- 26 Nov 2024
Protecting EMV-CAP data
- Updated on 26 Nov 2024
EMV-CAP is the Chip Authentication Program (CAP) developed by credit card leaders Europay, Mastercard, and Visa (EMV). Implementing EMV-CAP involves sensitive data that requires confidentiality.
Protecting EMV-CAP data using software encryption
The primary account number (PAN) is considered confidential. PANs are never disclosed or displayed in clear text in the GUI, but are masked when displayed on the screen. Even OneSpan Authentication Server administrators cannot see this information, unless they have the View Clear PAN administrative privilege assigned. To protect PANs in the OneSpan Authentication Server data store, they are encrypted using the sensitive data keys (see Protecting sensitive data).
Protecting EMV-CAP data using a hardware security module (HSM)
PCI DSS certification requires that keys are not stored in clear text on a machine and are not protected by software encryption alone.
Issuer master keys (IMK) are used to derive the smart card master key (SCMK). They must be imported to a hardware security module (HSM).
The BLOB data with the smart card master key (SCMK) is generated by the HSM using the issuer master key (IMK) and the card data during the card import process. Unlike authenticator application BLOB data for a regular authenticator, which is imported from a host file, EMV-CAP BLOB data is generated by OneSpan Authentication Server when the new cards are imported into the card management system of the customer.