KeyBRIDGE Newsletter - GEOBRIDGE Corporation

February 5, 2015
KeyBRIDGE™ Newsletter
GEOBRIDGE Corporation
(703) 857-2100
• What’s New
What’s New
• payShield 9000
KeyBRIDGE Product Line:
• Ask the
KeyBRIDGE Key Management Solution (KMS) which includes integrated
functionality with Host Security Module (HSM) units is now available. For
pricing and license options please contact your GEOBRIDGE sales
representative @ [email protected]
• Did You Know?
• About
PCI released PCI PIN Security Requirements 2.0 in December 2014. In order
to help our customers understand what the new requirements mean to their
operations, we are scheduling webinars to review the updates and changes.
Contact [email protected] to schedule your webinar today!
The following PEDs are now available for customers with an active support
o IDTech SecureMag IDRE-33XXXX
o Ingenico iPP350
GEOBRIDGE will be attending TRANSACT 15 ETA Annual Conference in
San Francisco March 31st – April 4th. We will be scheduling meetings with our
customers and vendors during the conference. We look forward to seeing you
All PED Certification requests and
inquiries should be submitted to
[email protected]
All KeyBRIDGE 2100 appliances should
be running on firmware version 4.2 or
higher. Firmware version 3.0 and earlier
are no longer supported.
KeyBRIDGE Newsletter
Page 2 of 4
payShield 9000 Integration with KeyBRIDGE
Keep an eye out for
upcoming newsletters
and press releases as
additional third party
HSMs are integrated
with KeyBRIDGE.
For organizations that utilize HSMs to process and support financial payment
transactions, key generation and key export activities pose unique challenges
when it comes to day-to-day key management activities. These keying activities
often take significant planning, including scheduling of personnel, managing
access to secure, physically and/or geographically isolated data centers, and
oversight of related keying materials and equipment. The KeyBRIDGE product
line now offers Thales® payShield 9000 HSM integration that allows
organizations to support and manage keying generation and key export activities
through the KeyBRIDGE user interface, giving users better control and better
access to complete key generation and key management functions.
By integrating with the Thales® payShield 9000, KeyBRIDGE is able to reduce
the number of required steps, allowing organizations to save time and
resources. With its easy to navigate user interface, users are able to quickly
perform key management tasks. Additionally, KeyBRIDGE allows users to
securely store keys on the appliance and export them under LMK encryption. In
addition to simplifying key generation activities, KeyBRIDGE also features
automated audit logging and full key lifecycle management. KeyBRIDGE tracks
the full history of a key generated or imported to the appliance, including all
instances of key export and specific key details.
Setup of the payShield HSMs is a quick and easy process. Up to twenty
payShield devices may be connected to the KeyBRIDGE appliance at one time
and up to two LMKs may be managed per HSM. Once the serial connection has
been established, the HSM and KeyBRIDGE share a unique, triple length DES
key, which is then used to encrypt keys passed between KeyBRIDGE and the
HSM for LMK encryption. Furthermore, KeyBRIDGE uses FIPS 140-2, Level 3
certified cryptographic processing to encrypt sensitive keys and data.
Once a key has been generated in KeyBRIDGE, it can be exported as a
cryptogram, encrypted under the selected HSM’s LMK, encrypted under a
different KEK / ZMK, or even as a TR-31 key block. What used to take
organizations hours to complete, can now be accomplished in a fraction of the
time, requiring fewer resources and potentially improving many of the security
procedures and processes, while automating logging and access controls. For
more information, please reach out to your GEOBRIDGE Account Manager or
send us an email at [email protected]
Page 3 of 4
KeyBRIDGE Newsletter
Ask the Assessor
Dear GEOBRIDGE Assessor,
I see that the PCI Security Standards Council has published a
new version of the PCI PIN standard. Is there anything new that
I should be aware of?
