CAPK Management
CAPK download requirements
To manage the EMV Public Keys, Elavon requires the vendor/merchant systems to validate the Effective Date of the Response Message. It is recommended that this date be checked on each transaction response message to determine if EMV Public Keys have changed. If the Effective Date changes from the previous value, then the vendor/merchant will need to pull the EMV Public Keys via the EMV Public Key Download message (for example, 0800/0810 in ISO 8583).
Important
Requirement
- Elavon requires merchant systems to digitally sign CA public keys after downloading them. However, digital signatures are not required to be generated and stored.
- Elavon requires merchant systems to install a mechanism of validating the Checksum for the CA public keys.
- Elavon requires merchant systems to check the expiration of CAPKs in the response message of every transaction.
- In case new keys are issued by Elavon, the merchant system is required to update the keys within 6 months from the time the keys were made available by Elavon.
CAPK Checksum validation example process
Steps for CAPK Checksum validation:
Step-1: The first step uses RID, key value, PKI and exponent. Strip out all the non-hexadecimal characters (particularly spaces and end-of-line markers) and then concatenate pairs of hex digits into bytes.
Step-2: Concatenate the byte-strings in the following order: Value = RID + PKI + Key + Exponent;
Step-3: Compute a SHA-1 hash of the concatenated string.
Step-4: Convert the SHA-1 hash from raw bytes into pairs of hexadecimal digits. Strip out any non-hexadecimal characters and convert any letters to uppercase A-F for the checksum entered by the user.
Step-5: Compare the hexadecimal digits of the SHA-1 hash calculated to the hexadecimal digits that the user entered, with spaces removed and everything else converted to uppercase.
Step-6: Return the result.
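The six steps above, written out as an added Python example (not Elavon's code). The function names and the sample key material are constructed for illustration, and the constant-time comparison with hmac.compare_digest is a choice made here, not something the page requires.

```python
import hashlib
import hmac
import re

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def hex_to_bytes(field: str) -> bytes:
    """Step 1: drop spaces, line breaks and other non-hex characters, then pair digits into bytes."""
    digits = _NON_HEX.sub("", field)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; field is truncated or corrupted")
    return bytes.fromhex(digits)


def capk_checksum(rid: str, pki: str, key: str, exponent: str) -> str:
    """Steps 2-4: SHA-1 over RID + PKI + Key + Exponent, returned as uppercase hex."""
    value = hex_to_bytes(rid) + hex_to_bytes(pki) + hex_to_bytes(key) + hex_to_bytes(exponent)
    return hashlib.sha1(value).hexdigest().upper()


def validate_capk(rid, pki, key, exponent, entered_checksum: str) -> bool:
    """Steps 4-6: normalise the entered checksum and compare it with the computed one."""
    entered = _NON_HEX.sub("", entered_checksum).upper()
    computed = capk_checksum(rid, pki, key, exponent)
    # A SHA-1 digest is 20 bytes (40 hex digits); anything else cannot match.
    return len(entered) == 40 and hmac.compare_digest(computed, entered)


# Constructed sample data, not a real scheme key.
SAMPLE = {
    "rid": "A0 00 00 00 00",
    "pki": "F1",
    "key": "c1 d2 e3 f4\n05 16 27 38",
    "exponent": "03",
}

if __name__ == "__main__":
    good = capk_checksum(**SAMPLE)
    print("computed checksum:", good)
    print("matches:", validate_capk(**SAMPLE, entered_checksum=good.lower()))
    tampered = dict(SAMPLE, key="c1 d2 e3 f4 05 16 27 39")
    print("tampered key matches:", validate_capk(**tampered, entered_checksum=good))
```

A key whose checksum does not match should be rejected and not installed.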