Blog

DUKPT Within a Point of Sale Environment: How Does It Work?

Written by David Close, Chief Solutions Architect | Sep 15, 2014 5:00:00 AM
Point-of-sale devices are used every day, yet few people know just how their cardholder information is kept secure during each transaction. POS devices typically safeguard data using an encryption key management generation method called DUKPT, or Derived Unique Key Per Transaction. For every transaction, a new, non-reusable key is made that cannot lead back to the original base key, keeping all the POS devices in the organization safe in the event of one device being compromised.

The process may only take a few seconds when you’re standing in line at the grocery store, but within the POS device, a lot is happening. Essentially, one Base Derivation Key (BDK) is used to initiate the DUKPT process. The BDK itself is never exposed, but instead is used to create another key, called an initial key. This initial key is injected into the new POS device along with a Key Serial Number containing identifying information for the host application. The initial key is used to create a pool of encryption keys, and during each transaction, one of the keys is selected from the pool to encrypt information. After the data is sent, the current key is used to create additional future keys, and then it is erased, removing any information about a previous transaction.

Derived keys keep information safe. The process cannot be reversed to lead back to the BDK, and if one of the keys were compromised in a POS device, it would immediately be replaced by a new key in the next transaction. Through derivation, DUKPT forms a self-recycling system that promotes security, efficiency, and ease of implementation.