PCI PIN version 2.0 was published in December and introduces a new format with more detailed
requirements as well as a supporting version with comprehensive testing procedures. This means
that now both assessors and the parties being assessed have a much more clearly defined set of
criteria against which a PCI PIN assessment will be performed. In the past the requirements left
some room for interpretation, which can be a good thing and a bad thing. With version 2.0, the
requirements are much more specific and with the supplemental testing procedures, everyone
should be on the same page and have a clear understanding of what is expected prior to
undergoing a formal assessment.
While we strongly encourage all of our customers to perform a full review of the new PCI PIN
standard, we also wanted to point out a few of the changes that we think will have an impact on
our KeyBRIDGE users.
Device inventory and tracking requirements for Point of Interaction (POI) devices
include explicit, granular details on the information being captured at the individual
device level.
There are no longer allowances for “newly deployed” SCDs (EPP, PED, UPT or
HSM) to be PCI certified. All such devices in use must be PCI or FIPS approved.
Devices used for generating clear-text key components that are outputted in the clear
must be powered off when not in use. This means that KeyBRIDGE appliances must
be powered off when not in use/at the end of the day.
Printers used to print clear components may not be used for other purposes. The
printers must be dedicated for component printing.
There are specific items that need to be added to policy and procedure
documentation regarding key component handling. For example, procedures must
explicitly state that verbal disclosure of a component is prohibited. The complete list
of items that need to be included in your procedures are included in Requirement 6.
Bags used for transporting components must be tamper-evident, not just
Prohibits the use of TDES keys to encrypt AES keys. This is something that is
automatically enforced within KeyBRIDGE when importing and export encrypted
Requires the use of key blocks by January 2018. KeyBRIDGE currently stores all
keys in key block format and supports the import and export of both TDES and AES
keys using key blocks.
Requires that a PED that interfaces with more than one acquirer must support and
use unique keys for each acquiring relationship.
Requires that key activity logs be retained for a minimum of two years. KeyBRIDGE
automatically logs all key generation, import, export and termination activity. This
information is retained for all keys in the KeyBRIDGE inventory, even after the
system audit logs are archived.
In general, we believe that the changes are positive as they remove any ambiguity that may have
previously existed around the requirements. If you have additional questions about PCI PIN
version 2.0 and how the changes may impact your organization, please contact
[email protected] to arrange to speak to one of our consultants.
Have a question for our
Assessors? Send an email
to [email protected]
and include “Ask the
Assessor” in the email
subject. Your question
may be featured in our
next newsletter.
Page 4 of 4
KeyBRIDGE Newsletter
Did you know…?
18 years of business and
GEOBRIDGE has been in business for 18 years.
The GEOBRIDGE team consists of certified assessors for:
o TR-39 PIN Security and Key Management Assessments
o PCI PIN Assessments
o Payment Card Industry Data Security Standard (PCI DSS)
Additional Cryptographic Application Development Services offered by
o PED Application Development
o HSM Application Development
o Software Cryptographic Development
o Protocol Development
 Fixed Key
 Global Platform
The KeyBRIDGE solution is been in the marketplace for 10 years.
KeyBRIDGE 2100 supports over 25 point of sale manufacturers and over
150 point of sale devices.
There are additional license options with KeyBRIDGE 2100 including:
o Custom PED Key Export
o Custom Key Usage
o Custom Key Attributes
o SCD Component Entry
o Network Support
Established in 1997, GEOBRIDGE emerged as one of the first information security
solutions providers to support cryptography and payment applications for payment
processors, financial institutions and retail organizations. Today, GEOBRIDGE is a
leading information security solutions and compliance provider that offers Network
Security, Cryptography and Key Management, Payment Security and Compliance
solutions and services. Our client list includes Fortune 500 companies, financial
institutions, healthcare organizations and government clients across North America
and around the globe. GEOBRIDGE leverages our team's expertise in data
protection, program development, enforcement and governance to help architect
solutions to help mitigate risk for our clients.