What is DUKPT?
DUKPT (Derived Unique Key Per Transaction) is a key-management technique standardized in ANSI X9.24 that produces a fresh, single-use encryption key for every transaction performed by a payment terminal. The scheme guarantees forward secrecy: even if an attacker extracts the current state of a compromised terminal, they cannot decrypt any past transactions. Conversely, knowledge of past transaction keys reveals nothing about future ones.
DUKPT was designed by Visa in the late 1990s for PIN encryption on point-of-sale terminals and has since become the de facto standard for both PIN and data encryption on POS, ATM, and mobile card-acceptance devices worldwide. The original specification used 3DES (X9.24-1) and is now being superseded by AES DUKPT (X9.24-3) under PCI PIN Security v3.1.
How DUKPT Works
A DUKPT system has three key roles. The Base Derivation Key (BDK) lives only on the acquirer-side HSM and never appears on a terminal. From the BDK, the acquirer computes a per-terminal Initial PIN Encryption Key (IPEK) using the terminal's unique Key Serial Number (KSN). The IPEK is injected into the terminal during manufacturing or in a secure facility — only the IPEK ever reaches the terminal, not the BDK.
For each transaction, the terminal uses the IPEK plus its current KSN (which increments on every transaction) to derive a fresh Transaction Key. After the key is used, the IPEK and any intermediate state needed to recompute earlier keys are securely erased — this is the property that gives DUKPT its forward secrecy. The terminal sends the KSN alongside the encrypted PIN block, and the acquirer's HSM uses its BDK + the received KSN to derive the same Transaction Key and decrypt the block.
DUKPT in the Real World
Every Verifone, Ingenico, PAX, and Castles terminal you encounter at a checkout counter or restaurant runs DUKPT. The encrypted PIN block field (field 52 in ISO 8583) is the output of DUKPT-derived 3DES or AES encryption. The KSN (typically 10 or 12 bytes for 3DES DUKPT, 16 bytes for AES DUKPT) accompanies it in field 53 or in a TR-31 key block.
For developers, the practical implication is this: when you receive an encrypted PIN block from a terminal, you cannot decrypt it without (a) the BDK that was used to inject that terminal's IPEK and (b) the exact KSN received. Both must match. This makes DUKPT-encrypted data far harder to misuse than statically keyed encryption — a leaked transaction key only compromises one transaction.
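The key hierarchy described under "How DUKPT Works" (BDK to IPEK to per-transaction key, with the terminal erasing anything that could recompute an earlier key) and the point just made about the acquirer needing both the BDK and the exact KSN can be seen in a small working model. The code below is an added example; it is not from this page, from X9.24, or from any terminal vendor. It keeps the X9.24-1 KSN layout (10 bytes, low 21 bits are the counter, counters with more than 10 set bits skipped) and the tree-shaped derivation and "future key" table of the standard, but replaces the 3DES non-reversible key generation with an HMAC-SHA256 step, which is a constructed stand-in. The BDK and KSN values are constructed samples.

```python
import hashlib
import hmac

COUNTER_BITS = 21          # X9.24-1 KSN: 59-bit initial key ID + 21-bit transaction counter
MAX_SET_BITS = 10          # X9.24-1 rule: counter values with more than 10 set bits are skipped
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    # One-way derivation step. Constructed stand-in for the X9.24 non-reversible
    # key generation process (which is 3DES-based); the structure, not the cipher, is the point.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:16]


def ksn_split(ksn: bytes):
    # Returns (initial KSN with the counter bits zeroed, transaction counter).
    n = int.from_bytes(ksn, "big")
    return (n & ~COUNTER_MASK).to_bytes(10, "big"), n & COUNTER_MASK


def ksn_join(initial_ksn: bytes, counter: int) -> bytes:
    n = int.from_bytes(initial_ksn, "big") & ~COUNTER_MASK
    return (n | counter).to_bytes(10, "big")


def derive_ipek(bdk: bytes, initial_ksn: bytes) -> bytes:
    # Acquirer side: the IPEK is a function of the BDK and the terminal's initial KSN.
    return kdf(bdk, b"IPEK", initial_ksn)


def derive_key(ipek: bytes, counter: int) -> bytes:
    # Walk the derivation tree from the IPEK: one step per set counter bit, MSB first.
    # This is what the acquirer HSM does; it costs at most MAX_SET_BITS steps per KSN.
    key, partial = ipek, 0
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if counter >> bit & 1:
            partial |= 1 << bit
            key = kdf(key, b"NRKG", partial.to_bytes(3, "big"))
    return key


def transaction_key(derived: bytes) -> bytes:
    # Working-key variant for PIN encryption (X9.24 applies an XOR mask here; we use a label).
    return kdf(derived, b"PIN", b"")


class Terminal:
    """Holds only the future-key table: never the IPEK, never a key that was already used."""

    def __init__(self, ipek: bytes, initial_ksn: bytes):
        self.initial_ksn, _ = ksn_split(initial_ksn)
        self.counter = 0
        # Slot i holds the derived key for the counter value with only bit i set.
        self.future = {i: derive_key(ipek, 1 << i) for i in range(COUNTER_BITS)}
        # The IPEK is not stored; a real terminal zeroises it at this point.

    def next_transaction(self):
        c = self.counter + 1
        while bin(c).count("1") > MAX_SET_BITS:   # skip counters the tree does not reach
            c += 1
        if c > COUNTER_MASK:
            raise RuntimeError("IPEK exhausted; terminal needs re-injection")
        self.counter = c
        low = (c & -c).bit_length() - 1          # index of the lowest set bit of c
        derived = self.future.pop(low)           # key for this transaction; removed from state
        if bin(c).count("1") < MAX_SET_BITS:
            # Children: this counter with one additional lower bit set, stored for later use.
            for j in range(low):
                self.future[j] = kdf(derived, b"NRKG", (c | 1 << j).to_bytes(3, "big"))
        return ksn_join(self.initial_ksn, c), transaction_key(derived)


def acquirer_key(bdk: bytes, ksn: bytes) -> bytes:
    # Acquirer side: BDK + the received KSN, nothing else, reproduces the transaction key.
    initial_ksn, counter = ksn_split(ksn)
    return transaction_key(derive_key(derive_ipek(bdk, initial_ksn), counter))


def demo(transactions: int = 5):
    # Constructed sample values; any BDK/KSN pair would do.
    bdk = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
    initial_ksn = bytes.fromhex("FFFF9876543210E00000")   # counter bits are zero
    term = Terminal(derive_ipek(bdk, initial_ksn), initial_ksn)
    used = []
    for _ in range(transactions):
        ksn, tk = term.next_transaction()
        assert acquirer_key(bdk, ksn) == tk    # HSM derives the same key from BDK + KSN
        used.append(tk)
    # Forward secrecy: the state left on the terminal yields none of the keys already used.
    leftover = {transaction_key(k) for k in term.future.values()}
    return all(tk not in leftover for tk in used), term.counter


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the prose only states: the acquirer's `derive_key` needs the exact counter from the KSN (one bit off gives an unrelated key), and after `next_transaction` the only material on the terminal is a table of keys for counters strictly greater than the current one, each reachable only through a one-way step from a key that has been discarded. AES DUKPT (X9.24-3) keeps this shape with a 12-byte KSN and 32-bit counter and AES-based derivation data; the constants and `kdf` are what would change.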
AES DUKPT vs 3DES DUKPT
The original 3DES DUKPT specification (X9.24-1) uses 112-bit double-length 3DES keys, 80-bit truncated KSNs, and a derivation tree that limits a single IPEK to 1,048,575 transactions before exhaustion. AES DUKPT (X9.24-3, published 2017) modernizes the scheme: it supports AES-128, AES-192, and AES-256 working keys, expands the KSN to 12 bytes (with derived 32-bit transaction counters), and supports up to 16 million transactions per IPEK.
PCI PIN Security v3.1 (December 2021) marks AES DUKPT as the preferred algorithm for new deployments and is gradually phasing out 3DES-based PIN encryption. The migration is technically straightforward — the protocol structure is identical, only the underlying cipher and KSN width change — but operationally significant because every terminal in the field must be re-injected with AES IPEKs.