NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption - is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.

1. Comparison between LEWG MDER Version 1.0 and VISA TDEG Version 2.0

2. No Factors LEWG VISA Transaction Data Encryption NetMATRIX Terminal Line Encryption Remarks
Minimum Data Encryption Guidelines Version 2.0 Solution
Requirements Version 1.0
1 Data elements subject to 1 (Minimum) : CVV Basic : ADVV + PAN + PIN Block (if Currently encrypting PAN, Expiry
encryption implemented) Date, Track 2, CVV2 and random
number.
2 (Recommended) CVV + PAN Advance : ADVV + PAN + PIN Block
(if implemented) + Transaction-unique Can be configured to encrypt PIN
Data Element (e.g. transaction Block (if implemented)
number, date/time stamp, random
number) Highest Supported
LEWG Ver.1.0 - Ranking 2
VISA Ver. 2.0 - Advance
2 Key storage in terminal 1 (Minimum) : Keys are stored Basic : Keys are stored in the Key storage is within the tamper-
outside a secure module protected memory of the terminal and responsive terminal hardware.
cannot be read through any User
Interfaces. For added security, NetMATRIX
employs a unique mechanism for key
2 (Recommended) : Keys are stored Recommended : Keys are stored storage that renders the keys useless
inside a secure module (e.g. SAM, inside a secure module (e.g. SAM, during a Terminal-to-Terminal copy.
secure PIN-pad or tamper-responsive secure PIN-pad or tamper-responsive
terminal hardware) terminal hardware) Highest Supported
LEWG Ver.1.0 - Ranking 2
VISA Ver. 2.0 - Recommended
3 Key usage methodologies 1 (Minimum) : Static Working Keys. NetMATRIX supports a more advance
level for both Static Working Keys and
2 : Derived Unique Working Keys per Basic : Derived Unique Working Keys Derived Unique Working Keys per
Session (session expires after each per Session (session expires after transaction methodologies, whereby
consecutive 1000th transaction or after each consecutive 1000th transaction each terminal has its own set of
Terminal log-on). Keys are derived or after Terminal log-on). Keys are Unique Keys (Working and Master).
from Master keys. derived from Master keys.
NetMATRIX is able to support up to 4
3 (Recommended) : Derived Unique Recommended : Derived Unique billion unique keys per terminal
Working Keys per transaction. Keys Working Keys per transaction. Keys application.
are derived from Master keys. are derived from Master keys.
Highest Supported
4 (future-proof) : Derived Unique Key Advance : Derived Unique Key Per LEWG Ver.1.0 - Ranking 3
Per Transaction (DUKPT) Transaction (DUKPT) VISA Ver. 2.0 - Recommended
4 Key differentiation 1 (Minimum) : Uses same key for data Basic : Uses same key for data NetMATRIX supports using the same
encryption and message encryption and message key as well as different keys for data
authentication. authentication. encryption and message
authentication.
2 (Recommended) : Uses different Recommended : Uses different keys
keys for data encryption and message for data encryption and message Highest Supported
authentication, i.e. Key 1 is used for authentication, i.e. Key 1 is used for LEWG Ver.1.0 - Ranking 2
encryption and Key 2 is used for encryption and Key 2 is used for VISA Ver. 2.0 - Recommended
message authentication. message authentication.
5 Encryption algorithms 1 (Minimum) : TEA in CBC mode (128 NetMATRIX supports all encryption Only one level of
bits key length) algorithms and respective key lengths encryption algorithm is
defined in LEWG Ver. 1.0 and VISA defined in VISA Ver. 2.0
2 : DES in CBC mode (56 bits key Ver. 2.0
length)
Highest Supported
3 (Recommended) : TDES (112 bits TDES (112 bits key length) or AES LEWG Ver.1.0 - Ranking 3
key length) or AES (128 bits key (128 bits key length) in CBC mode VISA Ver. 2.0 - Supported
length) in CBC mode
6 Trusted/Security domain 1 (Minimum) : Security domain should Basic : Trusted domain should only NetMATRIX provides Trusted domain
population only contain the minimum number of contain the minimum number of that contains only two devices. Each