Data protection with translation
First Claim
1. A method comprising:
receiving, by an access device of a merchant system, a personal identification number (PIN) and sensitive data associated with a transaction, the access device having a security module programmed with an initial key derived from a base derivation key that is associated with a key serial number;
encrypting, by the access device of the merchant system, the PIN, wherein PIN encryption uses a first encryption key variant based on the initial key;
encrypting, by the access device of the merchant system, the sensitive data including a primary account number (PAN) identifying an account, wherein sensitive data encryption uses a second encryption key variant based on the same initial key, the second encryption key variant being unique from the first encryption key variant;
obtaining, by a host processor of the merchant system, the key serial number and an authorization request message including the encrypted PIN and the encrypted sensitive data;
retrieving, by the host processor of the merchant system, the base derivation key using the key serial number;
deriving, by the host processor of the merchant system, the initial key from the base derivation key, and decryption keys from the initial key according to a derived unique key per transaction (DUKPT) key management scheme, wherein the decryption keys include a first decryption key variant corresponding to the first encryption key variant and a second decryption key variant corresponding to the second encryption key variant;
decrypting, by the host processor of the merchant system, the encrypted PIN with the first decryption key variant and the encrypted sensitive data with the second decryption key variant;
selecting, by the host processor of the merchant system, a processing network from a plurality of processing networks to route the authorization request message based on the PAN from the decrypted sensitive data;
when the selected processing network is a first processing network, re-encrypting the PIN and the sensitive data using a first set of at least one zone encryption key associated with the first processing network, and when the selected processing network is a second processing network, re-encrypting the PIN and the sensitive data using a second set of at least one zone encryption key associated with the second processing network;
transmitting the re-encrypted PIN and the re-encrypted sensitive data to the selected processing network; and
receiving an authorization response message from the selected processing network, the authorization response message indicating whether the transaction is approved based in part on verification of the PIN associated with the account identified by the PAN.
Abstract
Systems and methods are disclosed in which data associated with a transaction are protected with encryption. At an access device, a PIN associated with a payment account may be encrypted with a first key derived from an initial key of the access device and sensitive data associated with the payment account may be encrypted with a second key derived from the initial key. At a secure module associated with a host server encrypted sensitive data of an authorization request message may be decrypted. The secure module associated with the host server can re-encrypt the sensitive data using a zone encryption key associated with a payment processing network. A translated authorization request message including the re-encrypted sensitive data can be transmitted by the merchant server to the payment processing network.
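The claimed flow (two key variants from one initial key, host-side re-derivation from the key serial number, routing on the decrypted PAN, re-encryption under per-network zone keys) can be modelled as below. This is an added example, not code from the patent: HMAC-SHA256 stands in for the DUKPT derivation and for the cipher, and the KSN layout, key values, network names and function names are all constructed assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256 stand-in, not the real DUKPT algorithm)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (kdf(key, nonce + bytes([i])) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Toy authenticated encryption, so that use of the wrong key is detected."""
    ct = bytes(a ^ b for a, b in zip(pt, _stream(kdf(key, b"enc"), nonce, len(pt))))
    return ct + kdf(kdf(key, b"mac"), nonce + ct)[:8]

def unseal(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-8], blob[-8:]
    if not hmac.compare_digest(tag, kdf(kdf(key, b"mac"), nonce + ct)[:8]):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(kdf(key, b"enc"), nonce, len(ct))))

def variants(initial_key: bytes, ksn: bytes):
    """Per-transaction key, then two distinct usage variants (PIN, data)."""
    txn = kdf(initial_key, b"txn" + ksn[-2:])      # last 2 KSN bytes = counter (assumed)
    return kdf(txn, b"pin"), kdf(txn, b"data")

# Constructed sample keys and routing table (assumptions, not real values).
BDKS = {b"KSET1": b"\x11" * 32}                    # key set id -> base derivation key
ZONE = {"net_a": (b"\xa1" * 32, b"\xa2" * 32),     # (PIN zone key, data zone key)
        "net_b": (b"\xb1" * 32, b"\xb2" * 32)}

def terminal_encrypt(initial_key: bytes, ksn: bytes, pin: bytes, pan: bytes) -> dict:
    """Access device: the PIN and the PAN are encrypted under different variants."""
    k_pin, k_data = variants(initial_key, ksn)
    return {"ksn": ksn, "pin": seal(k_pin, ksn, pin), "data": seal(k_data, ksn, pan)}

def host_translate(msg: dict):
    """Host side: re-derive keys from the KSN, decrypt, route, re-encrypt."""
    ksn = msg["ksn"]                               # assumed: key set id(5) | device id(3) | counter(2)
    initial_key = kdf(BDKS[ksn[:5]], b"ik" + ksn[5:8])
    k_pin, k_data = variants(initial_key, ksn)
    pin, pan = unseal(k_pin, ksn, msg["pin"]), unseal(k_data, ksn, msg["data"])
    network = "net_a" if pan.startswith(b"4") else "net_b"   # route on decrypted PAN
    z_pin, z_data = ZONE[network]
    return network, seal(z_pin, ksn, pin), seal(z_data, ksn, pan)
```

The host stores only the base derivation key per key set; everything else is recomputed from the KSN carried with the message, and a PIN block cannot be opened with the data variant.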
603 Citations
26 Claims
16. A system comprising:
a hardware access device programmed with an initial key derived from a base derivation key that is associated with a key serial number, and configured to perform a first set of operations including;
encrypting a personal identification number (PIN), wherein the PIN encryption uses a first encryption key variant based on an initial key; and
encrypting sensitive data including a primary account number (PAN) identifying an account, wherein the sensitive data encryption uses a second encryption key variant based on the same initial key, the second encryption key variant being unique from the first encryption key variant; and
a host processor, the host processor configured to perform a second set of operations including;
obtaining the key serial number and an authorization request message including the encrypted PIN and encrypted sensitive data;
retrieving the base derivation key using the key serial number;
deriving the initial key from the base derivation key, and decryption keys from the initial key according to a derived unique key per transaction (DUKPT) key management scheme, wherein the decryption keys include a first decryption key variant corresponding to the first encryption key variant and a second decryption key variant corresponding to the second encryption key variant;
decrypting the encrypted PIN and the encrypted sensitive data using the decryption keys;
selecting a processing network from a plurality of processing networks to route the authorization request message based on the PAN from the decrypted sensitive data;
when the selected processing network is a first processing network, re-encrypting the PIN and the sensitive data using a first set of at least one zone encryption key associated with the first processing network, and when the selected processing network is a second processing network, re-encrypting the PIN and the sensitive data using a second set of at least one zone encryption key associated with the second processing network;
transmitting the re-encrypted PIN and the re-encrypted sensitive data to the selected processing network; and
receiving an authorization response message from the selected processing network, the authorization response message indicating whether the transaction is approved based in part on verification of the PIN associated with the account identified by the PAN.
Specification