As it stands now, encryption is good for payments security – but needs streamlined processes for adoption and also technology standards. Verifone’s VP of product security, Rob McMillon, explained how such goals can be attained.
Security is top of mind for payments executives. Encryption is top of mind for security. But, in some cases, security is not proving to be cost-effective.
PYMNTS caught up with Rob McMillon, who serves as vice president of product security at Verifone, to discuss better standards across encryption efforts in the payments industry. It’s well-known, said McMillon, that “encryption keys are vital to the secure operation of payment acceptance devices” — and yet key protocols are not yet in place to promote an industry-wide standard tied to encryption.
As a result, said McMillon, “this adds cost and complexity to payment infrastructure and processes.”
Speaking a bit to the technology itself, McMillon stated that encryption keys are managed from host security modules, residing in payment gateways. And in the event that updates are needed, they can either be loaded in a remote process or what McMillon said is “direct injection at the site of deployment.” But industry standards, he added, support technology that is outdated, a 56-bit data encryption standard (DES) and triple DES.
“With today’s powerful computing resources,” said McMillon, “DES/3DES is no longer considered sufficient to withstand brute force hacking attacks.”
The migration, he continued, is underway to move to an Advanced Encryption Standard (AES), which has more robust features.
That’s especially important in an age when loading new encryption keys is “a mishmash of processes that creates complexity for payments processors and merchants,” said McMillon. “For example, a bank using its HSM for loading ATM encryption keys has to rely on different methods for payment terminals.”
To remedy that hodgepodge of processes, said McMillon, Verifone and GEOBRIDGE have been promoting alternative practices that span, for example, key per terminal options, regular key rotation, and PCi P2PE compliant point-to-point encryption.
The two firms have submitted suggested updates to the American National Standards Institute (ANSI) that McMillon said “would standardize both remote and direct key injection protocols to support AES-128 and AES-256 based encryption keys and ECC-based authentication protocols,” which would work across common networks.
The trend, he summed up, is that devices will “more and more be remotely managed from host systems. The effort to upgrade key transport protocols, which Verifone has shared with both partners and competitors, is an important step at protecting the payment environment of the future.”