Triple DES PIN Encryption for Automated Teller Machines
by Dean Stewart, Director of Product Planning and Management


Personal identification number (PIN) requirements for ATMs are changing. Financial institutions have been using the single Data Encryption Standard (DES) for PIN entry security in ATMs for nearly 25 years. With DES, a binary number called a key is used to encrypt and decrypt data. The DES algorithm uses a 56-bit key length. Triple-DES is simply another mode of DES operation, which specifies three rounds of encryption, effectively increasing the key length to 168 bits.

Recently, several factors have heightened the urgency for financial institutions to migrate the ATM infrastructure to the more secure triple-DES PIN encryption environment. Although there have been no cases of fraud linked to an actual breach of DES, financial institution risk management groups are aware of the increased risk factor and support migration to a triple-DES PIN encryption for their ATMs.

To address this issue, MasterCard and VISA are requiring new security enhancements for ATMs that tie into their network. This will provide improved security for financial transactions. These requirements mandate the use of the ANSI X9.52 encryption algorithm (Triple-DES or TDES) along with encrypted PIN Pads (EPP). Below are some frequently asked questions to help understand the timing and requirements regarding the upgrade to triple-DES.

What is the timing of these required changes?
As of April 1, 2002, any newly manufactured or relocated ATM needed to comply with the triple-DES and EPP requirement according to information provided by MasterCard. All ATMs tied to VISA or MasterCard's network must comply with the requirements by April 1, 2005. Note that these deadline dates are specified by VISA and MasterCard and are subject to change. Most networks have established their own timetable for compliance. Credit unions are encouraged to contact their card association or network provider for a current status of deployment deadlines.

Who has to follow these requirements?
All ATM owners that utilize or are affiliated with the VISA and/or MasterCard network must comply.

Why are these mandates being implemented?
There are two parts to the new keypad requirement: the triple-DES algorithm and the Encrypted PIN Pad (EPP) module.

Triple DES (TDES)
DES was approved by the American National Standards Institute (ANSI X3.92) in 1981 as a private sector encryption standard and is the most widely deployed commercial cryptographic algorithm in the world. This algorithm uses a 56-bit key length. In the 20 years of its use, there have never been any findings indicative of algorithmic weakness. Despite the strength of the DES algorithm, advances in computer speed and processing power are approaching the point where a brute-force search of its 56-bit key space can be completed within a reasonable time period. The Triple DES algorithm answers this problem by specifying three rounds of DES operations, effectively increasing the key length to 168 bits. This Triple DES construction is specified in ANSI X9.52.
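The three-round construction described above, as an added example that is not part of the original article: the ANSI X9.52 encrypt-decrypt-encrypt (EDE) chain built from single DES operations using Go's standard crypto/des, plus a check of why the three keys must differ (with K1 = K2 = K3 the chain collapses to one 56-bit DES operation). The key and PIN block are constructed sample values, not real ATM data.

```go
package main

import (
	"bytes"
	"crypto/des"
	"errors"
	"fmt"
)

// TripleDESEncrypt applies the three DES rounds the article describes in the
// ANSI X9.52 EDE order: encrypt under K1, decrypt under K2, encrypt under K3.
// key24 is K1||K2||K3 (3 x 64 bits; 56 effective bits each, the rest parity).
func TripleDESEncrypt(key24, block []byte) ([]byte, error) {
	if len(key24) != 24 || len(block) != des.BlockSize {
		return nil, errors.New("need a 24-byte key and an 8-byte block")
	}
	out := append([]byte(nil), block...)
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(key24[8*i : 8*i+8])
		if err != nil {
			return nil, err
		}
		if i == 1 { // the middle round is a decryption under K2
			c.Decrypt(out, out)
		} else {
			c.Encrypt(out, out)
		}
	}
	return out, nil
}

// CollapsesToSingleDES shows why K1 = K2 = K3 buys nothing: the middle decrypt
// undoes the first encrypt, so the result equals one 56-bit DES operation.
func CollapsesToSingleDES(key8, block []byte) bool {
	c, err := des.NewCipher(key8)
	if err != nil {
		return false
	}
	single := make([]byte, des.BlockSize)
	c.Encrypt(single, block)
	triple, err := TripleDESEncrypt(bytes.Repeat(key8, 3), block)
	return err == nil && bytes.Equal(triple, single)
}

func main() {
	// Constructed sample key and PIN block, not real ATM data.
	key, block := []byte("0123456789abcdefFEDCBA98"), []byte("PINBLOCK")
	ct, _ := TripleDESEncrypt(key, block)
	fmt.Printf("TDES: %x  collapses with K1=K2=K3: %v\n", ct, CollapsesToSingleDES(key[:8], block))
}
```

The hand-built chain produces the same output as des.NewTripleDESCipher for the same 24-byte key, which is the library's own X9.52 EDE implementation.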

Encrypted PIN Pad (EPP)
With normal keypads, the PIN entered by the customer is sent in "raw" state via a cable to a separate circuit card module containing encryption integrated circuits. For most countries, this arrangement was satisfactory because the cable and circuit card are located within the secure chest area of the ATM. In order to decrease PIN theft fraud, VISA and MasterCard are now requiring an encrypted PIN pad (EPP) in place of the keypad. The EPP is a sealed module that immediately and locally encrypts the PIN after entry. No "raw" PIN is accessible to electronic hackers, either by physically tapping wires within the ATM or by remotely sensing electromagnetic radiation emitted through ATM wiring. Any tampering with the EPP causes it to permanently disable itself. The unit must then be removed and shipped back to the manufacturer to be reset.

Does the new keypad affect the software or network?
Yes, financial institutions must also work with their host processor to meet certain requirements. Because the numeric and function keys may have changed location, host processor changes may be required.

First published on BankersOnline.com 7/8/02