South African banks are moving quickly to meet future international security requirements for their ATMs (automatic teller machines). According to Gerhard Claassen, managing director of the Crypto Business Unit at JSE-listed secure electronic payments company Prism Holdings, the major card companies - Visa and MasterCard - have stated that by end-2003 all Host-to-Host PIN communication, such as that used in ATMs, must be triple DES (T-DES) based.
In addition, by the end of 2005, all PIN entry devices will have to be T-DES based. "At present, the standard encryption method used in ATMs and POS systems to protect card users' PINs is known as single DES (data encryption standard) or S-DES. However, the S-DES cryptographic algorithm has been cracked," he explains.
"While it took a specially built algorithm cracking machine 22,75 hours to break the S-DES code, it means that devices which rely on S-DES for security can no longer be considered totally secure. Hence the requirement that S-DES-based security be upgraded to far stronger T-DES."
T-DES is stronger because it performs three DES operations on a single piece of information, using two or three encryption keys instead of the single key used by S-DES. The problem is that none of the older ATMs currently in use are T-DES compliant.
Now, banks are using a solution provided by Prism that enables the S-DES encryption process within the ATM to be converted to T-DES prior to the cardholder's PIN leaving the ATM to travel across the public network to the bank's back-end systems. In other words, only T-DES encrypted PINs move across the public network.
"In addition, the Prism system creates an avenue for the use of unique keys for each session depending on the owning financial institution's needs. This means that every time a card is used in the ATM, the S-DES-encoded PIN information is converted to T-DES using a unique encryption key. So even if the T-DES encryption on one PIN is cracked - an action that has not yet been done successfully - the same process will be required each time a PIN-protected card is used, even if it is the same card," says Claassen.
For more information contact Prism Holdings 011 548 1000.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.