Until a couple of years ago, financial institutions typically devised one easy-to-remember encryption key and installed it on all of its ATMs.
That's not the case anymore.
A mandate from VISA and MasterCard requiring unique master keys at every ATM has led FIs of all sizes to frequently produce new keys and organize a means for managing the effort.
 This story and all the great free content on ATMmarketplace is supported by:
 |
Story continues below...
Engage Customers with Strategic ATM Marketing
So, you’ve taken the plunge and launched one or more targeted offers at the ATM. But, are you getting those 20% take-up rates you were hoping for? Phoenix customers are. Find out five ways to drive more revenue with ATM marketing.
Managing keys "is expensive and it takes a lot of time," he added. "Basically, you have gone from something that was a non-job to something that is a great deal of work."
Time and money
Whether they use older machines that require two technicians to manually insert new keys at each location or newer ones that support remote key software, FIs are investing time and money into coordinating and managing the upgrade.
Weingart said some FIs are doing key management on computers that handle the data in plain text. Furthermore, he said, some are not placing a high enough priority on physical security for computers used in the management process.
"Any place the key is handled in plain text really needs a host-security module," he said.
Jim Shaffer, a product manager at Omaha, Neb.-based ACI Worldwide agreed.
"You could have the greatest cryptography, but if you don't protect the keys, it is useless," he said.
Drew Foley, the director of electronic services for LynxGate Solutions, a Moorepark, Calif., ATM management firm, said FIs are starting to realize the importance of physical security for key management.
"Controls over key management at FIs have become more stringent as attacks have become more sophisticated," Foley said. "There is a higher level of awareness at both an executive level and an audit level to actual risks, as well as the need to anticipate and prepare for potential future risks."
A game of wait-and-see
Weingart said the move to create unique keys has followed a path similar to that of Triple DES, where many FIs are taking a wait-and-see approach.
He said his company has created a hardware security device - the KMS7000 - that can protect key-management systems for both manual and remote key changes.
Jason Anderson, product group manager for Excrypt (an ATM network security application) at Futurex, said interest in the hardware has increased as more FIs have delved into developing and managing unique keys.
"That product is getting a good deal of attention," he said. "We are seeing many companies start by looking for a simple way out, but once they get involved with it, they realize how complicated it can be and then they start looking for a better solution. They start to look for a real solution instead of just a Band-Aid."
