Keep cardholder’s PIN safe with AES DUKPT encryption
AES DUKPT is becoming the new standard for improved data protection at POS systems. Sensitive transaction data processed in the payment network require a high level of security to withstand fraud attacks. In a new version of the PIN Security Requirements document, the PCI Security Standards Council announced changes to the encryption methods that POS vendors must implement to process online transaction data such as the cardholder's PIN.
TDES, widely used in the payment industry, is now considered too weak a PIN encryption technique to face increasingly sophisticated fraud attempts. According to the document, TDES PIN encryption will be disallowed in favour of the AES cryptographic algorithm.
AES is more robust than TDES. It offers a larger set of key sizes (from 128 to 256 bits), and keys can be generated throughout the whole lifespan of the terminal.
The combination of the AES cryptographic algorithm with the DUKPT (Derived Unique Key Per Transaction) key management scheme provides a higher level of protection for transaction data.
The challenge for terminal manufacturers is to develop innovative and convenient payment solutions for merchants and consumers, while complying with state-of-the-art technologies and the latest security standards.
At the forefront of data integrity challenges and software-based security, Alcinéo has already developed an AES DUKPT key encryption solution for its customers' secure payment products in transit, retail and mPOS environments.
The modular approach of our PCI logical package allows them to obtain customised PCI PTS compliant products tailored to their needs and supporting the most advanced security requirements in the payment landscape.
Do not hesitate to request further information on our PCI PTS POI package at: email@example.com.
The full set of documents on PIN security requirements is available on the PCI Security Standards Council website: www.pcisecuritystandards.org.
The current version 5.0 of the PCI PTS POI requirements was released 10 months ago.
Starting in September 2017, all new devices submitted for PCI PTS evaluation shall support the 5.0 requirements, leading to a greater level of security on new POS systems.
Several changes affect the logical part of the PCI evaluation, and Alcinéo takes them into account in its PCI PTS POI software solution. These changes concern the core logical module and the SRED module (Account Data Protection).
Devices must support firmware update functionality. The objective of the PCI Security Standards Council is to enhance the protection of cardholders' sensitive data.
Changes in the Security Requirements:
- sections B and K: devices MUST support firmware updates
- section K: the requirement for Independent Security Mechanisms (K1.2) has been removed, and additional guidance has been added to requirement K1.1
Changes in the Derived Test Requirements (defining the tests to be performed by laboratories):
- B9: Random Numbers: updated guidance on Deterministic Random Bit Generators
- B20: updated to reflect additional required information to be included in the POI security policy
- D1: penetration protection: eliminated the 10-hour minimum for exploitation time
All the changes mentioned above are listed in the PCI SSC document "POI – Summary of Requirements Changes".
Alcinéo is already developing logical modules according to version 5.0, to provide the increased level of security required and to comply with the logical evaluation scope.
We support our customers during the development of their products and help them pass the PTS evaluation. Our solution is based on a modular software approach, including a Secure Boot Loader, Key Manager, Crypto Engine and Secure Manager.
You will find all the necessary documents, Security Requirements, Vendor Questionnaire and the summary of changes between v4.1 and v5.0, in the document library on the PCI website: