Key Blocks

Frequently Asked Questions

31 August 2022
Notices
Following are policies pertaining to proprietary rights, trademarks, translations, and details
about the availability of additional information online.

Proprietary Rights
The information contained in this document is proprietary and confidential to Mastercard
International Incorporated, one or more of its affiliated entities (collectively “Mastercard”), or both.

This material may not be duplicated, published, or disclosed, in whole or in part, without the prior
written permission of Mastercard.

Trademarks
Trademark notices and symbols used in this document reflect the registration status of Mastercard
trademarks in the United States. Please consult with the Global Customer Service team or the
Mastercard Law Department for the registration status of particular product, program, or service
names outside the United States.

All third-party product and service names are trademarks or registered trademarks of their
respective owners.

Disclaimer
Mastercard makes no representations or warranties of any kind, express or implied, with respect to
the contents of this document. Without limitation, Mastercard specifically disclaims all
representations and warranties with respect to this document and any intellectual property rights
subsisting therein or any part thereof, including but not limited to any and all implied warranties of
title, non-infringement, or suitability for any purpose (whether or not Mastercard has been advised,
has reason to know, or is otherwise in fact aware of any information) or achievement of any
particular result. Without limitation, Mastercard specifically disclaims all representations and
warranties that any practice or implementation of this document will not infringe any third-party
patents, copyrights, trade secrets or other rights.

Translation
A translation of any Mastercard manual, bulletin, release, or other Mastercard document into a
language other than English is intended solely as a convenience to Mastercard customers.
Mastercard provides any translated document to its customers “AS IS” and makes no
representations or warranties of any kind with respect to the translated document, including, but not
limited to, its accuracy or reliability. In no event shall Mastercard be liable for any damages resulting
from reliance on any translated document. The English version of any Mastercard document will take
precedence over any translated version in any legal proceeding.

©2022 Mastercard. Proprietary. All rights reserved.

Key Blocks―Frequently Asked Questions ▪ 31 August 2022 2
Contents

Key Blocks Frequently Asked Questions

Document Purpose
Reference Document
Announcements

©2022 Mastercard. Proprietary. All rights reserved.

Key Blocks―Frequently Asked Questions ▪ 31 August 2022 3
Document Purpose
The purpose of this document is to answer commonly asked questions about Mastercard’s
changes to support the Payment Card Industry (PCI) PIN Security Requirements and Testing
Procedures involving key exchange information storage using key blocks.

Reference Documents
Refer to the following reference manuals available on Mastercard Connect™ in the Technical
Resource Center (TRC) for information about the current state of Mastercard processing:
• Customer Interface Specification
• Single Message System Specifications

Announcements
Refer to the following published announcements for more information on Key Blocks:
• AN 2944—Update to the Announced Cryptographic Key Block Changes Supporting
Phase 2 of PCI Mandates
• AN 2117—Introducing Cryptographic Key Block Changes to Support Phase 2 of PCI
Mandates
• X9 TR-31 Interoperable Secure Key Exchange Key Block Specification for Symmetric
Algorithms, an industry standard, available from the American National Standards
Institute (ANSI) Webstore
• Cryptographic Key Blocks, June 2017, an industry standard, available from the PCI
Security Standards Council (PCI SSC)

©2022 Mastercard. Proprietary. All rights reserved.

Key Blocks―Frequently Asked Questions ▪ 31 August 2022 4
Key Blocks
The following list of questions is designed to assist customers and their agents with Mastercard’s
compliance requirements for key block implementations.

Q. What are Key Blocks?

Key Blocks is a standard way of protecting the integrity of cryptographic keys and of associating
them with their intended use. They may be used to protect both Triple Data Encryption Algorithm
(TDEA), sometimes referred to as 3DES or TripleDES (TDES), and Advanced Encryption Standard
(AES) keys.

Q. How do Key Blocks improve the security of encrypted keys?

Key Blocks improve the security of symmetric keys that are shared among payment participants to
protect personal identification numbers (PINs) and other sensitive data. Key Blocks are immune to
specific types of attacks and also restricts further key usage to enhance security.

Q. Which PCI Security Standard requires the implementation of Key Blocks?

The PCI PIN Security Requirements and Testing Procedures (PCI PIN Standard) require the
implementation of Key Blocks:

• Requirement 18-3: Encrypted symmetric keys must be managed in structures called key blocks.
The key usage must be cryptographically bound to the key using accepted methods.

Q. When were Key Block requirements first introduced?

Key Blocks were first introduced in version 2.0 of the PCI PIN Standard, published in December 2014,
to increase security for encrypted keys.

