MasterCard will not permit automated encryption upgrade
The technology is called remote key injection (RKI) and enables merchants to install new encryption keys electronically, instead of having to do it manually. Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Thursday that a number of her clients said MasterCard will not allow the technology.
“It could be that MasterCard found a valid security problem with it, but they are not saying anything,” Litan said.
But MasterCard's ban does not apply to all POS terminals, Stuart Taylor, vice president of global solutions and marketing, at electronic payment solutions company Hypercom told SCMagazineUS.com on Thursday. In a memo to merchants dated June 15, which Taylor has seen, MasterCard said that RKI services are only not allowed to be used on POS terminals that are not compliant with the Payment Card Industry Data Security Standards (PCI DSS).
“From MasterCard's point of view, they are doing the correct thing in suggesting that you really need to have a defined security level on the device before you start the [automated] key injection process,” Taylor said.
Taylor said he could not quantify it, but there are a “reasonable number” of non-PCI compliant devices from a number of manufacturers in the field.
Encryption keys are used by merchants to encrypt sensitive transaction information, such as credit and debit card numbers, Chris Hamlett, director of engineering at encryption provider FutureX, told SCMagazineUS.com on Thursday. Merchants have to update their key if it is ever breached, or if they upgrade from the older Data Encryption Standard (DES) to the more secure Triple DES.
RKI technology is said to make the process of updating encryption keys faster, easier and cheaper.
But for an organization that needs to upgrade thousands of terminals, the job of manually upgrading individual encryption keys would be a time-consuming process, Litan said.
“The idea is that [with RKI technology] you can upgrade the key without having to do it manually -- a way of distributing a key electronically, very securely,” she said.
But merchants, under pressure to upgrade all POS terminals from DES to Triple DES by July 2010, will never make the deadline if MasterCard is not allowing them to make use of RKI technology, Litan said. She added that while Visa previously announced that deadline, it is now telling merchants that it will relax the enforcement of it -- a move that Litan thinks is related to MasterCard's recent announcement about RKI technology.
A MasterCard spokesperson did not respond to a request made by SCMagazineUS.com for comment on this issue. Litan said that MasterCard has not responded to numerous clients or to her personally, with questions as to why RKI technology is not allowed.
“They may have good reasons, but they are not communicating them,” Litan said.