News

Taking the risk out of key management

February 14, 2006

This article appeared in the ATM & Financial Self-Service Executive Summary, Winter 2006.

ATM key management has become increasingly more time-consuming and challenging. Triple DES and American National Standards Institute (ANSI) requirements have left financial institutions with the burden of ensuring PIN data is secure. And just to make sure FIs are minding their P's and Q's, networks are conducting audits.

This story and all the great free content on ATMmarketplace is supported by: NATIONWIDE

To meet the requirements and ensure audit compliance, many FIs are turning to automated key management systems, said Rick DuVall, senior ATM products manager for Omaha, Neb.-based ACI Worldwide Inc.

"I think a lot of financial institutions are taking advantage of the types of solutions we and our competitors sell for key management because it's much easier. Financial institutions have been making this move (to a more automated system) for the last couple of years."

Pressure from the networks, coupled with the need to prove that keys are managed correctly, is pushing FIs of all sizes out of the key management business.

"With Triple DES and all the additional key strokes you have to enter and all of the audits you have to go through to prove that you are doing key management correctly, it is easier to say 'I use this package or that package,'" Duvall said.

Jason Anderson, director of technology security products for Bulverde, Texas-based Futurex, a data encryption specialist, said new security requirements also are pushing FIs in one of two directions: outsourcing management of their ATM networks or purchasing a key management solution.

Futurex's Key Management Server, a product the company released two years ago, manages keys and keeps a record for auditing purposes.

"Networks require through audit mandates that you have a tamper-resistant security module that stores and protects the keys," Anderson said. "In order for banks and credit unions to pass the audit, they have to prove they are protecting the keys. Our product takes care of the dirty bookkeeping part of it. The box can communicate with your host - it sends cryptograms to the host so the keys are never exposed."

Anderson said he expects card issuers to start leaning on the networks for audits this year, and those audits are likely to leave some banks and credit unions scrambling.

Encryption specialists also expect changes in key management requirements in the near future.

Currently, Visa and MasterCard require that each ATM have its own unique master key. Changes to those master keys aren't required on a regular basis - at least not yet.

DuVall said in the near future those networks likely will require that master keys at each ATM be changed at regular intervals.

"Key management systems automate the process of generating valid keys for ATMs, a task that is difficult and time consuming for people because it involves generating random numbers," said Steve Weingart, chief technology officer at Futurex. "Letting a computer perform this process makes it more reliable, easier and much faster."