In payments security, the key is the key.
Encryption and the digital keys that allow firms to scramble and descramble data are permanent parts of the payments landscape.
There’s a personal element to the technical wizardry, though. Data needs management, and protecting that data requires vigilance.
And yet, many firms do not have the staff in place to manage cryptographic keys. Think of it as management by “other duties as assigned,” which is hardly an effective endeavor, as the most important security asset in a firm used to protect information (arguably the most important asset overall) is handled by people who, in some cases, have volunteered to take on the task.
Perhaps it’s an IT professional, but more likely it’s someone else within the organization, possibly ill-equipped for the job.
Against that backdrop, GEOBRIDGE offers cryptographic key management with an eye on what it calls “lifecycle key management” across sales, support and consulting services focused on cryptographic key inventory. The company, through KEES™ – its key exchange and escrow service – also allows for remote management of a firm’s existing hardware security module (HSM) structure, limiting capital expenditures by clients.
GEOBRIDGE works across the transaction spectrum, with payment brands, acquirers and service providers, deployment centers and device manufacturers.
In an interview with PYMNTS, CEO Laura Way delved into the evolution of cryptographic security and the ways day-to-day management of that security has struggled to keep pace in some corners of commerce.
Way told PYMNTS that “when you think of the sheer number of terminals, the number of merchants, the payment applications, settlement services, the mobile phone service providers – in terms of getting cards to users and transactions back to an issuing bank for authorization – you quickly lose count of how many interrelated, interdependent systems must truly be out there to have an effective network that allows for a card transaction to happen in a matter of seconds.
“If it’s not instantaneous, merchants lose business. [Consumers] get frustrated and walk away. They don’t complete the sale,” she told PYMNTS.
And, Way added, when it comes to security, “when you embed cryptographic algorithms with that many interdependent systems, you can’t make a global update instantly just because a new algorithm has hit the market.”
The cryptographic industry has been morphing to different key sizes and wrapping techniques, she said, and changing PCI mandates create significant challenges. Under the terms of those mandates, effective this year, encrypted keys must be managed in “bundled” blocks.
Way said use cases have evolved, which means the technology underpinning those use cases has had to evolve too. She noted that HSMs have underpinned all efforts, and form factors have changed dramatically over the last several years.
“As recently as 2010, the only thing that was really out there was a countertop terminal or maybe a handheld terminal,” she told PYMNTS. “But over the last eight years, there’s been this notion of mobile payments, and mobile payments means something different to everybody you ask,” with form factors spanning cellphones to tablets, all of which can be embedded with different algorithms. But all transactions, she continued, come to an HSM and touch an acquiring institution that’s got a process for transactions that allow for appropriate authorization.
“Because of these different form factors and use cases,” she said, “over the last three to five years, GEOBRIDGE has seen the emergence of dedicated key management teams” within larger enterprises.
Beyond that scope, 80 percent of enterprises throughout the United States do not have key management teams in place. In those situations, she said, it’s typical to “grab the receptionist, somebody from marketing … if you’re lucky, somebody from IT [and then say], ‘You guys come together once a month or every couple months and deal with these things and then go about your business that you’re actually hired for.’”
It’s an inefficient practice at best, as companies relying on such in-house management may be tapping people who forget passwords or who may not be cognizant that they’re handling sensitive data.
Cautioned Way: “If you do not control the key, you do not control the device – and the revenues that are associated with it.”
A business that cannot get itself up and running for three weeks because it is, in effect, waiting for keys may lose weeks of sales equating to millions of dollars.
“We can’t get away from manual handling techniques,” said Way, “but we can do it faster because we know what we’re doing by building up the library and exchange points. We are able to connect the market faster, even as form factors continue to change.”