All Tools
Tools/Payment Crypto Network Glossary
🔐
ReferenceAvailable

Payment Crypto Network Glossary

Comprehensive reference of cryptographic terms in payment networks — key hierarchy, EMV cryptograms, DUKPT, HSM infrastructure — plus an interactive big-picture network map.

60 of 60 terms
ZMKZone Master KeyNetworkKey Hierarchy

A 3DES or AES key shared between two HSMs (e.g. acquirer and network) used solely to encrypt other working keys during key exchange. Never used directly for data. Also called Inter-Zone Key (IZK).

ZPKZone PIN KeyNetworkKey Hierarchy

A working key shared between acquirer and issuer (under ZMK protection) used to encrypt PIN blocks as they transit the network. Each ZPK is unique per bilateral relationship.

ZAKZone Authentication KeyNetworkKey Hierarchy

A working key used to generate or verify MACs on ISO 8583 messages between network participants. Ensures message integrity across zone boundaries.

ZEKZone Encryption KeyNetworkKey Hierarchy

A working key used for encrypting sensitive data fields (other than PIN) as they travel between network zones. Analogous to ZPK but for general data.

TMKTerminal Master KeyTerminalKey Hierarchy

A 3DES key loaded into a POS terminal or ATM (often via TR-31 or out-of-band ceremony) that is used to protect the exchange of working keys between the terminal and its acquirer host.

TPKTerminal PIN KeyTerminalKey Hierarchy

A working key loaded under TMK protection into a PIN entry device. Used to encrypt the cardholder PIN into a PIN block format (ISO 9564 Format 0, 1, 3, or 4) before transmission.

TAKTerminal Authentication KeyTerminalKey Hierarchy

A working key loaded under TMK protection into a terminal and used to compute MACs on ISO 8583 messages sent to the acquirer host. Ensures request/response integrity.

KEKKey Encryption KeyHSMKey Hierarchy

A generic term for any key whose sole purpose is to encrypt (wrap) another key. ZMK and TMK are both KEKs in context. TR-31 uses the Key Block Protection Key (KBPK) as its KEK.

KBPKKey Block Protection KeyHSMKey Hierarchy

The specific key used in TR-31 to derive the Key Block Encryption Key (KBEK) and Key Block Authentication Key (KBAK) via a key derivation function. Replaces the raw KEK concept in modern deployments.

IMKIssuer Master KeyIssuerEMV Keys

A 3DES or AES master key held by the issuer HSM used to derive card-specific Unique Derived Keys (UDK). The IMK never leaves the HSM. Each transaction application (AC, SM, DN) uses a separate IMK.

UDKUnique Derived KeyCardEMV Keys

A per-card key derived from the Issuer Master Key (IMK) using the PAN and PAN Sequence Number via EMV Option A or Option B diversification. Stored on the chip and in the issuer HSM.

ARQCApplication Request CryptogramCardEMV Keys

A cryptogram generated by the card chip during a transaction using the UDK and transaction data (amount, unpredictable number, ATC, etc.). The issuer verifies it during online authorization to prove the card is genuine.

ARPCApplication Response CryptogramIssuerEMV Keys

A cryptogram generated by the issuer HSM in response to an ARQC. The card verifies ARPC to confirm the issuer is genuine (mutual authentication). Calculated per CVN10 or CVN18 depending on card config.

TCTransaction CertificateCardEMV Keys

A cryptogram generated by the card chip after the issuer approves, completing the two-way authentication. Stored for offline dispute evidence. Uses the same key derivation as ARQC.

AACApplication Authentication CryptogramCardEMV Keys

Cryptogram generated by the card when it declines the transaction offline. Proves the card chip made the decline decision, not a rogue terminal.

CVKCard Verification KeyIssuerEMV Keys

A 3DES key pair (CVK-A and CVK-B) used to generate and verify CVV/CVC values on the card magnetic stripe and in chip static data. Stored in the issuer HSM.

PVKPIN Verification KeyIssuerEMV Keys

A 3DES key used to compute and verify the PIN Verification Value (PVV). The issuer stores the PVV on the card or in a database; at authorization the HSM recomputes it from the PVK and PAN to verify the PIN.

BDKBase Derivation KeyHSMDUKPT

The root 3DES or AES key in the DUKPT (ANSI X9.24) scheme. Stored only in the acquirer HSM. Used to derive IPEKs which are injected into terminals — the BDK itself never leaves the HSM.

IPEKInitial PIN Encryption KeyTerminalDUKPT

A terminal-specific key derived from the BDK and the base portion of the KSN. Injected into a PED at manufacture or key injection. The terminal derives all future transaction keys from this IPEK without ever seeing the BDK.

