However, all three depend on one thing you may not expect: encryption keys.
When we pay with a card, we like to trust the vendor’s payment terminal is safe. That trust is possible thanks to encryption keys. Whenever we grab a hotdog, pick up some paint, or pay for a haircut, encryption keys protect our payment data.
But how do the encryption keys get into the payment terminal? More importantly, how do we know they’re secure?
First, let’s talk about keys.
Encryption keys defined
Encryption keys are strings of random characters. Encryption algorithms use keys to encrypt and decrypt sensitive data. Without the key, data is unreadable. It is the same in reverse: the key makes data readable again.
There are many different kinds of encryption keys. For example, PIN encryption keys (PEK) encrypt and decrypt PINs. Master encryption keys (MEK) encrypt other keys. Random number generators (RNG) create the keys.
Organizations use Hardware Security Modules (HSMs) to create and store the encryption keys. HSMs are the most secure way to run encryption algorithms.
How do encryption keys get from the HSM into the payment terminal?
The answer is through secure key injection.
What is secure key injection?
Key injection (sometimes called key loading) transfers encryption keys to a payment device. Payment devices include point-of-sale (POS) or point-of-interaction (POI) terminals and ATMs. They capture cardholder data, like customer PINs, and use keys to encrypt it.
The encrypted data goes to a payment processor or gateway. It finally arrives at the customer’s bank, which decrypts and validates the data. The bank then sends an approval message back to the payment device.
When you see the “Approved” message on a payment terminal, that’s the final step. Secure key injection made it all possible.
Secure key injection deployment
Before your hotdog vendor or hardware store can use a POS terminal, the terminal’s distributor has to load it with keys. There are different ways for them to do so.
A common way is direct key injection. The operator connects a POS device to an HSM or key loading device (KLD). Then they transfer a top-level key that will encrypt all future keys. A top-level key might be an MEK or a key transfer key (KTK).
To make sure top-level keys remain secure, PCI PIN regulations requires the operator to inject them in a secure room or facility. An encrypted TLS connection is also necessary.
Key injection can involve complex logistics. But it doesn’t always need manual effort.
Remote key loading (RKL)
Remote key loading (RKL) is a cloud-based method of key injection. With RKL, a remote key management server distributes encryption keys to devices over a network. This reduces manual effort.
RKL uses asymmetric encryption and public key infrastructure (PKI). PKI secures the network over which keys are loaded. Digital certificates help establish PKI-authenticated connections between device endpoints and the network.
PKI allows RKL to service entire networks of payment devices deployed in the field.
RKL creates a flexible key injection process . For example, you might run a cloud key injection solution on a laptop and connect it to a KLD or payment device to inject keys.
Key loading devices (KLDs)
Not every HSM can interface directly with payment terminals. Likewise, not every HSM can injects keys. In these cases, a key loading device (KLD) may serve as a “middle-man” between the HSM and payment terminal. The KLD receives encrypted keys from an HSM. It then transfers those keys to the payment device.
Key injection in a nutshell
After encryption keys are injected into a payment device, the device uses the keys to encrypt cardholder data. The encrypted data is then sent through a network of payment processors and banks. These organizations verify the data and approve the transaction.
Without secure key injection, electronic payment systems wouldn’t be secure. With secure key injection, you know your payment data is protected.
That way, whether in the checkout aisle or at the café table, you can trust that your card data is secure.