5 Security
5.1 Account Data Protection
The device always encrypts account data from all three reader types and from manual account data entry, using either two-key (112-bit) TDEA-CBC or 128-bit AES-CBC under X9.24 DUKPT key management. The device provides no mechanism, such as a whitelist or an SRED-disable setting, that would allow account data to be sent out unencrypted.
5.2 Algorithms Supported
The device uses the following cryptographic algorithms:
• AES
• TDEA
• RSA
• ECC-DSA (P-256 and P-521 curves)
• SHA-256
5.3 Communications
Wireless LAN communications are protected with TLS 1.2; older versions of TLS and all versions of SSL are not supported. Wireless connections to access points require WPA2, in either Personal (pre-shared key) or Enterprise (802.1X user ID and password) mode.
5.4 Key Management
The device implements AES/TDEA DUKPT as its only key management method. Use of any other method will invalidate PCI approval. DUKPT derives a new unique key for every transaction. For more details, see ANS X9.24 Part 3:2017.
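The following is an added illustration of the DUKPT property that sections 5.1 and 5.4 rely on, namely that each transaction's account-data or PIN key is unique and that the device never retains a key from which a past transaction's key could be recomputed. It is example code, not MagTek firmware or host software, and it is a model of the X9.24-3 AES DUKPT key hierarchy rather than a conformant implementation: the derivation-data layout and the usage/algorithm constants are as I recall them from the standard and should be checked against it, and HMAC-SHA-256 stands in for the AES-ECB derivation primitive so the example runs on the Python standard library alone. The initial key and Initial Key ID are constructed sample values.

```python
"""Model of the X9.24-3 (AES DUKPT) key hierarchy: the host keeps the initial
key and re-derives any transaction's working key from the KSN; the device keeps
only a register of future intermediate keys and erases each one after use."""
import hashlib
import hmac

# Derivation-data field values as recalled from X9.24-3 (assumption: verify
# against the standard before relying on the exact constants).
VERSION_ID = 0x01
USAGE_PIN_ENCRYPTION = 0x1000
USAGE_DATA_ENCRYPT = 0x3000      # account-data (SRED) encryption key
USAGE_KEY_DERIVATION = 0x8000    # intermediate derivation key
ALG_AES128 = 0x0002
KEY_BITS_AES128 = 0x0080


def derivation_data(key_usage: int, ikid: bytes, counter: int) -> bytes:
    """16-byte derivation block: version, key-block counter, usage, algorithm,
    key length, then the rightmost 8 bytes of the KSN (ikid[4:8] || counter)."""
    assert len(ikid) == 8 and 0 <= counter < 2 ** 32
    return (bytes([VERSION_ID, 0x01])
            + key_usage.to_bytes(2, "big")
            + ALG_AES128.to_bytes(2, "big")
            + KEY_BITS_AES128.to_bytes(2, "big")
            + ikid[4:8] + counter.to_bytes(4, "big"))


def derive_key(derivation_key: bytes, key_usage: int, ikid: bytes, counter: int) -> bytes:
    """One-way derivation of a 16-byte key. X9.24-3 encrypts the derivation data
    with AES-ECB under the derivation key; HMAC-SHA-256 (truncated) stands in
    here (assumption). The property that matters is the same: the child key
    reveals nothing about its parent."""
    data = derivation_data(key_usage, ikid, counter)
    return hmac.new(derivation_key, data, hashlib.sha256).digest()[:16]


def host_derive_working_key(initial_key: bytes, ikid: bytes, counter: int, usage: int) -> bytes:
    """Host side: walk the set bits of the transaction counter from MSB to LSB,
    deriving one intermediate key per set bit, then the working key."""
    key = initial_key
    prefix = 0
    for bit in range(31, -1, -1):
        if counter & (1 << bit):
            prefix |= 1 << bit
            key = derive_key(key, USAGE_KEY_DERIVATION, ikid, prefix)
    return derive_key(key, usage, ikid, counter)


class DukptDevice:
    """Device side: the initial key is used only to fill the future-key
    register (at most 32 intermediate keys at any time) and is not kept."""

    def __init__(self, initial_key: bytes, ikid: bytes):
        self.ikid = ikid
        self.counter = 0
        # Counter 0's children are the 32 single-bit counters 1, 2, 4, ..., 2**31.
        self.future_keys = {
            1 << i: derive_key(initial_key, USAGE_KEY_DERIVATION, ikid, 1 << i)
            for i in range(32)}

    def next_transaction(self, usage: int):
        """Advance the counter, return (KSN, working key), and replace the
        consumed intermediate key with its children (this counter with one
        lower bit added). The consumed key is dropped, so this transaction's
        working key cannot be recomputed from device state afterwards."""
        if self.counter + 1 >= 2 ** 32:
            raise RuntimeError("DUKPT counter exhausted; device must be re-injected")
        self.counter += 1
        ik = self.future_keys.pop(self.counter)
        lowest_set_bit = (self.counter & -self.counter).bit_length() - 1
        for bit in range(lowest_set_bit):
            child = self.counter | (1 << bit)
            self.future_keys[child] = derive_key(ik, USAGE_KEY_DERIVATION, self.ikid, child)
        working = derive_key(ik, usage, self.ikid, self.counter)
        ksn = self.ikid + self.counter.to_bytes(4, "big")
        return ksn, working


def demo():
    """Constructed sample: one device, three transactions, host re-derivation.
    Returns [(counter, host_matches_device, working_key), ...]."""
    initial_key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed
    ikid = bytes.fromhex("1234567890123456")                          # constructed
    dev = DukptDevice(initial_key, ikid)
    results = []
    for _ in range(3):
        ksn, wk = dev.next_transaction(USAGE_DATA_ENCRYPT)
        counter = int.from_bytes(ksn[8:], "big")
        host_wk = host_derive_working_key(initial_key, ikid, counter, USAGE_DATA_ENCRYPT)
        results.append((counter, wk == host_wk, wk))
    return results


if __name__ == "__main__":
    for counter, ok, wk in demo():
        print(f"counter={counter} host==device={ok} working_key={wk.hex()}")
```

Two things to notice when running it: the host reproduces every device key from the KSN alone, so the host only ever needs the initial key, and after each transaction the device register no longer contains the key for that counter, which is what gives a compromised terminal's key material no value against earlier transactions. The same intermediate key yields different PIN and account-data keys because the usage indicator is part of the derivation data. The standard's cap on how many set bits a counter may have, which bounds derivation depth, is not modelled here.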
Table 5-1 - DynaFlex II Products Keys

Key Name                | Size                                                   | Algorithm                        | Purpose
Transport Keys          | 32 bytes                                               | AES TR-31 KBPKs                  | Key injection
Account Data Key        | 16 bytes for TDEA and AES-128; 32 bytes for AES-256    | AES and TDEA DUKPT (ANS X9.24-3) | Encrypt and MAC account data
PIN Encryption Key      | 16 bytes for TDEA and AES-128; 32 bytes for AES-256    | AES and TDEA DUKPT (ANS X9.24-3) | Encrypt PIN
Firmware Protection Key | 64 bytes for ECDSA curve P-256                         | ECC-DSA SHA-256                  | Checks integrity and authenticity of firmware
EMV CA Public Keys      | Varies per issuer                                      | RSA                              | Authenticate card data and keys

DynaFlex II PED | PIN Entry Device | PCI PTS POI v6.2 Security Policy, Page 21 of 24 (D998200520-15)