IPEK — Initial PIN Encryption Key

The Initial PIN Encryption Key (IPEK) is the seed key for DUKPT key derivation on a specific terminal. It is derived once on the acquirer's HSM from the BDK + the terminal's Key Serial Number, then loaded into the terminal via a secure injection process. From that moment forward, the terminal uses the IPEK + its current KSN counter to derive a new Transaction Key for every payment, then securely erases the keys it can no longer produce.

The "Initial" in IPEK is literal: it is the value loaded at terminal initialization, and the actual encryption work is done by Transaction Keys derived from it on-the-fly. PCI PIN Security mandates that the IPEK never leaves the secure cryptographic boundary of the terminal once injected — it cannot be exported, printed, or relayed back to the acquirer.

Loading the IPEK into a terminal is called key injection. Historically, this was done at a Secure Cryptographic Device (SCD) in a controlled facility — the terminal was physically connected to a Key Loading Device (KLD) that decrypted and inserted the IPEK. Modern terminals support Remote Key Injection (RKI) using TR-31 wrapping over a TLS tunnel authenticated with X.509 device certificates, or asymmetric protocols like TR-34, eliminating the need for physical key facilities.

Either way, the injection ceremony itself never sees the clear IPEK outside of an SCD. PCI PIN Security Annex A spells out the integrity and authenticity requirements for each step. The same protocols are used for re-injection when an IPEK is exhausted (after 1M transactions for 3DES) or when a BDK is rotated.