DUKPT

Derived Unique Key Per Transaction (DUKPT) is a symmetric key management scheme used to protect sensitive data in payment environments by generating a unique encryption key for each transaction. It is designed to reduce the impact of key exposure and simplify key management across large networks of point-of-sale devices.

DUKPT centers on three elements: a Base Derivation Key (BDK), an Initial PIN Encryption Key (IPEK) derived

Security and management properties include limiting data exposure to a single transaction and enabling centralized key

Algorithms used in DUKPT have traditionally been 3DES for derivation and encryption, with AES-based variants increasingly