The Green Sheet Online Edition

April 27, 2009  •  Issue 09:04:02


Go remote: Boost security and profits

By Stuart Taylor

Our industry is being challenged by a barrage of increasingly sophisticated security attacks on all elements of the payments sphere. This is requiring us to invest in more complex and expensive data security solutions. And it's happening at a time when the economic environment poses its own challenges.

How can our industry invest more in securing the payment system without impacting our bottom line? The answer is remote key injection. A brief reminder on key injection: All debit-capable PIN pads or terminals with integrated PIN pads require a processor-specific encryption key to be loaded into the security module of the PIN pad or terminal. The industry refers to this key loading process as "key injection."

Guarding encryption

Given that encryption keys are used to protect (encrypt) cardholders' PINs, it is extremely important that the keys are kept secret. If a fraudster can obtain these encryption keys, he or she can decipher the cardholder's PIN and compromise the system.

Encryption keys are most at risk of being exposed during the key loading (key injection) process. To reduce this risk, the payments industry, card companies and the American National Standards Institute have developed processes and standards for key injection that reduce the risk of fraudulent (or even accidental) key exposure.

These industry-standard processes require the device to be placed in a certified, physically secure, controlled and audited facility - generally referred to as an Encrypting Service Organization, or ESO - for the key injection process to take place. This is generally considered part of the cost of deploying a device, but the same cost is also incurred when switching a device in the field.

When you switch a device in the field, it is easy enough to download a new software application to the terminal; but for PIN debit, the PIN pad or complete terminal must be swapped out for one that has the correct encryption keys loaded - at significant cost. Wouldn't it be great if you could inject new debit keys as easily as you can download a new software update?

Adopting proven capabilities

For many years, payment standards in some countries - notably Australia and Germany - have included the capability to remotely inject encryption keys. Although these standards have been based on well understood cryptographic processes, the implementation of remote key injection has been specific to those countries and their payment standards, and thus it hasn't been readily adaptable to the standards we use in North America.

Fortunately, the situation is changing, and remote key injection facilities, based on card brand and ANSI standards, are now available for North America. Remote key injection requires that a new, secure process be established between the PIN pad or terminal having the key injected and a key injection server, which typically resides in an ESO deployment center, ISO or large merchant environment. Once the key injection server is in place, the terminal or PIN pad being injected must support certain cryptographic processes - sometimes referred to as public key infrastructure, or PKI.

The technicalities are not important for this discussion, beyond understanding the terminal or PIN pad must have specific capabilities. The good news is that manufacturers have been shipping terminals with these capabilities for some time.
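For readers who do want a feel for the cryptographic step, the sketch below is an added example, not code from this article, from Hypercom, or from the ANSI and card brand standards. It assumes the openssl command-line tool and uses hypothetical file and function names: a key injection server encrypts a PIN key to the terminal's public key and signs the result, and the terminal accepts the key only if the server's signature verifies.

```shell
#!/bin/sh
# Added illustration of asymmetric key transport; a simplification, not the
# ANSI/card-brand remote key injection protocol. All names are hypothetical.

# make_keypair NAME: RSA-2048 key pair. In a real terminal the private key is
# generated inside the security module and never leaves it.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.key" 2>/dev/null &&
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# server_wrap KEYFILE: encrypt the PIN key to the terminal's public key
# (RSA-OAEP), then sign the ciphertext so the terminal can authenticate it.
server_wrap() {
    openssl pkeyutl -encrypt -pubin -inkey terminal.pub \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out wrapped.bin &&
    openssl dgst -sha256 -sign server.key -out wrapped.sig wrapped.bin
}

# terminal_accept OUTFILE: verify the server's signature first and decrypt
# only if it checks out. Returns non-zero on a bad signature.
terminal_accept() {
    openssl dgst -sha256 -verify server.pub -signature wrapped.sig \
        wrapped.bin >/dev/null 2>&1 || return 1
    openssl pkeyutl -decrypt -inkey terminal.key \
        -pkeyopt rsa_padding_mode:oaep -in wrapped.bin -out "$1"
}

# rki_demo: run the exchange in a scratch directory. Prints "injected" when
# the terminal recovers the exact key, then "rejected" once the blob has been
# altered in transit.
rki_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    make_keypair terminal && make_keypair server || exit 1
    openssl rand -out pin.key 16       # constructed sample key, random per run
    server_wrap pin.key || exit 1
    terminal_accept received.key && cmp -s pin.key received.key && echo injected
    printf 'X' >> wrapped.bin          # simulate modification in transit
    terminal_accept tampered.key || echo rejected
    cd / && rm -rf "$d"                # remove the demo key material
)

rki_demo
```

In a deployed system the terminal would trust the server's public key through a certificate chain rather than a bare key file, which is the role the PKI plays.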

Using remote control

The need to package, ship, repackage and reship terminals for key injections is going the way of so many other outdated operations. And it's only a matter of time before all secure room key injection moves to remote key injection. Payment terminal manufacturers are adding support for the PKI to make that happen.

The industry recognizes remote key injection is more secure; the risks posed by human involvement in today's secure room-based processes are completely removed. If implemented correctly, absolutely no doubt exists about the integrity of the encryption key being injected.

The payments industry's move to remote key injection is creating a more secure key injection solution to help ISOs and merchants save time and money. It is also delivering the peace of mind that comes with a security design based on ANSI and payments industry standards for remote key management that have served the ATM industry well for years.

So take a closer look at what you're spending on secure key injections. Then call your processor and ask how much you can save by going with remote key injections. I think you will be pleasantly surprised, and better yet, so will your customers.

Stuart Taylor is Vice President, Global Marketing at Hypercom Corp. He is responsible for all aspects of the company's marketing activities, Hypercom's Global Solutions business unit and global strategic relationships. Stuart has more than 20 years of international marketing and business development experience in the electronic payment and ATM industries. To contact him, please send an e-mail to pschuddekopf@hypercom.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
