Remote key loading: The next in ATM security for ISOs

With Triple DES behind them, ISOs give remote ATM key loading a second look.

April 19, 2009 by Tracy Kitten — Editor, AMC

Dennis "Abe" Abraham has spent the last five years waiting for remote key loading to reach a tipping point. The president of Concord, N.C.-based Trusted Security Solutions Inc., developer of the A98 remote key loading system, says the timing for RKL is finally right, and independent sales organizations are now seriously considering their options.
 
Though complicated by complex algorithms and multiple levels of encryption, the function of remote key loading is simple. Basically, RKL eliminates the need for ATM technicians to physically visit ATMs for manual key changes — thus eliminating expense and the possibility for human error.

After completing their investments in Triple DES upgrades, ATM deployers are now finally able to focus some time and money on RKL. Up to this point, financial institutions have expressed interest in RKL, but few have made large investments. In the ISO space, movement has been, by and large, non-existent.

 
And there are a few reasons for that.
 
Deployers of off-premises ATMs have not been as diligent about ensuring their keys are changed. In fact, before the October 2008 release of version 1.2 of the Payment Card Industry Council Data Security Standard, no definitive requirements for key changing existed. ATM deployers were required to change keys if and when audited, but audits were not mandated across the board.
 
Under version 1.2, keys must be changed every 12 months, and the networks are watching, says Chuck Hayes, product development manager for Long Beach, Miss.-based Triton Systems of Delaware. That PCI push has encouraged manufacturers like Triton to start marketing RKL as part of the overall ATM offering.
 
"It's a differentiator for us," Hayes said. "It's the first time an RKL solution has been brought to market for the off-premises space, and that's helping us enjoy a competitive advantage."
 
Triton's patent-pending RKL offer may only require a software upgrade, if the ATM already has Triton's upgraded encrypting PIN pad.
 
For an ISO that acquires and needs to merge a fleet of remote-key capable ATMs with an existing fleet of ATMs that aren't remote-key ready, the Triton solution calls for a mere switch of the host for transaction processing, Hayes says.
 
"The business case for ISOs is simple: less key handling," he said. "That's an advantage. If an ATM key was corrupted, the host could rekey that ATM within minutes, rather than having to go through the manual process of sending someone out, which takes time and expense."
 
A case for ISOs and FIs
 
RKL adoption is definitely picking up, Abraham says, from the FI and ISO sides of the business.
 
"In today's economy, the price of labor is going up and the number of people is diminishing," Abraham said. "Everybody is looking for more efficient ways of doing things."
 
Wes Dunn, the director of business development for Hayward, Calif.-based Tranax Technologies, says adoption of remote key loading will be critical for ISOs in the coming months.
 
"The ISOs are the ones that lose out on this deal, because if they have to go out and change those keys manually — especially when we are already in a business of pennies — and have to do it once a year, it's going to get very expensive. The ISO is going to have to bear the cost, because the retailer is not going to understand why the keys need to be changed and is not going to pay for it."
 
Tranax expects to launch its own RKL solution by the end of the year.
 
"We understand the importance of it," Dunn said. "With all of the regulation, it's going to become a very hot topic very fast, and the financial implications of not doing remote key could be potentially devastating."
 
As with ISOs, the business case for RKL is also reaching a tipping point for FIs.
 
"Up until now, there have been a lot of other things going on in the financial space, and many banks didn't see that they were losing too much money in this area — at least not enough to make it worth an investment," Abraham said. "Besides, up until recently, many ATMs out there weren't even capable of doing remote key. Now that Visa requires all new ATMs to be remote-key capable, the market's perception is changing."
 
Trusted Security now works with Triton, Wincor Nixdorf, Diebold Inc. and NCR Corp. on remote key solutions.

But some hurdles still need to be jumped.
 
For one, Abraham says, many PCI auditors and rule makers are not educated well enough about RKL to conduct audits and set policy.
 
"They are trying to connect symmetric cryptography to asymmetric public key cryptography, and there is no connection there," Abraham said. "There are a lot of rules being made that don't make sense. We have a need for a lot of education."
 
Diebold's patent raises eyebrows
 
RKL can be handled in one of two ways: either through a signature-based protocol or a certificate-based protocol. NCR and Wincor Nixdorf International rely on the signature-based method. Diebold uses a certificate-based protocol.
 
With a signature-based protocol, the data structure is very simple. It's a structure of information, such as a public key, that has a digital signature attached to it.
 
With a certificate-based protocol, the data structure is much more complex. The data being transmitted is much larger, so it's not easily transported over dial-up networks. And the certificates themselves contain much more information.
 
"Because of that complexity, implementation for Diebold CBP (certificate-based protocol) would not work on a Triton CBP," Abraham said. "They each have differences; so consequently, we end up implementing different protocols."
 
What concerns other manufacturers and bankers, as it relates to Diebold's certificate-based protocol, Abraham says, is that because the solution is patented, permission must be granted by Diebold to utilize the protocol. Everyone is worried about a lawsuit.
 
Some manufacturers have developed their own key loading solutions. Others, like Triton, are working with third parties like Trusted Security.

"In our system, we treat everything as a data transport, so the ATM deployer doesn't have to worry about the difference in CBP or SBP," Abraham said. "We do all of that stuff internally."
