How to improve ATM security with remote key loading

Remote key loading provides a secure and cost-effective method for loading and managing ATM encryption keys across entire ATM networks, making it the strongest security choice for financial institutions.


By David Close, chief solutions architect, Futurex 

Remote key loading (RKL) offers ATM operators a rare opportunity to improve operating efficiency and security at the same time. Yet, although the technology is well proven around the world, only 44% of financial institutions currently use RKL, according to ATM Marketplace's 2019 ATM and Self-service Software Trends report.

The cryptographic keys that protect sensitive data in transit, above all the PIN, guard against information theft as cardholder data travels from the ATM back to the card issuer for validation. Good security practice dictates that these keys be rotated periodically, so that a key that does leak exposes only a bounded window of transactions.

Loading new keys into an ATM has traditionally been a manual process known as direct key injection. For POS terminals and PIN entry devices, this means bringing the devices to a key injection facility (KIF) where key administrators load each device by hand. This is time consuming and expensive: it requires the upfront cost of maintaining a KIF validated against the PCI PIN Security Requirements, plus the operational cost of shipping devices to the KIF every time they need to be rekeyed. For larger devices such as ATMs, organizations typically send two-person teams to each machine to load the updated encryption keys, so that no single person ever sees a complete key.

An expensive, error prone process

For organizations with widespread ATM or POS networks, this manual process is a significant operational expense and is highly susceptible to human error, since long strings of hexadecimal characters must be typed in by hand. Worse, if a key is compromised, the time needed to rekey an entire ATM network makes a swift response to the compromise nearly impossible. RKL addresses all of these problems, improving security while reducing operational costs.

RKL allows keys to be updated remotely over a network in a secure and compliant manner. Taking humans out of the loop removes both the keying errors and the opportunity for key components to be observed or copied during a manual load. And because pushing a new key remotely is easier and cheaper than loading it by hand, keys can be rotated more often than once a year, shrinking the window an attacker has to exploit any one key. If a compromise is suspected, new keys can simply be pushed to the affected ATMs at the touch of a button.

RKL also provides crypto agility when cryptographic algorithms change. For example, all new ATM installations since 2002 have been required to use the Triple Data Encryption Algorithm (TDES) for PIN encryption, a major security improvement over the original single-length Data Encryption Standard (DES).

The next step is the stronger Advanced Encryption Standard (AES). The latest edition of ASC X9 TR-31, the interoperable key block standard, for the first time defines a standardized format for carrying AES keys, with the key's algorithm, permitted usage and exportability bound to the key inside the block. ATM deployers also face the migration from SHA-1 to the SHA-2 family of hash functions in the certificates and signatures that secure the key exchange, and RKL significantly eases both transitions because the new keys and algorithms can be rolled out network-wide without a truck roll.
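To make the TR-31 point concrete, here is an added example (not code from the article, from Futurex or from any RKL product) that parses the 16-character TR-31 key block header and applies an acceptance policy of the kind an RKL host would enforce before injecting a key. The header layout and code values follow the published TR-31 header definition; the policy in vet_header() and the sample key blocks, which carry dummy payloads rather than real wrapped keys or MACs, are assumptions made for this example.

```python
"""Parse and vet the header of an ASC X9 TR-31 key block.

Added example, not code from the original article or from Futurex. The
16-character header layout and code values follow the published TR-31 header
definition; the acceptance policy in vet_header() is an assumption made for
this example, and the sample key blocks below are constructed with dummy
payloads (no real wrapped keys or MACs).
"""
from dataclasses import dataclass

# Byte 0: key block version ID (which binding method protects the key)
VERSIONS = {"A": "TDES variant binding (deprecated)", "B": "TDES key-derivation binding",
            "C": "TDES variant binding", "D": "AES key-derivation binding"}
# Bytes 5-6: key usage (subset; extend to taste)
KEY_USAGES = {"B0": "BDK", "D0": "Data encryption", "K0": "Key wrapping", "P0": "PIN encryption"}
# Byte 7: algorithm of the wrapped key
ALGORITHMS = {"A": "AES", "D": "DES", "R": "RSA", "T": "Triple DES"}
# Byte 8: mode of use
MODES = {"B": "Encrypt/decrypt", "D": "Decrypt only", "E": "Encrypt only",
         "G": "Generate MAC", "N": "No restriction", "V": "Verify MAC", "X": "Derive keys"}
# Byte 11: exportability
EXPORTABILITY = {"E": "Exportable under trusted key", "N": "Non-exportable", "S": "Sensitive"}


@dataclass(frozen=True)
class Tr31Header:
    version: str
    length: int          # declared length of the whole key block, in characters
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: int


def parse_header(key_block: str) -> Tr31Header:
    """Split the fixed-width header and cross-check it against the block it heads."""
    if len(key_block) < 16:
        raise ValueError("key block is shorter than a TR-31 header")
    hdr = key_block[:16]
    if not (hdr.isascii() and hdr.isprintable()):
        raise ValueError("header must be printable ASCII")
    if not (hdr[1:5].isdigit() and hdr[12:14].isdigit()):
        raise ValueError("length and optional-block count must be decimal digits")
    header = Tr31Header(version=hdr[0], length=int(hdr[1:5]), key_usage=hdr[5:7],
                        algorithm=hdr[7], mode_of_use=hdr[8], key_version=hdr[9:11],
                        exportability=hdr[11], optional_blocks=int(hdr[12:14]))
    # The declared length covers header, optional blocks, encrypted payload and MAC.
    if header.length != len(key_block):
        raise ValueError(f"declared length {header.length} != actual {len(key_block)}")
    if header.version not in VERSIONS:
        raise ValueError(f"unknown key block version {header.version!r}")
    return header


def vet_header(h: Tr31Header, require_aes: bool = False) -> list[str]:
    """Apply an assumed RKL host acceptance policy; an empty list means acceptable."""
    findings = []
    if h.version == "A":
        findings.append("version A key blocks are deprecated")
    if h.algorithm == "D":
        findings.append("single-DES keys are not acceptable for PIN protection")
    if h.algorithm == "A" and h.version != "D":
        # A wrapping key must be at least as strong as the key it protects.
        findings.append("AES key wrapped under a TDES key block (version B/C)")
    if require_aes and h.algorithm != "A":
        findings.append(f"policy requires AES, got {ALGORITHMS.get(h.algorithm, h.algorithm)}")
    if h.key_usage == "P0" and h.mode_of_use not in ("B", "D", "E"):
        findings.append(f"PIN key with mode of use {h.mode_of_use!r}")
    if h.key_usage not in KEY_USAGES:
        findings.append(f"key usage {h.key_usage!r} not on the host's allow-list")
    return findings


def describe(h: Tr31Header) -> dict[str, str]:
    """Human-readable view of the header, e.g. for an audit log line."""
    return {"version": VERSIONS.get(h.version, h.version),
            "usage": KEY_USAGES.get(h.key_usage, h.key_usage),
            "algorithm": ALGORITHMS.get(h.algorithm, h.algorithm),
            "mode": MODES.get(h.mode_of_use, h.mode_of_use),
            "exportability": EXPORTABILITY.get(h.exportability, h.exportability)}


def _constructed_block(header: str) -> str:
    """Pad a header with a dummy payload so the declared length holds (constructed, not a real key)."""
    return header + "0" * (int(header[1:5]) - 16)


# Version D block with an AES-128 PIN-encryption key: 16 header + 64 payload + 32 MAC = 112 chars.
SAMPLE_AES_PIN_KEY = _constructed_block("D0112P0AE00N0000")
# Version B block with a double-length TDES PIN key: 16 + 48 + 16 = 80 chars.
SAMPLE_TDES_PIN_KEY = _constructed_block("B0080P0TE00N0000")
# Legacy single-DES PIN key, the kind the 2002 TDES mandate retired; a host should refuse it.
SAMPLE_DES_PIN_KEY = _constructed_block("B0080P0DE00N0000")

if __name__ == "__main__":
    for blk in (SAMPLE_AES_PIN_KEY, SAMPLE_TDES_PIN_KEY, SAMPLE_DES_PIN_KEY):
        h = parse_header(blk)
        print(describe(h), "->", vet_header(h) or "accepted")
```

The header check is deliberately done before any cryptographic unwrapping: a host that decrypts first and inspects attributes afterwards has already spent the effort, and a mismatch between the declared and actual length is the cheapest way to spot a truncated or tampered block. Passing require_aes=True turns the same check into a migration gate that rejects TDES keys once an ATM group has been moved to AES.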

Trusted key exchange

Successful RKL operations require collaboration and standardized communication protocols between the device manufacturer and the RKL provider. The backbone of RKL is trust at both ends of the key exchange, the RKL host on one side and the field device on the other. That trust is established by a certificate authority that issues a digital certificate to both the endpoint terminal and the RKL platform. Each certificate binds the holder's public key to its identity; the matching private key never leaves the ATM's encrypting PIN pad or the host's hardware security module. These key pairs form the public key infrastructure that authenticates each side and protects the keys in transit.

The endpoint devices and the RKL provider must use the same communication and key exchange protocols. The most common and widely accepted protocol for RKL is ASC X9 TR-34, which uses the certificates described above to sign and encrypt the transported keys, but other schemes remain in use depending on the manufacturer, the region and other factors. RKL providers should therefore design their platforms to accommodate multiple manufacturers' protocols.

After initial setup, RKL deployment is a turnkey affair. For on-premises deployments, hardware security modules (HSMs) handle key lifecycle management, including generating, distributing and injecting ATM encryption keys. These tamper-evident, tamper-responsive appliances keep keys in an internal secure cryptographic device and are validated to FIPS 140-2 Level 3, PCI HSM and other major industry standards. The same ATM RKL functionality is also available as a cloud service for organizations that prefer hosted cryptographic services.

Once the RKL solution is in place, batch import functionality makes it easy to enroll a large number of ATMs at once. After the ATMs have been organized into groups, administrators can define rules for managing keys and automate key rotations and other updates per group.

RKL provides a secure and cost-effective method for loading and managing ATM encryption keys across entire ATM networks, making it the strongest security choice for financial institutions. If your network is among the majority still relying on manual key injection, it may be time for a closer look at an RKL solution.
