Direct injection of POI devices
by geobridge

The KeyBRIDGE platform provides a simple and intuitive interface for managing and distributing cryptographic keys and keying materials across a broad spectrum of use cases. In today’s threat landscape, encryption is a business-critical requirement. Encryption can be simple when there is no requirement to share information. However, when encrypted information has to be shared, as is always the case in the payment industry, the generation and distribution of cryptographic keys and keying materials can be a daunting task. The KeyBRIDGE platform eliminates the burden and worry associated with cryptographic key management through its vendor-agnostic approach.


KeyBRIDGE Appliance

The KeyBRIDGE Point of Interaction (POI) platform is a vendor-agnostic solution that has performed both DUKPT and MK/SK key injection for payment terminals and peripheral devices since 1997. This use case supports compliant key injection for devices that must be managed in a secure facility, where physical access controls are relied upon to establish a new key that has no basis for trust other than the dual control, split knowledge, and chain of custody achieved through external processes and procedures.

KeyBRIDGE supports key injection for any type of key

Full support for all key types, including but not limited to DUKPT (PIN, MAC, or Data), standard E2E keys, KEKs, Master/Session methods, and alternative derivation techniques. The platform streamlines key injection operations while automatically capturing all relevant audit log details, which can be exported and validated with ease, further reducing the overhead associated with audit cycles. KeyBRIDGE is now deployed to support key injection for both TDES DUKPT and AES DUKPT.

Product Features:

  • Centralized and secure key storage.
  • Detailed key inventory.
  • Manages unlimited Key Encryption Keys (KEKs).
  • Supported keys include:
    • Double & triple-length TDES keys
    • 128, 192 & 256-bit AES keys
    • DUKPT for PIN
    • DUKPT for PAN/Data
    • DUKPT for MAC
    • Single & double length Master/Session keys
  • Ability to update the SMK for periodic key rotation.
  • POS key erasure functionality to clear production keys from POS devices prior to transporting.

Dual Control and Split Knowledge

With POI, keys are delivered from KeyBRIDGE to a target device over a connected interface such as USB, Serial, or Ethernet. In some instances, a clear key may traverse this interface because of the additional policies and procedures that govern the operation of the secure room where this activity is performed. The KeyBRIDGE appliance augments these policies and procedures by enforcing the concepts of dual control and split knowledge, with extensive audit logging to capture each action that is performed. All activities can be reliably traced to at least two unique personnel, while system managers have granular flexibility to assign unique role-based access controls.

Unique Protocols Custom Developed

The KeyBRIDGE appliance supports the majority of PED manufacturers in the marketplace, with over 300 certified POI devices today. Support for these devices and their unique protocols is custom developed to ensure that every key delivered can be traced to a manufacturer, unique model, device serial number, and additional configurable metadata elements. The KeyBRIDGE appliance allows for the concurrent connection of sixteen unique devices. Configurable injection profiles allow a user to inject upwards of thirty keys to a single device in as few as four mouse-clicks.

Additional features that can be licensed include:

  • Remote Audit Management – (ARCK™ API) enables remote access by management to perform audit and statistics reporting.
  • SCD Component Entry – Allows users to securely enter TDES or AES components through a separate, removable Secure Cryptographic Device (SCD) and send them encrypted to the KeyBRIDGE appliance for storage.
  • Network Support – Allows users to save data such as audit logs, key inventory and system backups from the KeyBRIDGE appliance to a network drive.
  • Custom PED Key Export – Allows users to define a specific format for the export file(s) containing POS keys, as well as allows users to change the names associated with POS models.
  • Custom Key Usage – Allows users to define additional Key Usages and determine the permissible characteristics of those Custom Key Usages.
  • Custom Key Attributes – Allows users to create up to 12 custom attributes at the key level.
  • Real-Time DID Back-Up – Performs real-time backups of your DID counters, ensuring that no future keys end up as duplicates of keys from previous deployments.

For additional information or to schedule a demonstration:

Call: (571) 799-0145