Thursday, November 21, 2024

An Information Gap Sparks a Dust-Up over Remote Key Injection

Is MasterCard Inc. putting the kibosh on a new technology called remote key injection that makes it easier to enhance the security of point-of-sale payment terminals? That's the impression some payments executives got after reading an online Computerworld article Wednesday that said MasterCard was insisting on manual injection of security keys into terminals. But MasterCard and an executive with a major POS terminal maker say that's not really the case.

Behind the controversy is the upgrading of POS terminals to meet the so-called Triple Data Encryption Standard, or Triple DES. That particular requirement is just one part of the card networks' efforts to get hardware and software into compliance with the Payment Card Industry data-security standard, or PCI. The major networks (Visa Inc., MasterCard, American Express Co., Discover Financial Services, and JCB) enforce PCI, though the PCI Security Standards Council sets the technical requirements.

POS terminals use encryption keys to mask PINs customers enter when performing debit card transactions. The encrypted PINs are then decrypted by issuing banks or stand-in processors and compared with the ones on file during authorizations. Merchants usually change these keys when they switch processors. But it's a big job for merchants with numerous devices, as it requires them either to send a technician to work on each terminal or to ship all the devices to a so-called secure room, which can take days or weeks.

By contrast, remote key injection (RKI) allows merchants to change out keys over the Internet or via phone lines. Also, RKI costs merchants only about half as much as manual key injection (Digital Transactions News, April 27). The Computerworld article said MasterCard had decided to disallow merchants' use of RKI and instead require them to manually upgrade their terminals.

Such a rule not only would raise costs for merchants, but it also might threaten one of the major new revenue streams of the POS terminal makers. With security getting much more attention in recent years because of data breaches, virtually all of the terminal vendors have their own iterations of RKI in the works and see enhanced POS security as a lucrative selling point.

But the article left out one important detail, according to Stuart Taylor, vice president of global solutions and marketing at manufacturer Hypercom Corp., Scottsdale, Ariz. Citing a June 15 MasterCard bulletin, Taylor says MasterCard's requirement that terminals be physically upgraded only applies to those that aren't PCI-compliant. MasterCard confirmed that view in a statement Friday.

“Last month, MasterCard issued a security bulletin to provide guidance on how point-of-sale terminals could be upgraded from Triple-DES capable to Triple-DES compliant encryption,” the statement says. “In the security bulletin, MasterCard provided guidance stating that the most secure option to upgrade the terminals is to follow PCI PIN security requirements and have the upgrade performed at a key injection facility. However, our customers and vendors can use remote key injection services to upgrade the terminals if those services meet all aspects of the PCI PIN security requirements.”

Taylor hasn't talked with MasterCard, but he agrees there are legitimate reasons for manual injection of old terminals. “The RKI systems rely on the host injection system being able to authenticate the device that it is loading the key into,” he says. “The way we do that is public key encryption. I think the concern of MasterCard is that if the device is completely insecure, you may not be able to authenticate the device you're injecting.”

That raises the question of just how many old terminals are out there. The U.S. has 12 million or more POS terminals deployed, by some estimates. But neither Hypercom nor several consultants contacted by Digital Transactions News would guess as to how much of the installed base is pre-PCI. Taylor says only one of Hypercom's devices, the L4100 for multilane retailers, would be affected by the MasterCard policy.

The issue came to light after Computerworld spoke with security analyst Avivah Litan of Stamford, Conn.-based Gartner Inc. Some of Gartner's clients had gotten wind of MasterCard's RKI plans but didn't have details. Litan tells Digital Transactions News that she's trying to get more details from MasterCard. The card networks usually distribute bulletins only to their member card issuers and merchant acquirers, a process that can create confusion until the contents of the bulletins trickle down to merchants. “Obviously, people wouldn't be calling Gartner if MasterCard were communicating effectively,” she says.

However the RKI issue unfolds, MasterCard clearly is taking a higher profile regarding PCI. Visa, the largest card network, has been front-and-center on most PCI-enforcement issues since the card networks combined their rulebooks about five years ago. Recently, MasterCard raised eyebrows when it said medium-sized, or so-called Level 2, merchants must have on-site PCI inspections by a qualified security assessor by Dec. 31, 2010. The PCI rules have permitted assessors to remotely inspect merchants' systems for compliance.

In apparent recognition of the work that lies ahead for gas stations and convenience stores to upgrade their card security by its July 1, 2010 deadline, Visa recently said that it wouldn't enforce the Triple DES requirement for non-automated fuel dispenser POS locations until Aug. 1, 2012. Automated fuel dispensers that don't use Triple DES by next July at least must use a technology called Single DES with Derived Unique Key per Transaction (DUKPT).
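Taylor's point, that RKI only works when the host can authenticate the device it is loading a key into, and that an insecure legacy device gives the host nothing to authenticate, can be made concrete with a small simulation. The Go program below is an added example written for this page; it is not code from Digital Transactions News, Hypercom, MasterCard or any real RKI product. A host trusts a manufacturer CA, checks a terminal's manufacturer-signed credential and a challenge-response before wrapping a new master key to the terminal's certified public key, and refuses any terminal that lacks a trusted credential, which is how the non-PCI-compliant legacy case is modelled. The credential format, the OAEP label, the device IDs and the choice of Ed25519 for identity plus RSA-OAEP for key transport are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceCert is a constructed stand-in for the manufacturer-issued credential a
// compliant PIN entry device carries: identity plus two public keys, signed by
// the manufacturer's CA key. It is not a real certificate format.
type DeviceCert struct {
	DeviceID  string
	AuthPub   ed25519.PublicKey // proves possession in a challenge-response
	WrapPub   *rsa.PublicKey    // receives the new key under RSA-OAEP
	Signature []byte            // manufacturer CA signature over certDigest
}

func certDigest(c DeviceCert) []byte {
	h := sha256.New()
	h.Write([]byte(c.DeviceID))
	h.Write(c.AuthPub)
	h.Write(x509.MarshalPKCS1PublicKey(c.WrapPub))
	return h.Sum(nil)
}

// Terminal models the PIN entry device; its private keys never leave it.
type Terminal struct {
	Cert      DeviceCert
	authPriv  ed25519.PrivateKey
	wrapPriv  *rsa.PrivateKey
	MasterKey []byte // key loaded by RKI; nil until injection succeeds
}

// NewTerminal provisions a device. A nil caPriv yields a device with no
// manufacturer-signed credential, modelling a legacy unit the host cannot authenticate.
func NewTerminal(id string, caPriv ed25519.PrivateKey) (*Terminal, error) {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	wrapPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	cert := DeviceCert{DeviceID: id, AuthPub: authPub, WrapPub: &wrapPriv.PublicKey}
	if caPriv != nil {
		cert.Signature = ed25519.Sign(caPriv, certDigest(cert))
	}
	return &Terminal{Cert: cert, authPriv: authPriv, wrapPriv: wrapPriv}, nil
}

// SignChallenge proves possession of the private key behind the credential.
func (t *Terminal) SignChallenge(nonce []byte) []byte { return ed25519.Sign(t.authPriv, nonce) }

// LoadWrappedKey unwraps the delivered key; only the genuine device holds wrapPriv.
func (t *Terminal) LoadWrappedKey(wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, t.wrapPriv, wrapped, []byte("RKI-TMK"))
	if err != nil {
		return err
	}
	t.MasterKey = key
	return nil
}

// Host is the remote key injection server; it trusts only the manufacturer CA.
type Host struct{ CAPub ed25519.PublicKey }

// InjectKey sends no key material until the device is authenticated:
// 1. the credential must verify under the trusted manufacturer CA,
// 2. the device must answer a fresh challenge with the credentialed key,
// 3. only then is newKey wrapped to the device's certified public key.
func (h Host) InjectKey(t *Terminal, newKey []byte) error {
	c := t.Cert
	if c.Signature == nil || !ed25519.Verify(h.CAPub, certDigest(c), c.Signature) {
		return fmt.Errorf("device %s: credential not issued by trusted manufacturer; refusing remote injection", c.DeviceID)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(c.AuthPub, nonce, t.SignChallenge(nonce)) {
		return errors.New("device failed challenge-response")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.WrapPub, newKey, []byte("RKI-TMK"))
	if err != nil {
		return err
	}
	return t.LoadWrappedKey(wrapped)
}

// Scenario runs a compliant and a legacy terminal against the host and reports
// whether the compliant one received the key and the legacy one was refused.
func Scenario() (compliantLoaded, legacyRefused bool, err error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	host := Host{CAPub: caPub}
	newKey := make([]byte, 24) // constructed 168-bit Triple-DES key, random for the demo
	if _, err = rand.Read(newKey); err != nil {
		return false, false, err
	}
	good, err := NewTerminal("PED-0001", caPriv) // hypothetical device IDs
	if err != nil {
		return false, false, err
	}
	legacy, err := NewTerminal("PED-LEGACY", nil)
	if err != nil {
		return false, false, err
	}
	errGood := host.InjectKey(good, newKey)
	errLegacy := host.InjectKey(legacy, newKey)
	compliantLoaded = errGood == nil && bytes.Equal(good.MasterKey, newKey)
	legacyRefused = errLegacy != nil && legacy.MasterKey == nil
	return compliantLoaded, legacyRefused, nil
}

func main() {
	ok, refused, err := Scenario()
	fmt.Println("compliant loaded:", ok, "legacy refused:", refused, "error:", err)
}
```

The order of operations is the whole point: the host transmits nothing key-related until both the credential check and the possession proof succeed, and a device without a manufacturer-signed credential fails at the first step, which is the situation Taylor describes for insecure legacy terminals. In a real deployment the credential format, key lengths and wrapping mechanism are dictated by the PCI PIN security requirements, which this toy does not reproduce.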


Digital Transactions