Q. Does the PCI PIN Standard apply to both conveyance and storage of keys?

Yes. The PCI PIN Standard applies to both conveyance and storage of keys.

Q. Does the PCI PIN Standard apply to only TDEA/TDES keys?

No. The PCI PIN Standard does not only apply to TDEA/TDES keys. Both AES and TDES keys are
required to be managed in key blocks as stipulated by ANSI X9.

©2022 Mastercard. Proprietary. All rights reserved.

Key Blocks―Frequently Asked Questions ▪ 31 August 2022 5
Q. Who must comply with the PCI PIN Standard?

Customers and their agents (e.g., key-injection facilities and certificate processors) performing PIN
encipherment or any other aspect of PIN processing involving PIN entry must comply with the PCI PIN
Standard and all other applicable PCI PIN Security Standards.

Q: Is PCI PIN validation to Mastercard required?

No. PCI PIN validation to Mastercard is not required.

Q. Will Mastercard grant an extension for entities not compliant by the dates outlined in PCI PIN
security requirement 18-3?

No. As PCI PIN validation to Mastercard is not required, Mastercard will not grant an extension for
entities not compliant by the dates outlined in PCI PIN security requirement 18-3.

Q. When must customers and their agents be compliant with PCI PIN security requirement 18-3?

Customers and their agents are required to comply with the following phased Key Block
implementation dates:

• Phase 1: Implement Key Blocks for internal connections and key storage within service
provider environments. This includes all applications and databases connected to hardware
security modules (HSMs). Effective date: 1 June 2019. (Completed)
• Phase 2: Implement Key Blocks for external connections to associations and networks. New
effective date: 1 January 2023 (replaces previous effective date of 1 June 2021).
• Phase 3: Implement Key Block to extend to all merchant hosts, point-of-sale (POS) devices
and ATMs. New effective date: 1 January 2025 (replaces previous effective date of 1 June
2023).

Q. Is the date for phase 1 (implement key blocks for internal connections and key storage within
service provider environments) already effective?

Yes. The date for phase 1 was effective 1 June 2019. This date has remained unchanged.

Q. Can the Mastercard network currently support the use of the new key block format in the
production environment? Is Mastercard ready?

Yes. The Mastercard network can support the use of the new key block format in the production
environment. Mastercard has been ready since January 2020.

©2022 Mastercard. Proprietary. All rights reserved.

Key Blocks―Frequently Asked Questions ▪ 31 August 2022 6
Q. Are current ANSI X9.17 key exchanges compliant with PCI PIN security requirement 18-3?

No. Current ANSI X9.17 key exchanges are not compliant with PCI PIN security requirement 18-3.
ANSI X9.17 key exchanges must be converted to key blocks under phase 2 of Key Block
implementations by 1 January 2023.

However, Mastercard will still allow customers to continue using ANSI X9.17 key exchanges after the
effective date, 1 January 2023.

Q. Where can customers and their agents find more information on key exchanges and testing
requirements to support PCI PIN security requirement 18-3 involving Key Blocks?
Customers and their agents can find more information on key exchanges and testing requirements to
support PCI PIN security requirement 18-3 involving Key Blocks by referring to Mastercard’s AN
2117—Introducing Cryptographic Key Block Changes to Support Phase 2 of PCI Mandates available on
Mastercard Connect™.

Q. Who should customers and their agents contact with questions on operational requirements for
key management use?

Customers and their agents should contact Customer_Support@mastercard.com with questions on

operational requirements for key management use.

Q. Can “equivalent methods” for Key Block compliance be used?

Yes. In July of 2019, the PCI SSC added FAQ Q39 to the PCI PIN Technical FAQs version 3 detailing
how an independent expert may validate the integrity of a processed solution and the qualifications
that the independent expert must possess (interoperable methods include those defined in ANSI TR-
31 and International Organization for Standardization [ISO] 20038).

Q. Does Mastercard allow for “equivalent methods” for Key Block compliance to be used?

Yes. Mastercard is supporting Accredited Standards Committee (ASC) X9 TR-31 version ID “B” for
online key exchanges. Customers and their agents may store the keys in any compliant manner. For
more information on Mastercard’s requirements for Key Blocks, customers and their agents should
contact Customer_Support@mastercard.com.

Q. What resources does PCI SSC offer to support the implementation of Key Blocks?

• Key Blocks Blog Series

• Information Supplements: Cryptographic Key Blocks; PIN Security Requirement 18-3 – Key
Blocks
• PCI PTS PIN Security Requirements Technical FAQs version 3

©2022 Mastercard. Proprietary. All rights reserved.

Key Blocks―Frequently Asked Questions ▪ 31 August 2022 7