Digital Transactions Authoritative, insightful and timely information for payments professionals
Vendors in the ATM industry are beginning to move ahead with systems that would allow machine owners to remotely install and manage encryption keys mandated by a new security standard set by the bank card networks. The introduction of solutions for remote administration of Triple DES keys comes even as a new American National Standards Institute (ANSI) standard covering the procedure is being circulated for review and approval. Industry observers expect the new standard to become final later this year. Vendors say they are responding to concerns among ATM deployers about the cost of sending field personnel to each ATM to install or change the keys. The first such effort was unveiled this week with an announcement by San Jose, Calif.-based I-S-Cubed Inc., a supplier of secure key-management software, that it will ship later this month a remote-administration package to a large, unnamed credit union. The company has developed the system in tandem with Mosaic Software, a provider of transaction software with U.S. offices in Deerfield Beach, Fla., and ATM vendor Diebold Inc., North Canton, Ohio. The credit union will use the system to automatically update Triple-DES cryptographic keys on ATMs. The vendors also say the system will simplify and streamline security audits, producing a menu of reports and key management activity. As things stand now, banks and other deployers must distribute the Triple DES encryption key, used by the ATM to encrypt cardholders' personal identification numbers as they enter them, by sending two technicians to each machine to install it. Each technician is armed with a piece of the key. Public key cryptography protocols would allow deployers instead to download the keys electronically to each ATM, allowing them to eliminate the cost tied up in personnel visiting each machine. But current ANSI standards do not permit the use of public key cryptography for key management in ATMs. That may change later this year, however. A new ANSI standard paving the way for remote electronic distribution of Triple DES keys via public key cryptography could be available by the fourth quarter. The new standard, technically part two to ANSI X9.24, is under review by industry participants (Digital Transactions News, Feb. 17). “ATM manufacturers and application developers have moved ahead with remote key management solutions in parallel with the development of the standard and also in response to current security recommendations from organizations like Visa, MasterCard, Star, and others,” says an I-S-Cubed spokesperson. “If future standards emerge or change over time, [we are] able to update [our] security management solution easily because of a centralized approach which includes field updatable software. This enables customers to realize reduction in cost of operations now while also providing them with a centralized security management solution that can be updated keeping them in step with new or changing requirements.” Public key cryptography relies on a system of public keys?published electronic codes?and private, or secret, keys, to scramble and unscramble messages such as PINs. Triple DES refers to the number of applications of the DES encryption standard, long used to scramble PINs in ATMs and point-of-sale terminals. The old standard of single DES encryption is no longer considered adequate now that computing power has reached levels that permit breaking single-DES-encrypted messages.
