The Green Sheet Online Edition
April 27, 2009 • Issue 09:04:02
Go remote: Boost security and profits
Our industry is being challenged by a barrage of increasingly sophisticated security attacks on all elements of the payments sphere. This is requiring us to invest in more complex and expensive data security solutions. And it's happening at a time when the economic environment poses its own challenges.
How can our industry invest more in securing the payment system without impacting our bottom line? The answer is remote key injection. A brief reminder on key injection: All debit-capable PIN pads or terminals with integrated PIN pads require a processor-specific encryption key to be loaded into the security module of the PIN pad or terminal. The industry refers to this key loading process as "key injection."
Given that encryption keys are used to protect (encrypt) cardholders' PINs, it is extremely important that the keys are kept secret. If a fraudster can obtain these encryption keys, he or she can decipher the cardholder's PIN and compromise the system.
Encryption keys are most at risk of being exposed during the key loading (key injection) process. To reduce this risk, the payments industry, card companies and the American National Standards Institute have developed processes and standards for key injection that reduce the risk of fraudulent (or even accidental) key exposure.
These industry-standard processes require the device to be placed in a certified, physically secure, controlled and audited facility - generally referred to as an Encrypting Service Organization, or ESO - for the key injection process to take place. This is generally considered part of the cost of deploying a device, but the same cost is also incurred when switching a device in the field.
When you switch a device in the field, it is easy enough to download a new software application to the terminal; but for PIN debit, the PIN pad or complete terminal must be swapped out for one that has the correct encryption keys loaded - at significant cost. Wouldn't it be great if you could inject new debit keys as easily as you can download a new software update?
Adopting proven capabilities
For many years, payment standards in some countries - notably Australia and Germany - have included the capability to remotely inject encryption keys. Although these standards have been based on well understood cryptographic processes, the implementation of remote key injection has been specific to those countries and their payment standards, and thus it hasn't been readily adaptable to the standards we use in North America.
Fortunately, the situation is changing, and remote key injection facilities, based on card brand and ANSI standards, are now available for North America. Remote key injection requires that a new, secure process be established between the PIN pad or terminal having the key injected and a key injection server, which typically resides in an ESO deployment center, ISO or large merchant environment. Once the key injection server is in place, the terminal or PIN pad being injected must support certain cryptographic processes - sometimes referred to as public key infrastructure, or PKI.
The technicalities are not important for this discussion, beyond understanding the terminal or PIN pad must have specific capabilities. The good news is that manufacturers have been shipping terminals with these capabilities for some time.
Using remote control
The need to package, ship, repackage and reship terminals for key injections is going the way of so many other outdated operations. And it's only a matter of time before all secure room key injection moves to remote key injection. Payment terminal manufacturers are adding support for the PKI to make that happen.
The industry recognizes remote key injection is more secure; the risks posed by human involvement in today's secure room-based processes are completely removed. If implemented correctly, absolutely no doubt exists about the integrity of the encryption key being injected.
The payments industry's move to remote key injection is creating a more secure key injection solution to help ISOs and merchants save time and money. It is also delivering the peace of mind that comes with a security design based on ANSI and payments industry standards for remote key management that have served the ATM industry well for years.
So take a closer look at what you're spending on secure key injections. Then call your processor and ask how much you can save by going with remote key injections. I think you will be pleasantly surprised, and better yet, so will your customers.
Stuart Taylor is Vice President, Global Marketing at Hypercom Corp. He is responsible for all aspects of the company's marketing activities, Hypercom's Global Solutions business unit and global strategic relationships. Stuart has more than 20 years of international marketing and business development experience in the electronic payment and ATM industries. To contact him, please send an e-mail to firstname.lastname@example.org.