.
Firstname	The first name of the cardholder.
Lastname	The last name of the cardholder.
Track2	(Optional) If `strongkeylite.cfg.property.ccsprocesstrack2` is set to true (default: false), track2 data will be returned. If `strongkeylite.cfg.property.ccsautodelete` is false, the PAN portion of the track2 data will be replaced with a token. If `strongkeylite.cfg.property.ccsplaintextpan` is true, the track2 data will be returned raw, even if `strongkeylite.cfg.property.ccsautodelete` is false. If `strongkeylite.cfg.property.ccsautodelete` is true but `strongkeylite.cfg.property.ccsplaintextpan` is false, the Track2 element will be null as neither a token or the PAN is authorized for return.
Notes	Always null. Reserved for future use.