Luna EFT to payShield 10K Migration

FREQUENTLY ASKED QUESTIONS (FAQS)

MARCH 2021
Luna EFT to payShield 10K Migration FAQs

Contents
Introduction ............................................................................................................................................ 3
Comparing Luna EFT & payShield 10K .................................................................................................... 3
How long is the Luna EFT going to be sold & supported by Thales? .................................................. 3
Planning Overview .................................................................................................................................. 3
What documentation is available to support the migration process? ............................................... 3
Is a mapping guide available that helps migration from Luna EFT to payShield 10K? ....................... 3
What HSM devices and software are required before key migration can take place? ...................... 3
What scheduled downtime is required during the key migration process?....................................... 4
Besides key migration, what additional steps are necessary during the migration? ......................... 4
Migrating Keys ........................................................................................................................................ 4
How does the payShield 10K store keys compared to the Luna EFT? ................................................ 4
Do I need to use my production Luna EFT to perform the key migration? ........................................ 4
What base version of Luna EFT is required for the custom migration software? .............................. 4
Is the Luna EFT custom key migration software available for download? ......................................... 5
Will my keys be exposed in plaintext format during the key migration process? .............................. 5
Can the key migration process be undertaken remotely? ................................................................. 5
Does the key migration process require any manual intervention? .................................................. 5
How does Thales ensure that key migration is secure and with minimal risk? .................................. 5
How will Luna EFT's host stored keys be migrated to payShield 10K? ............................................... 6
Migrating Applications ............................................................................................................................ 6
What role will Thales Professional Services play in migrating my host application? ......................... 6
What happens if I am using custom commands & keys on my Luna EFT? ......................................... 6
Replacement of eTokens/Smartcards ..................................................................................................... 6
Can I use my existing Luna EFT smartcards/eTokens on payShield 10K? ........................................... 6
Where can I purchase smartcards for use with payShield 10K? ......................................................... 7
Training of Operations Staff .................................................................................................................... 7
How can I train up my staff in order to manage the payShield 10K? ................................................. 7

March 2021 2
Luna EFT to payShield 10K Migration FAQs

Introduction
This document containing a selection of frequently asked questions (FAQs) has been
created to assist Luna EFT customers migrate to the payShield 10K platform, and should be
read in conjunction with the following documents:

 Luna EFT to payShield 10K Migration Guide

 Luna EFT Payment HSM End of Life Announcement
The documents above are available on request from your Thales sales representative.

Comparing Luna EFT & payShield 10K

How long is the Luna EFT going to be sold & supported by Thales?
Please refer to the "Luna EFT Payment HSM End of Life Announcement" for full details.

Planning Overview
What documentation is available to support the migration process?
The “Luna EFT to payShield 10K Migration Guide” has been published and details all the
major aspects of migrating from Luna EFT to payShield 10K including pre-requisites for
customers.
A supporting presentation, "Migration from Luna EFT to payShield 10K", is also available to
summarise the steps described in the migration process.
Both documents are available via your Thales sales representative and also via the Thales
Support Portal, https://supportportal.thalesgroup.com/csm.

Is a mapping guide available that helps migration from Luna EFT to payShield 10K?
Yes. Please refer to the appendices in the “Luna EFT to payShield 10K Migration Guide” for
the following mapping tables:

 API Mapping
 Configuration Mapping
 Key Usage/Type Mapping

What HSM devices and software are required before key migration can take place?
The following items are required before key migration can begin:

 A Luna EFT2 HSM with software version 2.4.0. If this is not possible, please contact
Thales in order to arrange temporary use of a device for key migration purposes.
 A laptop/PC/server for host communication with both Luna EFT and payShield 10K. It
may also be used to automate the key import process.

March 2021 3
Luna EFT to payShield 10K Migration FAQs

 At least two key custodians to securely manage the Zone Master Key (ZMK) to be
shared between the Luna EFT and payShield 10K.
 A key custodian to take ownership of the keys exported from the Luna EFT. This
custodian can also manage the ZMK, above.
 A security officer to:
o oversee the migration activity;
o confirm decommissioning of the Luna EFT used for key migrations;
o confirm deletion of tools and data from the laptop after the migration process
is completed.

What scheduled downtime is required during the key migration process?

The key migration process will use a separate Luna EFT, and therefore no downtime is
required during this time for HSMs performing live production tasks.

Besides key migration, what additional steps are necessary during the migration?
The migration of keys is a major step in the overall migration process. Please refer to the
"Luna EFT to payShield 10K Migration Guide" for full details.
Once the migration process is complete, the host processing systems will need to undergo
their routine test cycles before going into production using payShield 10K HSMs.

Migrating Keys
How does the payShield 10K store keys compared to the Luna EFT?
Typically, the payShield 10K stores a Local Master Key (LMK) internally, and encrypts all
other customer keys under this LMK for external storage. By contrast, the Luna EFT typically
stores all customer keys inside the HSM.