KSNKey Serial NumberTerminalDUKPT

A 10-byte value in DUKPT comprising the Key Set Identifier (KSI, linking to a BDK) and a transaction counter. Sent in the clear with each transaction so the HSM can rederive the correct future key.

DUKPTDerived Unique Key Per TransactionTerminalDUKPT

A key management scheme (ANSI X9.24) where each transaction uses a unique encryption key derived from IPEK + KSN. Eliminates the risk of reusing a single terminal key; compromise of one key does not expose others.

3DESTriple DESPrimitiveAlgorithm

A symmetric cipher applying DES three times with 2 or 3 independent 56-bit keys (total effective security ~112 bits). The dominant encryption algorithm in legacy payment HSMs. Being replaced by AES in newer deployments.

AESAdvanced Encryption StandardPrimitiveAlgorithm

A symmetric block cipher operating on 128-bit blocks with 128, 192, or 256-bit keys. Successor to 3DES in modern HSMs and EMV. Used in DUKPT AES (ANSI X9.24 Part 3) and AES-CMAC for MACs.

RSARSAPrimitiveAlgorithm

An asymmetric cipher used in payment systems for key transport (TR-34), certificate signing (EMV CA keys), and secure communication. Key sizes of 2048 or 4096 bits are standard; 1024-bit is deprecated.

ECDSAElliptic Curve DSAPrimitiveAlgorithm

An asymmetric signature algorithm based on elliptic curve cryptography. Used in contactless EMV (SDA, DDA, CDA) and increasingly in HSM-to-HSM authentication as a compact alternative to RSA.

MACMessage Authentication CodePrimitiveAlgorithm

A short tag appended to a message proving both integrity (not tampered) and authenticity (from the keyed party). Payment MACs use ISO 9797 Algorithms 1, 2, or 3 (Retail MAC) with 3DES, or AES-CMAC.

CMACCipher-based MACPrimitiveAlgorithm

An AES-based MAC construction (NIST SP 800-38B). Used in DUKPT AES, EMV session key derivation, and ISO 9797 Algorithm 5. Provides stronger security properties than the legacy Retail MAC.

HMACHash-based MACPrimitiveAlgorithm

A MAC built on a hash function (SHA-256, SHA-512). Used in API authentication, webhook signatures, and 3DS 2.x message integrity. Not typically used for PIN or key protection (that domain uses cipher-based MACs).

SHASecure Hash AlgorithmPrimitiveAlgorithm

A family of one-way hash functions. SHA-1 (deprecated), SHA-256, and SHA-512 are used in payment: HMAC computation, certificate fingerprinting, and key derivation functions within EMV and TR-31.

TR-31TR-31 Key BlockHSMKey Transport

An ANSI standard for secure key exchange between HSMs. A key block wraps the key value with a clear-text header (algorithm, usage, mode, exportability) and an authentication MAC — preventing key misuse even if decrypted.

TR-34TR-34 Key DistributionHSMKey Transport

An ANSI standard for distributing symmetric keys between a Key Distribution Host (KDH) and a Key Receiving Device (KRD) using asymmetric RSA. Replaces manual key ceremonies. Uses CMS (PKCS#7) as the token format.

X.509X.509 CertificatePKIKey Transport

The standard format for public key certificates used to bind an identity to an RSA or ECC public key. Required in TR-34 (to authenticate KDH/KRD), EMV chip data verification (CA, Issuer, ICC certificates), and 3DS 2.x.

PKIPublic Key InfrastructurePKIKey Transport

The ecosystem of certificate authorities, registration authorities, certificate revocation lists, and policies governing issuance and trust of X.509 certificates. Visa, Mastercard, and Amex each run scheme-level CAs for EMV.

HSMHardware Security ModuleHSMInfrastructure

A tamper-evident, FIPS 140-2 Level 3 (or PCI HSM) certified hardware device that generates, stores, and processes cryptographic keys in a physically secure boundary. No key ever exits the HSM in the clear.

KCVKey Check ValueHSMInfrastructure

The first 3 bytes of encrypting an all-zero block with a symmetric key (using 3DES or AES). Used to verify a key was loaded correctly without revealing the key value. Two parties compare KCVs after a key exchange.

PIN BlockPIN BlockTerminalInfrastructure

A formatted binary block encoding the cardholder PIN and (for Format 0, 3) the PAN, before encryption. ISO 9564 defines formats 0–4. Format 0 (ANSI) is most common; Format 4 (AES) is the modern equivalent.

PEDPIN Entry DeviceTerminalInfrastructure

A tamper-resistant, PCI PTS-certified hardware device accepting PIN input. PED hardware zeroizes keys on tamper detection. Stores TPK or IPEK for PIN encryption.

