PIN Key

Colombia

A Key Exchange Key (KEK), often known as the Zone Control Master Key (ZCMK), will be shared by Fiserv so that Dynamic PIN Encryption Keys can be exchanged using APIs. The KEK will be provided by Fiserv Infosec to the aggregator in a secure manner. From then on, the PIN Encryption Key (PEK) must be exchanged dynamically using the API, which encrypts the PEK using the KEK. Any new aggregator must follow the Key Ceremony.

PIN Encryption

You need to perform the dynamic key exchange with Fiserv. Below is the process flow to exchange the key:

  • Aggregators send the Authentication / logon request.

  • APIGEE passes the logon request to the CP API Module.

  • The CP API Module determines the Aggregator using the Key ID.

  • The CP API Module sends the request to the API Module. The request body will have the Key ID, Purpose (PIN Key or Data Key) and LABEL/Caller information.

    • Master Key ID - Master Key ID
    • Purpose - This field determines whether the key is requested for PIN or Data encryption.
    • LABEL/Caller - This field will represent the Aggregator.
  • The API Module sends the following in the response to the aggregator:

    • Key ID
    • Key Value
    • Key Check Value
    • Expiry Date Time


Logon Expiry

The Card Present Layer defines the time for which a logon is valid. If a transaction is received with an "Expired Key ID", the transaction request will be declined.

Example – If the logon expiry time is 4 hours and the first logon request is received at 2:00 PM, then this logon will expire at 6:00 PM. The aggregator submits a new logon request before the expiry, so the session logon time is extended for the next 4 hours.
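
The following aggregator-side sketch of the expiry rule above is an added example, not Fiserv code: it renews the logon shortly before the Expiry Date Time and refuses to use an expired Key ID, since such a transaction would be declined. The JSON field names, the ISO 8601 timestamp format, the 10-minute renewal margin and the `fake_logon` stand-in are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: renew this long before expiry to absorb latency and clock skew.
RENEW_MARGIN = timedelta(minutes=10)

class KeyExpiredError(Exception):
    """The current Key ID is past its expiry; a transaction using it would be declined."""

@dataclass(frozen=True)
class LogonKey:
    key_id: str
    kcv: str
    expires_at: datetime  # always timezone-aware, normalised to UTC

def parse_logon_response(resp: dict) -> LogonKey:
    # Hypothetical field names for Key ID, Key Check Value and Expiry Date Time.
    # Key Value handling is out of scope for this tracker.
    expires = datetime.fromisoformat(resp["expiryDateTime"])
    if expires.tzinfo is None:
        raise ValueError("expiry must carry a UTC offset to be compared safely")
    return LogonKey(resp["keyId"], resp["keyCheckValue"], expires.astimezone(timezone.utc))

class KeySession:
    """Tracks the current logon and re-logs on before it expires."""

    def __init__(self, logon):
        self._logon = logon  # callable(now) -> response dict; performs the logon request
        self._key = None

    def key_for_transaction(self, now: datetime) -> LogonKey:
        # Renew ahead of expiry so no transaction is sent with an expired Key ID.
        if self._key is None or now >= self._key.expires_at - RENEW_MARGIN:
            self._key = parse_logon_response(self._logon(now))
        # Fail locally rather than submit a transaction that will be declined.
        if now >= self._key.expires_at:
            raise KeyExpiredError(self._key.key_id)
        return self._key

def fake_logon(now: datetime) -> dict:
    """Constructed stand-in for the logon API: each logon is valid for 4 hours.
    Issuing a new Key ID on every logon is an assumption of this stub."""
    fake_logon.calls += 1
    return {"keyId": f"KEY-{fake_logon.calls}", "keyCheckValue": "000000",
            "expiryDateTime": (now + timedelta(hours=4)).isoformat()}
fake_logon.calls = 0
```

With a logon at 2:00 PM, the tracker keeps returning the same key until 5:50 PM and performs a new logon on the first transaction after that.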