PA-DSS requirements 2.4, 2.5 and 2.6

2.4: Protect keys used to secure cardholder data against disclosure and misuse.

In Maitre’D 7.08 or later, a new cryptographic key is dynamically generated for every new transaction and remains valid only for that single transaction. This key is generated by a proprietary algorithm, developed in-house by cryptographic experts following the guidance in the following NIST publications:

  • NIST Special Publication 800-90C – Recommendation for Random Bit Generator (RBG) Constructions.

  • NIST Special Publication 800-90A – Recommendation for Random Number Generation Using Deterministic Random Bit Generators.

  • NIST Special Publication 800-57 Part 1 – Recommendation for Key Management.

Using this algorithm, the cryptographic key can be generated and re-generated as needed, so the key never needs to be stored in order to encrypt or decrypt card data. Managing the cryptographic keys this way, without storing them, is more secure than storing encrypted cryptographic keys.

2.5: Implement key management processes and procedures for cryptographic keys used for encryption of cardholder data.

Since the process of creating new encryption keys is entirely dynamic, there is no need to establish a formal key management process. With Maitre’D 7.08 or later, a new cryptographic key is automatically generated for every single transaction. The resulting key can only be used for a specific transaction and for that fiscal day and will automatically become obsolete at the beginning of the following fiscal day.
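As an added illustration of the two properties described under 2.4 and 2.5 (keys re-derived on demand rather than stored, and scoped to one transaction and one fiscal day), the following Python example is not Maitre’D’s proprietary algorithm and is not taken from the page. It stands in a standard HKDF derivation (RFC 5869, HMAC-SHA256) and assumes a protected master secret, a transaction id string and an ISO-format fiscal day, all constructed here.

```python
import hmac
import hashlib

# Constructed placeholder, NOT a real key. Whatever secret seeds the generator
# is still something a deployment must protect; the page does not describe this.
MASTER_SECRET = bytes.fromhex("0b" * 32)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand to `length`
    bytes. Standard construction used in place of the page's proprietary one."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def transaction_key(master: bytes, fiscal_day: str, txn_id: str) -> bytes:
    """Derive the 256-bit key for one transaction on one fiscal day. Same inputs
    always give the same key, so only the master secret is ever stored."""
    # Fiscal day as salt, transaction id as context: both are bound into the key.
    return hkdf_sha256(master, salt=fiscal_day.encode(), info=b"txn:" + txn_id.encode())

def derive_for_use(master: bytes, fiscal_day: str, txn_id: str, today: str) -> bytes:
    """Re-derive a key only while its fiscal day is current; from the next
    fiscal day on, the key is obsolete and derivation is refused."""
    if fiscal_day != today:
        raise ValueError(f"key for fiscal day {fiscal_day} is obsolete on {today}")
    return transaction_key(master, fiscal_day, txn_id)

def demo() -> dict:
    """Check the claimed properties on constructed sample transactions."""
    k1 = transaction_key(MASTER_SECRET, "2024-03-01", "TXN-0001")
    k1_again = transaction_key(MASTER_SECRET, "2024-03-01", "TXN-0001")
    k2 = transaction_key(MASTER_SECRET, "2024-03-01", "TXN-0002")
    k1_next_day = transaction_key(MASTER_SECRET, "2024-03-02", "TXN-0001")
    try:
        derive_for_use(MASTER_SECRET, "2024-03-01", "TXN-0001", today="2024-03-02")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "regenerated_identically": k1 == k1_again,
        "unique_per_transaction": k1 != k2,
        "changes_at_fiscal_day_rollover": k1 != k1_next_day,
        "obsolete_key_rejected": rejected,
    }
```

Running `demo()` returns all four properties as `True`; the first two correspond to requirement 2.4, the last two to the fiscal-day scoping described under 2.5.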

2.6: Provide a mechanism to render irretrievable cryptographic key material or cryptograms stored by previous payment application versions.

In Maitre’D 7.08, cryptographic keys are dynamically generated and are never stored. Furthermore, Maitre’D does not keep any historical cardholder data; therefore, no cryptographic key ever needs to be retained for any period of time.
