Security Platform

MKLD, PKLD and ARF Set Up


All Castles POS and mPOS endpoints are secure as defined by PCI PTS. Each device holds one or more keys, which are used for two purposes:

  • Securing the POS/mPOS device during transport: Manufacturing key

  • Encrypting messages exchanged between the POS/mPOS device and a third-party system (such as a Host Security Module, HSM, at a gateway or acquirer): Personalisation key

These keys must be securely injected (via USB) into the POS/mPOS device using a specific piece of hardware supplied by Castles. The hardware is based on an SPc50 and is coloured yellow for clear identification.


Remote Key Loading Manager MKLD


Castles Technology Remote Key Loading Manager (RKLM) allows keys to be remotely injected into all ‘CT’ endpoints (SPp10 not applicable) once they are deployed in the field. This encompasses all payment environments: countertop, portable, mobile, mPOS, PIN pads, and unattended.

This capability avoids the need to return the product to an approved key injection facility (or to arrange site visits) when key updates are required, as is typically triggered by compliance or general maintenance activities. Such manual intervention is not only costly but also extremely time-consuming, and it risks disrupting the customer base.

As such, the RKLM minimises business costs and improves levels of service by streamlining this highly important key management and key injection operation. Designed to meet the industry’s most stringent security requirements, the RKLM offers the following:

  • Fully compliant with the latest industry standards and guidelines including ANS X9.24 Part 1 and Part 2.

  • Enables compliance with PCI PIN Security standards and P2PE as regards remote key management.

  • Supports all key management schemes, including Master/Session, fixed, and DUKPT keys.

  • Runs on Microsoft Windows and Linux servers.

  • Industry-leading security based on Hardware Security Modules (HSM) for all key management operations.

All the major key management schemes are supported as standard: Master/Session key, Fixed, and Derived Unique Key Per Transaction (DUKPT).

Finally, the RKLM can communicate over every available channel (Ethernet, dial-up, GPRS, Bluetooth, and Wi-Fi) so that the entire terminal estate can be reached.


SUIT


The Castles Technology Unattended Installation Tool (SUIT) is a secure cryptographic device (SCD) that must be used for secure re-installation of Castles Technology unattended products in the field to ensure compliance with PCI Security requirements.

The main objective of the SUIT is to implement the dual control and one-time password requirements that protect unattended payment terminals against unauthorised removal.

Due to the sensitive nature of the information contained on the SUIT, it must only be used in a secure software signing facility, in accordance with Castles Technology security guidelines and applicable industry standards.

SUITs are terminals loaded with specific software and keys to perform software signing.

The features of the SUIT include:

  • Generation of cryptographically signed one-time passwords (OTPs) for Castles Technology unattended payment endpoints

  • Controlled number and validity period of OTP signing operations

  • User role settings that allow clear segregation of responsibilities and dual control for administrators

  • Generation of asymmetric private/public keys

  • Generation of certificate requests in PKCS#10 format

  • Import of signed certificates in PKCS#7 format

  • Secure SUIT key store based on industry-standard SQL databases for easy access and portability

  • Secure storage in the SUIT key store

  • Creation of multiple administrators and operators

  • Detailed physical and logical logging capabilities

  • Networked API
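As an added illustration of the dual control, OTP validity and signing-quota controls described for the SUIT above (and not Castles Technology's own code or API), the following model shows one way such a policy can be enforced on the issuing side and checked on the terminal side. Everything in it is an assumption: the `OtpSigner` and `SigningPolicy` classes, the `terminal_accepts` check, the two-approval rule, and the use of an HMAC-SHA256 tag over a shared key as a stand-in for the asymmetric signature the product's feature list implies.

```python
"""Hypothetical model of dual-control, time-limited OTP signing (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class SigningPolicy:
    max_signings: int        # how many OTPs this signer may issue before re-authorisation
    otp_ttl_seconds: int     # how long an issued OTP remains valid


def _tag(key: bytes, serial: str, otp: str, expires: int) -> str:
    """Keyed tag binding the OTP to one terminal serial and one expiry time.

    HMAC is used here as a stand-in for a real signature; with an asymmetric
    scheme the issuer would sign with its private key and the terminal would
    verify with the matching public key.
    """
    msg = f"{serial}|{otp}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class OtpSigner:
    """Issues OTPs for a terminal only after two distinct administrators approve."""
    signing_key: bytes
    policy: SigningPolicy
    approvals: set = field(default_factory=set)
    signings_done: int = 0
    audit_log: list = field(default_factory=list)

    def approve(self, admin_id: str) -> int:
        """Record an administrator's approval; returns the number of distinct approvers."""
        self.approvals.add(admin_id)          # a set, so one admin approving twice counts once
        self.audit_log.append(f"approve by {admin_id}")
        return len(self.approvals)

    def issue_otp(self, terminal_serial: str, now=None) -> dict:
        """Issue an OTP ticket, enforcing dual control and the signing quota."""
        now = time.time() if now is None else now
        if len(self.approvals) < 2:
            raise PermissionError("dual control: two distinct administrators must approve")
        if self.signings_done >= self.policy.max_signings:
            raise PermissionError("signing quota exhausted")
        otp = secrets.token_hex(4)            # 8 hex characters, generated at random
        expires = int(now) + self.policy.otp_ttl_seconds
        tag = _tag(self.signing_key, terminal_serial, otp, expires)
        self.signings_done += 1
        self.approvals.clear()                # each OTP needs a fresh pair of approvals
        self.audit_log.append(f"otp issued for {terminal_serial}, expires {expires}")
        return {"serial": terminal_serial, "otp": otp, "expires": expires, "tag": tag}


def terminal_accepts(key: bytes, ticket: dict, now=None) -> bool:
    """What the unattended terminal checks before permitting removal or re-installation."""
    now = time.time() if now is None else now
    if now > ticket["expires"]:
        return False                          # expired OTP
    expected = _tag(key, ticket["serial"], ticket["otp"], ticket["expires"])
    return hmac.compare_digest(expected, ticket["tag"])  # constant-time comparison


if __name__ == "__main__":
    KEY = b"constructed-demo-key"             # constructed; never hard-code a real key
    signer = OtpSigner(KEY, SigningPolicy(max_signings=2, otp_ttl_seconds=600))
    signer.approve("alice")
    signer.approve("bob")
    ticket = signer.issue_otp("TERM-0001", now=1000)
    print("accepted within validity:", terminal_accepts(KEY, ticket, now=1100))
    print("accepted after expiry:  ", terminal_accepts(KEY, ticket, now=1700))
    print("\n".join(signer.audit_log))
```

The tag covers the terminal serial and the expiry together with the OTP, so a ticket issued for one terminal cannot be replayed against another, and an expired ticket fails before any comparison is attempted. Approvals are cleared after every issuance so that dual control applies per OTP, not once per session.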