Verifone Makes History with Payment Industry’s First AES DUKPT Key Management Implementation
LAS VEGAS, ETA TRANSACT (April 17, 2018) – Verifone (NYSE: PAY), the world leader in payment and commerce solutions, announced it has implemented AES DUKPT with its end-to-end encryption solution, VeriShield Total Protect, and its Engage family of payment devices.
Co-designed by Verifone, AES DUKPT is a new security key management standard that was approved as an American national standard in October 2017 by the Accredited Standards Committee X9 (ASC X9). It incorporates the AES cryptographic algorithm to encrypt transaction data with greater security and processing speed than Triple Data Encryption Standard DUKPT (“Triple-DES DUKPT”)—the former standard that is widely deployed by the financial services industry.
“X9 [ASC X9] is grateful to have members like Verifone that worked to develop this standard,” said Steve Stevens, the Executive Director of X9. “AES DUKPT is a major improvement over the previously used algorithms because, among other benefits, it provides a much larger set of unique secret keys.” The main advantage of AES DUKPT is AES itself, as it provides the best security cryptography has to offer by supporting up to 256-bit keys, which are immune to all known methods of attack—even quantum computing attacks.
“Payment security—with the proliferation of EMV, end-to-end encryption, and tokenization—continues to be a top priority for Verifone, as we are committed to protecting the billions of transactions that pass through our systems every month,” said Joachim Vance, Verifone’s Chief Security Architect and AES DUKPT co-designer. “Our implementation of AES DUKPT—a standard we advocated for years with other industry influencers—validates this commitment.”
While Triple-DES DUKPT supports just over one million transactions, AES DUKPT can support over 2.4 billion, providing the ability for a terminal to handle more transactions using a single key that is expected for its full lifespan. AES DUKPT support is available for VeriShield Total Protect and requires Verifone payment devices to have Application Development Kit (ADK) 4.5.
“Cybercriminals are developing new, highly-innovative methods of attack at speeds that outpace the rapid, ongoing evolution underway in payments and commerce,” said Vance. “Supporting AES DUKPT at both the hardware- and software-level demonstrates ‘crypto-agility’ in our solutions—vastly strengthening the ability to protect merchants and customers’ sensitive transaction data as security threats and standards change.”
- “The Master of Keys,” by Joachim Vance, Chief Security Architect, Verifone
- ASC X9 press release
- ANSI X9.24-3-2017, Retail Financial Services Symmetric Key Management – Part 3: DUKPT
Safe Harbor Statement under the Private Securities Litigation Reform Act of 1995 for VeriFone Systems, Inc.
This press release includes certain forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. These statements are based on management’s current expectations or beliefs and on currently available competitive, financial and economic data and are subject to uncertainty and changes in circumstances. Actual results may vary materially from those expressed or implied by the forward-looking statements herein due to changes in economic, business, competitive, technological and/or regulatory factors, and other risks and uncertainties affecting the operation of the business of VeriFone Systems, Inc., including many factors beyond our control. These risks and uncertainties include, but are not limited to, those associated with: successful implementation of AES Dukpt, execution of our strategic plan and business initiatives and whether the expected benefits of our plan and initiatives are achieved, short product cycles and rapidly changing technologies, our ability to maintain competitive leadership position with respect to our payment solution offerings, our assumptions, judgments and estimates regarding the impact on our business of the continued uncertainty in the global economic environment and financial markets, our ability to successfully integrate acquired businesses into our business and operations, our ability to protect against fraud, the status of our relationship with and condition of third parties such as our contract manufacturers, distributors and key suppliers upon whom we rely in the conduct of our business, our dependence on a limited number of customers, the conduct of our business and operations internationally, our ability to effectively hedge our exposure to foreign currency exchange rate fluctuations, and our dependence on a limited number of key employees. For a further list and description of the risks and uncertainties affecting the operations of our business, see our filings with the Securities and Exchange Commission, including our annual report on Form 10-K and our quarterly reports on Form 10-Q. We may also provide material information about us on our investor relations website at www.ir.verifone.com, in company press releases and in social media postings. The forward-looking statements speak only as of the date such statements are made. Verifone is under no obligation to, and expressly disclaims any obligation to, update or alter its forward-looking statements, whether as a result of new information, future events, changes in assumptions or otherwise.
Verifone is transforming every day transactions into new and engaging opportunities for merchants and consumers at the last inch of payments and commerce. Powered by a growing footprint of more than 30 million devices in more than 150 countries, our people are trusted experts working with the world’s best-known retail brands, financial institutions, and payment providers. Verifone is connecting more products to an integrated solutions platform to better meet the evolving needs of our clients and partners. Built on a 35-year history of uncompromised security, we are committed to consistently solving the most complex payment challenges. Verifone.com | (NYSE: PAY) | @verifone.
View Source Version at: www.verifone.com
ASC X9 TR 48-2018 Card-Not-Present (CNP) Fraud Mitigation in the United States
ANSI X9.124-2-2018 Financial Services – Symmetric Key Cryptography for the Financial Services Industry – Format
Preserving Encryption- Part 2: Key Stream with Counter Mode
ANSI X9.129-2017 (Version 01) Legal Order Exchange
ANSI X9.69-2017 Framework for Key Management Extensions