
TransArmor: Verifone Edition (TAVE)

TransArmor: Verifone Edition (TAVE) is a two-layer card security solution that combines strong encryption and tokenization.

Revision History

Date | Description
5/22/2023 | Initial Documentation Release.
10/02/2023 | Added DCR Configuration section and updated Buypass Configuration.
11/20/2023 | Added note to Device and Platform Requirements regarding Base 54.01 and higher software.
2/9/2024 | Added a note regarding BIN exclusion at the beginning of Chapter 2.
2/12/2024 | Updated to the new branding.
3/20/2024 | Updated the entire document.
7/31/2025 | Updated with Fiserv Cloud BIN Service.

Overview

TransArmor: Verifone Edition (TAVE) is a two-layer card security solution that combines strong encryption and tokenization. This solution prevents sensitive card holder data from entering or being stored in the POS by replacing the PAN (Primary Account Number) with a random-number token that has no direct relationship with the replaced data.

This solution requires the installation of a TAVE key (VCL VRK) and associated configuration files in addition to the usual 3DES DUKPT debit keys to support the tokenization. TAVE keys can be downloaded from the Premier Portal and loaded via USB for new installations or installed via VHQ for existing installations that are online with the VHQ server. Each injected TAVE key can be rotated up to 99 times if needed to change up the device encryption scheme and make intrusions even more difficult.

Customers using TAVE will use the same debit keys used prior to TAVE installation. This key part number format should look familiar: A-KEYPCS-BUY-XX.

The VCL (TAVE Key) is requested, downloaded, and installed the same way as a debit key, using the VRK request tool on the Premier Portal under Manage > VRK request. It has a single part number for all customers and POS types: A-KEYVSP-FDVRK-01. Like the debit key, multiple device serial numbers can be included in one request for mass processing.

After the device is TAVE ready, it will no longer run in a non-TAVE Verifone Commander environment.

Fiserv Cloud BIN Service

From Verifone Commander Release 56.02, Verifone has implemented the Fiserv Cloud BIN Service (CBS). Cloud BIN Service, also known as BIN Exclusion, does not encrypt certain BIN ranges that need not be processed by Fiserv. Fiserv has introduced a new cloud BIN management service in their commerce hub that can manage BIN exclusions without updating any configuration files.

The objective of Cloud BIN Service is to implement a P2PE (Point-to-Point Encryption) methodology where the BIN exclusion is centralized in the cloud, reducing the need for implementation on individual devices at each site. This approach enhances efficiency and ensures consistent, scalable management of BIN exclusions across the entire network.

The Cloud BIN Service configuration will work alongside the existing BIN Exclusion file on the device. This means that the card ranges that are in the BIN Exclusion file will continue to work as before and no TAVE update commands are needed.

Sites need to contact their Fiserv Account or Relationship manager. The manager will submit a project request to get the correct resources on board for boarding and testing. The TransArmor Integrator, once assigned, will provide a Cloud BIN Service Implementation overview and address any questions with the site.

The sites should do the following before configuring the cloud BIN service on Verifone Configuration Client:

  • Get the API Keys and Secret keys from Fiserv.

  • Provide to Verifone the backend merchant ID, also known as PROC MID, that they received from Fiserv.

  • Provide to Fiserv the upper and lower range of the cards they want to be processed.

Device and Platform Requirements

A site can have a mix of both Verifone MX 900 Series PIN pads and M400 PIN pads. Currently, the Gilbarco FlexPay 4 is the ONLY outdoor device allowed. TAVE is supported on Verifone Commander 54.01 and higher software. There were many updates made in the configurations starting with the Verifone Commander 55.01.00 software release. Unbranded Buypass is supported. Individual brands will have unique files that will include special cards.

Device | OS Version | Firmware / Application Version | Key Update | BIN File Update | Brands Supported
Commander (Minimum TPPID RVE077) | N/A | Base 54.01.00+; Buypass 3.13.02+; For Cloud Bin Service: Release 56.02.00+ | N/A | N/A | TBD
MX 900 Series | 3025100 0 | ViperPAY 4.07.04+; For Cloud Bin Service: 4.07.11+ | VHQ (VCL VRK) | VHQ (VCL - Configuration and BIN) | TBD
Engage | TBD | 2.03.04+ Kernel 702; For Cloud Bin Service: 2.06.00 Kernel 703 | VHQ (VCL VRK) | VHQ (VCL - Configuration and BIN) | TBD
Gilbarco FlexPay II | TBD | TBD | TBD | TBD | TBD
Gilbarco FlexPay IV | N/A | 52.12.45; For Cloud Bin Service: 52.13.24 | Uses the Gilbarco Estate Management System | Uses the Gilbarco Estate Management System | TBD
Wayne iX Pay 1 | TBD | TBD | TBD | TBD | TBD
Wayne iX Pay 2 | TBD | TBD | TBD | TBD | TBD

TAVE CONFIGURATION

After the device is TAVE ready, it will no longer run in a non-TAVE Verifone Commander environment. See the host when adding any BIN range exclusions.

Loading PIN Pad Files

A new installation using TAVE would follow the same steps as a standard PIN Pad installation. Installation files are placed in the root directory of a USB flash drive and loaded directly to the device.

MX 915 and MX 925

1. Download the zipped files and extract them.

2. Copy the TGZ file(s) to be loaded onto the PIN pad from a PC to the root directory on the USB memory stick.
   Files must be in the root directory to be recognized and loaded.

3. Put the terminal into System Mode if an application is already loaded and running.
   Press keys 1, 5, 9 at the same time on the keypad. If there is no application loaded, the terminal will boot up to the System Mode Login Screen.

4. Press the "X" button on the keypad and then option 3.
   The terminal displays the System Mode login screen.

5. Log into the PIN pad.

6. At the "Home" screen, select the "Transfer" tab.

7. At the "Transfer" screen, select the "USB / SD Memory" tab.
   The terminal searches for memory devices. This could take up to two minutes.

8. Under "Available Memory Devices," select "USB Storage 1 (/mnt/usbstor1)."

9. Under "Select File(s):(Source: /mnt/usbstor1)," select the file to be loaded.
   For example:

     • OS (May require update)

     • ViperPAY Software

     • Custom Files

     • Debit Key

     • BIN/Configuration File

     • VCL (TAVE Key)

10. Touch "Apply."

11. Wait for the installation to complete.
    The Status screen displays "Install Successful!" when complete.

12. Touch "OK."

13. Go back to the Home screen of System Mode and press "Run App."

14. Perform an EMV initialization.

M400 and P400

See the EVPAY release notes for more detailed steps with file names for the version being loaded onto the PIN pad.

Use these steps in order to do a full installation of the Verifone EVPAY and components on Verifone M400 PIN pad.

1. Download the zipped files for the correct kernel and extract them.

2. Copy the TGZ file(s) to be loaded onto the PIN pad from a PC to the root directory on the USB memory stick.
   Files must be in the root directory to be recognized and loaded.

3. Load the OS file.
   If the PIN pad prompts to reboot, select "Yes."
   Installing a current operating system over OS version 30620500 or lower without an intermediate step-up version may cause the device to fail, requiring it to be sent in for repair. See VASC Field Service Bulletin 0322_002 posted at the Premier Portal under Manage > Petro Downloads > General VASC Info > VASC Bulletins for more details.

4. Load the Adkcert Package file.
   If the PIN pad prompts to reboot, select "Yes."

5. Load the Payment Kernel version.
   If the PIN pad prompts to reboot, select "Yes."

6. Load the file for the EVPAY application and VIPA kernel bundle.
   If the PIN pad prompts to "Run Apps", press Cancel and then press the Red X button until you return to the Information menu. At the Information menu, select Exit and then at the prompt, reboot the PIN pad. Otherwise, if the PIN pad prompts to reboot, select "Yes."

7. Load the Debit key file.

8. Load the BIN/Configuration file.

9. Load the VCL (TAVE key) file.

10. Perform an EMV initialization.

TAVE in Verifone Commander Configuration Client

Firmware Configurations

Each distribution will have different Inside/Outside Domain values. The letter "X" will be used in place of the latest version in the configuration files below.

5X Firmware Configuration for MX 900 Series devices:

  • VIPER-5XGEN_ConfigXXX.config (5X with generic BINs including condensed VISA Fleet and 8-digit BIN entries)

    • Domain -- VIPER

    • Inside Brand/Key ID -- 5XGEN

    • Example File -- dl-VCL_Settings_VIPER-5XGEN_ConfigXXX.config-XXXXXX.tgz

9X Firmware Configuration for Engage devices:

  • VIPER-9XGEN_ConfigXXX.config (5X with generic BINs including condensed VISA Fleet and 8-digit BIN entries)

    • Domain -- VIPER

    • Inside Brand/Key ID -- 9XGEN

    • Example File -- dl-VCL_Settings_VIPER-5XGEN_ConfigXXX.config-XXXXX.tgz

Buypass Configuration

Log into Verifone Commander Configuration Client and then navigate to Payment Controller

Scroll down to TAVE Configuration.

The Domain and Inside Brand must be compatible with BIN and the Configuration File. If not, the registration will not be successful.

1. Key in the Domain.

2. Key in the Inside Brand.

     • 5XGEN (MX 900 Series PIN pad)

     • 9XGEN (Engage Series PIN pad)

3. Key in the Outside Brand.

     • GBQA7 (Gilbarco)

     • Wayne (Currently, not supported.)

4. Key in the Token Type.

5. Click Save.

EPS Global Configuration

Log into Verifone Commander Configuration Client and then navigate to Payment Controller > EPS Configuration > EPS Global Configuration.

The Advance DDK should not be used, unless Fiserv, major oil, or merchant has indicated the site should advance the DDK. If a new BIN Exclusion file was received, then use Update Settings only.

1. Select the PTPE tab.

2. Check the Enabled box.
   It will allow access to the POP Operations section.
   If using TAVE inside or outside, the Enabled box must be checked.

3. Select the appropriate PIN Pad from the POP ID drop-down menu.

4. Key in the correct Brand for the POP ID.

5. Click Save in the upper right-hand corner.

6. Navigate to the Tools menu and click Refresh Configuration.

7. Navigate back to the PTPE tab in EPS Global Configuration.

8. Click on Register.
   This processes the TAVE Configuration File and notifies the host of TAVE settings. The Register Command Sent Successfully message displays.

9. Click on Update Settings.
   This processes the BIN Exclusion File and notifies the host of the TAVE settings. The Update Command Sent Successfully message displays.
   Use the Update Settings button only when a new BIN Exclusion file, separate from the Configuration file, is used.

10. Click Save in the upper right-hand corner.

DCR Configuration

Use these steps to enable Outdoor TAVE.

1. Log into Verifone Commander Configuration Client and then click on the Forecourt menu.

2. Click on the DCR menu.

3. Click on the Site Configuration tab.

4. Check the Enable Outdoor TAVE box.

5. Navigate back to the Forecourt menu and click on Outdoor TAVE.
   The Advance DDK should not be used, unless Fiserv, major oil, or merchant has indicated the site should advance the DDK.
   If a new BIN Exclusion file was received, then use Update Settings only.

6. At TAVE Operations, select the desired DCR from the DCR ID drop-down menu.

7. Key in the correct Brand for the DCR ID.

8. Click Save in the upper right-hand corner.

9. Navigate to the Tools menu and click Refresh Configuration.

10. Navigate back to the Forecourt menu and click on Outdoor TAVE.

11. Click on Register.
    The Register Command Sent Successfully message displays.

12. Click on Status to verify the TAVE Status.
    If Update DCR Settings is used without receiving a new BIN Exclusion file, the "BIN table update file missing or invalid" message displays. This error does not have any overall effect on DCR TAVE processing, but it removes the registered message.

13. Click on Update Settings if a new BIN Exclusion file was received.
    The Update Command Sent Successfully message displays.
    Use the Update Settings button only when a new BIN Exclusion file, separate from the Configuration file, is used.

Cloud Bin Service Configuration

The sites should do the following before configuring the cloud BIN service:

  • Sites should get the API Keys and Secret keys from Fiserv.

  • Sites also need to provide Verifone the backend merchant ID, also known as PROC MID that they received from Fiserv.

  • Sites need to provide the upper and lower range of the cards they want to be processed to Fiserv.

1. Log into Verifone Commander Configuration Client and then navigate to Payment Controller > EPS Configuration > Buypass Configuration.

2. Scroll down to Cloud BIN Service.

3. Key in the API Key.

4. Key in the Secret key.

5. Key in Proc MID.

6. Click Save.

Download POS Decision Table

The POS decision table is downloaded every time a day close happens. It can also be downloaded from the cashier menu in POS.

Loyalty/Gift card Configuration

The newly encrypted cards will only be identified based on the first 6 digits upon encryption. Any new card configuration should have the upper and lower ISO configured to 6 digits only.

The Card Track data gets encrypted by the device only if the track 2 data is in PCI data format - ([Primary Account Number]=[Expiration Date][Service Code][Discretionary Data]).

Loyalty cards that do not follow this format do not have to be included in the Cloud BIN Service.
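
The following is an added example, not Verifone or Fiserv code: a simplified model of the decision described above (track 2 format check, identification by the first 6 digits, BIN range exclusion) that a site could use to sanity-check a planned exclusion list. The field widths, the sentinel characters, the `BinRange` and `classify` names, the sample range and the sample tracks are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Track 2 layout quoted above: PAN '=' expiration date, service code,
# discretionary data. The field widths (PAN 12-19 digits, YYMM expiry,
# 3-digit service code) and the optional ';' and '?' sentinels are
# ISO/IEC 7813 assumptions, not values taken from the TAVE guide.
TRACK2_RE = re.compile(r";?([0-9]{12,19})=([0-9]{4})([0-9]{3})([0-9]*)\??")


@dataclass(frozen=True)
class BinRange:
    """One exclusion entry: lower and upper bound, 6 digits each."""
    lower: str
    upper: str

    def __post_init__(self) -> None:
        for bound in (self.lower, self.upper):
            if re.fullmatch(r"[0-9]{6}", bound) is None:
                raise ValueError("BIN bounds must be exactly 6 digits")
        if self.lower > self.upper:
            raise ValueError("lower bound is above upper bound")

    def contains(self, bin6: str) -> bool:
        # Equal-length digit strings compare the same as the numbers.
        return self.lower <= bin6 <= self.upper


def classify(track2: str, exclusions: Iterable[BinRange]) -> Tuple[str, str, Optional[str]]:
    """Return (action, reason, bin6); the full PAN is never returned."""
    match = TRACK2_RE.fullmatch(track2.strip())
    if match is None:
        return ("clear", "not-pci-format", None)
    bin6 = match.group(1)[:6]
    if any(r.contains(bin6) for r in exclusions):
        return ("clear", "bin-excluded", bin6)
    return ("encrypt", "in-scope", bin6)


# Constructed sample data: a hypothetical gift-card range and test tracks.
EXCLUSIONS = [BinRange("600000", "600999")]
SAMPLES = [
    ";4111111111111111=30121010000000000?",  # widely used test PAN
    "6000123456789012=30121010000",          # falls in the excluded range
    "LOYALTY-0012345",                       # no PAN=... structure
]

if __name__ == "__main__":
    for track in SAMPLES:
        print(classify(track, EXCLUSIONS))
```

Constructing a range with 8-digit bounds raises `ValueError`, which mirrors the 6-digit rule for new card configurations stated above.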

GLOSSARY OF TERMS

The following terms and definitions will assist the reader with understanding the content of the TAVE feature.

Terms | Definitions
Advance DDK | When requested by a major oil company or Fiserv, this forces the TAVE encryption key to "rotate" or advance to the next of 10 available DDKs, effectively providing up to 10 unique device keys before needing to be replaced.
BIN Exclusion File | The BIN Exclusion File allows for split processing. For example, if a gift card BIN range routes to a gift card processor, and never routes to TAVE front end for processing, then those BINs would need to be excluded from encryption.
DDK | Device Derivation Key
E2EE | End-to-End Encryption
POP | Point of Payment (PIN pad)
MID | Merchant ID. This is the same 6-digit Rapid Connect Dealer ID used when setting up Payment Network.
TAVE Configuration File | This file is used by the VCL to create the device derivation keys.
TID | Terminal ID. In a TAVE setup each card payment terminal will have its own TID. This is determined by the POP number and assigned by Fiserv upon registration.
VCL | Verifone Crypto Library. This refers to the firmware (TAVE Key) used to encrypt the transaction.

FAQs

How do I re-register a device after relocating it? How do I "force" a registration?

It is the same as a new or newly upgraded device. Navigate to Payment Controller > EPS Configuration > EPS Global Configuration > PTPE tab. Select the correct POP under POP Operations and click Register.

How do I request an updated BIN Configuration file?

Occasionally, cards that do not require PTPE might be added to a card table. These might be loyalty programs, gift card programs, etc. This will require a new BIN Configuration file (also known as the BIN Exclusion File) from the payment network. This updates the file to synchronize with the card table.

The merchant will request the BIN Configuration file from their company, who will in turn request it from Fiserv.

How do I force Advance DDK?

Advance DDK should not be used unless directed by Fiserv or the Major Oil/Merchant. Navigate to Payment Controller > EPS Configuration > EPS Global Configuration: PTPE. Select the correct POP under POP Operations and click

Where do I find documentation on how to load TAVE configuration to device in the forecourt?

Contact the device manufacturer. All devices are required to be updated in Verifone Commander Configuration Client via POP Operations as described in this document after the actual devices are loaded and configured correctly.
