5 Security

5.1 Account Data Protection
The device always encrypts account data from all three reader types using 112-bit TDEA, 128-bit AES, or
256-bit AES algorithms with X9.24 DUKPT key management. This device does not support any
mechanisms such as whitelists or SRED disable that would allow the data to be sent out unencrypted.
5.2 Algorithms Supported
The device includes the following cryptographic algorithms:
• AES
• TDEA
• RSA
• ECDSA (P256 and P521 curves)
• SHA-256
5.3 Key Management
The device implements the original AES/TDEA DUKPT as its only key management method. Use of any
other method will invalidate PCI approval. DUKPT derives a new unique key for every transaction. For
more details, see ANS X9.24 Part 3:2017.
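To make the "new unique key for every transaction" statement concrete, the following added example (not code from the device, from MagTek, or from this policy) shows the host-side AES-128 DUKPT derivation of ANS X9.24-3: the initial key is derived from a base derivation key (BDK) and the initial key ID, and a working key is then derived for a given transaction counter by walking the counter's set bits. The BDK and initial key ID are constructed sample values; the key usage and key type indicator bytes and the derivation-data layout are written here from the standard as the author recalls them, and a production implementation must be validated against the test vectors in the standard's annex.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Key usage indicators (derivation data bytes 2-3) and key type indicators
// (bytes 4-5) as assigned in ANS X9.24-3:2017; only the values this example
// needs are listed. Verify against the standard before relying on them.
const (
	usageKeyDerivation uint16 = 0x8001 // intermediate derivation keys
	usageInitialKey    uint16 = 0x8002 // the device's initial key
	usageDataEncrypt   uint16 = 0x3000 // working key for data encryption
	typeAES128         uint16 = 0x0002
)

// deriveAES128Key is the "Derive Key" step for a 128-bit derived key: a single
// AES-ECB encryption of the 16-byte derivation data under the parent key.
func deriveAES128Key(parent, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(parent)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	block.Encrypt(out, data)
	return out, nil
}

// derivationData builds the 16-byte derivation data for an AES-128 derived key:
//   byte 0     version (0x01)
//   byte 1     key block counter (0x01: the only block of a 128-bit key)
//   bytes 2-3  key usage indicator
//   bytes 4-5  type of the derived key
//   bytes 6-7  derived key length in bits (0x0080)
//   bytes 8-15 the 8-byte initial key ID when deriving the initial key; otherwise
//              the low 4 bytes of the initial key ID followed by the 32-bit counter
func derivationData(usage, keyType uint16, initialKeyID []byte, counter uint32) []byte {
	d := make([]byte, 16)
	d[0] = 0x01
	d[1] = 0x01
	binary.BigEndian.PutUint16(d[2:], usage)
	binary.BigEndian.PutUint16(d[4:], keyType)
	binary.BigEndian.PutUint16(d[6:], 128)
	if usage == usageInitialKey {
		copy(d[8:], initialKeyID[:8])
	} else {
		copy(d[8:], initialKeyID[4:8])
		binary.BigEndian.PutUint32(d[12:], counter)
	}
	return d
}

// DeriveInitialKey derives the device's initial key from the BDK and the
// initial key ID (the leading 8 bytes of the 12-byte key serial number).
func DeriveInitialKey(bdk, initialKeyID []byte) ([]byte, error) {
	return deriveAES128Key(bdk, derivationData(usageInitialKey, typeAES128, initialKeyID, 0))
}

// HostDeriveWorkingKey is the host-side algorithm: for each set bit of the
// transaction counter, from the most significant bit down, derive one
// intermediate key, then derive the working key for the requested usage.
func HostDeriveWorkingKey(initialKey, initialKeyID []byte, counter uint32, usage uint16) ([]byte, error) {
	key := initialKey
	var workingCounter uint32
	for mask := uint32(1) << 31; mask != 0; mask >>= 1 {
		if counter&mask == 0 {
			continue
		}
		workingCounter |= mask
		next, err := deriveAES128Key(key, derivationData(usageKeyDerivation, typeAES128, initialKeyID, workingCounter))
		if err != nil {
			return nil, err
		}
		key = next
	}
	return deriveAES128Key(key, derivationData(usage, typeAES128, initialKeyID, counter))
}

func main() {
	// Constructed sample values for this example; not keys from the device or the policy.
	bdk, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	initialKeyID, _ := hex.DecodeString("0123456789ABCDEF")
	initialKey, err := DeriveInitialKey(bdk, initialKeyID)
	if err != nil {
		panic(err)
	}
	for _, ctr := range []uint32{1, 2, 3} {
		wk, _ := HostDeriveWorkingKey(initialKey, initialKeyID, ctr, usageDataEncrypt)
		fmt.Printf("counter %d data-encryption key %X\n", ctr, wk)
	}
}
```

The host only needs the BDK and the key serial number carried with each message to reproduce the working key. The device side is different by design: it holds a table of intermediate keys, erases each one once the keys below it have been derived, and never stores the BDK, which is why compromise of a reader does not expose past transaction keys or other readers' keys.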
Table 5-1 - DynaFlex II Go Product Keys

Key Name                | Size                                                | Algorithm                        | Purpose
Transport Keys          | 32 bytes                                            | AES X9.143 KBPKs                 | Key Injection
Account Data Key        | 16 bytes for TDEA and AES-128; 32 bytes for AES-256 | AES and TDEA DUKPT (ANS X9.24-3) | Encrypt and MAC Account Data
Firmware Protection Key | 64 bytes for ECDSA Curve P-256                      | ECDSA and SHA-256                | Checks integrity and authenticity of firmware
EMV CA Public keys      | Varies per issuer                                   | RSA                              | Authenticate card data and keys

5.4 Key Loading
The device does not support manual or plaintext cryptographic key entry. Only specialized tools,
compliant with key management requirements and cryptographic methods, specifically ANSI X9.143, can
be used for key loading. Use of any other methods will invalidate PCI approval.

5.5 Key Replacement
Keys should be replaced with new keys whenever the original key is known or suspected to have been
compromised, and whenever the time deemed feasible to determine the key by exhaustive attack has
elapsed, as defined in NIST SP 800-57-1.

DynaFlex II Go | Secure Card Reader | PCI PTS POI v6.2 Security Policy
Page 16 of 18 (D998200596-100)