Issuer Ecosystem Key Type Descriptions

ZCMK - Zone Control Master Key

| Name | Description |
| --- | --- |
| Also known as | Transport Key |
| Type | Shared Key |
| Used to | Encrypt other shared keys |
| Required for | New third party integration requiring use of keys (Card Manufacturer, 3DS providers or Networks) |
| Who generates | CLOWD9 |
| Comments | This key is not BIN specific |

CLOWD9 only needs to exchange it once with each third party

The components need to be the standard 32 bits

Allows generation and encryption of TR-31 Key Blocks (or other encapsulation method)
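The TR-31 key blocks mentioned above start with a 16-character header that declares what the wrapped key may be used for. As an added example (not CLOWD9 code), this parser checks that header before a key is imported; the pairing of this page's key names with TR-31 usage codes is an assumption made for the example.

```python
# Added example: parse the 16-character TR-31 key block header and check the
# declared key usage against the key type the receiver expects to import.
from dataclasses import dataclass

# TR-31 usage codes; pairing them with this page's key names is an assumption.
EXPECTED_USAGE = {
    "ZCMK": {"K0"},              # key encryption / wrapping
    "PEK": {"P0"},               # PIN encryption
    "PBK": {"P0"},
    "PVK": {"V0", "V1", "V2"},   # PIN verification
    "CVK": {"C0"},               # card verification
    "MDKac": {"E0"},             # EMV master key: application cryptograms
    "MDKenc": {"E1"},            # secure messaging, confidentiality
    "MDKmac": {"E2"},            # secure messaging, integrity
}

@dataclass
class Tr31Header:
    version: str
    length: int
    usage: str
    algorithm: str
    mode: str
    key_version: str
    exportability: str
    optional_blocks: int

def parse_header(block: str) -> Tr31Header:
    if len(block) < 16 or not block.isascii():
        raise ValueError("key block shorter than the 16-character header")
    if block[0] not in "ABCD":
        raise ValueError(f"unknown key block version {block[0]!r}")
    if not (block[1:5].isdigit() and block[12:14].isdigit()):
        raise ValueError("length or optional-block count is not numeric")
    hdr = Tr31Header(block[0], int(block[1:5]), block[5:7], block[7], block[8],
                     block[9:11], block[11], int(block[12:14]))
    if hdr.length != len(block):
        raise ValueError(f"header declares {hdr.length} chars, got {len(block)}")
    return hdr

def check_import(block: str, expected_key_type: str) -> Tr31Header:
    hdr = parse_header(block)
    if hdr.usage not in EXPECTED_USAGE[expected_key_type]:
        raise ValueError(f"usage {hdr.usage} is not valid for {expected_key_type}")
    return hdr

# Constructed sample: a valid header followed by placeholder characters, not key material.
SAMPLE_CVK_BLOCK = "B0096C0TC00N0000" + "0" * 80
```

Rejecting a block whose declared usage does not match the expected key type catches a mislabelled or swapped key before it reaches the HSM import step.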

MDKac/MDKauth - Master Derivation Keys

| Name | Description |
| --- | --- |
| Also known as | MDK1, MDKac or MDKauth |
| Type | Shared Key |
| Used to | Perform a chip authenticity check during the authorisation stage, known as the ARPC/ARQC handshake. AC = Application Cryptogram. |
| Required for | New BIN with existing card manufacturer; New BIN with new card manufacturer; Existing BIN with new card manufacturer |
| Who generates | CLOWD9 |
| Comments | BIN Specific |

MDKsmi/MDKenc - Master Derivation Keys

| Name | Description |
| --- | --- |
| Also known as | MDK2, MDKac or MDKauth |
| Type | Shared Key |
| Used to | MDKsmi / MDKenc: PIN unblock issuer script |
| Required for | New BIN with existing card manufacturer; New BIN with new card manufacturer; Existing BIN with new card manufacturer |
| Who generates | CLOWD9 |
| Comments | BIN Specific |

MDKsmc/MDKmac - Master Derivation Keys

| Name | Description |
| --- | --- |
| Also known as | MDK3, MDKac or MDKauth |
| Type | Shared Key |
| Used to | MDKsmc / MDKmac: PIN change issuer script |
| Required for | New BIN with existing card manufacturer; New BIN with new card manufacturer; Existing BIN with new card manufacturer |
| Who generates | CLOWD9 |
| Comments | BIN Specific |

CVK - Card Verification Value / Code keys

| Name | Description |
| --- | --- |
| Also known as | CVV Key, CVC Key, CVK1, CVK2, CVKA, CVKB |
| Type | Shared Key |
| Used to | Generate the value of CVV1 (magstripe), CVV2 (embossed), CVV3 (contactless), iCVV (Chip CVV) |
| Required for | New BIN with existing card manufacturer; New BIN with new card manufacturer; Existing BIN with new card manufacturer |
| Who generates | CLOWD9 |
| Comments | BIN Specific |

CVK generically refers to different keys, such as CVK1 and CVK2.

A CVK is combined with card data such as PAN and expiry date to compute the Verification Value, i.e. CVK1 is used to get CVV1, CVK2 is used to get CVV2, etc.

Used during PAN creation to generate CVVs for authorisations

AAVK - Accountholder Authentic Value Key

| Name | Description |
| --- | --- |
| Also known as | CAKA, CAKB, AAV, CAVV |
| Type | Shared Key |
| Used to | Validate 3D Secure Authentication |
| Required for | 3D Secure set up |
| Who generates | 3D Secure provider (CLOWD9 to generate it if agreed by Network and 3D Secure provider) |
| Comments | BIN Specific |

This key is used to validate that the 3D Secure authentication has been performed by the genuine 3D Secure provider

PVK - PIN Validation Key

| Name | Description |
| --- | --- |
| Also known as | PVKA, PVKB |
| Type | Shared Key |
| Used to | Generate and validate on-line PIN |
| Required for | On-behalf PIN validation by the Network (Stand-In) |
| Who generates | CLOWD9 |
| Comments | BIN Specific |

PBK - PIN Block Key

| Name | Description |
| --- | --- |
| Also known as | Manufacturer PIN Encryption Key (MPEK), PINKey, ZPK |
| Type | Shared Key |
| Used to | Encrypt PIN in transit from CLOWD9 to Card Manufacturer (in the Card Data File) |
| Required for | New Card Manufacturer Integration |
| Who generates | CLOWD9 |
| Comments | Card Manufacturer Specific |

Only required once

Used for all files sent to the same Card Manufacturer

Used during PAN creation to generate PIN Block for Card Manufacturer

PEK - PIN Encryption Key

| Name | Description |
| --- | --- |
| Also known as | MPinKey, MCPinKey, Network Key (Nk), Issuer Working Key (IWK), IWK1 or IWK2 |
| Type | Shared Key |
| Used to | Encrypt PIN in transit from the Network to CLOWD9 (in the authorisation request) |
| Required for | New network integration |
| Who generates | CLOWD9 |
| Comments | Network specific |

This is used during PAN creation to generate PIN Block for authorisations.

IPK - Issuer Processing Key

| Name | Description |
| --- | --- |
| Also known as | Public key Infrastructure, Issuer Public Key |
| Type | Private-Public key pair |
| Used to | Authenticate that the chip is genuinely issued by an authorised Network member (between terminal and chip) |
| Required for | EMV personalisation |
| Who generates | Issuer (or Card Manufacturer) to exchange with Network |
| Comments | Issuer specific |

The key is not used in the transaction processing. The issuer has to sign a letter of delegation for the Card Manufacturer to exchange the IPK/certificate with Visa or Mastercard.

UDK - Unique Derivation Key

| Name | Description |
| --- | --- |
| Also known as | Card Master Key |
| Type | Derived Key |
| Used to | EMV authentication (ARQC/ARPC) |
| Required for | EMV personalisation |
| Who generates | Card Manufacturer |
| Comments | Card specific |

Unique card keys for cryptogram generation and Issuer scripts

They are derived from the various MDKs:

i.e. UDKac = MKac + PAN + PAN sequence number

CLOWD9 must set the correct algorithm to be used for these keys:

Mastercard

ARPC Key: Master Key or Session Key

Session Derivation Key Method: Mastercard SDK or EMV CSK

ARPCV Key: Master Key or Session Key

Visa

Not possible to set

Cryptogram Version Number (CVN) - CLOWD9 supports CVN 10 and 18
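The "MDK + PAN + PAN sequence number" derivation above, written out as an added example (not CLOWD9 or card manufacturer code). It assumes the EMV Book 2 "Option A" method with a double-length 3DES master key and calls the `openssl` command-line tool for the cipher; the key and PAN are constructed test values.

```python
# Added example: EMV Book 2 "Option A" card key derivation (UDK from MDK, PAN, PSN).
# The key is passed on the command line, so use test keys only; production
# derivation takes place inside an HSM.
import subprocess

def diversifier(pan: str, psn: str = "00") -> bytes:
    """Y = rightmost 16 digits of PAN || PSN, left-padded with zeros, as 8 BCD bytes."""
    digits_ok = pan.isascii() and pan.isdigit() and psn.isascii() and psn.isdigit()
    if not digits_ok or len(psn) != 2:
        raise ValueError("PAN must be decimal digits and PSN two decimal digits")
    return bytes.fromhex((pan + psn)[-16:].rjust(16, "0"))

def tdes_ecb(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with two-key 3DES in ECB mode via the openssl CLI."""
    out = subprocess.run(["openssl", "enc", "-des-ede", "-K", key.hex(), "-nopad"],
                         input=block, capture_output=True, check=True)
    return out.stdout

def odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every byte has odd parity (DES convention)."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)

def derive_udk(mdk: bytes, pan: str, psn: str = "00") -> bytes:
    if len(mdk) != 16:
        raise ValueError("MDK must be a double-length (16-byte) key")
    y = diversifier(pan, psn)
    y_inv = bytes(b ^ 0xFF for b in y)
    # Left half encrypts Y, right half encrypts Y XOR FF..FF, both under the MDK.
    return odd_parity(tdes_ecb(mdk, y) + tdes_ecb(mdk, y_inv))

# Constructed test values, not production keys or card data.
TEST_MDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
TEST_PAN = "4111111111111111"
```

Because the PAN sequence number is part of the diversifier, two cards issued on the same PAN receive different UDKs from the same MDK.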

PGP - Pretty Good Privacy

| Name | Description |
| --- | --- |
| Also known as | Public key, Private key, Certificate |
| Type | Private-Public key pair software |
| Used to | Authenticate key exchanges |
| Who generates | Third party (card manufacturer, clients) or CLOWD9. The key generation is subject to the third party's role (who does what in the context). Always check the approach with the CLOWD9 Infrastructure team. |
| Comments | PGP is a proprietary suite of software that can generate key pairs and encrypt/decrypt data |

RSA - Rivest-Shamir-Adleman cryptosystem

| Name | Description |
| --- | --- |
| Also known as | Public key, Private key, Certificate |
| Type | Private-Public key pair |
| Used to | Authenticate sFTP client and server |
| Required for | New third party integration requiring sFTP access |
| Who generates | Third party (card manufacturer, clients, issuer) or CLOWD9. The key generation is subject to the third party's role (who does what in the context). Always check the approach with the CLOWD9 Infrastructure team. |
| Comments | A 2048-bit RSA key is needed to authenticate the connection to the CLOWD9 sFTP service |