Card Network Configuration Guide
Last Updated: December 2024
Applies To: All Petroleum POS Systems
Audience: Field Service Technicians (5+ years experience)
Quick Reference

| Resource | Contact |
|----------|---------|
| Gilbarco TAC | 800-743-7501 |
| Wayne/Dover | 800-289-2963 |
| Verifone VASC | 888-777-3536 |
| WEX Fleet Support | 866-544-0575 |
| Voyager/US Bank | 800-987-6591 |
1. DUKPT Encryption Fundamentals
DUKPT (Derived Unique Key Per Transaction) replaced the legacy Master/Session key architecture so that identical keys are no longer stored across terminals. It is governed by ANSI X9.24-3-2017 (AES) and ANSI X9.24-1:2009 (Triple DES).
Key Hierarchy

```
┌──────────────────────────────────────────────────────────┐
│                   DUKPT KEY HIERARCHY                    │
├──────────────────────────────────────────────────────────┤
│  ┌────────────────────────────────────────────────────┐  │
│  │ BASE DERIVATION KEY (BDK)                          │  │
│  │ Stored in acquirer's HSM only (never in terminal)  │  │
│  │ 3DES: 128-bit | AES: 128/192/256-bit               │  │
│  └─────────────────────────┬──────────────────────────┘  │
│                            ▼                             │
│  ┌────────────────────────────────────────────────────┐  │
│  │ INITIAL PIN ENCRYPTION KEY (IPEK)                  │  │
│  │ Derived per terminal using BDK + Key Serial Number │  │
│  │ Injected into device, then IMMEDIATELY DISCARDED   │  │
│  └─────────────────────────┬──────────────────────────┘  │
│                            ▼                             │
│  ┌────────────────────────────────────────────────────┐  │
│  │ FUTURE KEYS                                        │  │
│  │ Generated from IPEK, stored in secure memory       │  │
│  └─────────────────────────┬──────────────────────────┘  │
│                            ▼                             │
│  ┌────────────────────────────────────────────────────┐  │
│  │ WORKING KEYS                                       │  │
│  │ Derived per transaction, used once, then ERASED    │  │
│  └────────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────────┘
```
Key Serial Number (KSN) Structure

| DUKPT Version | KSN Size | Components | Transaction Capacity |
|---------------|----------|------------|----------------------|
| TDEA (3DES) | 80 bits / 10 bytes | Key Set ID (24) + Device ID (19) + Counter (21) | ~2 million transactions |
| AES | 96 bits / 12 bytes | BDK ID (32) + Derivation ID (32) + Counter (32) | ~4 billion transactions |
CRITICAL: When the 21-bit counter exhausts (after ~2 million transactions), the terminal requires re-injection at a certified Key Injection Facility. High-volume petroleum sites can exhaust counters in 3-5 years.
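Worked example (added here; not from the guide or any vendor SDK): splitting a KSN into the fields in the table above and rating the counter against the re-injection threshold. Two assumptions, also noted in the code: the 16 bits above the Key Set ID in a TDEA KSN are treated as an issuer prefix, and the capacity figures treat every counter value as usable, whereas X9.24-1 skips TDEA counter values with more than ten 1-bits, so usable transactions are fewer than the 2^21 ceiling.

```python
"""DUKPT Key Serial Number (KSN) parsing and counter monitoring.

Added example, not from the guide or any vendor SDK. Field widths follow the
guide's KSN table. Assumption: in the 80-bit TDEA KSN the 16 bits above the
24-bit Key Set ID are an issuer/padding prefix (the X9.24 test-vector KSNs
carry FFFF there). Capacity figures assume every counter value is usable; in
practice X9.24-1 skips TDEA counter values with more than ten 1-bits, so the
usable count is lower than the 2^21 ceiling.
"""
from typing import Dict

TDEA_COUNTER_BITS = 21
TDEA_DEVICE_ID_BITS = 19
TDEA_KEY_SET_ID_BITS = 24
AES_COUNTER_BITS = 32


def parse_ksn(ksn_hex: str) -> Dict[str, object]:
    """Split a KSN into its fields: 10 bytes = TDEA layout, 12 bytes = AES layout."""
    raw = bytes.fromhex(ksn_hex)
    if len(raw) == 10:
        value = int.from_bytes(raw, "big")
        counter = value & ((1 << TDEA_COUNTER_BITS) - 1)
        device_id = (value >> TDEA_COUNTER_BITS) & ((1 << TDEA_DEVICE_ID_BITS) - 1)
        key_set_id = (value >> (TDEA_COUNTER_BITS + TDEA_DEVICE_ID_BITS)) & ((1 << TDEA_KEY_SET_ID_BITS) - 1)
        initial_ksn = value & ~((1 << TDEA_COUNTER_BITS) - 1)   # counter bits cleared
        return {
            "version": "TDEA",
            "prefix": value >> 64,             # assumed issuer/padding prefix
            "key_set_id": key_set_id,
            "device_id": device_id,
            "counter": counter,
            "initial_ksn": f"{initial_ksn:020X}",
            "capacity": 1 << TDEA_COUNTER_BITS,
        }
    if len(raw) == 12:
        return {
            "version": "AES",
            "bdk_id": int.from_bytes(raw[0:4], "big"),
            "derivation_id": int.from_bytes(raw[4:8], "big"),
            "counter": int.from_bytes(raw[8:12], "big"),
            "initial_ksn": raw[:8].hex().upper() + "00000000",
            "capacity": 1 << AES_COUNTER_BITS,
        }
    raise ValueError(f"KSN must be 10 (TDEA) or 12 (AES) bytes, got {len(raw)}")


def counter_status(ksn_hex: str, warn_fraction: float = 0.80) -> Dict[str, object]:
    """Classify how close a terminal is to needing re-injection at a KIF."""
    fields = parse_ksn(ksn_hex)
    capacity = int(fields["capacity"])
    counter = int(fields["counter"])
    remaining = capacity - 1 - counter      # further increments before the counter saturates
    if remaining <= 0:
        state = "EXHAUSTED"
    elif counter >= int(capacity * warn_fraction):
        state = "WARN"
    else:
        state = "OK"
    return {"version": fields["version"], "state": state, "counter": counter, "remaining": remaining}


if __name__ == "__main__":
    # X9.24 test-vector-style TDEA KSN (counter = 1) and a constructed AES KSN
    for ksn in ("FFFF9876543210E00001", "123456780000000100000005"):
        print(ksn, parse_ksn(ksn), counter_status(ksn))
```

Run counter_status() over the KSN carried in each terminal's transaction records to catch the exhaustion case before it strands a dispenser.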
Key Injection Facilities
Key Injection Facilities must maintain PCI PIN 3.1 certification:
- Secure rooms with CCTV monitoring
- Dual-control access
- FIPS 140-2/140-3 Level 3 validated HSMs
Certified Equipment Providers:

| Provider | Product | Features |
|----------|---------|----------|
| Futurex | SKI Series 3 | Injects up to 18 devices, full TR-31 support |
| Thales | payShield HSM | PCI PTS 5.x certified components |
| Cryptera | EPP 1200 Series | Approved for fuel pump applications |
Remote Key Injection (RKI)
RKI uses the TR-34 standard (ANSI X9.24-2) for secure key distribution over IP:
- Factory-installed PKI certificates in terminal
- Authenticated TLS connection to RKI platform
- Symmetric keys injected via asymmetric encryption
Certified RKI Providers: PAX Technology (paxRhino), Ingenico, NEXGO, ID TECH
2. Regional Debit Networks

| Network | Owner | Market Share | Key Notes |
|---------|-------|--------------|-----------|
| STAR | Fiserv (First Data) | ~60% | Dominant network; EMV debit since 2014 |
| Pulse | Discover Financial | ~20% | Gateway to Cirrus, STAR, Shazam, Plus, Maestro |
| NYCE | FIS | ~15% | Strong Northeast presence |
| Shazam | Independent | ~5% | Credit union focus |
| Interlink | Visa | Card brand | Visa's PIN debit rail |
| Maestro | Mastercard | Card brand | Phasing out in Europe (July 2023) |
AID Priority Configuration
CRITICAL: Terminal AID priority determines routing. If Global AIDs are prioritized over Common Debit AIDs, the terminal defaults to card brand rails (Visa/Mastercard), losing lower-cost regional network routing.
Required: Place the US Common Debit AID (A000000098) above the Global AIDs in the AID priority list.
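Added example (not the guide's or any terminal vendor's code) showing why the priority order matters: an EMV-style candidate list is built with partial (prefix) AID matching and the terminal's configured order decides. The card's own Application Priority Indicator and cardholder confirmation are left out for clarity. The card AIDs are constructed; A0000000980840 is used as the full-length US Common Debit AID behind the A000000098 prefix.

```python
"""EMV application selection with terminal AID priority (illustrative).

Added example, not from the guide or any terminal vendor. Simplification:
real selection (EMV Book 1) also weighs the card's Application Priority
Indicator and cardholder confirmation; here the terminal's configured order
decides, which is what the guide's routing point is about. The card below is
constructed; A0000000980840 is the full-length US Common Debit AID, which the
guide lists by its A000000098 prefix.
"""
from typing import List, Optional, Tuple

VISA_CREDIT_DEBIT = "A0000000031010"
VISA_INTERLINK = "A0000000033010"
MASTERCARD_CREDIT = "A0000000041010"
MAESTRO = "A0000000043060"
US_COMMON_DEBIT = "A000000098"      # partial AID: matches any card AID starting with it

GLOBAL_AIDS = {VISA_CREDIT_DEBIT, VISA_INTERLINK, MASTERCARD_CREDIT, MAESTRO}


def aid_matches(terminal_aid: str, card_aid: str) -> bool:
    """EMV partial-name matching: a terminal AID selects any card AID it is a prefix of."""
    return card_aid.upper().startswith(terminal_aid.upper())


def build_candidate_list(terminal_priority: List[str], card_aids: List[str]) -> List[Tuple[int, str, str]]:
    """(terminal rank, terminal AID, card AID) for every match, best rank first."""
    candidates = []
    for rank, t_aid in enumerate(terminal_priority):
        for c_aid in card_aids:
            if aid_matches(t_aid, c_aid):
                candidates.append((rank, t_aid, c_aid))
    return sorted(candidates)


def select_application(terminal_priority: List[str], card_aids: List[str]) -> Optional[str]:
    """The card AID the terminal ends up running, or None when nothing matches."""
    candidates = build_candidate_list(terminal_priority, card_aids)
    return candidates[0][2] if candidates else None


def audit_aid_priority(terminal_priority: List[str]) -> List[str]:
    """Findings: Common Debit missing, or a Global AID ranked above it."""
    if US_COMMON_DEBIT not in terminal_priority:
        return [f"US Common Debit AID {US_COMMON_DEBIT} is not configured"]
    common_rank = terminal_priority.index(US_COMMON_DEBIT)
    return [
        f"{aid} ranked above Common Debit {US_COMMON_DEBIT}"
        for aid in terminal_priority[:common_rank]
        if aid in GLOBAL_AIDS
    ]


# Constructed US debit card: carries the Visa global AID and the Common Debit AID
SAMPLE_CARD_AIDS = ["A0000000031010", "A0000000980840"]
MISCONFIGURED = [VISA_CREDIT_DEBIT, MASTERCARD_CREDIT, US_COMMON_DEBIT]
CORRECTED = [US_COMMON_DEBIT, VISA_CREDIT_DEBIT, MASTERCARD_CREDIT]

if __name__ == "__main__":
    for label, prio in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, "->", select_application(prio, SAMPLE_CARD_AIDS), audit_aid_priority(prio))
```

With the misconfigured list the same card lands on the Visa AID and routes over the brand rail; with Common Debit ranked first it lands on the regional-debit AID.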
3. PCI PTS Device Certification
Current PTS Version Status

| PTS Version | Approval Status | Key Dates | Field Implications |
|-------------|-----------------|-----------|--------------------|
| PTS POI v3.x | Expired | New deployments ended April 2021 | Existing may operate; no sunset |
| PTS POI v4.x | Expired | New deployments ended April 2024 | Pre-expiry inventory may deploy |
| PTS POI v5.x | Active | Current standard | Recommended for new deployments |
| PTS POI v6.x | Active | Released Summer 2024 | Latest standard; preferred |
EPP vs PED Classification

| Classification | Application | Environmental |
|----------------|-------------|---------------|
| EPP (Encrypting PIN Pad) | OEM modules in ATMs, fuel dispensers | IP65 outdoor rating |
| PED (PIN Entry Device) | Attended POS environments | Indoor only |
| UPT (Unattended Payment Terminal) | Fuel dispensers | Outdoor environmental ratings |
3DES to AES Migration
- NIST deprecated 3DES in 2019 (SP 800-67 Rev. 2)
- New uses of 3DES are disallowed after December 2023
- Vulnerability: CVE-2016-2183 Sweet32 (64-bit block cipher attack)
- PCI SSC has NOT mandated 3DES retirement
- Migration occurring through equipment refresh cycles
TR-31 Key Block Compliance
ANSI X9.143 mandates cryptographically binding key usage attributes.

| Phase | Requirement | Effective Date |
|-------|-------------|----------------|
| Phase 3 | Complete key block implementation | January 1, 2025 |
| Version D | AES-encrypted key blocks | Recommended |
| Version B/C | 3DES-encrypted key blocks | Acceptable |
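Added example, not from the guide: a decoder for the clear-text TR-31 header, so a technician can read key usage, algorithm, exportability and the key block version (B/C versus D) from an injection or RKI log. The header layout and code tables follow ANSI X9.143 as a subset; the sample blocks are constructed headers over filler payloads, not wrapped keys.

```python
"""TR-31 / ANSI X9.143 key block header decoder (added example, not from the guide).

Decodes only the clear-text 16-character header. Unwrapping the key needs the
Key Block Protection Key and MAC verification, which belongs in the HSM. Header
layout per the standard: version ID (1), block length (4), key usage (2),
algorithm (1), mode of use (1), key version (2), exportability (1),
optional-block count (2), reserved (2). The code tables are subsets. Sample
blocks are constructed: genuine headers over filler payloads, not wrapped keys.
"""
from typing import Dict, List

HEADER_LEN = 16
# Version letter -> protection of the block itself (guide: B/C = 3DES, D = AES)
VERSION_PROTECTION = {"A": "TDEA (legacy variant)", "B": "TDEA", "C": "TDEA", "D": "AES"}
KEY_USAGE = {"B0": "Base Derivation Key", "B1": "Initial DUKPT key", "P0": "PIN encryption",
             "D0": "Data encryption", "K0": "Key encryption / wrapping", "K1": "TR-31 KBPK",
             "M1": "MAC, ISO 9797-1 alg 1", "M3": "MAC, ISO 9797-1 alg 3"}
ALGORITHM = {"A": "AES", "T": "TDEA", "D": "DEA", "R": "RSA", "H": "HMAC"}
MODE_OF_USE = {"B": "encrypt and decrypt", "E": "encrypt only", "D": "decrypt only",
               "G": "generate", "V": "verify", "C": "generate and verify",
               "N": "no special restriction", "X": "derive keys"}
EXPORTABILITY = {"E": "exportable under a KEK (X9.24 form)", "N": "non-exportable",
                 "S": "sensitive; exportable under a KEK (X9.24 form)"}


def parse_tr31_header(block: str) -> Dict[str, object]:
    """Validate and decode the header; raises ValueError on a malformed block."""
    if len(block) < HEADER_LEN:
        raise ValueError("block shorter than a TR-31 header")
    h = block[:HEADER_LEN]
    if h[0] not in VERSION_PROTECTION:
        raise ValueError(f"unknown key block version ID {h[0]!r}")
    if not (h[1:5].isdigit() and h[12:14].isdigit()):
        raise ValueError("length and optional-block count fields must be numeric")
    declared = int(h[1:5])                      # total block length in characters
    if declared != len(block):
        raise ValueError(f"header declares {declared} characters, block has {len(block)}")
    return {
        "version": h[0],
        "protection": VERSION_PROTECTION[h[0]],
        "length": declared,
        "key_usage": h[5:7],
        "key_usage_name": KEY_USAGE.get(h[5:7], "other/unknown"),
        "algorithm": h[7],
        "algorithm_name": ALGORITHM.get(h[7], "other/unknown"),
        "mode_of_use": h[8],
        "mode_name": MODE_OF_USE.get(h[8], "other/unknown"),
        "key_version": h[9:11],
        "exportability": h[11],
        "exportability_name": EXPORTABILITY.get(h[11], "other/unknown"),
        "optional_blocks": int(h[12:14]),
        "reserved": h[14:16],
    }


def audit_key_block(block: str) -> List[str]:
    """Findings a technician would act on when reviewing an injection log."""
    hdr = parse_tr31_header(block)
    findings: List[str] = []
    if hdr["version"] in ("A", "B", "C"):
        findings.append(f"version {hdr['version']} block is TDEA-protected; version D (AES) is recommended")
    if hdr["algorithm"] in ("T", "D"):
        findings.append("wrapped key is a DES/3DES key; plan migration to AES")
    return findings


# Constructed samples: header fields are genuine, payloads are filler
AES_PIN_KEY_BLOCK = "D0112P0AE00E0000" + "0" * 96   # version D, 112 chars, PIN key, AES, encrypt-only
TDEA_BDK_BLOCK = "B0080B0TB00N0000" + "0" * 64     # version B, 80 chars, BDK, TDEA, non-exportable

if __name__ == "__main__":
    for blk in (AES_PIN_KEY_BLOCK, TDEA_BDK_BLOCK):
        print(parse_tr31_header(blk)["key_usage_name"], audit_key_block(blk))
```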
4. EMV Certification Levels
Level 1: Physical Hardware
L1 testing focuses on electromechanical interface:
- ISO/IEC 7816 for contact
- ISO 14443 Types A/B for contactless
- Electrical signal levels, ATR handling, power management
- Antenna field strength and operating range
NFC Antenna Specs for EMV 3.0:

| Specification | Requirement |
|---------------|-------------|
| Test PICCs | 3 reference antennas required |
| Optimal diameter | ~11.32 cm for 4 cm operating distance |
| Minimum diameter | ~5.76 cm (below this, EMV 3.0 challenging) |
| Communication speed | 106 kbps default |
| Multi-card | Transaction MUST terminate if multiple cards detected |
L1 Test Laboratories: TÜV SÜD, Applus+ Laboratories, Q-Card Company, UL Solutions, FIME
Level 2: Payment Application Kernels
- Contact EMV: single common kernel specification from EMVCo
- Contactless EMV: separate kernel certifications per payment brand

| Payment Network | Contact Kernel | Contactless Kernel | Specification |
|-----------------|----------------|--------------------|---------------|
| Visa | EMVCo Common | Kernel 3 | payWave |
| Mastercard | EMVCo Common | Kernel 2 | PayPass M/Chip |
| American Express | EMVCo Common | Kernel 4 | ExpressPay |
| Discover | EMVCo Common | Kernel 5 | D-PAS |
| JCB | EMVCo Common | Kernel 6 | J/Speedy |
| UnionPay | EMVCo Common | Kernel 7 | QuickPass |
| Common (new) | — | Kernel 8 | Unified contactless |
Primary EMV AIDs

| Network | AID | Application |
|---------|-----|-------------|
| Visa Credit/Debit | A0000000031010 | Standard Visa |
| Visa Interlink | A0000000033010 | Visa PIN debit |
| Mastercard Credit | A0000000041010 | Standard Mastercard |
| Maestro | A0000000043060 | Mastercard debit |
| American Express | A00000002501 | Contact transactions |
| ExpressPay | A000000025010701 | Contactless AmEx |
| Discover | A0000001523010 | Discover/Pulse |
| US Common Debit | A000000098 | Regional debit routing |
| Interac (Canada) | A0000002771010 | Canadian debit |
Level 3: End-to-End Processor Integration

| Network | Test Tools | Petroleum Notes |
|---------|------------|-----------------|
| Visa | ADVT, CDET, payWave tool | Field 55 ICC data, VSDC required |
| Mastercard | M-TIP, MAS Simulator | Brand compliance, M/Chip validation |
| American Express | ATS | AEIPS compliance |
| Discover | D-PAS Test Tool | AFD-specific certification manual |
Certification Timelines:
- Initial L3: 3-6 months
- Full multi-brand: 6-12+ months
- Petroleum L3: Longer due to pre-auth/completion flows
- RRA (Redundancy Reduction Approach): Subsequent terminals self-test against certified EPS
CVM Limits by Network

| Network | CVM Limit (Attended) | Transaction Limit | Notes |
|---------|----------------------|-------------------|-------|
| American Express | $200.01 | No max | CVM required at/above limit |
| Discover | $100 | No max | Above-limit disputes require PIN/CDCVM |
| Mastercard | $100 | No max | No CVM under limit |
| Visa | No mandate (rec. $200) | No max | CVM bypassed under limit |
CDCVM (Consumer Device CVM): Mobile wallet biometric/device PIN satisfies CVM regardless of amount.
5. Fleet Card Prompting
WEX Fleet Cards

| Specification | Value |
|---------------|-------|
| BIN Ranges | 690046, 707138 |
| Account Length | 19 digits with BIN |
| Prompt Determination | Track 2 positions 25 (Field 5) and 37 (Field 9) |
| Prompt Combinations | 43 possible combinations |
| Prompt Code Format | Field 5 + Field 9 (e.g., "10") |
| Pre-Auth | $1.00 |
| DCR Cutoff | $150.00 |
WEX Prompt Fields:

| Prompt | Length (min/max) | Type | Masked | Required |
|--------|------------------|------|--------|----------|
| PD Seq # | 5/5 | Numeric | Yes | Always |
| Driver # | 4/15 | Numeric | Yes | Per code |
| Vehicle # | 1/15 | Numeric | No | Per code |
| Odometer | 1/9 | Numeric | No | Per code |
| Job # | 1/15 | Alpha | No | Per code |
| Department # | 1/15 | Alpha | No | Per code |
Product Restriction Codes (Track 2 positions 26-27):
- 00 = Fuel only
- 01 = Unrestricted
- 02 = Fuel & Automotive
- 04 = Fuel & Oil
Voyager (US Bank)

| Specification | Value |
|---------------|-------|
| BIN Range | 7088 |
| Account Length | 19 digits with BIN |
| Pre-Auth/Cutoff | $75.00 both |
| Stand-in | Allowed at $50.00 |
Restriction Codes (Track 2 positions 25-26):
- First digit (prompts): 0=None, 1=ID, 2=Odometer, 3=ID+Odometer
- Second digit (restrictions): 0=None, 1=Fuel only
Field Formatting:
- ID: 4-6 digits, right-justify, zero-fill to 6; masked; NOT printed
- Odometer: Max 7 digits, right-justify, zero-fill to 7; printed
Fuelman/FleetCor

| Card Type | BIN | Length |
|-----------|-----|--------|
| Fuelman | 707649 | 17 |
| GasCard/FleetWide | 707685 | 17 |
| FleetWide Identifier | Positions 7-8 = "98" after BIN | — |
Requirements:
- Always Required: Driver ID (5 digits, masked, NOT printed) + Odometer (max 6 digits)
- NO returns allowed — only pre-auth, sales, completions, voids
- Pre-Auth/Cutoff: $50.00 both
- NO stand-in allowed
- Expiration dates MUST be checked
Visa Fleet/Mastercard Fleet
Prompt Codes (last significant digit):
- 1 = ID + Odometer
- 2 = Vehicle + Odometer
- 3 = Driver + Odometer
- 4 = Odometer only
- 5/0/7/8/9 = None
Restriction Code (2nd to last significant digit):
- 1 = Fuel & Maintenance
- 2 = Fuel only
Field Limits:
- ID, Vehicle, Driver: Max 6 digits
- Odometer: Max 7 digits
- Pre-Auth: $1.00
- DCR Cutoff: $150.00
- Partial approvals supported
Fleet One (WEX-owned)

| Specification | Value |
|---------------|-------|
| BIN | 501486 |
| Length | 19 digits |
| Pre-Auth/Cutoff | $250.00 both |
| Expiration Date Checking | None |
Prompt Codes (Track positions 7-8):
- Code 11: Odometer + Driver ID/Fleet PIN (4 digits each)
- Code 15: Adds PO/Reference Number (2-6 digits, min value 10)
Critical Requirements:
- Pre-Auth returns maximum authorized fueling amount — POS MUST use returned Total Amount
- Completions must be sent within 20 minutes
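Added example covering the prompt and restriction rules in this section (not the guide's, Worldpay's or any processor's code). It identifies the brand by BIN, decodes Voyager's prompt and restriction positions and WEX's prompt code and product restriction from Track 2, applies the Voyager field formatting, keeps masked fields off the receipt and enforces FleetCor's no-returns rule. Assumptions: Track 2 positions are 1-based from the first PAN digit and count the '=' separator; the WEX code is returned unexpanded because the 43-combination table is processor-supplied; the Track 2 strings are constructed.

```python
"""Fleet-card prompt and restriction decoding from Track 2 (added example).

Not from the guide or the Worldpay spec. Assumptions: Track 2 positions are
1-based from the first PAN digit and count the '=' separator, so on a 19-digit
account positions 21-24 hold the YYMM expiry and position 25 is the first
discretionary character; the WEX prompt code is returned as the two characters
the guide describes (Field 5 + Field 9) without expansion, because the
43-combination table is processor-supplied. Track 2 strings are constructed.
"""
from typing import Dict, Optional, Tuple

FLEET_BINS = {"690046": "WEX", "707138": "WEX", "7088": "VOYAGER",
              "707649": "FUELMAN", "707685": "FUELMAN", "501486": "FLEET_ONE"}
MASKED_FIELDS = {"ID", "DRIVER", "PD_SEQ"}       # masked on receipts; odometer prints in clear
FUELMAN_ALLOWED_TXN = {"PREAUTH", "SALE", "COMPLETION", "VOID"}   # FleetCor: no returns

VOYAGER_PROMPTS = {"0": (), "1": ("ID",), "2": ("ODOMETER",), "3": ("ID", "ODOMETER")}
VOYAGER_RESTRICTIONS = {"0": "NONE", "1": "FUEL_ONLY"}
WEX_PRODUCT_RESTRICTIONS = {"00": "FUEL_ONLY", "01": "UNRESTRICTED",
                            "02": "FUEL_AUTOMOTIVE", "04": "FUEL_OIL"}


def identify_fleet_brand(pan: str) -> Optional[str]:
    """Match the account number against the guide's fleet BIN prefixes."""
    return next((brand for prefix, brand in FLEET_BINS.items() if pan.startswith(prefix)), None)


def split_track2(track2: str) -> Tuple[str, str, str]:
    """Return (PAN, expiry YYMM, discretionary data); '=' is the ISO 7813 separator."""
    pan, sep, rest = track2.partition("=")
    if not sep or not pan.isdigit() or len(rest) < 4:
        raise ValueError("malformed Track 2")
    return pan, rest[:4], rest[4:]


def track2_position(track2: str, pos: int) -> str:
    """1-based Track 2 position (assumed convention, see module docstring)."""
    return track2[pos - 1]


def voyager_rules(track2: str) -> Tuple[Tuple[str, ...], str]:
    """Voyager: position 25 selects prompts, position 26 the product restriction."""
    pan, _, _ = split_track2(track2)
    if identify_fleet_brand(pan) != "VOYAGER" or len(pan) != 19:
        raise ValueError("not a 19-digit Voyager account")
    return (VOYAGER_PROMPTS[track2_position(track2, 25)],
            VOYAGER_RESTRICTIONS[track2_position(track2, 26)])


def wex_rules(track2: str) -> Tuple[str, str]:
    """WEX: prompt code = position 25 + position 37; product restriction at 26-27."""
    pan, _, _ = split_track2(track2)
    if identify_fleet_brand(pan) != "WEX" or len(pan) != 19:
        raise ValueError("not a 19-digit WEX account")
    code = track2_position(track2, 25) + track2_position(track2, 37)
    return code, WEX_PRODUCT_RESTRICTIONS[track2[25:27]]


def format_numeric_field(raw: str, min_len: int, max_len: int, width: int) -> str:
    """Validate length, then right-justify and zero-fill to the host field width."""
    if not raw.isdigit() or not min_len <= len(raw) <= max_len:
        raise ValueError(f"field must be {min_len}-{max_len} digits, got {raw!r}")
    return raw.zfill(width)


def format_voyager_id(raw: str) -> str:            # 4-6 digits, zero-filled to 6
    return format_numeric_field(raw, 4, 6, 6)


def format_voyager_odometer(raw: str) -> str:      # max 7 digits, zero-filled to 7
    return format_numeric_field(raw, 1, 7, 7)


def format_fuelman_driver_id(raw: str) -> str:     # always exactly 5 digits
    return format_numeric_field(raw, 5, 5, 5)


def receipt_fields(prompted: Dict[str, str]) -> Dict[str, str]:
    """Drop masked prompt values so they never reach the printed receipt."""
    return {name: value for name, value in prompted.items() if name not in MASKED_FIELDS}


def fuelman_txn_allowed(txn_type: str) -> bool:
    """FleetCor accepts only pre-auth, sale, completion and void messages."""
    return txn_type.upper() in FUELMAN_ALLOWED_TXN


# Constructed Track 2 samples: Voyager with prompts=3 (ID+Odometer), restriction=1 (fuel only);
# WEX with Field 5 = '1', product restriction '02', Field 9 = '0' (prompt code "10")
VOYAGER_TRACK2 = "7088123456789012345" + "=" + "2712" + "31" + "0000000"
WEX_TRACK2 = "6900461234567890123" + "=" + "2611" + "1" + "02" + "000000000" + "0"

if __name__ == "__main__":
    print("Voyager:", voyager_rules(VOYAGER_TRACK2))
    print("WEX:", wex_rules(WEX_TRACK2))
    print("Receipt:", receipt_fields({"ID": format_voyager_id("1234"),
                                      "ODOMETER": format_voyager_odometer("98765")}))
```

Keeping the masking decision in one place (MASKED_FIELDS) is what prevents the receipt-compliance failure listed under Common Mistakes, and the length validation in format_numeric_field() rejects the wrong-length ID before it reaches the host.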
6. PIN Pad Part Numbers
Gilbarco FlexPay

| Part Number | Description | Application |
|-------------|-------------|-------------|
| M13888K901 | FlexPay IV UPM Kit | Encore 300/500/500S/700S |
| M16183K001 | FlexPay IV Omnia Upgrade Kit | Current standard |
| M15315K005 | FlexPay IV Previous Kit | Superseded—avoid |
FlexPay 6 Series (Invenco by GVR):
- A2-09: All-in-One 9" terminal
- M1-15/M2-15: Modular 15" terminals, PCI 5.x SRED
Wayne/Dover iX Pay

| Component | Part Number | Description |
|-----------|-------------|-------------|
| iX Pay T7 Display Kit | W2894021-001 | Replacement display assembly |
| iX Pay T7 Terminal | Various | 7" WVGA touchscreen |
| iX Pay T5 Terminal | Various | 5" display variant |
Verifone Terminals

| Model | Display | Application |
|-------|---------|-------------|
| MX915 | 4.3" color | Multi-lane indoor |
| MX925 | 7" color | Multi-lane, signature capture |
| UX300 | — | Outdoor dispenser |
| UX301 | — | Outdoor, enhanced security |
| P200 | Compact | Indoor counter |
| P400 | With display | Indoor counter |
Ingenico Lane Series

| Model | Display | Best Application |
|-------|---------|------------------|
| Lane 3000 | Basic | Budget, low volume |
| Lane 5000 | 3.5" color | Mid-range retail |
| Lane 7000 | 5" color | Multi-lane, high volume |
| Lane 8000 | 7" HD | Premium, multimedia |
7. Troubleshooting
Authorization Response Codes

| Code | Description | Action |
|------|-------------|--------|
| 00 | Approved | Transaction successful |
| 01 | Refer to Card Issuer | Call voice authorization |
| 05 | Do Not Honor | Generic decline—customer contacts issuer |
| 12 | Invalid Transaction | Retry or check configuration |
| 14 | Invalid Card Number | Entry error or damaged card |
| 51 | Insufficient Funds | Customer uses different payment |
| 54 | Expired Card | Verify expiration date |
| 55 | Incorrect PIN | Customer retries PIN entry |
| 75 | PIN Tries Exceeded | Card blocked—customer contacts issuer |
| 78 | Terminal Configuration Error | Check EMV configuration |
| 91 | Issuer/Switch Inoperative | Temporary—retry after delay |
EMV Chip Read Failures

| Error | Cause | Resolution |
|-------|-------|------------|
| "Card Not Read" | Dirty/damaged contacts | Clean chip; try mag stripe fallback |
| "Chip Error" | Card malfunction | Fallback to magnetic stripe |
| "Card Blocked" | Excessive PIN attempts | Customer contacts issuer |
| "Application Not Supported" | Missing AID | Update terminal payment application |
Fallback Protocol:
- Terminal attempts chip read 3 times before fallback
- Fallback generates liability shift to merchant
- Changes POS Entry Mode in authorization message
- Some issuers decline fallback for fraud protection
DUKPT Key Injection Failures

| Error | Cause | Resolution |
|-------|-------|------------|
| Invalid Key Serial Number | Counter exhausted | Terminal requires re-injection at certified KIF |
| Encryption key mismatch | Wrong BDK at processor | Verify key injection matches processor records |
| "TransArmor Request: 216" | UPP firmware issue (Ingenico) | Downgrade to UPP 7.80.01 or re-inject |
| Key exchange failed | Network/connectivity | Verify connection, retry key exchange |
Communication Timeout Troubleshooting
Standard Timeout Values:
- Authorization request: 30-45 seconds (60 extended)
- Settlement/batch: 60-90 seconds (120 extended)
- Key exchange: 30 seconds (45 extended)
Resolution Sequence:
- Verify network connectivity (ping gateway)
- Check firewall rules for payment ports (443 outbound)
- Confirm DNS resolution
- Test alternate host (secondary IP)
- Verify TLS handshake completion
- Check for IP conflicts on payment network segment
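Added example, not from the guide: the resolution sequence scripted as far as the POS itself can drive it (DNS, TCP connect on the payment port, TLS 1.2+ handshake), stopping at the first failing step so the report points at the layer to investigate. Firewall rules, alternate-host selection and IP-conflict checks stay network-side and manual. start_plain_tcp_listener() is a constructed stand-in for a host that accepts TCP but never completes TLS, so the script can be exercised offline; the timeout budgets are the guide's.

```python
"""Staged connectivity diagnosis for a payment host (added example, not from the guide).

Walks the guide's resolution sequence as far as the POS itself can drive it:
DNS resolution, TCP connect on the payment port, then a TLS 1.2+ handshake.
Firewall-rule review, alternate-host selection and IP-conflict checks are
network-side steps and are not scripted. start_plain_tcp_listener() is a
constructed stand-in for a host that accepts TCP but never answers TLS, so
the sequence can be exercised offline. Timeout budgets are the guide's.
"""
import socket
import ssl
import threading
from typing import Callable, Dict, List, Optional

# Seconds, from the guide's timeout table
TIMEOUTS = {
    "authorization": {"standard": (30, 45), "extended": 60},
    "settlement": {"standard": (60, 90), "extended": 120},
    "key_exchange": {"standard": (30, 30), "extended": 45},
}

Result = Dict[str, object]


def check_dns(host: str) -> Result:
    """Step 3 of the sequence: does the host name resolve at all?"""
    try:
        addrs = sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
        return {"step": "dns", "ok": True, "detail": ", ".join(addrs)}
    except socket.gaierror as exc:
        return {"step": "dns", "ok": False, "detail": str(exc)}


def check_tcp(host: str, port: int, timeout: float) -> Result:
    """Reachability on the payment port (a firewall block shows up here)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"step": "tcp", "ok": True, "detail": f"connected to {host}:{port}"}
    except OSError as exc:
        return {"step": "tcp", "ok": False, "detail": f"{type(exc).__name__}: {exc}"}


def check_tls(host: str, port: int, timeout: float,
              context: Optional[ssl.SSLContext] = None) -> Result:
    """TLS handshake completion with certificate and hostname verification on."""
    ctx = context or ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # PCI DSS floor
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"step": "tls", "ok": True,
                        "detail": f"{tls.version()} {tls.cipher()[0]}"}
    except OSError as exc:   # ssl.SSLError, timeouts and resets are all OSError subclasses
        return {"step": "tls", "ok": False, "detail": f"{type(exc).__name__}: {exc}"}


def diagnose(host: str, port: int = 443, timeout: float = 5.0) -> List[Result]:
    """Run the steps in order and stop at the first failure, like the guide's sequence."""
    steps: List[Callable[[], Result]] = [
        lambda: check_dns(host),
        lambda: check_tcp(host, port, timeout),
        lambda: check_tls(host, port, timeout),
    ]
    report: List[Result] = []
    for step in steps:
        result = step()
        report.append(result)
        if not result["ok"]:
            break
    return report


def start_plain_tcp_listener(max_connections: int = 8) -> int:
    """Constructed test host: accepts TCP, reads and discards, then hangs up (no TLS)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(max_connections)
    port = srv.getsockname()[1]

    def serve() -> None:
        for _ in range(max_connections):
            conn, _addr = srv.accept()
            conn.settimeout(2.0)
            try:
                conn.recv(4096)          # swallow the ClientHello, or nothing at all
            except OSError:
                pass
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_plain_tcp_listener()
    for r in diagnose("127.0.0.1", port, timeout=3.0):
        print(f"{r['step']:<4} {'OK ' if r['ok'] else 'FAIL'} {r['detail']}")
```

Against the stand-in host the report reads DNS OK, TCP OK, TLS FAIL, which is the signature of a reachable host with a certificate, protocol-version or intercepting-proxy problem rather than a routing one.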
8. Network Communication Requirements
TLS/SSL Compliance (PCI DSS)

| Protocol | PCI Status |
|----------|------------|
| SSL 2.0/3.0 | PROHIBITED |
| TLS 1.0 | PROHIBITED |
| TLS 1.1 | DEPRECATED—avoid |
| TLS 1.2 | REQUIRED minimum |
| TLS 1.3 | RECOMMENDED |
Certificate Requirements:
- RSA key length ≥2048-bit or ECC ≥224-bit
- SHA-256 or higher hash algorithm
- Certificates from trusted CAs only
Prohibited Configurations:
- RC4, DES, 3DES ciphers
- NULL encryption
- Export-grade ciphers
- Anonymous key exchange (ADH)
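Added example, not from the guide: a client TLS context meeting the protocol table and the prohibited-configuration list, built with the standard ssl module; a cipher-name audit for the prohibited families; and a check of the certificate minimums. Cipher names in SAMPLE_CIPHERS are constructed input in OpenSSL naming; what the hardened context actually offers depends on the local OpenSSL build. Key type, key size and signature hash are passed in already extracted, since reading them from a PEM needs a library such as cryptography.

```python
"""PCI-aligned TLS client settings plus cipher and certificate policy checks.

Added example, not from the guide. Uses only the standard library ssl module;
the audit matches OpenSSL-style cipher names against the families the guide
prohibits. SAMPLE_CIPHERS is constructed input; what get_ciphers() returns
depends on the local OpenSSL build. check_certificate_policy() takes the
already-extracted key type, key size and signature hash (pulling those out of
a PEM needs a library such as cryptography, which is deliberately not used).
"""
import re
import ssl
from typing import Dict, Iterable, List

PROHIBITED_CIPHER_PATTERNS = {
    "RC4": re.compile(r"RC4"),
    "DES/3DES": re.compile(r"(^|-)DES(-|$)"),      # DES-CBC-SHA, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
    "NULL encryption": re.compile(r"NULL"),
    "export-grade": re.compile(r"^EXP-"),
    "anonymous key exchange": re.compile(r"^(ADH|AECDH)-"),
}
STRONG_SIGNATURE_HASHES = {"sha256", "sha384", "sha512"}

# Forward-secret AEAD suites only; the '!' terms exclude the prohibited families explicitly
PAYMENT_CIPHER_STRING = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                         "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5")


def audit_cipher_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group offending cipher names under the prohibited family they belong to."""
    findings: Dict[str, List[str]] = {}
    for name in names:
        for family, pattern in PROHIBITED_CIPHER_PATTERNS.items():
            if pattern.search(name):
                findings.setdefault(family, []).append(name)
    return findings


def build_payment_tls_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 floor, verified chain and hostname, AEAD suites only."""
    ctx = ssl.create_default_context()                # chain and hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # TLS 1.0/1.1 never offered
    ctx.set_ciphers(PAYMENT_CIPHER_STRING)            # TLS 1.3 suites are unaffected and all AEAD
    return ctx


def context_findings(ctx: ssl.SSLContext) -> Dict[str, List[str]]:
    """Audit what the context would actually offer, not just what was asked for."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())


def check_certificate_policy(key_type: str, key_bits: int, signature_hash: str) -> List[str]:
    """Apply the guide's certificate minimums: RSA >= 2048, ECC >= 224, SHA-256 or stronger."""
    findings: List[str] = []
    kind = key_type.upper()
    if kind == "RSA":
        if key_bits < 2048:
            findings.append(f"RSA key {key_bits} bits is below the 2048-bit minimum")
    elif kind in {"EC", "ECC", "ECDSA"}:
        if key_bits < 224:
            findings.append(f"ECC key {key_bits} bits is below the 224-bit minimum")
    else:
        findings.append(f"unrecognised key type {key_type!r}")
    if signature_hash.lower().replace("-", "") not in STRONG_SIGNATURE_HASHES:
        findings.append(f"signature hash {signature_hash} is weaker than SHA-256")
    return findings


# Constructed cipher list mixing acceptable and prohibited suites
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384",
    "RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA",
    "NULL-SHA256", "EXP-RC4-MD5", "ADH-AES128-SHA", "AECDH-AES256-SHA",
]

if __name__ == "__main__":
    print("offered by hardened context:", context_findings(build_payment_tls_context()))
    print("sample list:", audit_cipher_names(SAMPLE_CIPHERS))
    print("weak cert:", check_certificate_policy("RSA", 1024, "SHA1"))
```

Auditing ctx.get_ciphers() rather than the cipher string catches the case where the local OpenSSL build silently ignores part of the string; the same audit can be pointed at a cipher list exported from a terminal or gateway configuration.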
PCI DSS Network Segmentation
VLANs alone are NOT sufficient for PCI compliance. Required:
- Properly configured firewalls between VLANs
- Access Control Lists (ACLs) limiting inter-VLAN traffic
- Annual penetration testing of segmentation controls
- Network diagrams documenting CDE boundaries
- All payment devices on isolated network segments
9. Common Mistakes
Fleet Card Mistakes

| Mistake | Consequence | Prevention |
|---------|-------------|------------|
| Not checking expiration on Fuelman | Transaction failure | Always check expiration for FleetCor cards |
| Wrong prompt field masking | Receipt compliance failure | Mask Driver ID, don't mask Odometer |
| Attempting returns on FleetCor | Decline | FleetCor allows ONLY pre-auth, sales, completions, voids |
| Missing completion within 20 min (Fleet One) | Authorization expires | Send completion immediately |
| Wrong ID field length | Validation failure | Verify min/max per card type |
EMV Configuration Mistakes

| Mistake | Consequence | Prevention |
|---------|-------------|------------|
| Global AIDs prioritized over Common Debit | Loses low-cost routing | Place A000000098 appropriately |
| Missing contactless kernel | NFC failures | Install all required brand kernels |
| Wrong CVM limit | Unnecessary PIN prompts | Configure per network specs |
| Fallback disabled | No backup for chip failures | Enable with fraud monitoring |
Encryption Mistakes

| Mistake | Consequence | Prevention |
|---------|-------------|------------|
| Using expired PTS devices for new deployments | PCI non-compliance | Verify PTS version before ordering |
| Not monitoring KSN counter | Surprise key exhaustion | Track high-volume terminal counters |
| TLS 1.0/1.1 enabled | PCI non-compliance | Enforce TLS 1.2 minimum |
| Wrong BDK at processor | All transactions fail | Verify key injection with processor |
10. Documentation References
Publicly Available

| Document | Source |
|----------|--------|
| ANSI X9.24 (DUKPT) | ANSI standards |
| PCI PTS Device Security | PCI SSC |
| EMVCo Specifications | EMVCo website |
| Worldpay Petroleum Card Spec V1.2 | Worldpay |
Requires Authorization

| Document | Access |
|----------|--------|
| Host IP addresses/ports | Processor NDA |
| Dial backup phone numbers | Processor NDA |
| SSL/TLS certificate files | Processor portal |
| EMV kernel specifications | Brand licensing |
| Complete BIN tables | Processor portal |
Manufacturer Portals

| Manufacturer | Portal |
|--------------|--------|
| Gilbarco | docs.gilbarco.com, Passport Resource Center |
| Wayne/Dover | producttraining.doverfuelingsolutions.com |
| Verifone | verifone.cloud |
| Ingenico | ingenico.com developer portal |
| Heartland | developer.heartlandpaymentsystems.com |
Support Contacts

| Resource | Contact |
|----------|---------|
| Gilbarco TAC | 800-743-7501 |
| Wayne/Dover | 800-289-2963 |
| Verifone VASC | 888-777-3536 |
| WEX Fleet Support | 866-544-0575 |
| Voyager/US Bank | 800-987-6591 |
| Fuelman/FleetCor | 800-877-0800 |
Confidence Note: DUKPT/encryption standards and PCI PTS version dates from official ANSI and PCI SSC publications. Fleet card BIN ranges and prompt codes from Worldpay Petroleum Spec V1.2 but subject to change—verify with processor. Host IP addresses and encryption keys require processor authorization.