Key Generation Guidelines Version 2.2 and Common HSM Operations 2020 (1)

This document provides guidelines for key generation and common operations related to Hardware Security Modules (HSM), specifically focusing on the Thales HSM models. It outlines procedures for accessing the HSM, changing modes, loading keys, and generating various types of keys necessary for secure card issuance. Additionally, it includes a confidentiality statement and a change history of the document's versions and updates.

Uploaded by

solaray1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views

Key Generation Guidelines Version 2.2 and Common HSM Operations 2020 (1)

This document provides guidelines for key generation and common operations related to Hardware Security Modules (HSM), specifically focusing on the Thales HSM models. It outlines procedures for accessing the HSM, changing modes, loading keys, and generating various types of keys necessary for secure card issuance. Additionally, it includes a confidentiality statement and a change history of the document's versions and updates.

Uploaded by

solaray1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 23

Key Generation Guidelines

& Common HSM operations


Confidentiality Statement
This document, and any attachments thereto, regardless of form or medium, is intended only for use by
the addressee and may contain legally privileged and/or confidential, copyrighted, trademarked,
patented or otherwise restricted information viewable by the intended recipient only. If you are not the
intended recipient of this document (or the person responsible for delivering this document to the
intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of
this document, and any attachment thereto, is strictly prohibited and violation of this condition may
infringe upon copyright, trademark, patent, or other laws protecting proprietary and, or, intellectual
property. In no event shall this document be delivered to anyone other than the intended recipient or
original sender and violation may be considered a breach of law fully punishable by the laws of the
Federal Republic of Nigeria. If you have received this document in error, please respond to the
originator of this message or email him/her at the address below and permanently delete and/or shred
the original and any copies and any electronic form this document, and any attachments thereto and do
not disseminate further.
Thank you for your consideration, InterSwitch Group.
Please respond to [email protected] with any questions or concerns.
Where no notice is given, all information contained herein is Copyright 2025 InterSwitch Group.
Document Change History

Version | Date | Author | Approval | Summary of Change
2.0 | Sept 2018 | Tosin Ozoya | Vincent Ogbunude | First draft
2.1 | Nov 2018 | Efe Ayeni | | Changed the procedure for generating the Card Verification Values 1 & 2
2.2 | June 2020 | Adewale Oloyi | Oluseye Ogunbodede | Included common HSM operations and key types; how to import keys (Visa keys too); enabling host/console commands on the Thales 10K model; the outdated commands on the Thales 10K model
Purpose Of Document:
- Captures common HSM operations and how to operate/access the HSM
- Describes the differences between the Thales HSM 10K model and older models
- Captures the key generation activities to be performed at the Banks in preparation for card issuance.
OPERATING AND ACCESSING THE THALES HSM
The Hardware Security Module (HSM), also called the Host Security Module in Thales documentation, is a key management
and storage device that provides Postilion Realtime with its cryptographic functions.

Access to the HSM console is gained through a terminal emulator such as PuTTY or HyperTerminal.

Connect the USB-to-USB-C cable to the HSM (the USB-A end goes to the laptop, the USB-C end to the console port on the
front of the HSM). Power the HSM by plugging in the power cable. The 10K model also requires you to press the (black)
power button at the back of the unit.

NB: the 10K model uses a USB-to-USB-C console cable. Older models (e.g. the payShield 9000) use a 9-pin serial (RS-232)
console cable; the connector resembles a VGA plug but is a DB9 serial port, not VGA.

1. First, check the COM port assigned to the cable via the laptop's 'Computer Management -> Device Manager' console so you
know which COM number to configure in PuTTY.

Launch PuTTY as a serial connection with the default console settings below:

Baud: 9600
Data bits: 8, no parity, 1 stop bit
Flow control: XON/XOFF
HOW TO CHANGE HSM MODES

There are 3 HSM modes, indicated by the console prompt: Online>, Offline> or Secure>.

[Figure in original: how to change HSM modes]

After authorizing the HSM, these prompts become Online-AUTH>, Offline-AUTH> or Secure-AUTH>.

How to load keys on a HSM

You need all 3 key officers to carry out this operation, and the officers must insert their cards in the order in which
the HSM asks for them. Whenever the HSM security settings are reconfigured, the LMK has to be reloaded. Follow the steps
below to do it.

Secure>LK

Enter LMK id [0-1]:


Enter comments:

Load LMK from components or shares


Insert card and press ENTER:

Enter PIN: ******

Check: 874261
Load more components? [Y/N]: Y

Enter PIN: ******

Check: 746392
Load more components? [Y/N]: Y

Enter PIN: ******

Check: 794092
Load more components? [Y/N]: N

LMK Check: 5403 7582 1339 1234


LMK id: 00
LMK key scheme: Variant
LMK algorithm: 3DES(2key)
LMK status: Live
Comments:

Confirm Details? [Y/N]: Y

Use the LO/LN commands to load LMKs into key change storage (LO for the old LMK, LN for the new LMK).

HOW TO AUTHORIZE A HSM

You need the 1st & 2nd Key officers to carry out this operation. Whenever the HSM restarts, you will need to authorize the HSM.
Follow the steps below to do it.
Secure>A
Enter LMK id [0-1]:
First officer:
Insert card and press ENTER:
Enter PIN: ******
Second officer:
Insert card and press ENTER:
Enter PIN: ******
AUTHORIZED
Secure-AUTH>
Always remember to return the HSM to Online-AUTH mode afterwards. Otherwise the HSM will not be operational for processing
transactions.
HOW TO QUERY THE EXISTING HSM CONFIGURATION AND CONFIGURE IT:
Launch the PuTTY session and type any of the following console commands.

1) QC (Query Console): shows the console (serial) settings used to log in to the HSM
2) CC (Configure Console): configures the console settings
3) QS (Query Settings): shows the HSM's security settings
4) CS (Configure Settings): configures the HSM's security settings
5) QH (Query Host): shows the HSM's host-port IP settings
6) CH (Configure Host): configures the HSM's host-port IP settings
7) VR (Version Release): shows the HSM's software/firmware details
8) ERRLOG: retrieves the error log from the HSM
9) CLEARERR: clears the error log
10) QM (Query Management): shows the HSM's management-port IP details
11) CM (Configure Management): configures the HSM's management-port IP details
12) VT (View LMK Table): shows the loaded LMK details (LMK ID, check value, etc.)

Enabling host/console commands on the Thales 10K model:

There are 2 types of commands on a Thales HSM:
- console (C) commands, typed at the console prompt
- host (H) commands, sent by the host application (e.g. Postilion) over the network
The payShield 10K provides over 80 console (C) commands and 225 host (H) commands.
On the Thales 10K HSM, all host commands, most console commands (excluding the CONFIGCMDS command itself) and some PIN
block formats are disabled by default from the factory for security reasons. Disabled commands are not available until
they are re-enabled, and you should only enable the commands that are actually required.
Use the following steps to enable host and console commands:
1) Put the HSM in Secure mode
2) Type CONFIGCMDS
3) The HSM prompts 'Enter command code (e.g. +CDE) or Q to Quit:'. A leading '+' enables the named command (and '-' disables it)
4) Type +H* and press Enter to enable all host commands
5) Type +C* and press Enter to enable all console commands
6) When done, type Q and put the HSM back in Online (AUTH) mode
Note that steps 4 and 5 enable every command, which is the opposite of the least-privilege advice above. For a production
HSM, enable only the individual command codes that Postilion and the console operators actually use, and leave the rest disabled.
KEY TYPES

In recent firmware, Thales introduced a second, PCI HSM compliant key type table. The main change is around key type 002,
which previously covered PVK, TMK and TPK: TMK and TPK move to a different LMK pair and variant, leaving PVK as the only
key of type 002.

[Table in original: key type table]

KEY SCHEMES

Depending on its length and format, a key is prefixed with a one-character key scheme tag that quickly identifies the
nature of the key. The key schemes are the following:

[Table in original: key schemes]

GENERATING KEYS TO BE CONFIGURED ON POSTILION AND POSTCARD

1. Procedures for generating Clear and Encrypted Components for the Zone
Master Key (ZMK) [ISSUER_PREP_ZMK, ISSUER_PERSO_ZMK]
This section was written for the Thales 9000 model. For the Thales 10K model, note the following:
- Z (superseded by EC)
- F (superseded by GC)
- D (superseded by FK)
This may be a limitation of the base release installed on the 10K model, but at the time of writing the Z, F and D
commands are not supported on the 10K model (the HSM's rejection message is not reproduced here).

Perhaps a higher base release (firmware) version of the 10K model will support these commands. To list the commands
available on the HSM, type GETCMDS. Check the HSM documentation for further operations such as adding more commands.

1.1 Generate clear ZMK components

There are two methods of generating clear components of a ZMK: the GC method or the F-D method.

Using the GC method, specify the key type of the ZMK (000, as in the FK import example later in this guide) and the key
scheme. The KE (key export) command exports a key that you have generated with GC under a ZMK; an export is necessary
if the key is to be imported into another HSM.

An example of the F-D method:

Type F at the HSM console prompt once per component. Here F is run 3 times because 3 components are to be generated;
for 2 components, run F twice. The D command then combines the components.

Online-AUTH>F

Clear ZMK component: 7F49 98BA 0DA4 91F4 AE20 ADEF DC98 6485
Encrypted ZMK component: D03C BFEC A8A2 8DE1 A6C4 3556 4432 CAAE
Key check value: E2B9 A800 0000 0000

Online-AUTH>F
Clear ZMK component: 9BA8 DADC CD1F FE26 7308 B010 97FD 0DE0
Encrypted ZMK component: B031 1D96 3416 3CC0 9E4C 4ED5 3CB1 FD1E
Key check value: 3D4F 5A00 0000 0000

Online-AUTH>F
Clear ZMK component: 9851 C8DF 4637 43B0 16F1 4A8A 5276 1020
Encrypted ZMK component: A516 F09F EA18 9F0C 4358 E324 0450 9902
Key check value: C249 C300 0000 0000

Then type D to combine all the 3 components


Copy out the clear component and encrypted component to a form and repeat this process for the other two
security officers. The three components should then be sent to the appointed counterparts at the data
preparation service providers. Note that these will be done separately for the ISSUER_PREP_ZMK
and the ISSUER_PERSO_ZMK. Check the key summary at the last page of this guide for more clarity.

1.2 Generate a final encrypted ZMK from components

To generate the ZMK for use, type D at the HSM console prompt and enter the three generated encrypted
components. Note that the HSM must be in Authorized mode for this process to work.

Online-AUTH>D

Input components from smartcards? [Y/N]: N


Enter number of components [2-9]: 3

Enter encrypted component 1: D03C BFEC A8A2 8DE1 A6C4 3556 4432 CAAE
Enter encrypted component 2: B031 1D96 3416 3CC0 9E4C 4ED5 3CB1 FD1E
Enter encrypted component 3: A516 F09F EA18 9F0C 4358 E324 0450 9902

Encrypted ZMK: 2850 73AC 7BDD DAE4 4C8B FDB0 5891 7516
Key check value: 2758 3200 0000 0000

Copy out the encrypted key value and store it either in the database (via the Postilion console) or on a key form. This
value will be used to secure the transmission of the other keys.
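As an added example (this is not code from the guide, from InterSwitch or from Thales), the Python below reproduces in software what the D, FK and BK commands do with clear components, and parses the one-letter key scheme tag that the console prints in front of a key (the U and X values seen in the KG, FK and KE transcripts in this guide). It assumes the standard payShield variant-LMK scheme tags Z, U, T, X and Y from Thales documentation; the sample input is the three clear ZMK components from the F transcript in section 1.1. It is meant for understanding the ceremony and for checking transcribed sample values: real clear components must never be entered into a general-purpose computer.

```python
"""Split-knowledge arithmetic behind the D, FK and BK console commands.

Added example, not code from the guide or from Thales. It reproduces what the
HSM does internally when components are combined, so that values transcribed
onto key forms can be sanity-checked. The scheme-tag table is taken from
Thales payShield documentation and is an assumption of this example. The
sample components are the guide's own ZMK components from section 1.1.
Real clear components must never be typed into a general-purpose computer;
use this only with test or training values.
"""
from __future__ import annotations

from functools import reduce

# Key scheme tag printed in front of a key -> (meaning, key length in bytes).
# Assumption: standard payShield variant-LMK scheme tags.
KEY_SCHEMES = {
    "Z": ("single-length DES key under the LMK", 8),
    "U": ("double-length 3DES key under the variant LMK", 16),
    "T": ("triple-length 3DES key under the variant LMK", 24),
    "X": ("double-length 3DES key under a ZMK (transport)", 16),
    "Y": ("triple-length 3DES key under a ZMK (transport)", 24),
}


def parse_key(text: str) -> tuple[str | None, bytes]:
    """Split 'U 104C 4216 ...' into (scheme tag, raw bytes).

    Keys with no tag (key scheme '0', single length, e.g. 'DDAA EA59 E8B7 3DC8')
    return scheme None. Tags are never hex digits, so there is no ambiguity.
    """
    token = text.replace(" ", "").upper()
    scheme = None
    if token and token[0] in KEY_SCHEMES:
        scheme, token = token[0], token[1:]
    raw = bytes.fromhex(token)
    if scheme is not None and len(raw) != KEY_SCHEMES[scheme][1]:
        raise ValueError(
            f"scheme {scheme} expects {KEY_SCHEMES[scheme][1]} bytes, got {len(raw)}"
        )
    return scheme, raw


def has_odd_parity(key: bytes) -> bool:
    """DES keys carry odd parity in every byte; HSM-generated components always do."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_parity(key: bytes) -> bytes:
    """Force odd parity by flipping the least significant (non-key) bit where needed."""
    return bytes(b if bin(b).count("1") % 2 == 1 else b ^ 1 for b in key)


def combine_components(components: list[str]) -> bytes:
    """XOR clear components into the clear key, as D / FK (type X) / BK do.

    Raises on fewer than two components, mismatched lengths, or a component
    that fails the parity check (a common sign of a mistyped hex digit). The
    KCV printed by the HSM remains the definitive check.
    """
    raws = [parse_key(c)[1] for c in components]
    if len(raws) < 2:
        raise ValueError("split knowledge requires at least two components")
    if len({len(r) for r in raws}) != 1:
        raise ValueError("all components must have the same length")
    for n, r in enumerate(raws, 1):
        if not has_odd_parity(r):
            raise ValueError(f"component {n} fails the DES odd-parity check")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), raws)


def fmt(key: bytes) -> str:
    """Format bytes the way the console prints them: groups of four hex digits."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


if __name__ == "__main__":
    # Constructed input: the three clear ZMK components from the F transcript
    # in section 1.1 of this guide (sample values, not a live key).
    parts = [
        "7F49 98BA 0DA4 91F4 AE20 ADEF DC98 6485",
        "9BA8 DADC CD1F FE26 7308 B010 97FD 0DE0",
        "9851 C8DF 4637 43B0 16F1 4A8A 5276 1020",
    ]
    zmk = combine_components(parts)
    print("clear ZMK from components:", fmt(zmk), "odd parity:", has_odd_parity(zmk))
    scheme, raw = parse_key("X BAA5 18AA D10D 28A2 D32A 5688 317F 44EB")
    print(f"scheme {scheme}: {KEY_SCHEMES[scheme][0]}, {len(raw)} bytes")
```

The parity check catches many single-digit transcription errors on a key form but not all of them, so it is a first filter only: always compare the key check value printed by D, FK or BK with the KCV recorded on the form, and treat any mismatch as a failed ceremony rather than a value to be corrected by hand.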

2. Procedures for generating the encrypted and clear Key Exchange Keys (KEK) (PERSO_KEK, PREP_KEK)

This key is generated in three components on the Thales HSM. Please note that this operation should be performed in a
secure manner and only one security officer must be present during the generation of each key component. Also make sure
that a new HyperTerminal session is created, and do not save the session when done.

2.1 Generate clear components of a key

To generate a clear component of a key, type GC at the HSM console prompt.


For example: This is to generate a KEK/ZEK
Online - AUTH> GC <Return>
Key length [1,2,3]: 2<Return>
Key Type: 00A <Return>
Key Scheme: U <Return>

Clear Component: XXXX XXXX XXXX XXXX


Encrypted Component: XXXX XXXX XXXX XXXX
Key check value: XXXX XX

Copy out the clear components and encrypted components to a form and repeat this process for the other two
security officers. The three encrypted components would be used in the following step.

2.2 Generate an encrypted KEK (ZEK)

To generate the encrypted KEK for use, type FK on the HSM console and supply the encrypted
components generated earlier. The HSM must be in Authorized mode for this process.

Online – AUTH> FK <Return>


Key length [1,2,3]: 2 <Return>
Key type: 00A <Return>
Key Scheme: U <Return>
Component type [X,H,E,S]: E <Return>
Enter number of components: (2-9): 3 <Return>
Enter component 1: XXXX XXXX XXXX XXXX
Enter component 2: XXXX XXXX XXXX XXXX
Enter component 3: XXXX XXXX XXXX XXXX
Encrypted key: U YYYY YYYY YYYY YYYY
Key check value: ZZZZ ZZ

Note that the perso_kek and the prep_kek are the same. Therefore this will be done only once.

3. Generating the Cryptogram Authentication Master Key (CAK)

This key is generated as a single random key by the HSM (no components). Please note that this operation should be
performed in a secure manner and only one security officer must be present during the generation of this key. Also make
sure that a new HyperTerminal session is created, and do not save the session when done.

To generate an encrypted CAK (IMK/AC), type KG on the HSM console and supply the ISSUER_PREP_ZMK when prompted for the
ZMK. The HSM must be in Authorized mode for this to work.

Online – AUTH> KG
Enter key length [1,2,3]: 2
Enter key type: 109
Enter key scheme (LMK): U
Enter key scheme (ZMK): X
Enter ZMK: XXXX XXXX XXXX XXXX
Enter ZMK variant:
Key under LMK: U YYYY YYYY YYYY YYYY
Key under ZMK: X YYYY YYYY YYYY YYYY
Key check value: YYYYYY

Copy out the Key under ZMK and LMK then complete a key form that would be sent to the data preparation
service provider.

4. Generating the Integrity Master Key (EMK)

This key is generated as a single random key by the HSM (no components). Please note that this operation should be
performed in a secure manner and only one security officer must be present during the generation of this key. Also make
sure that a new HyperTerminal session is created, and do not save the session when done.

To generate an encrypted EMK (IMK/SMI), type KG on the HSM console and supply the ISSUER_PREP_ZMK when prompted for the
ZMK. The HSM must be in Authorized mode for this to work.

Online – AUTH> KG
Enter key length [1,2,3]: 2
Enter key type: 209
Enter key scheme (LMK): U
Enter key scheme (ZMK): X
Enter ZMK: XXXX XXXX XXXX XXXX
Enter ZMK variant:
Key under LMK: U YYYY YYYY YYYY YYYY
Key under ZMK: X YYYY YYYY YYYY YYYY
Key check value: YYYYYY

Copy out the Key under ZMK and LMK, then complete a key form that will be sent to the data preparation service provider.

5. Generating the Confidentiality Master Key (ECK)

This key is generated as a single random key by the HSM (no components). Please note that this operation should be
performed in a secure manner and only one security officer must be present during the generation of this key. Also make
sure that a new HyperTerminal session is created, and do not save the session when done.

To generate an encrypted ECK (IMK/SMC), type KG on the HSM console and supply the ISSUER_PREP_ZMK when prompted for the
ZMK. The HSM must be in Authorized mode for this to work.
Online – AUTH> KG
Enter key length [1,2,3]: 2
Enter key type: 309
Enter key scheme (LMK): U
Enter key scheme (ZMK): X
Enter ZMK: XXXX XXXX XXXX XXXX
Enter ZMK variant:
Key under LMK: U YYYY YYYY YYYY YYYY
Key under ZMK: X YYYY YYYY YYYY YYYY
Key check value: YYYYYY

Copy out the Key under ZMK and LMK then complete a key form that would be sent to the data preparation
service provider

6. Generating the PIN Working Key (KWP)

This key is generated as a single random key by the HSM (no components). Please note that this operation should be
performed in a secure manner and only one security officer must be present during the generation of this key. Also make
sure that a new HyperTerminal session is created, and do not save the session when done.

To generate an encrypted KWP, type KG on the HSM console and supply the ISSUER_PREP_ZMK when prompted for the ZMK. The
HSM must be in Authorized mode for this to work.

Online – AUTH> KG
Enter key length [1,2,3]: 2
Enter key type: 001
Enter key scheme (LMK): U
Enter key scheme (ZMK): X
Enter ZMK: XXXX XXXX XXXX XXXX
Enter ZMK variant:
Key under LMK: U YYYY YYYY YYYY YYYY
Key under ZMK: X YYYY YYYY YYYY YYYY
Key check value: YYYYY

Copy out the Key under ZMK and LMK, then complete a key form that will be sent to the data preparation service provider.

Generating a Zone PIN Key (ZPK)

In this exercise, we create a Zone PIN Key (ZPK) using console commands.

When prompted for the ZMK, enter an encrypted ZMK (the key under LMK). The example below uses the ZMK formed with FK in the
section "Importing Keys to the HSM"; for a ZMK you generated yourself, use the "Encrypted ZMK" output of the D command in
section 1.2.

Online-AUTH> KG
Key length [1,2,3]: 2
Key Type: 001
Key Scheme (LMK): U
Key Scheme (ZMK) [ENTER FOR NONE]: X
Enter encrypted ZMK [ENTER FOR NONE]: U 104C 4216 A751 FEEE FF55 698B 26C5 7789
Enter ZMK check value [ENTER TO SKIP CV TEST]:
Key under LMK: U 8586 51EC 83AF CA66 8175 804F 5B7D CD6B
Key encrypted for transmission: X BAA5 18AA D10D 28A2 D32A 5688 317F 44EB
Key check value: 6543 F4

7. Generating the Card Verification Key (KVC 1 and 2)

This key is formed from two clear components generated on the Thales HSM. Please note that this operation should be
performed in a secure manner and only one security officer must be present during the generation of each component. Also
make sure that a new HyperTerminal session is created, and do not save the session when done, so as not to expose the
keys to fraudulent individuals/staff.
To generate an encrypted KVC, generate two components with GC (key type 402, key scheme 0 for a single-length key) and
combine them with BK, as shown below. GC does not prompt for a ZMK; the KVC is exported under the ISSUER_PREP_ZMK later.
The HSM must be in Authorized mode for this to work.

Online-AUTH> GC
Enter key length [1,2,3]: 1
Enter key type: 402
Enter key scheme: 0

Clear component: XXXX XXXX XXXX XXXX


Encrypted component: XXXX XXXX XXXX XXXX
Key check value: XXXX XX

Online-AUTH> GC
Enter key length [1,2,3]: 1
Enter key type: 402
Enter key scheme: 0

Clear component: XXXX XXXX XXXX XXXX


Encrypted component: XXXX XXXX XXXX XXXX
Key check value: XXXX XX

Online-AUTH> BK
Enter key type [0=BDK, 1=CVK, 2=ZPK]: 1
Enter number of components [2-9]: 2

Enter component 1: XXXX XXXX XXXX XXXX [use the clear component from the first GC]
Enter component 2: XXXX XXXX XXXX XXXX [use the clear component from the second GC]

Encrypted key: XXXX XXXX XXXX XXXX


Key check value: XXXX XXXX XXXX XXXX

Copy out the encrypted key and configure the value on the FEP (postilion application) as ‘part 1’. Repeat the
above process to generate the KVC 2. Copy out the encrypted key and configure the value on the FEP
(postilion application) as ‘part 2’. Fill the key forms by copying out the clear and encrypted components.

EXPORTING KEYS TO BE SENT TO THE DATA PREPARATION CENTRE AND PERSONALISATION BUREAU

Two copies of each clear component of each ZMK are made. For the ISSUER_PREP_ZMK, one copy is for the issuer and the
other is sent to the relevant counterpart at the data preparation centre.
Likewise, one copy of each of the three clear components of the ISSUER_PERSO_ZMK is retained by the issuer and the
other copies are sent to the relevant counterparts at the personalisation bureau.
Note that the encrypted ZMK (the key under LMK) is what is used to export the other keys.

Procedures for Exporting the Encrypted exchange keys (KEK) (Perso_KEK, PREP_KEK)

Online – AUTH> KE <Return>


Key type: 00A <Return>
Key scheme (ZMK): X <Return>
Enter encrypted ZMK: XXXX XXXX XXXX XXXX
Enter ZMK Variant (if enabled by CS command): <Return>
Enter encrypted key: U YYYY YYYY YYYY YYYY
Key encrypted under ZMK: X YYYY YYYY YYYY YYYY
Key check value: XXXX XX

Note that for the data preparation service provider the encrypted ZMK is the issuer_prep_zmk, and for the personalisation
bureau it is the issuer_perso_zmk. The same KEK therefore has a different value under each ZMK (its key check value,
which is computed on the clear key, stays the same), so take extreme care to avoid a mix-up.

Copy the key encrypted under ZMK and key check value into a key form and send the relevant key forms
to the data preparation service provider and personalisation bureau.

Importing Keys to the HSM

1) For a ZMK
There are 2 ways of importing a ZMK: the Z-D method or the FK method. In the Z-D method, Z is run once per component
(here 3 times because there are 3 components; for 2 components run Z twice) and D then combines the encrypted components.

The FK method of importing a ZMK:

The ZMK is exchanged using secure methods and a split-knowledge policy: the three components created above are sent to
three nominated security officers of the other party. This is one of the most secure ways to do it, since no single
person gains knowledge of the clear ZMK.
If you are at the receiving end, you need to import the ZMK into your HSM so that you can later import the lower-level
keys (such as a ZPK) that are sent encrypted under it.

Online-AUTH> FK # User input


Key length [1,2,3]: 2 # User input
Key Type: 000 # User input
Key Scheme: U # User input
Component type [X,H,E,S]: X # User input
Enter number of components (2-9): 3 # User input – based on the number of components you have
Enter component #1: 79CD23809B4FC1C47F9EFB2ADF2A674A # User input from GC response: 79CD 2380 9B4F C1C4 7F9E FB2A DF2A 674A
Enter component #2: 0157B3DF61163402372C54FD62F21C91 # User input from GC response: 0157 B3DF 6116 3402 372C 54FD 62F2 1C91
Enter component #3: 7AEAB5A41A9E9B68EF80494C08194ADA # User input from GC response: 7AEA B5A4 1A9E 9B68 EF80 494C 0819 4ADA

Encrypted key: U 104C 4216 A751 FEEE FF55 698B 26C5 7789
Key check value: BA0F C3

The Z-D method:

Online-AUTH>Z
Enter ZMK component: ***************************************
Encrypted ZMK component: C886 B34F 6084 A624 BD65 B1CA 10F5 602E

Key check value: 5103 AE00 0000 0000

Online-AUTH>Z

Enter ZMK component: ***************************************


Encrypted ZMK component: 696A 2AB0 E737 4791 4818 6CF0 5086 69EE
Key check value: 28A4 EE00 0000 0000

Online-AUTH>Z

Enter ZMK component: ***************************************


Encrypted ZMK component: E0F6 386E 7F10 1F6B 12CC 30BA BCCC F44E
Key check value: 4FC3 9100 0000 0000

Online-AUTH>D

Input components from smartcards? [Y/N]: N


Enter number of components [2-9]: 3

Enter encrypted component 1: C886 B34F 6084 A624 BD65 B1CA 10F5 602E
Enter encrypted component 2: 696A 2AB0 E737 4791 4818 6CF0 5086 69EE
Enter encrypted component 3: E0F6 386E 7F10 1F6B 12CC 30BA BCCC F44E

Encrypted ZMK: 9A06 C3A3 2AAB F9C7 F591 E567 00CF AFC9
Key check value: FBC8 9200 0000 0000

The following shows how to import keys that were sent encrypted under the ZMK you have just imported. Whenever you are
prompted to 'Enter ZMK', enter the encrypted ZMK (key under LMK) obtained above.

2) For a CAK

Online-AUTH>IK
Enter LMK id [0-4]:
Enter key type: 109
Enter key scheme: U
Enter ZMK variant:
Enter key: X61D5 B986 3493 5FC1 5AAA 1677 DA39 9336

Encrypted key: U04B4 16E6 C60B 5357 F9A8 D7A6 2D47 9E4A
Key check value: 560F DB

3) For an EMK
Online-AUTH>IK

Enter LMK id [0-4]:


Enter key type: 209
Enter key scheme: U
Enter ZMK: 9A06 C3A3 2AAB F9C7 F591 E567 00CF AFC9
Enter ZMK variant:
Enter key: X7A54 BEED 0FC3 1291 98C5 CC85 E722 AAF0

Encrypted key: UC822 9734 F0E5 175D 4BE1 243B 2B5E 95F0
Key check value: 1C80 8A
4) For an ECK

Online-AUTH>IK

Enter LMK id [0-4]:


Enter key type: 309
Enter key scheme: U
Enter ZMK: 9A06 C3A3 2AAB F9C7 F591 E567 00CF AFC9
Enter ZMK variant:
Enter key: X5356 E2E4 D7C1 233F 2975 B507 B105 9A93

Encrypted key: UE426 432C F519 85BA C83C 52A0 5968 AF46
Key check value: 75F0 F9

5) For a KWP

Online-AUTH>IK
Enter LMK id [0-4]:
Enter key type: 002
Enter key scheme: 0
Enter ZMK: 9A06 C3A3 2AAB F9C7 F591 E567 00CF AFC9
Enter ZMK variant:
Enter key: 95E1 AD52 D0EB CF57

Encrypted key: DDAA EA59 E8B7 3DC8


Key check value: 3899 8C

6) For a CVKA:

clear
component1: 13D9863140ADCE5E
component2: 70AB2CB357C82CD5

Key Checksum: 1D8983

CVKB

clear
component1: 611FE6FD199E1351
component2: A83BA7DCBC616B75

Key Checksum: 52A2AD

How to import Visa keys:

Note that when setting up Visa card issuance, you do not need a PERSO step in the card production job. The PERSO step is
only for Mastercard and Verve cards.
PREP ZMK

Online-AUTH>z
Enter ZMK component: ********************************
Encrypted ZMK component: 087F 68F0 C3D0 0E3F A5AB 9655 96A0 98CB
Key check value: 82CD 6800 0000 0000

Online-AUTH>Z
Enter ZMK component: ********************************
Encrypted ZMK component: 590C 3B7A DB5F AC56 B817 7E54 D721 8B16

Key check value: B3AE 0C00 0000 0000

Online-AUTH>Z
Enter ZMK component: ********************************
Encrypted ZMK component: 48D5 C776 743A AE4F 07AF 9069 5940 02CE
Key check value: F3B0 AC00 0000 0000

Online-AUTH>D
Input components from smartcards? [Y/N]: N
Enter number of components [2-9]: 3

Enter encrypted component 1: 087F 68F0 C3D0 0E3F A5AB 9655 96A0 98CB
Enter encrypted component 2: 590C 3B7A DB5F AC56 B817 7E54 D721 8B16
Enter encrypted component 3: 48D5 C776 743A AE4F 07AF 9069 5940 02CE

Encrypted ZMK: B186 D773 EB9E C74F 2A7B 0FE0 C013 F897
Key check value: 7A41 3000 0000 0000

------------------------------------------------------------------------------------------------
KVC

Online-AUTH>IV
Key type [Pvk/Cvk]: C
Enter ZMK: B186 D773 EB9E C74F 2A7B 0FE0 C013 F897

Enter ZMK variant:


Enter key A: 022F D140 DE4D 8B97
Enter key B: 7A6B 17CD E117 2D0D

Key A under LMK: 4D76 4916 83D7 BCE6


Key check value: EB7A 8A00 0000 0000
Key B under LMK: 3D51 B1D1 4E09 0138
Key check value: 4087 BF00 0000 0000
---------------------------------------------------------------------------------------------------------------------------------------

Use the MDK as the key value for the CAK, EMK and ECK imports; only the key type (109, 209 and 309) varies. Because the same clear key is imported three times, the key check value (72DA 55) is identical in all three transcripts below, while the key under LMK differs because each key type is encrypted under a different LMK variant.
--------------------------------------------------------------------------------------------------------------------------------------
CAK

Online-AUTH>IK
Enter LMK id [0-4]:
Enter key type: 109
Enter key scheme: U
Enter ZMK: B186 D773 EB9E C74F 2A7B 0FE0 C013 F897
Enter ZMK variant:
Enter key: X4B2C 934A AD31 A06F 8342 BA96 356F 8111

Encrypted key: U4B5D 8E54 F7B9 ED57 A935 79E5 DA1E 584F
Key check value: 72DA 55

------------------------------------------------------------------------------
EMK

Online-AUTH>IK
Enter LMK id [0-4]:
Enter key type: 209
Enter key scheme: U
Enter ZMK: B186 D773 EB9E C74F 2A7B 0FE0 C013 F897
Enter ZMK variant:
Enter key: X4B2C 934A AD31 A06F 8342 BA96 356F 8111

Encrypted key: UADF7 4AEC D035 E540 AA1A 266C B8E9 BE68
Key check value: 72DA 55
-----------------------------------------------------------------------------

ECK
Online-AUTH>IK
Enter LMK id [0-4]:
Enter key type: 309
Enter key scheme: U
Enter ZMK: B186 D773 EB9E C74F 2A7B 0FE0 C013 F897
Enter ZMK variant:
Enter key: X4B2C 934A AD31 A06F 8342 BA96 356F 8111

Encrypted key: UFAB6 D9EE 473D 8330 4B6D C201 2476 31F6
Key check value: 72DA 55

------------------------------------------------------------------
IWK

Online-AUTH>IK
Enter LMK id [0-4]:
Enter key type: 001
Enter key scheme: U
Enter ZMK: B186 D773 EB9E C74F 2A7B 0FE0 C013 F897
Enter ZMK variant:
Enter key: X6AF7 3A48 F11B D922 A9DB F44E 545F CB02

Encrypted key: UFF98 963A 0218 CBF2 F53A 8455 AAAF 65C9
Key check value: 1095 76
Other Notes:

In addition to the clear issuer_prep_zmk components and the exported prep_kek, the key under ZMK for the following
keys should be sent to the data preparation service provider:

1. Cryptogram Authentication master Key (CAK)


2. Integrity Master Key (EMK)
3. Confidentiality Master Key (ECK)
4. PIN Working Key (KWP)
5. Card Verification Key (KVC)

KEY SUMMARY

This table lists the keys that must be generated by the issuer for Verve card issuance, and which of them must be
exchanged with external parties such as the data preparation centre and the personalisation bureau.

S/No | Key | Description
1 | ISSUER_PREP_ZMK | Generated by the issuer and exchanged with the data preparation service provider in three components. Used to secure the transmission of all other keys between the two entities.
2 | ISSUER_PERSO_ZMK | Generated by the issuer and exchanged with the personalisation bureau in three components. Used to secure the transmission of all other keys between the two entities.
3 | ISSUER_PERSO_KEK | Used to secure the data transmitted to the personalisation bureau. Generated by the issuer in three components and transmitted to the personalisation centre encrypted under the ISSUER_PERSO_ZMK.
4 | ISSUER_PREP_KEK | Used to secure the data transmitted to the personalisation bureau. Generated by the issuer in three components; it is the same key as ISSUER_PERSO_KEK, but it is transmitted to the data preparation service provider encrypted under the ISSUER_PREP_ZMK.
5 | ISSUER_KWP | Used to secure the transmission of the card PIN to the data preparation service provider. Its clear value does not need to be known; it is transmitted to the data preparation service provider encrypted under the ISSUER_PREP_ZMK.
6 | ISSUER_KVC | Generated by the issuer and used to generate the CVV, CVV2 and iCVV for the card. Its clear value does not need to be known; it is transmitted to the data preparation service provider encrypted under the ISSUER_PREP_ZMK. At data preparation the key is used to generate the iCVV, which is mandatory for chip cards issued from 2008.
7 | IMK_AC | Payment application cryptogram authentication master key. Transported to the data preparation service provider encrypted under the ISSUER_PREP_ZMK.
8 | IMK_SMI | Payment application integrity (MAC) master key. Transported to the data preparation service provider encrypted under the ISSUER_PREP_ZMK.
9 | IMK_SMC | Payment application confidentiality master key. Transported to the data preparation service provider encrypted under the ISSUER_PREP_ZMK.

Please note that where the issuer is acting as the data preparation service, the personalisation bureau or both, the
keys must still be generated and exchanged in the same way. There should be a clear distinction between the autho
the data preparation service and the personalisation services regardless of their physical locations.
