| Where money is concerned, security is paramount. Financial institutions, international card organizations, government agencies and even consumers have demanded the most secure technology since the banking industry's move to electronic systems. In the mid-1970's, IBM created a cryptographic algorithm known as the Data Encryption Standard (DES) that was eventually adopted by American National Standards Institute and became the standard for financial institution data encryption. DES is effective in data encryption as long as the key remains secret. With no known shortcuts to cracking DES other than trying every key possibility, DES remained a strong algorithm for more years than originally anticipated. However, by 2000, PC systems existed that could solve a DES key in about 22 hours!
The use of Triple DES (3DES) is a stepping-stone solution for newer encryption technologies such as the Advanced Encryption Standard (AES). Although potentially complex in its implementation, 3DES at least fits the existing DES infrastructure and is backwards compatible with existing DES. Triple DES is much more than three times the encryption strength of DES. By comparison, if a DES key can be ascertained by trying all combinations of key values in 22 hours, determining the two key values in 3DES would take 1.8 trillion centuries!
MasterCard International is the first of the international networks to set an implementation deadline for 3DES. In January 2001, MasterCard released a statement requiring that all new/replacement devices (such as ATM and POS) must be 3DES capable by April 2002; 3DES implemented between the financial institutions host system and the MasterCard network by April 2003; with full 3DES implementation by April 2005. Host processors connected to gateways to MasterCard (such as Pulse) are impacted as well.
Implementing 3DES can be a complex undertaking, even in a straightforward transaction processing system. First, all the components of the system must be inventoried to determine all components impacted by 3DES, including cryptographic devices, transaction endpoints (ATM, POS, PIN pads), transaction processing software, key management policies and procedures, etc.
Once all components are identified, each must be evaluated to determine its 3DES capability and readiness, which involves contacting vendors of transaction devices, cryptographic hardware, transaction processing software systems and reviewing the validity of the financial institution's key management policies and procedures. This human component, if overlooked, can short circuit the effectiveness of the 3DES technical components.
All non-3DES capable components will have to be upgraded or replaced. Given the MasterCard requirement, some aspects of a 3DES implementation project can occur in phases. Euronet Worldwide's Professional Services Organization (PSO) can assist with the financial institution's 3DES challenge with awareness, joint requirements planning (JRP), tactical delivery and project office.
PSO assistance with general 3DES awareness could be as simple as a few hours in a conference call and e-mail information, or it could be as complex as an onsite visit to discuss 3DES, what it is, how it impacts a financial institution, and what the financial institution needs to think about.
Once a financial institution understands the general nature of 3DES, they need to clearly understand the impact on all technical and non-technical processes and procedures affected by 3DES. PSO can evaluate an institution's software and hardware systems, processes/procedures, and upcoming business plans, and help identify how 3DES impacts the financial institution.
Euronet's Delivery organization can address the standard systems and components impacted by 3DES (i.e., ITM, DCM's, HSM's, etc.). However, financial institutions must be aware of and deal with a number of other things. If the institution purchased Euronet services, Euronet's delivery will have identified what they need to address outside of what Euronet supplies. If the financial institution needs help/consulting in this area, PSO can offer assistance.
Some financial institutions may have too much to accomplish and don't have time to focus on 3DES. PSO can offer project oversight, by supplying project management consulting, to assist the institution in rolling out 3DES. This would entail PSO managing the "overall" project, from coordinating Euronet's efforts to the efforts of other vendors (ATM, POS, HSM, etc.).
PSO is available to evaluate all of the financial institutions' needs. Just give your Euronet sales team a call. |
