What is a Zone Master Key?
A Zone Master Key (ZMK) is a Key Encryption Key (KEK) used to securely transport other keys between two payment-processing organizations — for example, between an acquirer and an issuer, or between an issuer and its card-personalization bureau. A ZMK never encrypts transactions directly; it exists solely to protect lower-level working keys during their journey across an organizational boundary.
ZMKs are exchanged using key-component ceremonies under split knowledge and dual control: typically two or three trusted officers from each organization each hold one component, and the components are XORed together inside each side's HSM to form the final ZMK. No single individual ever possesses the entire key.
How ZMKs are Used
Once both organizations have loaded the same ZMK into their HSMs, they can exchange working keys (Zone PIN Keys, Base Derivation Keys, MAC Keys, etc.) by simply encrypting the working key under the ZMK and transmitting the ciphertext. The receiving side decrypts under its copy of the ZMK and imports the working key under one of its own Local Master Keys (LMKs).
On a Thales payShield HSM, this exchange is performed with commands like A6 (Import Key Under ZMK) and A8 (Translate Key from ZMK to LMK). Atalla and Futurex HSMs have analogous commands. The ZMK can be a double-length 3DES key (128 bits effective) or, in modern AES-based deployments, an AES-256 key.
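The component ceremony and the ZMK-to-LMK translation described above, as an added Go example that is not vendor code from any HSM: it assumes an AES-256 ZMK and LMK, a 16-byte working key, and raw single-block AES in place of a vendor key-block format (the function names are hypothetical).

```go
package main

import "crypto/aes"
import "errors"

// CombineComponents XORs the components held by separate key officers into the
// final ZMK; any single component reveals nothing about the result.
func CombineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("split knowledge needs at least two components")
	}
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return key, nil
}

// Wrap encrypts (or, with decrypt set, decrypts) one 16-byte working key under
// a KEK. Real HSM key blocks also bind usage attributes and a MAC (omitted here).
func Wrap(kek, key []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(kek) // a 32-byte KEK selects AES-256
	if err != nil || len(key) != aes.BlockSize {
		return nil, errors.New("bad KEK or working key length")
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, key)
	} else {
		c.Encrypt(out, key)
	}
	return out, nil
}

// TranslateZMKToLMK is the receiving HSM's import step: decrypt under the shared
// ZMK, re-encrypt under the local LMK; the clear key never leaves this function.
func TranslateZMKToLMK(zmk, lmk, keyUnderZMK []byte) ([]byte, error) {
	plain, err := Wrap(zmk, keyUnderZMK, true)
	if err != nil {
		return nil, err
	}
	return Wrap(lmk, plain, false)
}

func main() {} // nothing to run on its own; the functions above are the example
```

Comparing the first three bytes of Wrap(zmk, zeroBlock, false) on both sides is the usual key check value test that confirms both HSMs assembled the same ZMK without disclosing it.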
ZMK vs LMK vs KEK
The Local Master Key (LMK) is the topmost key inside a single HSM — every other key on that HSM is encrypted under the LMK at rest. The LMK never leaves the HSM in clear form and is only ever known component-by-component.
A KEK (Key Encryption Key) is any key used to encrypt other keys. The ZMK is a specific kind of KEK — one designated for cross-organizational key transport. Within a single organization, you might also have an internal KEK used to transport keys between two HSMs you control; that is not a ZMK because it does not cross a trust boundary.