Terminal Security Updates — Without the Shipping

Hypercom Corp. has developed a system for updating remotely the encryption capabilities of its payment terminals — a process that currently requires companies to send the machines to a secure facility.

The Scottsdale, Ariz., company said its HyperSafe Remote Key System, which was announced last week, will make it easier and cheaper for merchants and processors to replace or upgrade terminals.

For the first time, "we can securely distribute and inject a symmetric debit key to a terminal that's in a nonsecure location," Scott Goldthwaite, Hypercom's vice president of global solutions, said in an interview last week.

"We've set up a secure pipe between the devices, and we can exchange any type of data, whether that's a transaction" or an encryption key.

The technique was adapted from one used to update the encryption features on automated teller machines, which accept new keys remotely because moving the large machines is often impractical, Mr. Goldthwaite said.

"With a POS terminal, if there's a problem with the key, you can put it in a box, give it to the UPS guy, and send it back to a facility to get rekeyed. With an ATM, that's a little more complex; you can't pull an ATM off the wall," Mr. Goldthwaite said.

Installing new encryption keys is a relatively common process for merchants, Mr. Goldthwaite said; new encryption keys are needed, for example, when a merchant switches processors, upgrades terminals, or needs to reset a machine.

Various security standards, which restrict access to encryption keys, have required companies to ship terminals to secure sites for new keys.

Mr. Goldthwaite said that under the HyperSafe Remote Key System, the servers that manage the keys are kept in a secure location, and that his company's new system meets industry guidelines for remote key management.

Hypercom has been planning for the deployment of such a remote updating system for some time, he said, and many of its existing terminals have been built with such a system in mind. "All these features are really dormant in the terminal. They don't need to come back."

In addition to making the process of updating or reissuing keys faster and more cost-effective, using Hypercom's system can speed up the deployment of new payment terminals, Mr. Goldthwaite said.

Some terminal distributors do not have the secure-room setup needed to install keys, he said, and "Hypercom has distribution centers all over the world that don't have key facilities, so now we can do key injection at those facilities."

Hypercom has been testing the remote updating system since the third quarter, Mr. Goldthwaite said, but he would not name any of the companies that participated in the trials.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said the Hypercom system could prompt more merchants to upgrade their encryption, which would improve overall card security within the payments industry.

Shipping payment terminals "has always been the labor-intensive part of upgrading terminals," Ms. Litan said.

"For example, to move from single DES to Triple DES encryption, a new key has to be injected. It's so simple. It's simple technically, but having to do all these key upgrades physically was always a huge barrier."

Also, upgrading terminals at merchant locations could be more secure than sending them to another facility, Ms. Litan said, since fewer people gain access to the machines in the process. "They can do it electronically overnight and not affect anyone."

Brian Riley, a research director in the bank card practice at TowerGroup, a Needham, Mass., independent research firm owned by MasterCard Inc., agreed that installing new keys remotely would improve security in the payments industry.

In one card security breach discovered last year in the United Kingdom, skimming devices were found inside some payment terminals, Mr. Riley said, and they may have been installed by insiders who had gained access to the machines.

"Every time anybody touches it, anytime it goes through its supply chain, or anytime it's going through anywhere, there's risk," Mr. Riley said.

Hypercom's method of updating terminals without moving them "could eliminate some vulnerabilities."

Mr. Riley does not expect the process to prompt many merchants to upgrade their payment terminals, but said it will make it easier when they do decide to make a change.

Installing new keys when switching processors is not a huge ordeal, he said, since machines are often leased and are typically swapped out when the processor changes. "It's a convenience factor."

Hypercom's method may come into play more frequently if the terminals need to be reset, which can be necessary when, for example, they are dropped or lose power, Mr. Riley said.
