[ KL / GLOSSARY ]
Plain-English definitions of the terms that actually matter when you work on payment HSMs, key management, and PIN security. No textbook fluff — just what you need to read the spec, debug the call, or pass the audit.
DUKPT (Derived Unique Key Per Transaction): A key-management scheme that derives a unique encryption key for every transaction from a single Base Derivation Key, so that compromise of a terminal does not expose the keys used in earlier transactions (forward secrecy).
ZMK (Zone Master Key): A double- or triple-length 3DES (or AES) key shared between two organizations to securely transport working keys (ZPK, BDK, etc.) across their boundary.
ZPK (Zone PIN Key): A working 3DES (or AES) key used to encrypt PIN blocks for transmission between two organizations. Transported under a ZMK during key exchange.
KEK (Key Encryption Key): Any cryptographic key whose sole purpose is to protect other keys (working keys, session keys, transport keys) during storage or transmission. Forms the foundation of hierarchical key management.
TR-34: An ASC X9 standard for transporting symmetric keys between HSMs using asymmetric (RSA) cryptography and digital certificates, eliminating the need for clear-component key ceremonies.
BDK (Base Derivation Key): The master symmetric key held only on an acquirer HSM, from which every terminal-specific IPEK is derived using the terminal's Key Serial Number under DUKPT.
IPEK (Initial PIN Encryption Key): The per-terminal symmetric key loaded into a POS device at injection time, derived from the BDK and the terminal's KSN. The IPEK is the only DUKPT-related key that ever lives on a terminal.
KSN (Key Serial Number): A counter-plus-identifier value transmitted with every DUKPT-encrypted transaction. It tells the receiving HSM exactly which derivation path under the BDK reproduces the matching transaction key.
TR-31 (ANSI X9.143): An ASC X9 / ANSI X9.143 standard that wraps a symmetric key together with cryptographically bound attributes (type, usage, algorithm, mode), preventing an attacker from misusing the wrapped key as a different key type.
KCV (Key Check Value): A short hash-like fingerprint of a cryptographic key (typically 3 or 6 bytes) used to verify that two parties hold the same key without revealing it.
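As an added example that is not part of this glossary, the zero-block KCV computation the last entry describes, written in Go with only the standard library: encrypt one all-zero block under the key and keep the first three bytes. The function names `KCV` and `KCVMatches` are mine, the double-length 3DES expansion to K1|K2|K1 is the conventional one, and it assumes the legacy zero-block method (the CMAC-based check value defined for AES in newer profiles is not shown).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// KCV returns the zero-block check value of a symmetric key: the first three
// bytes of one all-zero block encrypted under the key, as six hex digits.
// alg is "3DES" (16- or 24-byte key) or "AES" (16/24/32-byte key). Newer AES
// profiles define a CMAC-based check value instead; that variant is not shown.
func KCV(alg string, key []byte) (string, error) {
	var block cipher.Block
	var err error
	switch strings.ToUpper(alg) {
	case "3DES":
		k := key
		if len(key) == 16 { // double-length key: expand to K1|K2|K1
			k = append(append([]byte{}, key...), key[:8]...)
		}
		block, err = des.NewTripleDESCipher(k)
	case "AES":
		block, err = aes.NewCipher(key)
	default:
		return "", fmt.Errorf("unsupported algorithm %q", alg)
	}
	if err != nil {
		return "", err
	}
	zero := make([]byte, block.BlockSize())
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, zero)
	return hex.EncodeToString(out[:3]), nil
}

// KCVMatches is the receiving side's check after a key exchange: compute the
// KCV over the key it installed and compare it with the KCV the counterparty
// reported. Only the 3-byte fingerprint ever crosses the wire, never the key.
func KCVMatches(alg string, installedKey []byte, reportedKCV string) (bool, error) {
	got, err := KCV(alg, installedKey)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(got, reportedKCV), nil
}
```

A mismatch proves the two sides hold different keys; a match is only a 24-bit check, so it confirms a successful exchange rather than serving as a security control.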