MasterCard seeks to clarify remote POS security upgrades policy

Merchants can use remote-key injection if the service is PCI-compliant, company says

MasterCard today clarified a June 15 bulletin about the use of remote key injection (RKI) services for upgrading encryption protocols on merchants' point of sale (POS) terminals, saying it was not an edict.

The bulletin was interpreted by some as a signal that MasterCard was disallowing the use of RKI services as a way to do the upgrade, instead requiring merchants ship terminals to secure offsite locations for upgrades.

[ Keep up on the latest networking news with our Technology: Networking newsletter. ]

After initially not responding to Computerworld's requests for clarification, MasterCard today said in a statement that the bulletin was only meant to provide guidance stating the most secure option for upgrading was to have it performed at a key injection facility.

However, it said, merchants can use "Remote Key Injection services to upgrade the terminals if those services meet all aspects of the PCI [Payment Card Industry] Pin Security Requirements."

MasterCard's guidance around RKI comes at a time when merchants are under a deadline to upgrade their POS terminals to support Triple Data Encryption Algorithm (TDES) standards. Many had planned on using emerging remote key injection services to upgrade their systems over the network automatically rather than having to dismantle each device and ship them to an offsite facility for upgrade.

The wording in MasterCard's explanation today is slightly different from the original bulletin also. The bulletin had appeared to specifically prohibit non PCI-compliant PIN entry devices from RKI, said Stuart Taylor, VP of global solutions and marketing at Hypercom Corp., a vendor of electronic payments products.

Today's statement referred to the need for RKI "services" to be compliant with PCI standards, while making no mention of the need for the devices to be compliant. MasterCard did not respond to a request for further clarification.

But their message appears to be the same as the June bulletin, which is that companies cannot use remote key injection services unless their devices are PCI PED (Payment Card Industry Pin Entry Device)-compliant, Taylor said.

The PCI PED standard went into effect in mid-2007 and requires all merchants to ensure that the PIN-entry devices at the point of sale terminals meet some minimum security standards.

First products compliant with the standard became available sometime towards the end of 2007. As a result, an unknown number of installed PEDs are likely to be non-PCI compliant and therefore not permitted to use RKI, even though many of the devices are capable of securely accepting remotely injected keys, Taylor said.

MasterCard's rule leaves merchants who are using non-PCI PED compliant devices with a couple of options, Taylor said. The first: To simply have the upgrade to TDES done in the traditional manner at a secure facility at an offsite Encrypting Service Organization.

Those wishing to use RKI services could also consider asking MasterCard for a waiver if their PEDs are equipped to handle RKI and can do so in a secure manner, he said.

The third option for merchants looking to do RKI is to upgrade their terminals to PCI-compliant ones, he said.