USER MANUAL
SecureMag Encrypted MagStripe Reader
USB, RS232 and PS2 Interface
80096504-001 RevM 9/16/2015...
SecureMag User Manual

FCC WARNING STATEMENT
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
LIMITED WARRANTY
ID TECH warrants to the original purchaser for a period of 12 months from the date of invoice that this product is in good working order and free from defects in material and workmanship under normal use and service. ID TECH's obligation under this warranty is...
Revision History
Date         Description                               By
05/05/2010   Initial Release                           Jenny W
06/14/2010   Added RS232 interface                     Jenny W
06/16/2010   General edits and modified Appendix A     Jenny W
06/25/2010   Updated reader command summary            Jenny W
06/28/2010   Updated reader command.                   Jenny W
...
...between Setting Commands and Get Settings Commands
02/04/2013   Added the new mask feature in SecureMag firmware v5.00 for serial interface and v5.03 for USB interface   Candy H
06/06/2013   Remove key loading command                Candy H
03/26/2014   Update HIDSIZE definition...
Table of Contents
Introduction ...................... 8
Features and Benefits .................. 8
Terms and Abbreviations ................... 9
Applicable Documents .................. 10
Operation ....................... 11
Specification .................... 12
Command Process ................... 15
Get Copyright Information ................ 17
Version Report Command ................ 17
Reader Reset Command ................
10.4 DUKPT Level 4 Data Output Original Format ........... 40
10.5 DUKPT Level 3 Data Output Enhanced Format ......... 41
10.6 Additional Description ................ 45
10.7 Decryption Example ................ 48
10.7.1. Security Level 3 Decryption - Original Encryption Format ....... 48
Security Level 4 Decryption - Original Encryption Format .......
The reader fully supports TDES and AES data encryption using the DUKPT key management method. The SecureMag is offered in USB, RS232 and PS2 interfaces.

2. Features and Benefits ...
3. Terms and Abbreviations
AAMVA   American Association of Motor Vehicle Administration
ABA     American Banking Association
AES     Advanced Encryption Standard
ASIC    Application Specific Integrated Circuit
BPI     Bits per Inch
CADL    California Drivers License Format (obsolescent)
CE      European Safety and Emission approval authority...
5. Operation
A card may be swiped through the reader slot when the LED is green. The magnetic stripe must face toward the magnetic read head and may be swiped in either direction. After a card is swiped, the LED turns off temporarily until the decode process is completed.
6. Specification
Power Consumption: 5VDC +/- 10%. Maximum operating current consumption less than 50mA.
RS232 interface: an external power adaptor supplies power through the RS232 cable.
USB interface: powered from the host interface; no external power adaptor needed.
Interface cable and connector
RS232 interface
- IDT standard RS232 Interface Cable
- DB-9 Female connector with 2mm power jack in the housing
- Standard cable length is 6 feet
- Pin Out Table: Color / Signal...
7. Command Process
Command requests and responses are sent to and received from the device. For USB interface devices, commands are sent to the device using the HID class-specific request Set_Report (21 09 ...). The response to a command is retrieved from the device using the HID class-specific request Get_Report (A1 01 ...).
<ETX>  End of Text
<ACK>  Acknowledge
<NAK>  Negative Acknowledge: 15 for the RS232 and USB HID interfaces; FD for the USB KB interface
<UnknownID>  Warning: Unsupported ID in setting
<AlreadyInPOS>  Warning: Reader already in OPOS mode
<R>  Review Setting
<S>...
The response is as follows: ACK STX <Version String> ETX LRC
Response example, mixed hex and ASCII: \06\02ID TECH TM3 SecureMag RS232 Reader V 3.19\03\LRC

7.3 Reader Reset Command
02 49 03 48
The reader supports a reset reader command. This allows the host to return the reader to its default state.
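As an added example (not ID TECH's code and not part of the manual), the Python below frames a command as <STX><Command><ETX><LRC> and checks a response of the form ACK STX <Version String> ETX LRC before trusting it. The frame layout and the Reader Reset bytes 02 49 03 48 are taken from the manual; that the LRC is the XOR of every byte from STX through ETX is an assumption inferred from that worked value, and the sample version response is constructed from the manual's example string. Wrapping the bytes in a HID Set_Report/Get_Report transfer for the USB variant is outside the block.

```python
# Added example, not ID TECH code: SecureMag command framing and response checking.
# Frame layout <STX><Command><ETX><LRC> and the worked value 02 49 03 48 (Reader Reset)
# come from the manual. Assumption: the LRC is the XOR of every byte from STX through
# ETX inclusive (that rule reproduces 0x48 for the Reset command).
STX, ETX, ACK = 0x02, 0x03, 0x06
NAK_SERIAL = 0x15   # NAK on the RS232 and USB HID interfaces
NAK_KB = 0xFD       # NAK on the USB keyboard interface


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of all bytes in data."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def build_command(payload: bytes) -> bytes:
    """Wrap a command payload (e.g. b'I' for Reader Reset) as <STX><payload><ETX><LRC>."""
    body = bytes([STX]) + payload + bytes([ETX])
    return body + bytes([lrc(body)])


def parse_response(frame: bytes) -> tuple:
    """Classify a reader response.

    Returns ('NAK', b'') for either NAK byte, ('ACK', b'') for a bare ACK, and
    ('ACK', payload) for ACK STX <payload> ETX LRC. Raises ValueError when the
    frame is malformed or the trailing LRC does not match, so a corrupted serial
    line is never mistaken for a valid answer.
    """
    if not frame:
        raise ValueError("empty response")
    if frame[0] in (NAK_SERIAL, NAK_KB):
        return "NAK", b""
    if frame[0] != ACK:
        raise ValueError("unexpected leading byte 0x%02X" % frame[0])
    if len(frame) == 1:
        return "ACK", b""
    if len(frame) < 4 or frame[1] != STX or frame[-2] != ETX:
        raise ValueError("malformed ACK frame")
    body, received = frame[1:-1], frame[-1]
    if lrc(body) != received:
        raise ValueError("LRC mismatch: computed 0x%02X, received 0x%02X" % (lrc(body), received))
    return "ACK", body[1:-1]


def hexdump(data: bytes) -> str:
    """Render bytes the way the manual prints them, e.g. '02 49 03 48'."""
    return " ".join("%02X" % b for b in data)


# Constructed sample response: ACK, STX, the version string quoted in the manual, ETX, LRC.
SAMPLE_VERSION_BODY = b"\x02ID TECH TM3 SecureMag RS232 Reader V 3.19\x03"
SAMPLE_VERSION_RESPONSE = b"\x06" + SAMPLE_VERSION_BODY + bytes([lrc(SAMPLE_VERSION_BODY)])

if __name__ == "__main__":
    print(hexdump(build_command(b"I")))        # Reader Reset: 02 49 03 48
    print(hexdump(build_command(b"R\x1f")))    # Read MSR Options: 02 52 1F 03 4C
    print(parse_response(SAMPLE_VERSION_RESPONSE))
```

Rejecting a frame whose LRC does not verify matters more than it looks: a host that accepts a garbled ACK after a settings command may believe the reader is in a state it is not in.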
Any previously read data will be erased and the reader will wait for the next swipe. As the user swipes a card, the data will be saved but will not be sent to the host. The reader holds the data until receiving the next "Arm to Read" or "MSR Reset"...
Other possible response statuses:
- 'Q' command length must be 1
- Reader not configured for buffered mode: NAK
- Already armed: NAK
NAK for the keyboard interface is FD; in non-KB mode NAK is 15.

7.7 Read MSR Options Command
02 52 1F 03 LRC <Response>...
This command does not have any <FuncData>. It returns all non-security settings for all groups to their default values.

7.8.3. MSR Reading Settings
02 53 1A 01 <MSR Reading Settings> 03 LRC
MSR Reading Settings: '0' MSR Reading Disabled, '1'...
NOTE: String length is one byte, maximum fifteen <0Fh>.

7.8.7. Postamble Setting
The postamble serves the same purpose as the preamble, except that it is added to the end of the data string, after any terminator characters.
02 53 D3 <Len><Postamble> 03 LRC...
7.8.12. Start/End Sentinel and Track 2 Account Number Only The SecureMag can be set to either send, or not send, the Start/End sentinel, and to send either the Track 2 account number only, or all the encoded data on Track 2.
8. Security Features
The reader features configurable security settings. Before encryption can be enabled, a Key Serial Number (KSN) and Base Derivation Key (BDK) must be loaded; only then can encrypted transactions take place. The keys are injected by a certified key injection facility.
Default reader properties are configured for security level 1 (no encryption). In order to output encrypted data, the reader has to be key injected with the encryption feature enabled. Once the reader has been configured to security level 2, 3 or 4, it cannot be reverted to a lower security level.
The data format of each masked track is ASCII. The clear data include the start and end sentinels, the separators, the first N and last M digits of the PAN, and the card holder name (for Track 1). The remaining characters are replaced with the mask character.
9. Using the Demo Program
ID TECH SecureMag Demo is provided to demonstrate the features of the Encrypted MSR. It supports decrypting the encrypted data and sending commands to the MSR.
Overview of SecureMag Demo
[Figure: Screenshot of RS232 Demo Software]
The demo software is similar for each interface, with the exception of interface-specific settings.
9.1 Manual Command
The demo software allows users to manually input and send commands to the device. Type the <Command Data> in the field, and the command is sent out in the following structure: <STX>...
9.2 Decryption
The encrypted data is shown in the Manual Command / Encrypted Data textbox after a card is swiped. By default, the cursor is in the Manual Command / Encrypted Data textbox. To get the decrypted data, press the "Decrypt" button; the decrypted card data is displayed in the lower box.
9.3 Reader Operations
The demo software can be used to display the card data and send reader commands. To view the card data on screen, place the cursor in the "manual command/ reader output" text box and swipe the card. To send a reader command, type the appropriate command in the text box and press the "Send Command"...
10. Data Format
The USB version of the reader can be operated in two different modes:
- HID ID TECH mode (herein referred to as "HID mode"), Product ID: 2010
- HID with Keyboard Emulation (herein referred to as "KB mode"), Product ID: 2030
When the reader is operated in HID mode, it behaves like a vendor-defined HID device.
10.1.1. USB HID Data Format
Other Mode Reader Data Structure (Offset / Usage Name):
- T1 decode status
- T2 decode status
- T3 decode status
- T1 data length
- T2 data length
- T3 data length
- Card encode type
- 7-116: T1 data...
Total Output Length
9-HIDSIZE*: Output Data
In this approach, the reader keeps all of the ID TECH data editing and other features like preamble, postamble, etc. The output data is HIDSIZE* bytes; the "Total Output Length" field indicates the valid data length in the output data.
Note*: HIDSIZE (560 bytes) as described in USB enumeration.
Interface Descriptor (Field / Value / Description): Length, Des type, Interface No., Alternator Setting, # EP, Interface Class, Sub Class, Interface Protocol, iInterface
HID Descriptor (Field / Value / Description): Length, Des type, bcdHID 11 01 Control Code, numDescriptors Number of Class Descriptors to follow...
- Left Shift
- Right Ctrl
- Left Ctrl
- Read Error 1
- Read Error 2
- Track x ID
- Track x Error
- Track x Length 1
- Track x Length 2
- Track Data (no extra Track ID for raw data) ... 10 + Track len -1...
000: ISO Card (7, 5) or (7, 5, 5) encoding
001: Old CADL Card (6, 5, 6) encoding (no longer included)
010: AAMVA Card (7, 5, 7) encoding
011: JIS I Card (8, 5, 8) encoding
100: JIS II card (8) or ISO+JIS II...
10.3 DUKPT Level 3 Data Output Original Format
For ISO cards, masked data and encrypted data are both sent; no clear data is sent. For other cards, only clear data is sent. A card swipe returns the following data:
Card data is sent out in the format <STX><LenL><LenH><Card Data><CheckLRC><CheckSum><ETX>...
10.4 DUKPT Level 4 Data Output Original Format
For ISO cards, both clear and encrypted data are sent. For other cards, only clear data is sent. A card swipe returns the following data:
Card data is sent out in the format <STX><LenL><LenH><Card Data><CheckLRC><CheckSum><ETX>...
track 2 data
track 3 data

10.5 DUKPT Level 3 Data Output Enhanced Format
This mode is used when all tracks must be encrypted, when encrypted OPOS support is required, when the tracks must be encrypted separately, when cards other than type 0 (ABA bank cards) must be encrypted, or when track 3 must be encrypted.
...mask. Non-bank card: will be sent in clear text.
2) 07 Force encryption. All three tracks will be encrypted without mask, regardless of card type.
3) 10 Bank card: T1 and T2 will be encrypted. If T3 is in ISO-4909 format, it will be encrypted and its masked data will be sent out.
The OPOS driver/application may also send the following command to change the data format (set raw or decoded data format):
53 1D 01 30 // RAW data format
53 1D 01 31 // Decoded format
Card data is sent out in the following format: <STX><LenL><LenH><Card Data><CheckLRC><CheckSum><ETX>...
Field 1: Data Length low byte
Field 2: Data Length high byte
Field 3: Card Encode Type*
Field 4: Track 1-3 Status
Field 5: T1 unencrypted data length
Field 6: T2 unencrypted data length
Field 7: T3 unencrypted data length
Field 8: Clear/mask data sent status*
Field 9: Encrypted/Hash data sent status*
Field 10: T1 clear data...
Field 8 (Clear/mask data sent status) and field 9 (Encrypted/Hash data sent status) are only sent in the enhanced encryption format.
Field 8: Clear/masked data sent status byte:
Bit 0: 1 - track 1 clear/mask data present
Bit 1: 1 - ...
This one-byte value is the length of the original Track data. It indicates the number of bytes in the Track masked data field. It should be used to separate Track 1 and Track 2 data after decrypting the Track encrypted data field.
Track 1, 2 and 3 hashed
The SecureMag reader uses SHA-1 to generate hashed data for the track 1, track 2 and track 3 unencrypted data; each hash is 20 bytes long. This is provided with two purposes in mind: one is for the host to ensure data integrity by comparing this field with a SHA-1 hash of the decrypted track data, catching unexpected noise in data transmission.
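The following Python is an added example, not ID TECH's code, covering two checks a host should run on what the reader sends: unwrapping the <STX><LenL><LenH><Card Data><CheckLRC><CheckSum><ETX> envelope from sections 10.3 to 10.5, and comparing a track's 20-byte SHA-1 field with the SHA-1 of the decrypted track as described above. The manual does not say what LenL/LenH, CheckLRC and CheckSum are computed over; the block assumes they cover the Card Data bytes only (two-byte little-endian length, XOR, and low byte of the sum respectively). DUKPT/TDES decryption is out of scope, so the "decrypted" track and the card data are constructed samples.

```python
# Added example, not ID TECH code. Unwraps the card data envelope
# <STX><LenL><LenH><Card Data><CheckLRC><CheckSum><ETX> and checks a track's 20-byte
# SHA-1 field against the decrypted track, as the manual says the host should.
# Assumptions (not stated on the page): LenL/LenH count the Card Data bytes only,
# CheckLRC is the XOR of the Card Data bytes and CheckSum is the low byte of their sum.
import hashlib
import hmac

STX, ETX = 0x02, 0x03
SHA1_LEN = 20


def xor_and_sum(data: bytes) -> tuple:
    """Return (XOR of all bytes, low byte of the sum of all bytes)."""
    x, s = 0, 0
    for b in data:
        x ^= b
        s = (s + b) & 0xFF
    return x, s


def build_card_frame(card_data: bytes) -> bytes:
    """Wrap Card Data in the envelope (used here only to construct test input)."""
    if len(card_data) > 0xFFFF:
        raise ValueError("card data too long for a two-byte length")
    x, s = xor_and_sum(card_data)
    return bytes([STX, len(card_data) & 0xFF, len(card_data) >> 8]) + card_data + bytes([x, s, ETX])


def parse_card_frame(frame: bytes) -> bytes:
    """Validate the envelope and return Card Data; raise ValueError on any inconsistency."""
    if len(frame) < 6 or frame[0] != STX or frame[-1] != ETX:
        raise ValueError("not a card data frame")
    length = frame[1] | (frame[2] << 8)
    if len(frame) != length + 6:
        raise ValueError("length field %d disagrees with frame size %d" % (length, len(frame)))
    card_data = frame[3:3 + length]
    check_lrc, check_sum = frame[3 + length], frame[4 + length]
    x, s = xor_and_sum(card_data)
    if x != check_lrc or s != check_sum:
        raise ValueError("CheckLRC/CheckSum mismatch: frame corrupted in transit")
    return card_data


def track_hash_matches(decrypted_track: bytes, hash_field: bytes) -> bool:
    """Compare the reader's SHA-1 field with a SHA-1 of the decrypted track data.

    hmac.compare_digest keeps the comparison constant-time. A False result means the
    decryption output is not what the reader hashed (wrong key, truncated data, or
    line noise that slipped past the envelope checks), so the swipe should be rejected.
    """
    if len(hash_field) != SHA1_LEN:
        return False
    return hmac.compare_digest(hashlib.sha1(decrypted_track).digest(), hash_field)


# Constructed samples (not real card data): a clear track 2 string, the hash a reader
# would attach to it, and a frame whose Card Data is a few header bytes plus that track.
SAMPLE_TRACK2 = b";4266123456789999=251210100000000?"
SAMPLE_TRACK2_HASH = hashlib.sha1(SAMPLE_TRACK2).digest()
SAMPLE_CARD_DATA = b"\x01\x02\x03" + SAMPLE_TRACK2
SAMPLE_FRAME = build_card_frame(SAMPLE_CARD_DATA)

if __name__ == "__main__":
    payload = parse_card_frame(SAMPLE_FRAME)
    print(len(payload), "card data bytes")
    print("hash ok:", track_hash_matches(SAMPLE_TRACK2, SAMPLE_TRACK2_HASH))
```

The envelope checks catch transmission damage before decryption is attempted; the hash comparison is the check that the key in use actually produced the track the reader saw, which a corrupted-but-well-formed frame would not reveal.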
Security Level 3 Decryption - Original Encryption Format
Decryption of a three-track ABA card with the original encryption format, using a SecureMag reader with default settings. The original encryption format can be recognized because the high bit of the fourth byte (00 in the example) is 0.
SecureMag reader with default settings except for the enhanced encryption structure format. Enhanced encryption format (this can be recognized because the high bit of the fourth byte (80 in the example) is 1)...
Track 1 masked data in hex:
252A343236362A2A2A2A2A2A2A2A393939395E42555348204A522F47454F52474520572E4D525E2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A3F2A
Track 1 masked data in ASCII:
%*4266********9999^BUSH JR/GEORGE W.MR^*******************************?*
Track 2 masked data in hex (length 0x23):
3B343236362A2A2A2A2A2A2A2A393939393D2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A3F2A
Track 2 masked data in ASCII:
;4266********9999=***************?*
In this example there is no Track 3 data, either clear or masked (encrypted and hashed...
LRC, check sum and ETX: 06 E2 03
Clear/Masked Data in ASCII:
Track 1: %*4266********9999^BUSH JR/GEORGE W.MR^*******************************?*
Track 2: ;4266********9999=***************?*
Key Value: 1A 99 4C 3E 09 D9 AC EF 3E A9 BD 43 81 EF A3 34
KSN: 62 99 49 01 19 00 00 00 00 02...
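As an added example (not ID TECH's code and not part of the manual), the Python below applies the masking rule from section 8 to ISO track 1 and track 2 strings: sentinels, separators, the first N and last M PAN digits and the track-1 card holder name stay clear, and every other character becomes the mask character. With N=4, M=4 and '*' it reproduces the masked Track 1 and Track 2 strings shown in this decryption example character for character. The clear tracks fed in are constructed samples, not the card behind the manual's example, and the choice to mask the format code and the trailing LRC character is taken from the example output, where both appear as '*'.

```python
# Added example, not ID TECH code: masking ISO track 1 and track 2 the way the manual's
# section 8 describes. N=4, M=4 and '*' reproduce the manual's worked example; the clear
# tracks below are constructed and are not the card behind that example. The format
# code and the trailing LRC character are masked because the example shows them as '*'.


def mask_pan(pan: str, first: int, last: int, mask_char: str) -> str:
    """Keep the first/last digits of the PAN, mask the middle; short PANs are fully masked."""
    if len(pan) <= first + last:
        return mask_char * len(pan)
    return pan[:first] + mask_char * (len(pan) - first - last) + pan[-last:]


def _split_track(track: str, start_sentinel: str) -> tuple:
    """Return (body between the sentinels, characters after the end sentinel '?')."""
    if not track.startswith(start_sentinel) or "?" not in track:
        raise ValueError("track is missing its start or end sentinel")
    end = track.index("?")
    return track[1:end], track[end + 1:]


def mask_track1(track: str, first: int = 4, last: int = 4, mask_char: str = "*") -> str:
    """Track 1 layout: %<FC><PAN>^<NAME>^<expiry, service code, discretionary>?<LRC>."""
    body, trailer = _split_track(track, "%")
    fields = body[1:].split("^")          # body[0] is the format code (e.g. 'B')
    if len(fields) != 3:
        raise ValueError("track 1 needs exactly two '^' separators")
    pan, name, rest = fields
    return ("%" + mask_char + mask_pan(pan, first, last, mask_char) + "^" + name + "^"
            + mask_char * len(rest) + "?" + mask_char * len(trailer))


def mask_track2(track: str, first: int = 4, last: int = 4, mask_char: str = "*") -> str:
    """Track 2 layout: ;<PAN>=<expiry, service code, discretionary>?<LRC>."""
    body, trailer = _split_track(track, ";")
    if body.count("=") != 1:
        raise ValueError("track 2 needs exactly one '=' separator")
    pan, rest = body.split("=")
    return (";" + mask_pan(pan, first, last, mask_char) + "=" + mask_char * len(rest)
            + "?" + mask_char * len(trailer))


# Constructed clear tracks (not real card data), sized so the masked output matches the
# manual's example: 31 characters after the second '^' on track 1, 15 after '=' on track 2.
SAMPLE_TRACK1 = "%B4266123456789999^BUSH JR/GEORGE W.MR^2512101" + "0" * 24 + "?Z"
SAMPLE_TRACK2 = ";4266123456789999=251210100000000?Z"

if __name__ == "__main__":
    print(mask_track1(SAMPLE_TRACK1))
    print(mask_track2(SAMPLE_TRACK2))
```

Masking by field rather than by position is what keeps the output usable: the host can still route on the BIN and match the last four digits while the full PAN, expiry and discretionary data never leave the reader in the clear.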
When sending the authentication request, the user also needs to specify a time limit for the reader to wait for the Activation Challenge Reply command. The minimum timeout duration required is 120 seconds. If the specified time is less than the minimum, 120 seconds is used as the timeout duration.
The Authenticated Mode timeout duration specifies the maximum time in seconds for which the reader remains in Authenticated Mode. A value of zero forces the reader to stay in Authenticated Mode until a card swipe or power down occurs. The minimum timeout duration required is 120 seconds.
...Authenticated Mode command, the KSN will increment when the increment flag is set to 0x01.
Command Structure
Host -> Device: <STX><S><83h><08h><Deactivation Data><ETX><LRC>
Device -> Host: <ACK> (success) / <NAK> (fail)
<Deactivation data>: 8-byte response to Challenge 2. It contains 7 bytes of...
0x01: Authentication Mode was activated successfully. The reader processed a valid Activation Challenge Reply command.
0x02: The reader received a good card swipe.
0x03: The reader received a bad card swipe or the card is invalid.
0x04: Authentication Activation Failed.
Appendix A Setting Configuration Parameters and Values
Following is a table of the default setting and available settings (values within parentheses) for each function ID.
Function ID / Description / Default Description / Default Setting / Available Settings
HTypeID   Terminal Type   PC/AT, Scan Code Set 2   1   ('0'~'2', '4'~'6')
Separator: any character supported except 00, which means none. '1' ('0'~0x3F)
SendOptionID   Send Option   Sentinel and Account number control
0x30 - Do not send start/end sentinel and send all data on Track 2, no error notification.
...send error notification. Control Key Output.
0x38 - Do not send start/end sentinel and send all data on Track 2, no error notification. Alt Key Output.
0x39 - Send start/end sentinel and send all data on Track 2, do not send error notification.
0x32 - MSR Reading Buffered Mode Enabled
0x33 - Auto MSR Buffered Mode Enabled
'0' ('0', '1', '3')
DTEnableSen   DT Enable   Data Editing Control
0x30 - Disable Data Edit. Send
0x31 - Data Edit Match mode.
0x33 - Data Edit Unmatch mode
'1'...
Track1SuffixI   Track 1 Suffix   0 (any string)   No suffix for track 1, 6 char
Track2SuffixI   Track 2 Suffix   0 (any string)   No suffix for track 2, 6 char
Track3SuffixI   Track 3 Suffix   0 (any string)   No suffix for track 3, 6 char...
DesKeyID   DES Key   internal use only   Value
AesKeyID   AES Key   internal use only   Value
KeyManageTypeID   DUKPT   '1' ('0'-'1')   '0' fixed key, '1' DUKPT
HashOptID   Send tk1-2 hash   '7' ('0'-'7')   bit 0: 1 send tk1 hash; bit 1: 1 send tk2 hash;...
...don't send track LRC   Lrc option
T28BStartID   JIS T12 SS/ES   0x00 or 0x7F   0 unless keyboard version, then 0x7F
T38BStartID   JIS T3 SS/ES   0x00 or 0x7F   0 unless keyboard version, then 0x7F
SPISettingID   feature option
EquipFwID   Factory Reader firmware...
Note: not all function IDs are present in the different hardware versions of the SecureMag. The last column above uses these codes:
'-'  feature not currently supported; exists for compatibility
's'  feature available in the RS232 serial version of the reader
'u'...
Appendix B Key Code Table in USB Keyboard Interface
For most characters, "Shift On" and "Without Shift" are reversed when Caps Lock is on. Firmware needs to check the current Caps Lock status before sending out data.
Ctrl+\   31   Ctrl On
Ctrl+]   30   Ctrl On
Ctrl+6   23   Ctrl On
Ctrl+-   2D   Ctrl On
SPACE
1E   Shift On
"   34   Shift On
20   Shift On
21   Shift On
22   Shift On
&   24   Shift On...
09   Shift On
0A   Shift On
0B   Shift On
0C   Shift On
0D   Shift On
0E   Shift On
0F   Shift On
10   Shift On
11   Shift On
12   Shift On
13   Shift On
14   Shift On
15   Shift On...
Num_Enter   \num_enter
Delete   \del
Insert   \ins
Backspace
SPACE
Pause
Ctrl+[   \ctr1   2F   Ctrl On
Ctrl+]   \ctr2   30   Ctrl On
Ctrl+\   \ctr3   31   Ctrl On
Left_Ctrl_Break   \l_ctrl_bk   Clear Ctrl Flag
Left_Ctrl_Make   \l_ctrl_mk   Set Ctrl Flag for following char(s)