
I work on a payments system. So DUKPT keys are a must-have requirement. In most cases PIN and Card data are encrypted using DUKPT keys. However, every time we have checked with AWS, we have found that none of the HSMs available on their cloud are DUKPT capable. That is obviously a non-starter for us. Can some experts here shed some light on this? Have you run into this problem on AWS? How have you worked around this AWS limitation (short of moving away from AWS)?

Fayez

1 Answer


DUKPT is required for payment processing because PIN pads are comparatively weak HSMs running on low horsepower devices that are at high risk of being stolen and attacked. DUKPT exists to meet several security requirements, including the protection of past keys, the efficient production of future keys, and to ensure datagrams are always different. AWS HSMs aren’t subject to the same limits or risks, and since their capabilities include cryptographically secure pseudo random number generation, DUKPT doesn’t make sense on that platform.

Instead of asking AWS to meet DUKPT requirements, ask your payment provider for alternatives that work in AWS.

John Deters
  • Acquirers use DUKPT keys due to reasons you have explained. We have projects on the roadmap that require those keys to be put in our gateway's HSM, instead of having them injected in the terminal. It will be an uphill task to get the acquirers to change their key management scheme for us. – Fayez Jul 26 '19 at 19:38
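To make the three properties the answer lists concrete (past keys unrecoverable, future keys cheap to derive, every transaction under a fresh key), here is an added Python example that is not from the question, the answer, AWS or any X9.24 implementation: a host-side derivation from an initial key (IPEK) and counter, beside a terminal model that erases each key once used. It keeps X9.24's 21-bit counter and ten-one-bit structure but substitutes HMAC-SHA256 for the standard's TDES/AES derivation step, and the IPEK value in the usage below is constructed.

```python
import hmac
import hashlib

COUNTER_BITS = 21   # X9.24 transaction counter width
MAX_ONE_BITS = 10   # X9.24 skips counter values with more than ten one-bits

def derive_child(parent: bytes, node: int) -> bytes:
    """One-way step from a parent key to the key of child `node` (a counter prefix).
    HMAC-SHA256 stands in for the X9.24 TDES/AES non-reversible derivation (assumption)."""
    return hmac.new(parent, node.to_bytes(3, "big"), hashlib.sha256).digest()[:16]

def host_transaction_key(ipek: bytes, counter: int) -> bytes:
    """Host side (acquirer/gateway HSM): recompute the key for one counter value by
    walking its one-bits from most to least significant, at most ten derivations."""
    if not 0 < counter < (1 << COUNTER_BITS) or bin(counter).count("1") > MAX_ONE_BITS:
        raise ValueError("not a valid DUKPT counter value")
    key, node = ipek, 0
    for i in range(COUNTER_BITS - 1, -1, -1):
        if counter & (1 << i):
            node |= 1 << i
            key = derive_child(key, node)
    return key

class Terminal:
    """Terminal side: stores only keys for counter values not yet used (at most 21)."""

    def __init__(self, ipek: bytes):
        self.counter = 0
        self.future = {}                       # node value -> key
        self._fan_out(ipek, 0, COUNTER_BITS)   # children derived; the IPEK itself is not kept

    def _fan_out(self, key: bytes, node: int, below: int):
        # Each child of `node` adds one one-bit below node's lowest one-bit
        for i in range(below):
            child = node | (1 << i)
            if bin(child).count("1") <= MAX_ONE_BITS:
                self.future[child] = derive_child(key, child)

    def next_transaction_key(self) -> bytes:
        c = self.counter + 1
        while c < (1 << COUNTER_BITS) and bin(c).count("1") > MAX_ONE_BITS:
            c += 1
        if c >= (1 << COUNTER_BITS):
            raise RuntimeError("counter exhausted; terminal needs a new IPEK")
        key = self.future.pop(c)                           # erased from the device once used
        self._fan_out(key, c, (c & -c).bit_length() - 1)   # bits below c's lowest one-bit
        self.counter = c
        return key
```

After any number of transactions the terminal holds only keys for counters above its current value, so a stolen device yields no past transaction keys, while the host can still recompute any key from the IPEK and counter alone.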