There is a lot of talk in the payments industry right now regarding keys, especially with the recent expiration of the 1152-bit CA Public Key on December 31, 2017. Some of you may already be familiar with the process while others are not aware of what the CAPKs are and how they are impacted by this change.
What are CA Public Keys?
Let’s begin with an understanding of CA Public Keys, which are more commonly referred to as CAPKs. As described in a VISA Chip and New Technologies Overview, the EMV standard calls for the use of Public Key technology for offline authentication, for aspects of online transactions, and optionally for offline PIN encipherment. Each payment system is responsible for maintaining the public root key pairs of its own Public Key hierarchy, in support of the EMV Public Key infrastructure.
Each Card Brand uses an entity known as a Certificate Authority (CA) to manage and issue the Public Keys. Those CAPKs are required to be installed on EMV-enabled terminals which support Offline Data Authentication (ODA) and Offline Enciphered PIN Cardholder Verification Method (CVM).
What does the recent key expiration mean?
A total of four different keys of varying lengths have been issued by the respective certificate authority with the two shortest keys (1024 and 1152 bits) having now been expired. All keys are set with an expiration date to reduce the risk of fraud with the shortest keys expiring first with the most recent one of 1152 bits that expired December 31, 2017. This means that the expired key must be removed from all terminals. However, as defined in the EMV Acquirer and Terminal Security Guidelines1 from EMVCo, Acquirers remain responsible for ensuring that expired keys are removed from terminals within 6 months of their expiry date (nominally by June 30th) or as otherwise directed by the relevant payment system.
What is the impact if the keys are not removed?
The biggest impact to leaving the expired keys on the terminal is the exposure to potential fraud. Fraudsters can now generate cards that contain the expired keys and continue to conduct transactions at terminal where the expired keys still exist. In that case, there is no TVR Flag raised to alert about successful ODA which actually took place with expired keys.
On the other side where cards are used containing updated keys that have not been loaded to the terminal, the online transaction is marked with the TVR flag set to ‘Offline Auth failed’ leaving it up to the Issuer to approve or decline. It definitely can increase the likelihood of declining the transactions for ODA failure.
What should I do?
All entities that currently have EMV-enabled terminals in the market containing expired keys should replace them sooner rather than later. If you have not already done so, contact your processor’s or Card Brand’s respective relationship manager to obtain and update your new CAPKs before the grace period is over.
--Dave Blust, Director of Certification Services at Deltec Consulting
 EMV Acquirer and Terminal Security Guidelines, Version 1.2, April2014