Companies that you interact with daily, at work and at home, are constantly working behind the scenes to implement new security standards that harden some of the most vital parts of the world's payments infrastructure.
Point of sale (POS) devices at every checkout process millions of payments worldwide, and emerging Internet of Things (IoT) devices will very likely be processing payments soon.
As you tap your card on a near field communication (NFC) reader, the transaction travels into the intricate payments ecosystem to be authenticated and processed in near real time.
If a transaction were compromised by a 'man-in-the-middle attack', in which the communication between two parties (a POS system and a cardholder's bank, for instance) is intercepted and perhaps altered, a digital eavesdropper could record the payment details sent over the channel, or alter the system so that they, and not the merchant, receive the payment.
Yet although cybercrime is rising dramatically, and an estimated $8.5 trillion in digital payments will be made this year, attacks of this kind are virtually unheard of. That is understandable once you consider the cryptography that the various Payment Card Industry (PCI) standards (including PCI PIN, PCI Card Production and PCI P2PE) require of payment devices.
Encrypting data in transit under cryptographic keys is one of the most powerful means of securing data in a digital world, but the way those keys are provisioned and managed is changing, and the change could have profound effects not just on payments but on IoT devices.
The (Pre) History of Key Blocks
POS devices, for example, need to be pre-loaded with the cryptographic keys required to process payments safely, and this can only be done in a trusted environment by authorised key custodians; otherwise the transactions the device processes cannot be trusted.
This means that there needs to be a secure room, known as a key injection facility (KIF), where cryptographic keys are generated and injected to give each device a unique digital identity.
But these keys do not last forever: they have an operational lifecycle and must be replaced. Traditionally, when new keys were needed, the manufacturers, deployers and their security providers would have to inject keys locally into a replacement device and then ship it to its destination for a scheduled service visit.
This is clearly a time-consuming and complex operating model with a high total cost of ownership (TCO).
For a long time this was the only way key updates could be carried out, because POS devices were not traditionally manufactured or deployed with the ability to be updated securely over the network.
Rising supply chain costs, staffing constraints and PCI compliance requirements continue to push TCO higher for deployers and service providers. In response, the industry began taking advantage of the latest PCI standards and adapting its POS provisioning models to enable remote key injection (RKI).
Now more than ever, payment keys must be protected by cryptographic techniques that prevent an eavesdropper from reading or tampering with them as they travel from a secure location, over a network, into the remote POS payment device.
Under recent PCI mandates, encrypted symmetric keys must be managed in structures called key blocks.
The key's usage must be cryptographically bound to the key using accepted methods. The X9.143 (formerly TR-31) key block standard specifies an acceptable method of 'wrapping' a key into a block: a clear-text header states the key's attributes (usage, algorithm, mode of use, exportability), the key itself is encrypted, and a message authentication code (MAC) computed over the header and the key data binds the two together. The result is tamper-evident rather than merely encrypted: any change to an attribute invalidates the block, yet the intended recipient can still unwrap and use the key, which is what allows keys to be loaded remotely with sufficient trust and assurance.
Additionally, the X9.24-3-2017 symmetric key management standard and the TR-34 (currently being standardised as X9.139) asymmetric key management technique both incorporate this key block format.
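The following is an added example (not code from the article, from Utimaco, or from the X9 standards) showing what "cryptographically bound" means in practice. It keeps the 16-character TR-31 header layout and the MAC-then-encrypt structure of a version "D" block (MAC over header plus plaintext payload, MAC reused as the CBC IV), but it is a simplification, not a conforming implementation: it substitutes truncated HMAC-SHA256 for AES-CMAC and a plain HMAC label for the standard's key derivation. All function and constant names are hypothetical, and the key block protection key (KBPK) and PIN key used in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// ASSUMPTION: added illustration, not a conforming TR-31/X9.143 implementation. It keeps
// the 16-character header layout and the MAC-then-encrypt structure (MAC over header plus
// plaintext payload, MAC reused as the CBC IV) but uses truncated HMAC-SHA256 in place
// of AES-CMAC and a simple HMAC label in place of the standard's key derivation.
const headerLen, macLen = 16, 16

// Header holds the attributes a version-"D" (AES-protected) header binds to the key. Layout:
// version(1) length(4) usage(2) algorithm(1) mode(1) keyVersion(2) exportability(1) opt(2) rsv(2).
type Header struct {
	KeyUsage      string // "P0" PIN encryption, "D0" data encryption, "K0" key wrapping
	Algorithm     byte   // 'A' AES, 'T' TDES
	ModeOfUse     byte   // 'E' encrypt only, 'D' decrypt only, 'B' both, 'N' no restriction
	Exportability byte   // 'N' non-exportable, 'E' exportable, 'S' sensitive
}

func (h Header) encode(totalLen int) string {
	return fmt.Sprintf("D%04d%2s%c%c00%c0000", totalLen, h.KeyUsage, h.Algorithm, h.ModeOfUse, h.Exportability)
}

// derive splits the key block protection key (KBPK) into an encryption and a MAC subkey.
func derive(kbpk []byte, label string) []byte {
	m := hmac.New(sha256.New, kbpk)
	m.Write([]byte(label))
	return m.Sum(nil)[:16] // always 16 bytes, so aes.NewCipher below cannot fail
}

// tag authenticates the header together with the plaintext payload.
func tag(kbmk []byte, header string, payload []byte) []byte {
	m := hmac.New(sha256.New, kbmk)
	m.Write([]byte(header))
	m.Write(payload)
	return m.Sum(nil)[:macLen]
}

// Wrap returns header || hex(ciphertext) || hex(MAC); the length field counts all characters.
func Wrap(kbpk []byte, h Header, key []byte) (string, error) {
	// Payload: key length in bits (2 bytes), the key, random padding up to a block multiple.
	plain := make([]byte, 2+len(key))
	binary.BigEndian.PutUint16(plain, uint16(len(key)*8))
	copy(plain[2:], key)
	if rem := len(plain) % aes.BlockSize; rem != 0 {
		pad := make([]byte, aes.BlockSize-rem)
		if _, err := rand.Read(pad); err != nil {
			return "", err
		}
		plain = append(plain, pad...)
	}
	header := h.encode(headerLen + 2*len(plain) + 2*macLen)
	mac := tag(derive(kbpk, "KBMK"), header, plain)
	block, _ := aes.NewCipher(derive(kbpk, "KBEK"))
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, mac).CryptBlocks(ct, plain)
	return header + hex.EncodeToString(ct) + hex.EncodeToString(mac), nil
}

// Unwrap verifies the block and returns the bound attributes with the key. Changing any
// header character (relabelling a PIN key "P0" as a data key "D0", or "E" encrypt-only to
// "B" both) changes the expected MAC, so the block is rejected instead of being loaded.
func Unwrap(kbpk []byte, kb string) (Header, []byte, error) {
	if len(kb) < headerLen+2*macLen+2*aes.BlockSize || kb[0] != 'D' {
		return Header{}, nil, errors.New("unsupported or truncated key block")
	}
	if n, err := strconv.Atoi(kb[1:5]); err != nil || n != len(kb) {
		return Header{}, nil, errors.New("length field does not match block")
	}
	header := kb[:headerLen]
	ct, err1 := hex.DecodeString(kb[headerLen : len(kb)-2*macLen])
	mac, err2 := hex.DecodeString(kb[len(kb)-2*macLen:])
	if err1 != nil || err2 != nil || len(ct)%aes.BlockSize != 0 {
		return Header{}, nil, errors.New("malformed key block body")
	}
	block, _ := aes.NewCipher(derive(kbpk, "KBEK"))
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, mac).CryptBlocks(plain, ct)
	if !hmac.Equal(mac, tag(derive(kbpk, "KBMK"), header, plain)) {
		return Header{}, nil, errors.New("key block integrity check failed")
	}
	bits := int(binary.BigEndian.Uint16(plain))
	if bits == 0 || bits%8 != 0 || 2+bits/8 > len(plain) {
		return Header{}, nil, errors.New("invalid key length field")
	}
	h := Header{KeyUsage: header[5:7], Algorithm: header[7], ModeOfUse: header[8], Exportability: header[11]}
	return h, plain[2 : 2+bits/8], nil
}
```

Wrapping a 16-byte PIN-encryption key with usage "P0", mode of use "E" and exportability "N" yields a 112-character block whose header reads `D0112P0AE00N0000`. Because the MAC covers the header, an attacker on the network who rewrites `P0` to `D0` (turning a PIN key into a general data key that a less restricted HSM command could use to decrypt PIN blocks), or widens `E` to `B`, produces a block that fails the integrity check and is never loaded; with a legacy ECB-wrapped key carrying an unauthenticated label, the same relabelling would go unnoticed. In a real deployment the KBPK never leaves the HSM and the actual X9.143 algorithms (AES-CMAC and its CMAC-based key derivation) replace the HMAC substitutes used here.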
However, developing standards is only the first step. The global payment ecosystem is very complex, with long-lived, deeply embedded roots of trust that are not easily adapted to new key management standards.
Thus, the challenge lies not only in designing and deploying new appliances (e.g., POS devices, hardware security modules, etc.) according to these new standards, but also in migrating legacy systems and their keys into compliant key blocks.
This requires extensive investment and planning, which is largely why PCI has extended the implementation deadlines several times.
But it is finally being required worldwide: by 1 June 2025 all keys in scope of PCI PIN must be stored and exchanged in key blocks, making the process of updating keys on POS devices both easier and more secure.
The Implications for IoT
As the digital world connects more and more POS payment devices, IoT devices are becoming increasingly common and are being connected to wireless networks as soon as they are deployed.
It can be argued that RKI makes payment devices secure while keeping them inexpensive to manufacture and maintain. The RKI payment standards are already in place, and these standards and the infrastructure behind them should be leveraged for IoT security as it grows from its infancy and converges with the payment ecosystem.
By Jason Way, SVP of Payment Technologies for Utimaco.
Utimaco is a platform provider of cybersecurity & compliance solutions and services.