Since the early seventies, the security of PINs has been protected by a method of encryption referred to as DES, the Data Encryption Standard. While this encryption algorithm has served us well over the years, advances in computing power and the science of cryptanalysis are now bringing DES toward the end of its useful life. Various US and international standards organizations, as well as several card associations, are recommending the replacement of single DES with triple DES.
How does triple DES work?
In simple terms, triple DES encryption means encrypting data three times instead of once. The most common form of triple DES encrypts the data once using one key, decrypts the result using a second key, and then encrypts it again using a third key. Since there are three DES operations, up to three different DES keys can be used. For example, PIN encryption using "two-key triple DES" would first encrypt the PIN block using the first key (or "left half"), decrypt the result using the second key ("right half"), and re-encrypt the output using the first key ("left half") again. The added strength of triple DES comes from the additional key material (effectively creating a longer key) and the additional rounds of encryption.
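As an added example (not part of the original document and not ACI's software), here is the two-key encrypt-decrypt-encrypt sequence just described, implemented with Go's standard crypto/des package; the key halves and the 8-byte PIN block are constructed values for illustration only.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// Constructed sample values (not from the page): the two 8-byte halves of a double-length DES key and one 8-byte PIN block.
var (
	keyLeft  = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	keyRight = []byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}
	pinBlock = []byte{0x04, 0x12, 0x34, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
)

// singleDES runs one DES operation on one 8-byte block; encrypt selects the direction.
func singleDES(key, block []byte, encrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	if encrypt {
		c.Encrypt(out, block)
	} else {
		c.Decrypt(out, block)
	}
	return out
}

// TwoKeyTDESEncrypt is the EDE sequence from the text: encrypt under the left half, decrypt under the right half, encrypt again under the left half.
func TwoKeyTDESEncrypt(left, right, block []byte) []byte {
	step1 := singleDES(left, block, true)
	step2 := singleDES(right, step1, false)
	return singleDES(left, step2, true)
}

// TwoKeyTDESDecrypt undoes it by running the steps in reverse (decrypt-encrypt-decrypt).
func TwoKeyTDESDecrypt(left, right, block []byte) []byte {
	step1 := singleDES(left, block, false)
	step2 := singleDES(right, step1, true)
	return singleDES(left, step2, false)
}

func main() {
	ct := TwoKeyTDESEncrypt(keyLeft, keyRight, pinBlock)
	fmt.Printf("encrypted: %X  decrypted: %X\n", ct, TwoKeyTDESDecrypt(keyLeft, keyRight, ct))
	// With left == right the middle decrypt cancels the first encrypt, leaving plain single DES.
	fmt.Printf("left==right (single DES): %X\n", TwoKeyTDESEncrypt(keyLeft, keyLeft, pinBlock))
}
```

The left == right case is the backward-compatibility property that lets a triple DES host keep exchanging PIN blocks with devices that are still single DES.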
What's wrong with DES?
The only known successful attack on DES is exhaustive key determination, the "brute force" attack. This attack is analogous to unlocking a combination lock by trying every possible combination. When DES was first conceived, its 56-bit key length was thought to be immune to this type of attack, given the computing power available at the time. However, since 1998 several publicized events have demonstrated that DES key exhaustion is achievable. In February 1999, a successful key exhaustion attack was completed in 22 hours and 15 minutes. The technology used for this attack is currently available on the open market.
Why should I care?
It is unknown how much fraud has resulted from "cracked" DES keys; however, it is quite conceivable that substantial fraud losses could appear in the future. More significant than fraud losses is the potential loss of public confidence in the security of the network. A successful attack on an ATM or POS system could generate significant media attention, causing serious brand damage to an ATM network or financial institution.
Interchange Mandates
Several card and bank associations have already mandated triple DES implementation, and others will follow. Organizations that determine national and international standards have declared that single DES has reached the end of its useful life. Thus, these organizations have called for the use of triple DES, which provides stronger encryption to protect against such attacks. Most mandates call for a phased implementation of triple DES, beginning with the encryption of PINs between the host (BASE24 in this case) and the interchanges. At a later date, mandates will require triple DES from the acquiring devices all the way to the point of authorization. MasterCard, for example, has published the following mandates for triple DES:
- April 2001: Members may use triple DES at their option
- April 2002: Newly installed, replaced, or relocated ATMs and POS devices must be triple DES capable
- April 2003: Member and processor host systems must support triple DES. ATMs placed in service after April 2002 must actively use triple DES.
- April 2005: All ATMs must be triple DES compliant (Visa: 12/07)
- April 2005: It is strongly recommended that POS devices use triple DES
ACI’s Solution for Triple DES
With the advent of triple DES, ACI introduced a new architecture for managing transaction security in its BASE24 payment engines. Today, all cryptographic functions, such as PIN verification, message authentication, chip authentication, and card verification are managed through ACI’s Transaction Security Services.
Transaction Security Services is built on ACI’s new open, multi-platform Enterprise Services software technology. The module provides an end-to-end triple DES processing solution, from driving ATM terminals to authorizing transactions to switching transactions out to the various card networks.
ACI’s Transaction Security Services combines support for single and triple DES, allowing customers to operate in a mixed environment until card association and network mandates require them to adopt triple DES completely. The module is certified with NCR, Diebold and Fujitsu brand ATMs, and supports hardware security devices from Thales e-Security, HP Atalla, Security Products Group and Eracom Technologies, Banksys and Bull.
Transaction Security Services is the foundation for all current and future cryptographic functionality within ACI software. It supports current industry PIN processing requirements as well as Europe’s emerging chip standards, Canada’s Interac requirements and Visa’s unique key per ATM mandates.
Contact us to learn more today.