CSG Overview How it Works

What it Does



In addition to standard crypto operations, Crypto Service Gateway offers several advanced functions that address common business problems, including:


  • Code signing
  • EMV transaction authorisation
  • Tokenization
  • Data at rest encryption
  • Data signing
  • Non-repudiation
  • PIN translation
  • Data in transit encryption
  • Data masking
  • Data scrambling
  • Signature verification
  • Hybrid encryption
  • Integrity checking
  • Random data generation
  • CVV verification
  • Credential management
  • PIN re-advise
  • Format Preserving Encryption

CSG Safe cropped




Managed Data Encryption

CSG's managed encryption technology addresses a common crypto headache - ensuring encrypted data can be safely decrypted at a later date, even if the original key has been replaced. This technique is ideally suited for long-term storage of encrypted data within a business database, for example. Managed encryption is an optional feature that can be made available to any application using CSG.

Managed encryption provides confidentiality, authenticity and integrity (while normal encryption only offers the first of these). This means CSG can ensure the data hasn't been modified while it was stored. The encrypted data returned by CSG contains a pointer to the key used to perform the encryption. Even if the encryption key is updated, CSG retains access to the old key and can use it to decrypt historical data. Support is also provided for updating old encrypted data to use a newer key.


Tokenization is a common technique for protecting sensitive data, such as PANs, as they pass through business systems. The original data is replaced with a token of the same length, using a reversible process.

CSG offers tokenization as a basic crypto function available to any application. The tokenization process is customisable and can allow parts of the data to pass through un-changed (e.g. the last four digits of the PAN). A configurable mixture of format-preserving encryption and database storage is used to produce the token values.

For those concerned with PCI-DSS, tokenization may provide a way to bring systems out of scope for audits. For more information on PCI-DSS compliance with CSG, please refer to PCI-DSS topic paper

Secure PIN Translation

Secure PIN translation is the process of changing the key that encrypts a PIN, without exposing the PIN data in server memory. This operation is commonly needed in payment systems, where the PIN must travel through different systems which use different zone-related keys.

CSG supports PIN translation using our secure code execution (SCE) technology, which is a vendor-neutral approach to executing code within an HSM. The PIN translation function supports a variety of standard PIN block formats.



Request more information