LMK Rotation In Payment Environments

by geobridge

LMK Rotation In Payment Environments

by geobridge

by geobridge

Creating a new LMK is no more challenging than creating any other key type. However, rotating all of the keys in an organization’s payment environment from encryption under the old LMK to encryption under the new LMK while logging all activities and ensuring that the key is translated properly is a much more daunting task.

A Leading financial card services provider who has been a client of GEOBRIDGE for ten years, was audited in the Spring of 2017. One of the findings was to rotate the Thales payShield 9000 HSM’s LMK that had been in place for several years. The client utilized five different applications connecting to a farm of payShield 9000 HSMs. The client had over 1000 different keys representing ten distinct key types across the five applications. Like every project in the payment world, this one had to be completed within a very short timeframe.

The client contacted GEOBRIDGE’s Professional Service team to help provide a solution. As part of the rotation, the team recommended to rotate the LMK but also to translate the existing key inventory from variant to key block due to the PCI PIN Control Objective that will enforced in January of 2018. A

After two weeks of project planning, GEOBRIDGE’s team went onsite to oversee the translation activities. As part of the service, the team used a KeyBRIDGE™ 3100 appliance with the Third Party HSM integration module.

With the KeyBRIDGE 3100 appliance, the client:

  Created their own KeyBRIDGE master key, which they continue to retain.

  Logically separated the keys within the KeyBRIDGE appliance according to application name and relationship.

  Automatically logged and uniquely named all keys, while validating key check values.

  Translated all keys from encryption under old LMK to encryption under the KeyBRIDGE SMK.

  Translated the full key inventory for use under the new LMK.

Benefits of using the GEOBRIDGE KEES™ Service:

  All keys were successfully translated from the old Variant LMK to the new Key Block LMK.

  All activities were automatically logged with unique user IDs, and RBACs permissions.

  All HSMs are loaded with the new LMK.

  The client is now prepared to operate in both variant and key bundling modes.

  The client has now created a full inventory key escrow, encrypted by a 256-bit AES Key. The encrypted key inventory is now saved off to the network, and the master key components are stored securely in the client’s key custodian safes.

  All activities onsite were successfully completed within three (3) days.

A seemingly impossible task with unrealistic timelines was completed ahead of schedule while also preparing for future compliance mandates, all as a result of GEOBRIDGE KEES™ Professional Services team and the KeyBRIDGE platform.