ATCApplication Transaction CounterCardInfrastructure

A monotonically increasing counter stored on the EMV chip, incremented with every transaction attempt. Included in ARQC computation — prevents replay attacks by making each cryptogram unique.

UNUnpredictable NumberTerminalInfrastructure

A 4-byte random number generated by the terminal and included in ARQC computation to provide freshness/liveness guarantee. Prevents pre-computed cryptogram attacks.

CA KeyCertification Authority Public KeyPKIEMV PKI

The root RSA public key for a payment scheme (Visa, Mastercard, Amex). Distributed to terminals via the scheme and used to verify the Issuer Public Key Certificate on each card. Identified by a 1-byte RID + Index.

SDAStatic Data AuthenticationCardEMV PKI

The simplest EMV authentication method. The card stores a scheme-signed static data record. The terminal verifies the signature using the CA and Issuer public keys. Vulnerable to cloning (card data can be copied unchanged).

DDADynamic Data AuthenticationCardEMV PKI

EMV authentication where the card uses its own ICC Private Key to sign dynamic transaction data (including the terminal's Unpredictable Number). Each signature is unique; prevents card cloning used against SDA.

CDACombined DDA/Application CryptogramCardEMV PKI

Combines DDA signature and ARQC generation into a single command (GENERATE AC). The signed data includes the cryptogram itself, proving both card authenticity and transaction binding in one step.

ODAOffline Data AuthenticationCardEMV Transaction

The umbrella term for SDA, DDA and CDA. Lets the terminal cryptographically verify the card without going online to the issuer.

CVMCardholder Verification MethodTerminalEMV Transaction

How the cardholder is verified during a transaction: offline PIN, online PIN, signature, on-device (CDCVM), or no CVM. The card's CVM List (tag 8E) ranks the methods to try.

ICCIntegrated Circuit CardCardEMV Transaction

The chip embedded in an EMV card. "ICC" is used throughout the EMV specs to mean the chip together with its data and keys.

AIPApplication Interchange ProfileCardEMV Transaction

Tag 82 — a 2-byte bitmap returned in the GPO response stating which functions the card supports: SDA, DDA, CDA, cardholder verification, terminal risk management and issuer authentication.

TVRTerminal Verification ResultsTerminalEMV Transaction

Tag 95 — a 5-byte bitfield in which the terminal records the outcome of every risk and verification check performed during the transaction.

TSITransaction Status InformationTerminalEMV Transaction

Tag 9B — a 2-byte bitfield indicating which functions the terminal actually performed (offline data authentication, cardholder verification, risk management, issuer authentication, script processing).

IADIssuer Application DataCardEMV Transaction

Tag 9F10 — issuer- and application-specific data the card returns with the cryptogram. Its layout depends on the CVN (e.g. Visa CVN10/18, Mastercard M/Chip).

GPOGet Processing OptionsTerminalEMV Transaction

The EMV command that begins transaction processing. The card returns the AIP and the AFL (the list of records the terminal must read).

TDOLTransaction Certificate Data Object ListCardEMV Transaction

Tag 97 — a card-supplied list naming the data the terminal must concatenate and hash to build the TC Hash used in the Transaction Certificate.

DDOLDynamic Data Object ListCardEMV Transaction

Tag 9F49 — a card-supplied list naming the data the terminal must pass to the card (typically the Unpredictable Number) for Dynamic Data Authentication.

MSDMagnetic-Stripe Data modeCardContactless

A legacy contactless mode that reproduces magnetic-stripe track data over the contactless interface instead of performing full EMV chip processing. Being phased out.

VSDCVisa Smart Debit/CreditCardContactless

Visa's full EMV chip application, used for contact transactions and full-EMV-mode contactless.

qVSDCQuick VSDCCardContactless

Visa's streamlined contactless profile (Tap to Pay). The card returns everything needed to authorise in a single tap, using fDDA for authentication.

fDDAFast Dynamic Data AuthenticationCardContactless

The contactless form of DDA used by Visa qVSDC. The card signs dynamic data (including the terminal's Unpredictable Number) in one step during the tap.

TTQTerminal Transaction QualifiersTerminalContactless

Tag 9F66 — a 4-byte bitmap the Visa contactless reader places in the PDOL to tell the card what it supports and requires (MSD/qVSDC, online PIN, CVM, and more).

CTQCard Transaction QualifiersCardContactless

Tag 9F6C — a 2-byte bitmap the card returns to instruct the terminal on its requirements, e.g. online PIN, signature, or the conditions under which to go online.

CDCVMConsumer Device Cardholder Verification MethodCardContactless

Cardholder verification performed on the consumer's own device (phone/watch biometrics or passcode) rather than at the terminal. Used by mobile wallets such as Apple Pay and Google Pay.