By Dale S. Laszig
Digital commerce is ever-changing, but its core principles of security, intelligence, agility and transparency have stood the test of time. In this two-part series, security leaders will go deep inside payment technology to explore its fundamental DNA code—algorithms and cryptography—that formed early POS systems and continue to shape next-generation products and services.
In his theory of the adjacent possible, scientist Steven Kaufman suggests people bring what they know to technology platforms. Consider Web 1.0's brochure sites that became more dynamic and interactive as webmasters mastered the internet and added video, chat and ecommerce, paving the way to Web 3.0. Payment systems have similarly evolved, but most experts agree that protecting them has always been a challenge.
Mark Curphey, co-founder and chief product officer at Open Raven, noted that early security practitioners brought a physical mindset to internet security. "Over thousands of years, humans have associated security with physical location," Curphey wrote in a 2009 article titled "Tomorrow's Security Cogs and Levers," in which he referenced the castle moats, hardware locks and bank vaults that inspired virtual security methods. "Internet security carried over this notion with firewalls and packet filters, inspecting traffic as it crossed a common gateway," he added.
As internet traffic expanded, organizations used Public Key Infrastructure (PKI) to securely exchange data. Introduced by British intelligence firm GCHQ in 1970, PKI was further developed into present-day secure sockets layer (SSL) and transport layer security (TLS) internet protocols.
Adam Perella, manager at Schellman, described PKI as a universal language for exchanging data and validating digital signatures. "We have to speak the same language to be able to encrypt and decrypt data, and the asymmetric cryptographic algorithm is essentially the language that we use," he said. "Every website you visit with an https address uses an asymmetric application that checks the integrity of a digital signature."
Perella went on to say that asymmetric cryptography is useful for organizations that don't want to exchange private keys. You can say, here's my public key. When you transmit data to me, use my public key to encrypt it and when I send data to you, I'll use your public key to encrypt it. You could even post your public key on a billboard, and it wouldn't impact the security of your private key, which is the thing you most want to protect, like the code to your vault, he added.
Adam Cason, vice president, global and strategic alliances at Futurex, sees cryptography in payments, healthcare and the Internet of Things. "Here at Futurex, we focus on the payments side of things; at least 50 percent of our business is in the payments space, where cryptography is used for things like PIN validation at the point of sale," he said.
POS devices use symmetric cryptography and private keys to encrypt a customer's PIN, card number and identifying information at point of capture, Cason stated. Encrypted data travels through a payment gateway and a variety of network and processor hops until it arrives at a card issuer, bank or payment branch, and each of those steps involves cryptography. "Symmetric cryptography could be Triple DES and AES algorithms that are used for PIN translation or PIN encryption," Cason said, adding the payments industry has historically used Triple DES.
Alternatively, Cason noted that asymmetric cryptography is what's used to establish public key infrastructure or PKI. Examples of asymmetric cryptography are RSA or ECC elliptic curve. A PKI is used to establish secure connections between multiple remote endpoints. For example, in the payments industry, PKI is used is to push cryptographic keys out to ATMs or to point-of-sale (POS) terminals. Historically, the key is in those POS terminals and the keys had to be physically injected. Now, with remote key distribution, stated Cason, organizations can use a PKI to securely push down new keys over the air, so you never have to take the terminals out of service. From a consumer standpoint, if you're Bank of America ATM card holder and you want to withdraw money from a Chase Bank ATM. Since everything is underpinned by cryptography, Chase and Bank of America share what's called a key exchange key. When you enter your PIN in a Bank of America ATM, they never know what your PIN is because it's automatically encrypted right there at the point of capture and taken to a hardware security module (HSM), where it's decrypted and translated to a key that Chase owns. All of this security transactioning happens in the background and is transparent to the customer.
Describing HSMs as "purpose-built, tamper-evident, responsive devices that securely process cryptographic operations," Cason noted HSMs were initially deployed on-premises to provide a secure environment for digital signing and encrypting, decrypting and translating data. Today, he stated, hybrid and cloud-based HSM models are backed by physical HSMs.
Cason further noted that the industry's migration to cloud services began in earnest in 2010 and 2011, but a lack of suitable cloud payment HSMs created a roadblock for companies trying to integrate with leading cloud service providers like AWS, Azure and Google. Virtual access points (VAPs) have solved for this need, he stated.
"Organizations had to figure out where they were going to host their payment applications," Cason said. "Some took a hybrid, multi-cloud approach with diversified vendors, such as AWS and Azure. From there, it was simply a matter of spinning up a virtual access point or VAP."
Cason pointed out that VAPs are a timely solution, both for legacy providers and born-in-the-cloud fintech startups. In fact, he added, a lot of fintechs don't even have offices and work remotely with staff all over the world. "Imagine telling a digital native that has everything in the cloud to get a data center where they can rack HSMs and send staff to manage them," he said. "You'd get laughed out of the room. Cloud payment HSMs are perfect for fintechs and neobanks."
The State of Cyber and Digital Security, a white paper published by ABI Research in May 2022, revealed that HSMs are finding their way into new markets, creating new revenue opportunities for fintechs, IoT manufacturers and cloud security providers.
"New market opportunities mean increased competition; incumbents have to respond quickly to the innovation presented by new entrants," ABI researchers wrote, urging HSM OEMs to bring innovation "to the underlying foundation on which [HSMs] are built and which cannot be easily replicated by new entrants like hyperscalers and cloud providers, i.e., implementation of cryptographic algorithms and development of internal security architecture."
Perella has seen an uptick in outsourced HSMs and key management, which he noted are better suited for small businesses than in-house systems. "Subscription service models are scalable and you don't need to know the technology," he said. "You give it something sensitive and get back a token that would be useless if intercepted by an attacker."
Cason agreed that HSM-as-a-service has made HSM technology accessible to more businesses. He believes the challenges facing service providers have more to do with provisioning hardware and achieving compliance than going to the cloud. Anyone can get a cage or two, he said, co-locate some HSMs and call it a service; what's harder is providing flexible, on-demand capabilities that fit individual clients and meet regulatory standards.
"You can't have an HSM environment without going through a PCI PIN audit," Cason said. "And if you're doing point-to-point encryption (P2PE), which is becoming standard in retail, you'll have to pass a PCI P2PE audit and other tests to ensure you're encrypting data from end to end."
ABI researchers identified quantum-safe technologies as another trend to watch, stating the imminent release of draft quantum-resistant cryptographic algorithms, known as Post-Quantum Cryptography (PQC) by the U.S. National Institute of Standards and Technology, will soon be added to security technology product lines.
"The eventual standards will significantly reshape the cryptographic status quo, as the world transitions from classic crypto to quantum-safe algorithms," ABI researchers wrote. "In turn, this is driving the consulting opportunity for advising on PQC migration strategies, and especially within financial, government, and enterprise markets."
Perella called PQC an evolution of cryptography, similar to AES algorithms replacing RC4. "Organizations can leverage PQC for long-lasting data protections," he said. "But the maturity of PQC algorithms has not been tested with enough rigor to rest on our laurels."
Part 2 of this series will take a closer look at how experts are leveraging and deploying PQC, once again editing Paytech's most fundamental DNA code. 
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
