Maximising the benefits of a security upgrade - Triple DES Encryption


By Paul Meadowcroft, Head of Transaction Security, Thales e-Security


Without a doubt it is a turbulent time for European banking. Increased competition, new mandates and technological advances are all contributing to the pace of change. Of these, one of the most high-profile and high-impact changes is undoubtedly the widespread adoption of EMV smart cards. For this, banks throughout the region are being encouraged by the global card schemes (MasterCard and Visa) and national payment associations (such as the UK’s APACS and the French Groupement des Cartes Bancaires) to make some fundamental changes to the way their card payment systems work. At the same time as they are updating their systems to support EMV, many banks must also manage the transition from DES to Triple-DES encryption. These significant migration projects need not be considered in isolation. Banks can minimise the impact and cost of the changes by identifying system components for which a single update can accommodate both requirements.

The necessity to move to Triple-DES encryption has resulted from widespread acceptance of the fact that “single” DES is no longer secure enough to protect financial transactions. It has been demonstrated that DES keys can be cracked using relatively low-cost hardware in less than 24 hours. To counter this threat, MasterCard and Visa have introduced a set of mandates and recommendations that lay out a timetable for the deployment of Triple-DES across the various components of a bank’s card processing systems. The back office host systems, and critical devices such as the Host Security Modules (HSMs), are usually among the first to be upgraded.

In parallel with their Triple-DES plans, European banks must also consider how to introduce support for acquiring and issuing EMV smart cards. One of the main drivers for this is the knowledge that their exposure to fraud losses may increase dramatically in January 2005, when the “liability shift” rules from Visa and MasterCard come into effect. If a bank does not support EMV by this time, and the other party in a transaction does, then it may automatically become liable for any fraud. A frightening thought, when fraud losses in the UK alone during 2002 totalled nearly £425 million.

Like Triple-DES, the migration to EMV will affect many components of a bank’s systems. Ensuring that the Host Security Module in the back office has the necessary functionality is one of the first steps.

In order to clarify the requirements for Triple-DES and EMV capable Host Security Modules, Europay (now MasterCard Europe) has developed the Europay Security Platform (ESP) specifications. The legacy Europay Security Module (ESM) devices that ESP replaces are used by many of Europay’s member banks and are neither Triple-DES capable nor upgradeable. They must therefore all be replaced. For these reasons the ESP specifications have been designed to allow banks to buy off-the-shelf HSM products that can be integrated into the MasterCard Europe payment card infrastructure.

System changes for Triple-DES and EMV migration require considerable investment. However, many banks are taking the opportunity to tackle some other related issues that will simplify their key management and provide tangible benefits to their business. For example, MasterCard’s ESP specifications include features to simplify the transfer of the sets of encryption keys used for magnetic stripe and EMV transaction processing between a bank and the MasterCard key management centre. This enables EMV card issuing banks to use MasterCard Europe’s stand-in services for all of their card products, both magnetic stripe and chip.

Another significant development, this time in the ATM world, that can be piggybacked onto the Triple-DES changes, is the provision of support for secure and automated methods to initialise ATM encryption keys. In order to upgrade most ATMs to Triple-DES, the integral Encrypting PIN Pads must be replaced. ATM manufacturers have recognised that this presents an opportunity to move away from the traditional, manual methods of loading keys when ATMs are commissioned.

The new Triple-DES capable PIN Pad products from vendors such as NCR and Diebold are pre-loaded with RSA keys and certificates during manufacture. A Host Security Module equipped with a complementary set of keys and certificates can use RSA techniques to encrypt and sign packages containing an ATM’s unique Triple-DES initialisation keys. These can be sent to an ATM over the communication lines used for normal transaction messages, thereby eliminating the need for teams of trusted engineers to manually enter sensitive key components at each ATM. This can represent a significant cost saving for the banks owning the ATMs, and enables them to maximise the benefits from their investment in Triple-DES migration. The process can easily be automated, enabling the ATM’s initialisation keys to be regularly replaced for increased security.
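The remote key-loading exchange described above, as an added example in Go (not code from Thales, NCR or Diebold): the host side encrypts a fresh Triple-DES initialisation key for one ATM and signs the package, and the PIN pad side refuses to load the key unless the host's signature verifies. Plain RSA key pairs stand in for the certificates the real products carry, and OAEP/PSS with SHA-256 and a 2048-bit key size are this example's assumptions, not the vendors' formats.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"math/bits"
)
// Package is what the host sends down the normal transaction line: the encrypted key plus the host's signature.
type Package struct{ EncKey, Signature []byte }
// genRSA stands in for the RSA key/certificate pairs loaded at manufacture (key size is an assumption).
func genRSA() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// genTripleDESKey returns a 24-byte triple-length key with DES odd parity on every byte.
func genTripleDESKey() ([]byte, error) {
	k := make([]byte, 24)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	for i := range k {
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] ^= 1 // flip the parity bit so each byte has an odd number of 1s
		}
	}
	return k, nil
}
// hostBuildPackage (HSM side): encrypt the key under the ATM's RSA public key, then sign the ciphertext.
func hostBuildPackage(hostPriv *rsa.PrivateKey, atmPub *rsa.PublicKey, key []byte) (*Package, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, atmPub, key, nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(enc)
	sig, err := rsa.SignPSS(rand.Reader, hostPriv, crypto.SHA256, d[:], nil)
	if err != nil {
		return nil, err
	}
	return &Package{EncKey: enc, Signature: sig}, nil
}
// atmUnwrapKey (PIN pad side): verify the host's signature before decrypting; an unsigned or altered package is never loaded.
func atmUnwrapKey(hostPub *rsa.PublicKey, atmPriv *rsa.PrivateKey, p *Package) ([]byte, error) {
	d := sha256.Sum256(p.EncKey)
	if err := rsa.VerifyPSS(hostPub, crypto.SHA256, d[:], p.Signature, nil); err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, atmPriv, p.EncKey, nil)
	if err != nil || len(key) != 24 {
		return nil, rsa.ErrDecryption
	}
	return key, nil
}
```

Because the signature covers the ciphertext, the PIN pad can reject a package from anyone other than the host before it ever touches its private key, which is what lets the same exchange be repeated over the transaction line for regular key replacement.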

There are clear benefits, in terms of cost savings and increased efficiency, if a number of security upgrades are undertaken at the same time rather than looking at each in isolation. The technology is there for the taking but are banks looking at the big picture?

© Thales 2007