Monday, June 8, 2009

NYCE Says PIN Debit Encryption Must Be Hardware Based

I was looking for more e-vidence that a software application for PIN Debit is unsafe and I happened to stumble upon the NYCE.net website which published a white paper called: "PIN Debit Security Awareness."

In it they explain how encryption works (see charts on left and below and click to enlarge)

The most interesting (and striking) piece of e-vidence supporting hardware (HomeATM) vs. a software (whomever) approach were two "key" statements regarding PIN Encryption.

Here they are...

1. "NEVER USE SOFTWARE" followed by another simple statement:


2. "ALWAYS EMPLOY SECURE HARDWARE" (see graphic below right...click to enlarge) 


I think those two statements sum it up rather NYCELY!

However, lest there be an ambivalence regarding whether hardware is the way to go...they go...on to say:

3. Secure encryption practices also depend on using secure hardware.

Financial institutions must ensure that all PINs and encryption keys never appear in the clear.

This control objective is most often accomplished by using secure hardware (also known as firmware) which masks PIN generation, encryption and decryption from human sight and, more importantly, from disclosure.

You (banks) should review the functionality of your secure hardware by assessing the vendor documentation and by asking your vendor to confirm that their devices meet the ANSI definition of tamper resistance(Editor's Note: Tamper Resistance is part of the certification process as a PCI 2.0 PIN Entry Device) 


It's NYCE to know they stand "firm" in their belief that Hardware is essential! 

To Read "Best Practices for PIN Encryption" Download the white paper


This paper is intended to help you:
  • Learn about the "dos" and "don'ts," associated with American National Standards Institute (ANSI) standards and NYCE Network Operating Rules, for sound key management procedures and security.
  • Understand your responsibility for safeguarding encryption keys, even if you outsource some tasks to third parties.
  • Anticipate what you might expect from an audit or security review of your encryption key management procedures.
  • Align your encryption key processes with bank regulatory requirements







Reblog this post [with Zemanta]

Disqus for ePayment News