April 5, 2006
This article appeared in the ATM & Financial Self-Service Executive Summary, Spring 2006.
Maintaining consumer confidence in ATM and POS transactions is taking on new importance, and everybody is getting in on the action. From Visa, MasterCard and financial institutions to the American National Standards Institute (ANSI) and transaction processors, security compliance is top priority.
VeriFone teamed with Bulverde, Texas-based data-encryption specialist Futurex more than a year ago for POS terminal key injection. Put simply, VeriFone wanted to offer a key-management solution that would help protect its customers.
The market demands more security, a reality that calls for more dynamic systems. And that complexity is helping drive the need for secure key loading.
Customers want assurance that their installed base can be supported, Talach said. And because VeriFone isn't interested in competing with Futurex, striking up a partnership made sense.
"It's good for companies like ours to work with others that focus on areas like secure key injection," he said. "At the end of the day, it's not about locking your customers into one key injection scheme; it's about helping provide solutions that support their security mandates as they grow."
Complying with standards
For Futurex, the partnership has helped spread the word that compliance with key management is not an option. Visa and MasterCard are serious about compliance with standards like Triple DES and secure key injection. If they find an out-of-compliance terminal, they'll deny access to their networks.
All of that, of course, is pushing processors and FIs to educate their merchants. But gray areas still crop up.
Take ANSI's Teaching Guide guidelines as an example, said Futurex spokeswoman Stephanie Brunner.
"In the past we have received calls questioning TG-3 compliance," she said. "Customers may not completely understand how their hardware security device is or is not in compliance."
TG-3, the third generation of ANSI's Teaching Guide, is garnering a lot of attention these days, said Jason Anderson, Futurex's director of technology security products.
"The first version came out in '98 and the new version will come out this year, which includes changes to symmetrical and asymmetrical keys," he said.
So what is TG-3 and what does it require?
For the networks, compliance with TG-3's key management guidelines is, well, key.
"The reason for the standard in TG-3 is set up to minimize risk, and that's why there are audits," Anderson said.
For its part, Futurex helps its customers comply with TG-3 guidelines, namely through an audit trail, said Futurex chief scientist Steve Weingart.
"At the ATM, for instance, the auditors would ask how a key is generated - that determines how often it must be changed," he said. "For POS key injection, auditors want similar information. Our devices automatically log all the information."