Security Features; Encryption Management - ID Tech SecureMag User Manual

Encrypted magstrip reader

8. Security Features

The reader features configurable security settings. Before encryption can be enabled, a Key Serial
Number (KSN) and a Base Derivation Key (BDK) must be loaded; only then can encrypted transactions
take place. The keys must be injected by a certified key injection facility.
There are five security levels available on the reader, described below:
Level 0
Security Level 0 is a special case that the reader enters automatically when all of its DUKPT keys
have been used. A DUKPT key set has a lifetime of 1 million transactions. Once the end of the key's
life is reached, the user must have DUKPT keys injected again before performing any more transactions.
Level 1
By default, readers from the factory are configured to this security level. There is no
encryption, and no Key Serial Number is transmitted with the decoded data. The reader
functions as a non-encrypting reader and sends the decoded track data in the default format.
Level 2
The Key Serial Number and Base Derivation Key have been injected, but encryption is not
yet activated. The reader sends decoded track data in the default format. Setting the encryption
type to TDES or AES moves the reader to Security Level 3.
Level 3
Both the Key Serial Number and Base Derivation Key have been injected and Encryption Mode is
turned on. For payment cards, both encrypted data and masked clear-text data are sent out. Users
can select how the PAN area is masked; the encrypted data format cannot be modified. Users
can also choose whether hashed data is sent and whether the card expiration date is revealed.
Level 4
When the reader is at Security Level 4, a correctly executed Authentication Sequence is required
before the reader sends out data for a card swipe. Commands that require security must carry a
4-byte Message Authentication Code (MAC) at the end.
Note: data supplied to the MAC algorithm must NOT be converted to ASCII-hex; it must be
supplied in its raw binary form. Calculating the MAC requires knowledge of the current DUKPT KSN,
which can be retrieved with the Get DUKPT KSN and Counter command.
Default reader properties are configured for Security Level 1 (no encryption). To output
encrypted data, the keys must be injected into the reader and the encryption feature enabled. The
reader then moves to Security Level 2, 3 or 4; once raised, the security level cannot be reverted
to a lower level.
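Added example, not from the ID TECH manual: a host-side reconstruction of the reader's per-transaction DUKPT key following ANSI X9.24-1 (TDES), written in Go with only the standard library. From the BDK held at the key injection facility and the KSN the reader reports (the same KSN the Level 4 MAC calculation depends on), it derives the IPEK, then the current transaction key, and the PIN and data key variants; it also encodes the X9.24 counter rule behind the 1 million key lifetime mentioned under Level 0 and rejects a KSN whose counter is exhausted instead of deriving from it. The BDK and KSN are the public X9.24 test values, not keys from any device. Whether the SecureMag applies the X9.24 data variant (DataKey below) is an assumption this page does not confirm, and the manual's MAC algorithm is not specified here and is not implemented.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// ANSI X9.24-1 TDES DUKPT constants: derivation mask, PIN and data key variants.
var (
	keyMask     = mustHex("C0C0C0C000000000C0C0C0C000000000")
	pinVariant  = mustHex("00000000000000FF00000000000000FF")
	dataVariant = mustHex("0000000000FF00000000000000FF0000")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tdes encrypts one 8-byte block with a 16-byte (2-key) TDES key.
func tdes(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// des1 is single DES (TDES with all sub-keys equal), used in the non-reversible step.
func des1(key8, block []byte) []byte { return tdes(append(append([]byte{}, key8...), key8...), block) }

// CounterValid applies the X9.24 rule that only 21-bit counter values with at
// most ten 1-bits are used (and zero never is): 2^20 - 1 = 1,048,575 usable
// values per key set, the "1 million" lifetime the manual gives.
func CounterValid(ctr uint32) bool {
	return ctr != 0 && ctr <= 0x1FFFFF && bits.OnesCount32(ctr) <= 10
}

// DeriveIPEK: Initial PIN Encryption Key from the BDK and the first 8 KSN bytes, counter cleared.
func DeriveIPEK(bdk, ksn []byte) []byte {
	base := make([]byte, 8)
	copy(base, ksn[:8])
	base[7] &= 0xE0
	return append(tdes(bdk, base), tdes(xor(bdk, keyMask), base)...)
}

// nonReversible is the X9.24 non-reversible key generation step.
func nonReversible(key, ksn8 []byte) []byte {
	right := xor(des1(key[:8], xor(ksn8, key[8:])), key[8:])
	m := xor(key, keyMask)
	left := xor(des1(m[:8], xor(ksn8, m[8:])), m[8:])
	return append(left, right...)
}

// DeriveKey walks the set bits of the KSN counter, most significant first, from
// the IPEK to the current transaction key; an unusable counter is rejected.
func DeriveKey(ipek, ksn []byte) ([]byte, error) {
	ctr := uint32(ksn[7]&0x1F)<<16 | uint32(ksn[8])<<8 | uint32(ksn[9])
	if !CounterValid(ctr) {
		return nil, fmt.Errorf("dukpt: counter %06X is not a usable counter value", ctr)
	}
	base := make([]byte, 8) // rightmost 8 KSN bytes with the counter cleared
	copy(base, ksn[2:10])
	base[5] &= 0xE0
	base[6], base[7] = 0, 0
	key := append([]byte{}, ipek...)
	for shift := uint32(1 << 20); shift != 0; shift >>= 1 {
		if ctr&shift != 0 {
			base[5] |= byte(shift >> 16)
			base[6] |= byte(shift >> 8)
			base[7] |= byte(shift)
			key = nonReversible(key, base)
		}
	}
	return key, nil
}

// PinKey is the X9.24 PIN variant; DataKey is the data variant with each half
// then encrypted under the variant key, as X9.24 specifies for the data key
// (assumed here to be what the reader uses; this page does not say).
func PinKey(key []byte) []byte { return xor(key, pinVariant) }
func DataKey(key []byte) []byte {
	v := xor(key, dataVariant)
	return append(tdes(v, v[:8]), tdes(v, v[8:])...)
}
```

With the X9.24 test vector (BDK 0123456789ABCDEFFEDCBA9876543210, KSN FFFF9876543210E00001) DeriveIPEK gives 6AC292FAA1315B4D858AB3A3D7D5933A and PinKey of the derived key gives 042666B49184CF5C68DE9628D0397B36. A host that decrypts reader output should run this derivation per swipe from the KSN in the message, and treat a KSN that DeriveKey rejects the way the reader treats Level 0: the key set is exhausted and re-injection is required.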

8.1. Encryption Management

Encrypted swipe reads support the TDES and AES encryption standards. Encryption is turned on
via a command; TDES is the default.
SecureMag Encrypted MagStrip Reader User Manual
Page | 19