Key Management System
PCI-DSS & PCI-PIN Compliant
The vault that protects every key in your payment chain.
bRUID Kms is a comprehensive Key Management System for payment HSMs. It manages the complete cryptographic lifecycle - master key ceremonies, issuer key management, PIN translation, MAC validation, certificate authority operations, and multi-HSM failover - all within a tamper-resistant environment with zero plaintext exposure.
Card Network CAs
Master Key Ceremony
Split-Knowledge
No Plaintext Exposure
From master key ceremonies to issuer key distribution - bRUID Kms manages every cryptographic key your payment infrastructure requires.
Three-part LMK generation with dual-control and split-knowledge. Import, generate, and activate via KMS screens or Trusted Path with full ceremony logging.
Import and generate ZMKs and transport keys in cleartext or via Trusted Path. Symmetric and asymmetric transport with security level enforcement.
Secure PIN translation and encryption within the tamper-resistant boundary. PEK lifecycle management with zero plaintext exposure at any point.
Message Authentication Code generation and validation for transaction integrity. Cryptographically signed clearing files for secure settlement.
Generate, import, and manage asymmetric keys. RSA key generation with modulus export (MULTOS), ECC keys across supported elliptic curve domains.
Local and remote key buffering for high-throughput scenarios. Configurable key cache with server parameters for key generation and buffer management.
bRUID Kms manages Certificate Authority public keys, issuer certificates, and X.509 certificate chains across all major card networks. Import, endorse, and manage the full PKI lifecycle.
Load root CA keys from Visa, MC, Amex, JCB, GCB, INTERAC, CUP, DFS, MULTOS, NSPK
X.509 CA public key endorsement via KMS screens or Trusted Path
Banking, Visa, MCI, GCB, JCB, Amex, INTERAC, CUP, DFS, MULTOS, NSPK certificate management
Import, chain, and endorse X.509 issuer public key certificates with P10 format support
Configure certificate request profiles for automated certificate signing
Export key profiles for auditing, compliance documentation, and backup
Connect and manage multiple HSM devices simultaneously with unified key management
Distribute cryptographic operations across the HSM pool for high availability and throughput
Automatic failover between HSM devices ensuring continuous cryptographic service availability
Configurable IP-based access control for KMS server connections and HSM administration
Secure alternative to KMS screens for key ceremonies - tamper-evident key entry with hardware tokens
Security Officer roles (SO1, SO2, SO3) with password-protected access and special identities
Full KMS database backup and restore with configurable backup locations and integrity checks
Key Administration and Server logs with function usage tracking, key usage activity, and remote log config
Core payment processing with HSM-backed key management for authorization, PIN translation, and MAC validation.
Card personalization uses bRUID Kms for key diversification, data preparation, and secure script generation.
POS terminal key injection managed through bRUID Kms - TMK, PIK, and encryption key lifecycle for deployed terminals.
Deploy bRUID Kms as your cryptographic foundation - PCI-DSS and PCI-PIN compliant key management with zero plaintext exposure.