Hypercom Remote Key Update and Clarification Regarding MasterCard 3DES

MasterCard has issued a bulletin that disallows merchants’ use of remote key injection to install new encryption keys on non PCI-approved POS terminals, regardless of the manufacturer. The key words to note here are “non-PCI”. A trade publication article has subsequently appeared in which an industry analyst not affiliated with MasterCard suggests MasterCard is not allowing remote key injection period. The article is incorrect.

MasterCard appears to be concerned that even though the host end of a remote key injection solution may comply with all PCI and ANSI requirements, if the key injection process is performed on a terminal of unknown security status (non-PCI), there is a risk of key compromise. Hypercom believes MasterCard is acting in the best interests of the payment industry as a whole given the wide array of pre-PCI devices in the field and the range of approaches that a vendor may take in designing a remote key injection system.

The restriction that MasterCard’s decision presents is limited solely to non-PCI approved terminals. There is absolutely no reason that our customers should stop using the HyperSafe® Remote Key System when injecting to Hypercom PCI compliant products.

Here is the background: On June 15th, 2009, MasterCard issued a 3DES bulletin that, among other things, provided guidance to acquirers and merchants about the injection of new 3DES keys in non-PCI terminals. In this bulletin, MasterCard states that non-PCI terminals to be injected with a 3DES key must comply with the following:

• The device must be Triple DES-capable.

• If the device is not Triple DES-capable, then the only option available is to replace it with a PCI approved device.

• The process of injecting a Triple DES key must be undertaken in compliance with the Payment Card Industry PIN Security Requirements.

• The injection of the Triple DES key must be undertaken at a key injection facility that complies with the requirements in Appendix B of the Payment Card Industry PIN Security Requirements.

How does the bulletin restrict remote key injection?
There is no restriction for remote key injection on PCI-approved payment terminals. There is, however, a restriction for non-PCI approved POS terminals. Item #3 in MasterCard’s bulletin states that the key injection process for non-PCI approved terminals must comply with PCI PIN Security Requirements AND item #4 states that the injection for non-PCI terminals must occur in a key injection facility that complies with Appendix B of this same standard.

What security guidelines does the HyperSafe Remote Key System follow?
Hypercom’s HyperSafe Remote Key System complies with the Payment Card Industry PIN Security requirement 2.0, including Normative Annex A. Evidence of this compliance is via a third party audit which Hypercom completed in November, 2008 prior to launching HRKS. In addition, Hypercom has audited compliance for the ANSI x9.24 part 2 and TR39 controls, both of which are additional standards that our industry utilizes to determine the security and safety of any key injection methodology.

What should Hypercom customers know?
There is no reason whatsoever to stop remotely injecting the Hypercom L4150, L4250 and T/M 4200 products.

HRKS is the industry’s only standards-based remote key injection product that allows retailers to quickly and securely initiate on-site, in-store debit key injection at the point-of-sale. HKRS eliminates the need for secure room key injections by incorporating PKI (Public Key Infrastructure) to securely distribute symmetric 3DES keys. HRKS meets ANSI x9.24 and Visa PIN Security Guidelines for remote key management, and is FIPS 140-2 Level 3 and X509 compliant. While we are the only company currently offering remote key injection, the MasterCard bulletin affects any/all competitors seeking to introduce similar remote key solutions.

As an advocate for our industry and our customers, we understand the industry’s migration to 3DES will be arduous. We developed our remote key product in a concerted effort to save the industry substantial time and cost associated with the July 2010 mandate. We will work with MasterCard to selectively review some non-PCI approved terminals which we believe are sufficiently secure to meet the PKI requirements of MasterCard.