Do I need to use my production Luna EFT to perform the key migration?

No. A separate 'migration' Luna EFT must be used for this activity. This Luna EFT will use
special custom software which provides the key migration functionality. However, you will
need to create a backup of your keys from your production Luna EFT onto smart cards, and
restore them into the 'migration' Luna EFT to perform the key migration activity.

What base version of Luna EFT is required for the custom migration software?
Luna EFT with base version 2.4.0 is required in order to load the custom migration software.

March 2021 4
Luna EFT to payShield 10K Migration FAQs

Is the Luna EFT custom key migration software available for download?
No, the custom key migration release is not available for download. The key migration
process from Luna EFT to payShield 10K is a sensitive operation. The Thales Professional
Services team is well equipped with the custom software and a specific utility along with
required expertise to perform all key migration activities on your behalf.

Will my keys be exposed in plaintext format during the key migration process?
No. During the key migration process, no plaintext key material is exposed. All keys are
securely exported from the Luna EFT, encrypted under a new 3DES or AES key encryption
key using the TR-31 key block format.

Can the key migration process be undertaken remotely?

No. In order to ensure the appropriate level of security, it is essential that the key migration
process takes place at the physical HSM location, and in the presence of your security team
members.

Does the key migration process require any manual intervention?

Yes, the user is currently required to perform some manual tasks during the migration
process. Our Professional Services team is working on enhancements that will automate this
process. Please reach out to your Thales sales representatives to discuss the migration
process in more detail.

How does Thales ensure that key migration is secure and with minimal risk?
Thales understands the sensitive nature of migrating keys from Luna EFT to payShield 10K
and will always follow recognized payment industry best practice to ensure that your keys
are migrated securely.

 During the entire key migration process, no key will ever appear in plaintext. A
restricted custom Luna EFT software will be used to export both the HSM and Host
stored keys encrypted under a ZMK in TR-31 key block format.
 It is preferable to perform the key migration process on one of your existing Luna
EFT HSMs. If you are unable to provide a Luna EFT for key migration, Thales
Professional Services / Sales will be able to provide temporary use of an HSM, which
will be decommissioned after the key migration process is complete. All
decommissioning activity will be documented (including picture/video capture) and
shared with you, and Thales will maintain a record of this event.
 The exported keys are imported into the payShield 10K using the same ZMK keys.
 The ZMK will be created and shared between Luna EFT and payShield 10K ONLY
and must not be exposed to any other HSM.
 This migration activity is performed in the customer’s secure premises/lab ONLY.
 The key migration tools provided by Thales will only have access to encrypted key
material.

March 2021 5
Luna EFT to payShield 10K Migration FAQs

 After a successful key migration, the key migration tools and data will be deleted from
the customer’s laptop/PC/server.
 All key migration operations and the deletion of tools and data used during key
migration will be documented (including picture/video capture) and shared with you,
and Thales will maintain a record of this event.

How will Luna EFT's host stored keys be migrated to payShield 10K?
Any Luna EFT host stored keys will be exported using encryption under a ZMK in TR-31 key
block format. In order to ensure that all your keys are migrated, we recommend that you
have prepared in advance a consolidated list of host stored keys along with their key types
and algorithms. 3DES host stored keys will be migrated using the Luna EFT administration
console Key Export option under Key Management. RSA and AMB host stored keys will be
migrated using a custom host command supplied by Thales.

Migrating Applications
What role will Thales Professional Services play in migrating my host application?
Thales Professional Services will be available to provide assistance during the process of
migrating keys from Luna EFT to payShield 10K. Additionally, for product support, you can
contact Client Services by raising a ticket as per the normal process. If you require any
additional developer support during your application migration, then please contact your
Thales sales representative.

What happens if I am using custom commands & keys on my Luna EFT?

Thales Professional Services team will advise if new payShield 10K custom software (at
additional cost) is required in order to achieve the same functionality as your existing Luna
EFT. In many cases, we anticipate that you will be able to use standard payShield 10K base
software.

Replacement of eTokens/Smartcards
Can I use my existing Luna EFT smartcards/eTokens on payShield 10K?
No. Your existing (Gemalto-branded) smartcards/eTokens will not be usable on the
payShield 10K. When installing and commissioning your payShield 10K, a new set of
smartcards will be commissioned using Thales payShield branded smartcards. payShield
10K does not use eTokens.

March 2021 6
Luna EFT to payShield 10K Migration FAQs

Where can I purchase smartcards for use with payShield 10K?

For sales of payShield 10K smartcards and smartcard readers, please contact your Thales
sales representative.

Training of Operations Staff

How can I train up my staff in order to manage the payShield 10K?
Thales Professional Services are able to provide training for the installation, management,
monitoring and day-to-day running of the payShield 10K. If you require these or any other
training regarding payShield 10K, please contact your Thales sales representative.

March 2021 7