What is a Base Derivation Key?
A Base Derivation Key (BDK) is the symmetric root key of an entire DUKPT terminal estate. It lives exclusively inside the acquirer's HSM cluster and never appears anywhere else — not on a terminal, not in source control, not in a backup file in clear form. Every Initial PIN Encryption Key (IPEK) loaded into every terminal in the estate is derived from this single BDK plus that terminal's unique Key Serial Number (KSN).
The BDK is the most sensitive key an acquirer holds: anyone with the clear BDK can derive every IPEK ever loaded under it, and from any IPEK can derive any transaction key ever produced by that terminal. PCI PIN Security and FIPS 140-3 mandate that the BDK be loaded only via split-knowledge / dual-control component ceremonies, exist at rest only encrypted under the LMK, and be rotated when a terminal containing IPEKs derived from it is decommissioned under circumstances that could have compromised it.
BDK vs IPEK vs Transaction Key
BDK (root, in HSM only) → IPEK (per-terminal, loaded into the terminal once at injection) → Transaction Key (per-transaction, derived inside the terminal on each use). This three-tier hierarchy is what gives DUKPT its forward-secrecy property: knowing a transaction key compromises only that single transaction; knowing an IPEK compromises only past transactions on one specific terminal; only the BDK compromises the entire estate.
Concretely: a 3DES BDK is 16 bytes (128 bits). Combined with a 10-byte KSN, it produces an IPEK that is injected once and then used to derive up to 1,048,575 transaction keys before the terminal must be re-keyed. AES DUKPT widens these to 16-byte BDKs (AES-128) or 32-byte BDKs (AES-256), with 12-byte KSNs supporting ~16 million transactions per IPEK.
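The BDK → IPEK step described above, as an added Go example (not code from the original page): it implements the ANSI X9.24-1 TDES IPEK derivation that the acquirer's HSM performs at injection time, using the published X9.24 test vector rather than a real key. The `DeriveIPEK` and `tdesEncryptBlock` names are this example's own, and the BDK appears in clear here only because it is a public test value; in production this computation never leaves the HSM.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// ipekMask is the fixed mask XORed into the BDK to derive the right half of the IPEK (X9.24-1).
var ipekMask = []byte{0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0, 0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0}

// tdesEncryptBlock encrypts one 8-byte block under a 16-byte double-length TDES key (K1 K2 K1).
func tdesEncryptBlock(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err) // unreachable: the expanded key is always 24 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK derives the per-terminal IPEK from the 16-byte BDK and the
// terminal's 10-byte initial KSN, exactly as an HSM does at key injection.
func DeriveIPEK(bdk, ksn []byte) ([]byte, error) {
	if len(bdk) != 16 || len(ksn) != 10 {
		return nil, fmt.Errorf("BDK must be 16 bytes and KSN 10 bytes, got %d and %d", len(bdk), len(ksn))
	}
	// Derivation input: the left 8 bytes of the KSN with the 21-bit transaction counter cleared.
	base := make([]byte, 8)
	copy(base, ksn[:8])
	base[7] &= 0xE0 // the low 5 bits of byte 7 are the counter's top bits
	left := tdesEncryptBlock(bdk, base)
	masked := make([]byte, 16)
	for i := range bdk {
		masked[i] = bdk[i] ^ ipekMask[i]
	}
	right := tdesEncryptBlock(masked, base)
	return append(left, right...), nil
}

func main() {
	// Published X9.24 test vector (constructed input for this example, not a real acquirer key).
	bdk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	ksn, _ := hex.DecodeString("FFFF9876543210E00000")
	ipek, _ := DeriveIPEK(bdk, ksn)
	fmt.Printf("IPEK: %X\n", ipek) // 6AC292FAA1315B4D858AB3A3D7D5933A
}
```

Note that the same KSN with a non-zero counter yields the same IPEK, which is why the counter bits are cleared before derivation: the IPEK is fixed per terminal, and only the transaction keys derived from it advance with the counter.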