What is a Zone PIN Key?
A Zone PIN Key (ZPK) is the working key that actually encrypts PIN Blocks crossing between two payment-processing zones. When a cardholder enters a PIN at an acquirer's ATM and that PIN must be sent to the issuer for verification, the PIN Block is encrypted under the acquirer-to-issuer ZPK before leaving the acquirer's HSM, then decrypted on the issuer's HSM using the same ZPK.
Each pair of organizations that exchange PINs has its own dedicated ZPK. A bank that acquires from 50 networks and issues to 200 might have hundreds of distinct ZPKs in active rotation. PCI PIN Security requires ZPK rotation at least annually (sooner if compromise is suspected).
How ZPKs Are Established
A new ZPK is generated on one side's HSM (typically the side that "owns" the connection, usually the larger institution), wrapped under the previously established Zone Master Key (ZMK) shared with the counterparty, and transmitted. The receiving side imports the ZPK under the ZMK and stores it locally, encrypted under its own Local Master Key (LMK). From that point forward, both sides can use the ZPK to encrypt and decrypt PIN Blocks for that specific zone.
On a Thales payShield HSM, the typical lifecycle is: A0 (Generate Key) produces a fresh ZPK encrypted under the local LMK; A8 (Translate Key) re-encrypts it under the ZMK for transmission; on the receiving side, A6 (Import Key Under ZMK) brings it in. From that point, CA (Translate PIN) uses the ZPK to translate PIN blocks across zones.
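The wrapping chain described above, as an added software model in Go (not payShield code and not from the original page). It assumes double-length 3DES in plain ECB for every wrap, which stands in for the HSM's real LMK and ZMK schemes; `ecb`, `Rewrap`, `Lifecycle` and all key and PIN block values are hypothetical and constructed, and both parties run in one process only so the round trip can be checked.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// ecb runs double-length 3DES (K1||K2||K1) in ECB mode over 8-byte-aligned data.
func ecb(key16, data []byte, encrypt bool) []byte {
	k := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	out, op := make([]byte, len(data)), c.Decrypt
	if encrypt {
		op = c.Encrypt
	}
	for i := 0; i < len(data); i += 8 {
		op(out[i:i+8], data[i:i+8])
	}
	return out
}

// Rewrap models key translation: unwrap under one key-encrypting key, wrap under another.
func Rewrap(fromKEK, toKEK, wrapped []byte) []byte {
	return ecb(toKEK, ecb(fromKEK, wrapped, false), true)
}

// Lifecycle returns the PIN block the issuer recovers plus the ZPK cryptogram each side stores.
func Lifecycle(pinBlock []byte) (recovered, zpkA, zpkB []byte) {
	k := make([]byte, 64) // constructed random LMK-A, LMK-B, ZMK and new ZPK
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	lmkA, lmkB, zmk := k[:16], k[16:32], k[32:48]
	zpkA = ecb(lmkA, k[48:], true)       // generate: fresh ZPK held under the acquirer LMK
	inTransit := Rewrap(lmkA, zmk, zpkA) // export: LMK -> ZMK, the form that is transmitted
	zpkB = Rewrap(zmk, lmkB, inTransit)  // import: ZMK -> issuer LMK for local storage
	enc := ecb(ecb(lmkA, zpkA, false), pinBlock, true) // acquirer encrypts under the ZPK
	return ecb(ecb(lmkB, zpkB, false), enc, false), zpkA, zpkB
}

func main() {
	rec, a, b := Lifecycle([]byte{0x04, 0x12, 0x26, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}) // constructed block
	fmt.Printf("recovered=%X\nZPK under LMK-A=%X\nZPK under LMK-B=%X\n", rec, a, b)
}
```

The two stored cryptograms differ even though they protect the same ZPK, because each side holds it under its own LMK and the ZMK form exists only in transit.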