Verifone’s VeriShield Remote Key (VRK) is a secure, automated system designed to manage the injection of cryptographic keys into payment terminals remotely. The RKI (Remote Key Injection) scheme within this framework allows for the secure delivery of keys (such as PIN/Debit and P2PE keys) to devices in the field.
PREREQUISITES
1. Device Readiness & Security State
- Tamper Status: The terminal must be in a "Clean" state. If the device has triggered a physical or logical tamper, the Secure Data Interface (SDI) will block any key injection attempts.
- Certificate Presence: The terminal must have its unique factory-installed VRK Certificate (often referred to as the "Device Certificate" or "Application Certificate"). Without this, the TR-34 asymmetric exchange cannot initiate.
- Verification: Certificate presence can usually be confirmed in the terminal’s System Mode under Security > VeriShield Tree > application.
- Battery Calibration (Engage/Portable): For mobile units like the V240m or Carbon, Verifone recommends a full discharge/charge cycle if the device was recently updated to a new ADK before the key load.
2. Software & Firmware Requirements
- ADK Version: For Engage (V/OS) devices, a minimum of ADK 4.4.5 is generally required. Newer features or specific P2PE keys may require ADK 4.10.x or higher.
- SDI Version: Ensure the Secure Data Interface (SDI) package is compatible with the key type (e.g., SDI 1.1.x+ for standard PIN/Debit).
- VHQ Agent: The VHQ Agent on the device must be compatible with your VHQ Server version (e.g., Agent 5.1.5.x for VHQ 3.27).
3. Bundle Packaging Format
The file extension must match the OS architecture:
- V/OS (Engage/Carbon/UX): Requires a .tgz bundle.
- VX eVo: Requires a .zip bundle.
- Signing: The bundle must be correctly signed and targeted to the specific serial numbers within the payload.
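The checklist above can be run as a pre-flight gate before a key load is scheduled. The following is an added example, not Verifone or VHQ code: the record field names, the `preflight` helper and the sample serial numbers are assumptions made for illustration, and in practice the values would come from System Mode or an estate inventory export.

```python
"""Pre-flight check of one terminal record against the RKI prerequisites above."""
import re

# Bundle extension required per OS family (from the packaging rules above).
BUNDLE_EXT = {"vos": ".tgz", "vx_evo": ".zip"}
MIN_ADK_VOS = (4, 4, 5)  # minimum ADK stated for Engage (V/OS) devices


def parse_version(text):
    """Turn '4.10.2' into (4, 10, 2) so 4.10 sorts above 4.4 (string compare would not)."""
    parts = re.findall(r"\d+", str(text))
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(p) for p in parts)


def preflight(device, bundle_name, targeted_serials):
    """Return a list of human-readable blockers; an empty list means ready."""
    problems = []
    if device.get("tamper_status") != "Clean":
        problems.append("tamper status is not Clean")
    if not device.get("vrk_certificate_present"):
        problems.append("VRK device certificate missing")
    family = device.get("os_family")
    expected_ext = BUNDLE_EXT.get(family)
    if expected_ext is None:
        problems.append(f"unknown OS family {family!r}")
    elif not bundle_name.lower().endswith(expected_ext):
        problems.append(f"bundle must be {expected_ext} for {family}")
    if family == "vos":
        try:
            if parse_version(device.get("adk_version", "")) < MIN_ADK_VOS:
                problems.append("ADK older than 4.4.5")
        except ValueError:
            problems.append("ADK version unreadable")
    if device.get("serial") not in targeted_serials:
        problems.append("serial not targeted by this bundle")
    return problems


# Constructed sample records (hypothetical fields, not real devices or serials).
READY = {"serial": "000-000-001", "os_family": "vos", "adk_version": "4.10.2",
         "tamper_status": "Clean", "vrk_certificate_present": True}
BLOCKED = {"serial": "000-000-002", "os_family": "vx_evo", "adk_version": "n/a",
           "tamper_status": "Tampered", "vrk_certificate_present": True}

if __name__ == "__main__":
    for dev in (READY, BLOCKED):
        print(dev["serial"], preflight(dev, "keys.tgz", {"000-000-001"}) or "ready")
```

Versions are compared as integer tuples because a plain string comparison would rank ADK 4.10.x below 4.4.5 and wrongly block a compliant device.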