How cryptographic key management is handled in NCR Secure Pay

Home » Categories » SecurePay

How cryptographic key management is handled in NCR Secure Pay


How is cryptographic key management handled in NCR Counterpoint with Secure Pay and who has access to the encryption keys?


  • Previously NCR Counterpoint used Blowfish encryption keys to encrypt credit card information when using CPGateway.  This is no longer used with NCR Secure Pay since credit card information is tokenized and only the token is stored in the database.
  • NCR Secure Pay uses a private key encryption system. Only the private keys can decrypt credit card information and they only exist on the P2PE device and a Hardware Security Module (HSM) at the NCR Secure Pay host.   This is fundamentally more secure than CP Gateway encryption since the information needed to decrypt data does not exist in the NCR Counterpoint application or database.P2PE keys are unique per device. This means that, in the extremely unlikely event that a private key was compromised, it would only impact a single device.
    • Only Monetra and our key administrator can access these keys. 
    • No reseller, merchant, or other personnel at NCR has access to this information.
  • At the transaction level, DUKPT key management is in use, which generates a unique key for each transaction; it is the same key management that is used to manage PIN debit keys.



Attachments Attachments
There are no attachments for this article.