
Security Levels:

The reader features configurable security settings. Before encryption can be enabled, a Key Serial Number (KSN) and a Base Derivation Key (BDK) must be loaded; no encrypted transactions can take place until then. The keys are to be injected by a certified key injection facility.

There are five security levels available on the reader, as described below:

Level 0:

Security Level 0 is a special case where all DUKPT keys have been used; the reader sets it automatically when it runs out of DUKPT keys. The lifetime of DUKPT keys is 1 million. Once the keys' end of life is reached, the user should inject DUKPT keys again before doing any more transactions.

Level 1:

By default, readers from the factory are configured with this security level. There is no encryption process, and no Key Serial Number is transmitted with the decoded data. The reader functions as a non-encrypting reader, and the decoded track data is sent out in the default format.

Level 2:

The Key Serial Number and Base Derivation Key have been injected, but the encryption process is not yet activated. The reader will send out decoded track data in the default format. Setting the encryption type to TDES or AES will change the reader to Security Level 3.

Level 3:

Both the Key Serial Number and the Base Derivation Key are injected and encryption mode is turned on. For payment cards, both encrypted data and masked clear-text data are sent out. Users can select the masking of the PAN area; the encrypted data format cannot be modified. Users can also choose whether to send hashed data and whether to reveal the card expiration date.

Level 4:

When the reader is at Security Level 4, a correctly executed Authentication Sequence is required before the reader sends out data for a card swipe. Commands that require security must be sent with a four-byte Message Authentication Code (MAC) appended. Note that the data supplied to the MAC algorithm should NOT be converted to ASCII-Hex; it must be supplied in its raw binary form. Calculating the MAC requires knowledge of the current DUKPT KSN, which can be retrieved with the Get DUKPT KSN and Counter command.


1 Comment

  1. Hi IT Admin-G,

    I have a question about what the unit of the DUKPT lifetime is. This page only shows "1 million".