
NYCE Says PIN Debit Encryption Must Be Hardware Based

Posted by John B. Frank Monday, June 8, 2009

I was looking for more e-vidence that a software application for PIN Debit is unsafe, and I happened to stumble upon the NYCE.net website, which published a white paper called "PIN Debit Security Awareness."

In it they explain how encryption works (see charts).

The most interesting (and striking) piece of e-vidence supporting hardware (HomeATM) vs. a software (whomever) approach were two "key" statements regarding PIN Encryption.

Here they are...

1. "NEVER USE SOFTWARE" followed by another simple statement:


2. "ALWAYS EMPLOY SECURE HARDWARE" (see graphic)


I think those two statements sum it up rather NYCELY!

However, lest there be any ambivalence regarding whether hardware is the way to go...they go...on to say:

3. Secure encryption practices also depend on using secure hardware.

Financial institutions must ensure that all PINs and encryption keys never appear in the clear.

This control objective is most often accomplished by using secure hardware (also known as firmware) which masks PIN generation, encryption and decryption from human sight and, more importantly, from disclosure.

You (banks) should review the functionality of your secure hardware by assessing the vendor documentation and by asking your vendor to confirm that their devices meet the ANSI definition of tamper resistance. (Editor's Note: Tamper Resistance is part of the certification process as a PCI 2.0 PIN Entry Device.)


It's NYCE to know they stand "firm" in their belief that Hardware is essential! 

To read "Best Practices for PIN Encryption," download the white paper.


This paper is intended to help you:
  • Learn about the "dos" and "don'ts," associated with American National Standards Institute (ANSI) standards and NYCE Network Operating Rules, for sound key management procedures and security.
  • Understand your responsibility for safeguarding encryption keys, even if you outsource some tasks to third parties.
  • Anticipate what you might expect from an audit or security review of your encryption key management procedures.
  • Align your encryption key processes with bank regulatory requirements.






