EMVCo recommends that 1408-bit Payment Scheme keys expire by 31 December 2024. This recommendation is still active. The EMVCo recommendation concerns the keys of the card brands, not those of the banks themselves. However, this expiration has an impact on the banks.
The issuer bank, using the issuer key, signs the keys on the card. The card brand, using the brand key, signs the key of the issuer bank. The EMVCo recommendation says that the key of the card brand should expire on 31 December 2024 at the latest.
During EMV transactions, the terminal verifies the authenticity of the card using the brand key. When the brand key expires, the terminal can’t verify the authenticity of the card.
For banks, this practically means that if they issue their cards with an expiration date three years out, they should change to the longer key before 31 December 2021.
This change involves signing the issuer key with a longer brand key and then replacing the issuer key and public key certificate in the card personalization. EMV doesn’t require the issuers to generate longer keys than they are currently using. The issuer key length should be analyzed case by case, considering the currently used keys, card brand requirements, and card personalization.
The final step of the process is card certification. After modifying the key, the card brand may require card recertification depending on how this change amends the card’s personalization.
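The deadline reasoning above (a card must not outlive the brand key that anchors its certificate chain) can be checked against a card portfolio. The following is an added example, not part of the original article: the function names and the sample portfolio are constructed, and it assumes cards expire on the last day of a month, with validity counted in whole months from the issuance month.

```python
import calendar
from datetime import date

# From the page: 1408-bit payment scheme (brand) keys expire on 31 December 2024.
BRAND_KEY_EXPIRY = {1408: date(2024, 12, 31)}

def _month_end(month_index: int) -> date:
    """Last day of the month identified by year * 12 + (month - 1)."""
    year, month0 = divmod(month_index, 12)
    return date(year, month0 + 1, calendar.monthrange(year, month0 + 1)[1])

def card_expiry(issued: date, validity_months: int) -> date:
    """Assumed convention: a card expires at the end of the month
    `validity_months` after its issuance month."""
    return _month_end(issued.year * 12 + issued.month - 1 + validity_months)

def migration_deadline(key_bits: int, validity_months: int) -> date:
    """Last issuance date for which the card still expires no later than
    the brand key that anchors its certificate chain."""
    limit = BRAND_KEY_EXPIRY[key_bits]
    index = limit.year * 12 + limit.month - 1
    if limit != _month_end(index):
        index -= 1  # key expires mid-month: cards must expire the month before
    return _month_end(index - validity_months)

def outlives_brand_key(cards):
    """Return IDs of cards whose expiry is later than their brand key's expiry."""
    return [c["id"] for c in cards
            if card_expiry(c["issued"], c["validity_months"])
            > BRAND_KEY_EXPIRY[c["brand_key_bits"]]]

# Constructed sample portfolio (not real card data).
SAMPLE_CARDS = [
    {"id": "A", "issued": date(2021, 6, 10), "validity_months": 36, "brand_key_bits": 1408},
    {"id": "B", "issued": date(2021, 12, 20), "validity_months": 36, "brand_key_bits": 1408},
    {"id": "C", "issued": date(2022, 1, 5), "validity_months": 36, "brand_key_bits": 1408},
    {"id": "D", "issued": date(2021, 3, 1), "validity_months": 48, "brand_key_bits": 1408},
]

if __name__ == "__main__":
    print("3-year cards: switch by", migration_deadline(1408, 36))
    print("outlive the 1408-bit key:", outlives_brand_key(SAMPLE_CARDS))
```

Cards with a longer validity period move the deadline earlier: under the same assumptions, a four-year card would have needed the longer brand key by the end of 2020.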