Q & A related to the salt keys injected into the products such as NEO II, KIOSK IV and KIOSK V (SRED and Non-SRED version units)

Q1. Are the default salt keys injected into the production version of Kiosk V the same as those injected into the demo version?
A. No, the salt keys injected into the production unit and the Demo unit are different.  The salt key injected into all demo units is the same.

Q2. Will the default salt key injected into the production version be different for each customer? Or is it the same for all customers? Will IDTech manage the salt key injected by default in the product version?

A. It is the customer’s decision on what salt key to load for their production readers. ID TECH does have a production salt key for customers to use if they do not want to create a salt key of their own. 

If a customer chooses to load a salt key, they can load either an IDTECH-provided salt key or a salt key of their own choosing

Q3. If the customer chooses not to load the salt key, does that mean the production reader will be left with no salt key and will not be able to hash the PAN?

A. Yes, if no salt key is loaded, the reader will not output HMAC PAN.

Q4. Is the salt key a DUKPT key or a fixed key?

A. IDTECH products currently only support the fixed salt key.

Q5. Is the PAN hashed with the salt key stored in the "DFEC11" tag?

A. Yes, for the SRED version products, tag DFEC11 stores the salted hash token.  This tag will be output by default. To disable the output of the DFEC11 tag, use tag DFEC10 with the value 00. (01 is to enable the DFEC11 tag output)

For non-SRED version products, DFED68 is the tag holding the HMAC of the PAN

Related articles

• Page:
  Can I Use my ID TECH Bluetooth Reader with Windows?
• Page:
  How to disable Contactless Magstripe transactions on the reader?
• Page:
  How Do I Reset a PiP to Delete All Merchant IDs?
• Page:
  How Do I Disable Contactless MSD Transactions?
• Page:
  How do I determine if a mobile service was used to process a sale (with Apple Pay etc.)?