MasterCard halts remote POS security upgrades

Computerworld - In a purported second major security change in recent weeks, MasterCard has decided to disallow merchants' use of remote key injection (RKI) services to install new encryption keys on point-of-sale (POS) systems, says a Gartner analyst.

Such a decision would mean that merchants hoping to upgrade the encryption on their POS terminals in an automated fashion over their networks wwould instead need to continue doing it manually and one terminal at a time in a secure off-site facility.

MasterCard's decision would also raise questions about the considerable investments made by payment systems vendors in developing remote key injection (RKI) capabilities over the past few years.

"Nobody understands the rationale for this," Gartner analyst Avivah Litan said, adding that she was informed recently of the development by two major retailers.

MasterCard did not respond to multple requests for comment and would neither confirm nor deny Litan's finding.

"This really [has thrown] a wrench in people's plans," Litan said. Merchants were counting on remote key injection for quickly upgrading their terminals to Triple Data Encryption Algorithm standards (TDES) as required under the Payment Card Industry Data Security Standard (PCI), she said. "POS vendors were all about to release this capability after spending lots of R&D and engineering money making it happen."

RKI technologies and services are designed to make the process of upgrading data encryption keys on POS terminals quicker and cheaper than current manual methods because keys can be distributed to multiple POS systems directly over secure network connections and the Internet.

The approach is believed to be faster and cheaper than current processes, which typically require each terminal to be removed from its usual location and taken to a secure room at an Encrypting Service Organization, where the key is installed manually by specialists.

The process can be especially cumbersome and time-consuming in situations where a company might have thousands of POS terminals which need to be upgraded at the same time.

Though it is still a relatively new capability, vendors such as Hypercom and Futurex have begun offering RKI services.

MasterCard's move, if confirmed, is "quite interesting," said Jim Huguelet, an independent PCI analyst. "Although not widespread, there is growing interest by merchants in RKI technologies that reduce the cost of ownership associated with periodic encryption key replacement," he said.

MasterCard's purported surprise decision comes at a time when merchants are under a deadline to migrate all of their point of sale terminals from DES to Triple DES by July 2010.

The deadline is part of a PCI requirement aimed at getting merchants to implement stronger encryption at retail locations. Amove by MasterCard to disallow RKI would make it all but certain that many organizations would miss that deadline by a wide margin, Litan said.

The move would mark a second major change MasterCard has made on security. On June 15, the company sent out an advisory to acquiring banks and payment processors stating that all Level 2 merchants -- or those processing between 1 million and 6 million payment cards annually -- would be required to undergo annual security audits by third-party assessors.

Previously, such merchants were only required to submit self-assessment questionnaire attesting to their compliance with PCI standards.