What do the different Security Levels mean in SecureMag/SecureHead, SecureKey, SREDKey/SREDKey2?

Security Levels:

The reader features configurable security settings. Before encryption can be enabled and encrypted transactions can take place, the Key Serial Number (KSN) and Base Derivation Key (BDK) must be loaded. The keys are to be injected by a certified key injection facility.


There are five security levels available on the reader as specified in the following:

Level 0:

Security Level 0 is a special case in which all DUKPT keys have been used; the reader sets it automatically when it runs out of DUKPT keys. The lifetime of DUKPT keys is 1 million. Once the keys' end of lifetime is reached, the user should inject DUKPT keys again before doing any more transactions.

Level 1:

By default, readers from the factory are configured to have this security level. There is no encryption process, and no key serial number transmitted with decoded data. The reader functions as a non-encrypting reader and the decoded clear track data is sent out in default mode.

Level 2:

Key Serial Number and Base Derivation Key have been injected but the encryption process is not yet activated. The reader will send out decoded clear track data in the default format. Setting the encryption type to TDES and AES will change the reader to security level 3.

Level 3:

Both Key Serial Number and Base Derivation Keys are injected and encryption mode is turned on. For payment cards, both encrypted data and masked clear text data are sent out. Users can select the data masking of the PAN area; the encrypted data format cannot be modified. Users can choose whether to send hashed data and whether to reveal the card expiration date.

Level 4:

When the reader is at Security Level 4, a correctly executed Authentication Sequence is required before the reader sends out data for a card swipe. Commands that require security must be sent with a four-byte Message Authentication Code (MAC) at the end. Note that data supplied to the MAC algorithm should NOT be converted to ASCII-Hex; rather, it should be supplied in its raw binary form. Calculating the MAC requires knowledge of the current DUKPT KSN, which can be retrieved using the Get DUKPT KSN and Counter commands.
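The following is an added example, not code from the original page or the vendor: it estimates how many DUKPT keys remain before a reader falls to Security Level 0, given a KSN read from the device. It assumes the 80-bit KSN layout of ANSI X9.24-1 TDES DUKPT (the rightmost 21 bits are the transaction counter, and counter values with more than ten 1 bits are skipped), which yields the roughly 1 million key lifetime; the function names and sample KSNs are constructed for illustration.

```python
from math import comb

COUNTER_BITS = 21   # assumption: ANSI X9.24-1 TDES DUKPT KSN layout
MAX_ONE_BITS = 10   # counter values with more 1 bits than this are skipped
# Non-zero 21-bit counters with at most ten 1 bits: 2**20 - 1 = 1,048,575
TOTAL_KEYS = sum(comb(COUNTER_BITS, k) for k in range(1, MAX_ONE_BITS + 1))


def ksn_counter(ksn_hex: str) -> int:
    """Return the 21-bit transaction counter from a 10-byte KSN in hex."""
    ksn = bytes.fromhex(ksn_hex)
    if len(ksn) != 10:
        raise ValueError("expected a 10-byte (20 hex digit) KSN")
    return int.from_bytes(ksn, "big") & ((1 << COUNTER_BITS) - 1)


def keys_used_through(counter: int) -> int:
    """Count the valid counter values in 1..counter without enumerating them."""
    count, ones = 0, 0
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if (counter >> bit) & 1:
            # Values sharing the higher bits, with this bit 0 and the lower
            # bits free, as long as the total stays within the 1-bit budget.
            budget = MAX_ONE_BITS - ones
            count += sum(comb(bit, k) for k in range(budget + 1))
            ones += 1
            if ones > MAX_ONE_BITS:
                break           # counter itself has too many 1 bits
    else:
        count += 1              # counter itself is a valid value
    return count - 1            # counter 0 is never used as a key


def keys_remaining(ksn_hex: str) -> int:
    """DUKPT keys left before the counter is exhausted (Security Level 0)."""
    return TOTAL_KEYS - keys_used_through(ksn_counter(ksn_hex))


if __name__ == "__main__":
    # Constructed sample KSNs, not taken from a real device.
    for sample in ("FFFF9876543210E00001", "FFFF9876543210FFF800"):
        print(sample, "keys remaining:", keys_remaining(sample))
```

Polling the KSN periodically and alerting when `keys_remaining` drops below a chosen threshold gives time to schedule re-injection before the reader reaches Level 0.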


