Issuer Ecosystem Key Type Descriptions

ZCMK - Zone Control Master Key

Name

Description

Also known as

Transport Key

Type

Shared Key

Used to

Encrypt other shared keys

Required for

New third party integration requiring use of keys (Card Manufacturer, 3DS providers or Networks)

Who generates

CLOWD9

Comments

This key is not BIN specific

CLOWD9 only needs to exchange it once with each third party

The components need to be the standard 32 bits

Allows generation and encryption of TR-31 Key Blocks (or other encapsulation method)

MDKac/MDKauth - Master Derivation Keys

Name

Description

Also known as

MDK1, MDKac or MDKauth

Type

Shared Key

Used to

Perform a chip authenticity check during the authorisation stage; this is known as the ARPC/ARQC handshake. AC = Application Cryptogram.

Required for

New BIN with existing card manufacturer

New BIN with new card manufacturer

Existing BIN with new card manufacturer

Who generates

CLOWD9

Comments

BIN Specific

MDKsmi/MDKmac - Master Derivation Keys

Name

Description

Also known as

MDK2, MDKsmi or MDKmac

Type

Shared Key

Used to

MDKsmi / MDKenc: PIN unblock issuer script

Required for

New BIN with existing card manufacturer

New BIN with new card manufacturer

Existing BIN with new card manufacturer

Who generates

CLOWD9

Comments

BIN Specific

MDKsmc/MDKenc - Master Derivation Keys

Name

Description

Also known as

MDK3, MDKsmc or MDKenc

Type

Shared Key

Used to

MDKsmc / MDKmac: PIN change issuer script

Required for

New BIN with existing card manufacturer

New BIN with new card manufacturer

Existing BIN with new card manufacturer

Who generates

CLOWD9

Comments

BIN Specific

CVK - Card Verification Value / Code keys

Name

Description

Also known as

CVV Key, CVC Key, CVK1, CVK2, CVKA, CVKB

Type

Shared Key

Used to

Generate the value of CVV1 (magstripe), CVV2 (embossed), CVV3 (contactless), iCVV (Chip CVV)

Required for

New BIN with existing card manufacturer

New BIN with new card manufacturer

Existing BIN with new card manufacturer

Who generates

CLOWD9

Comments

BIN Specific

CVK generically refers to different keys, such as CVK1 and CVK2.

A CVK is combined with card data such as PAN and expiry date to compute the Verification Value, i.e. CVK1 is used to get CVV1, CVK2 is used to get CVV2, etc.

Used during PAN creation to generate CVVs for authorisations

AAVK - Accountholder Authentic Value Key

Name

Description

Also known as

CAKA, CAKB, AAV, CAVV

Type

Shared Key

Used to

Validate 3D Secure Authentication

Required for

3D Secure set up

Who generates

3D Secure provider (CLOWD9 to generate it if agreed by Network and 3D Secure provider)

Comments

BIN Specific

This key is used to validate that the 3D Secure authentication has been performed by the genuine 3D Secure provider

PVK - PIN Validation Key

Name

Description

Also known as

PVKA, PVKB

Type

Shared Key

Used to

Generate & Validate on-line PIN

Required for

On-behalf PIN validation by the Network - (Stand-In)

Who generates

CLOWD9

Comments

BIN Specific

PBK - PIN Block Key

Name

Description

Also known as

Manufacturer PIN Encryption Key (MPEK), PINKey, ZPK

Type

Shared Key

Used to

Encrypt PIN in transit from CLOWD9 to Card Manufacturer (in the Card Data File)

Required for

New Card Manufacturer Integration

Who generates

CLOWD9

Comments

Card Manufacturer Specific

Only required once

Used for all files sent to the same Card Manufacturer

Used during PAN creation to generate PIN Block for Card Manufacturer

PEK - PIN Encryption Key

Name

Description

Also known as

MPinKey, MCPinKey, Network Key (Nk), Issuer Working Key (IWK), IWK1 or IWK2

Type

Shared Key

Used to

Encrypt PIN in transit from the Network to CLOWD9 (in the authorisation request)

Required for

New network integration

Who generates

CLOWD9

Comments

Network specific

This is used during PAN creation to generate PIN Block for authorisations.

IPK - Issuer Processing Key

Name

Description

Also known as

Public Key Infrastructure, Issuer Public Key

Type

Private-Public key pair

Used to

Authenticate that the chip is genuinely issued by an authorised Network member. The check takes place between the terminal and the chip.

Required for

EMV personalisation

Who generates

Issuer (or Card Manufacturer) to exchange with Network

Comments

Issuer specific

The key is not used in transaction processing. The issuer has to sign a letter of delegation for the Card Manufacturer to exchange the IPK/certificate with Visa or Mastercard

UDK - Unique Derivation Key

Name

Description

Also known as

Card Master Key

Type

Derived Key

Used to

EMV authentication (ARQC/ARPC)

Required for

EMV personalisation

Who generates

Card Manufacturer

Comments

Card specific

Unique card keys for cryptogram generation and Issuer scripts

They are derived from the various MDKs:

i.e. UDKac = MKac + PAN + PAN sequence number

CLOWD9 must set the correct algorithm to be used for these keys:

Mastercard

ARPC Key: Master Key or Session Key

Session Derivation Key Method: Mastercard SDK or EMV CSK

ARPCV Key: Master Key or Session Key

Visa

Not possible to set

Cryptogram Version Number (CVN) - CLOWD9 supports CVN 10 and 18
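
The "+" in the UDKac relation above stands for a cipher-based derivation, not arithmetic. The Go code below is an added example, not CLOWD9's code: it assumes the EMV Book 2 Option A method with a double-length 3DES MDK, and the function name DeriveUDK and all key, PAN and PSN values are constructed for illustration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// DeriveUDK derives a card key from a 16-byte MDK (hex), PAN and PSN (digits)
// using EMV Book 2 Option A, the method assumed for this example.
func DeriveUDK(mdkHex, pan, psn string) (string, error) {
	mdk, err := hex.DecodeString(mdkHex)
	if err != nil || len(mdk) != 16 {
		return "", fmt.Errorf("MDK must be 32 hex characters")
	}
	digits := pan + psn
	if digits == "" || strings.Trim(digits, "0123456789") != "" {
		return "", fmt.Errorf("PAN and PSN must be decimal digits")
	}
	// Y = rightmost 16 digits of PAN || PSN, left-padded with zeros if shorter.
	if len(digits) < 16 {
		digits = strings.Repeat("0", 16-len(digits)) + digits
	}
	y, _ := hex.DecodeString(digits[len(digits)-16:]) // digits only, cannot fail
	// Go's 3DES takes 24 bytes; a double-length key is K1 || K2 || K1.
	block, err := des.NewTripleDESCipher(append(append([]byte{}, mdk...), mdk[:8]...))
	if err != nil {
		return "", err
	}
	udk := make([]byte, 16)
	block.Encrypt(udk[:8], y) // left half: E(MDK, Y)
	for i := range y {
		y[i] ^= 0xFF
	}
	block.Encrypt(udk[8:], y) // right half: E(MDK, Y xor FF..FF)
	for i, b := range udk {   // set each byte's low bit for odd parity
		ones := 0
		for j := 1; j < 8; j++ {
			ones += int(b>>j) & 1
		}
		udk[i] = b&0xFE | byte(1-ones&1)
	}
	return strings.ToUpper(hex.EncodeToString(udk)), nil
}

func main() {
	// Constructed test values, not real key material.
	fmt.Println(DeriveUDK("0123456789ABCDEFFEDCBA9876543210", "5413330089020011", "01"))
}
```

Because the PAN and PAN sequence number are the only per-card inputs, the issuer host can recompute the same card key from the BIN-specific MDK at authorisation time without storing a key per card.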

PGP - Pretty Good Privacy

Name

Description

Also known as

Public key, Private key, Certificate

Type

Private-Public key pair software

Used to

Authenticate key exchanges

Who generates

Third party (card manufacturer, clients) or CLOWD9

Who generates the key depends on the third party’s role (who does what in the given context).
Always check the approach with the CLOWD9 Infrastructure team.

Comments

PGP is a proprietary suite of software that can generate key pairs and encrypt/decrypt data

RSA - Rivest-Shamir-Adleman cryptosystem

Name

Description

Also known as

Public key, Private key, Certificate

Type

Private-Public key pair

Used to

Authenticate sFTP client and server.

Required for

New third party integration requiring sFTP access

Who generates

Third party (card manufacturer, clients, issuer) or CLOWD9
Who generates the key depends on the third party’s role (who does what in the given context).
Always check the approach with the CLOWD9 Infrastructure team.

Comments

A 2048-bit RSA key is needed to authenticate the connection to the CLOWD9 sFTP service