Friday, May 1, 2009

New Standard for Encrypting Card Data in the Works - HomeATM Already Done

Banking / Finance News
Source: ComputerWorld
Complete item: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132420

Description:
The same organization that led the development of security standards for payment-card magnetic stripe data and PIN-based transactions will soon begin work on a new specification for encrypting cardholder data while it is in transit between systems during the transaction process.

And among the companies in the forefront of the effort is Heartland Payment Systems Inc., the Princeton, N.J.-based payment processing firm that announced in January what some analysts think could end up being the largest data breach involving credit-card information thus far.

The Accredited Standards Committee X9, which is accredited by the American National Standards Institute, is set to launch an initiative formally known as the Sensitive Card Data Protection Between Device and Acquiring System program. ASC X9 develops and maintains numerous standards for the financial services industry in the U.S., and participants said this week that the goal of the new effort is to develop a data encryption standard to protect information from the moment a card is swiped at a payment register to the end of the transaction chain at a so-called acquiring bank.

The need for such "end-to-end" protection has become increasingly apparent within the payment card industry in the wake of the continuing breaches at companies such as Heartland and RBS WorldPay Inc., another payment processor that disclosed a system intrusion last December.

But while proprietary tools are available from a few vendors for achieving that type of protection, there currently is no standard approach, said Sid Sidner, director of security engineering at ACI Worldwide Inc., a vendor of payment processing software in New York.


And yes, HomeATM's proprietary approach to securing online transactions is way ahead of the game. Not only do we provide end-to-end protection, but we also encrypt the Track 2 data, which is what they are talking about here. Furthermore, we utilize DUKPT key management to provide an enhanced layer of security for PIN entry, something that CANNOT be done with a software-based approach to PIN entry, and are the "first and only" company to engineer, develop and manufacture a PCI 2.0 Certified PIN Entry Device specifically designed for eCommerce use. So is HomeATM ahead of the game? We're the only end-(to-end) game in town! Let me provide more information on DUKPT key management (from Wikipedia):


In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

DUKPT allows the processing of the encryption to be moved away from the devices that hold the shared secret. The encryption is done with a derived key, which is not re-used after the transaction. DUKPT is used to encrypt electronic commerce transactions. While it can be used to protect information between two companies or banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices.


DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:

  • enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
  • each transaction will have a distinct key from all other transactions, except by coincidence,
  • if a present key is compromised, past and future keys (and thus the transactional data encrypted under them) remain uncompromised,
  • each device generates a different key sequence,
  • originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.
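To make the five properties above concrete, here is an added, simplified model of the DUKPT key hierarchy (our own illustration, not code from the article, from HomeATM or from ANSI X9.24): HMAC-SHA256 stands in for the standard's TDES-based non-reversible transform, the standard's restriction to counters with at most 10 set bits is omitted, and the names `derive_ipek`, `host_txn_key` and `Device` are ours. The receiver recomputes each transaction key from the key serial number alone, while the device keeps only a register of future keys and erases each key once used, so a captured key (or the device's remaining register) gives no way back to earlier transactions.

```python
import hashlib
import hmac

# Simplified model of the X9.24 DUKPT key hierarchy. HMAC-SHA256 stands in for the
# standard's TDES-based non-reversible transform; the standard's rule that only
# counters with at most 10 set bits are used is omitted. Names here are our own.
COUNTER_BITS = 21  # X9.24 KSNs carry a 21-bit transaction counter after the device prefix

def _nr(key: bytes, data: bytes) -> bytes:
    """One-way derivation step: the output reveals nothing about `key`."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Initial key injected into one device, derived from the shared BDK and its KSN prefix."""
    return _nr(bdk, b"IPEK" + device_id)

def host_txn_key(bdk: bytes, device_id: bytes, counter: int) -> bytes:
    """Receiver side: rebuild the transaction key from the KSN alone, with no key exchange."""
    key, prefix = derive_ipek(bdk, device_id), 0
    for i in range(COUNTER_BITS - 1, -1, -1):  # walk the counter's set bits, MSB first
        if counter >> i & 1:
            prefix |= 1 << i
            key = _nr(key, device_id + prefix.to_bytes(3, "big"))
    return key

class Device:
    """Originator (PIN pad): holds only a register of future keys, never the IPEK or a used key."""

    def __init__(self, ipek: bytes, device_id: bytes):
        self.device_id, self.counter = device_id, 0
        # Children of the root for every single-bit counter; the IPEK itself is then discarded.
        self.future = {1 << j: _nr(ipek, device_id + (1 << j).to_bytes(3, "big"))
                       for j in range(COUNTER_BITS)}

    def next_key(self):
        """Return (counter, key) for one transaction, derive its children, erase the used key."""
        self.counter += 1
        c = self.counter
        if c >= 1 << COUNTER_BITS:
            raise RuntimeError("key space exhausted; device must be re-injected")
        key = self.future.pop(c)  # used once; nothing left in the register can regenerate it
        low = (c & -c).bit_length() - 1  # position of the lowest set bit of c
        for j in range(low):  # descendants c | 1<<j below that bit hang off this key
            child = c | 1 << j
            self.future[child] = _nr(key, self.device_id + child.to_bytes(3, "big"))
        return c, key
```

The BDK and device prefix used when exercising the model are constructed sample values; a real deployment keeps the BDK inside the acquirer's HSM and injects each device's IPEK in a secure facility.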

Continuing on with the story:

As a result, ACI, which is a member of the ASC X9 group, wrote up a "work request" in February suggesting the development of a standard. According to Sidner, the effort will focus on the formatting of "cryptographic payloads" to carry sensitive data over transaction networks. The goal, he said, is to create something akin to the level of standardization that exists now for protecting PIN data. Although numerous messaging formats are used to transport cardholder data over a transaction network, the cryptographic blobs that protect the PIN data itself in each message look exactly the same.

A similar encryption standard would require few or even no tweaks to the existing payment systems infrastructure, claimed Sidner, who is chairing the working group set up to carry out the project. As part of the standards effort, ASC X9 may also look at the viability of using the same security-key management mechanism that is currently used for PIN security, he said.

E-Secure-IT
https://www.e-secure-it.com