In payments security, the key is the key.
Encryption and the digital keys that allow firms to scramble and descramble data are permanent parts of the payments landscape.
There’s a personal element to the technical wizardry, though. Data needs management, and protecting that data requires vigilance.
And yet, many firms do not have the staff in place to manage cryptographic keys. Think of it as management by “other duties as assigned,” which is hardly an effective endeavor: the most important security asset a firm uses to protect information (arguably its most important asset overall) is handled by people who, in some cases, have volunteered to take on the task.
Perhaps it’s an IT professional, but more likely it’s someone else within the organization, possibly ill-equipped for the job.
Against that backdrop, GEOBRIDGE offers cryptographic key management with an eye on what it calls “lifecycle key management” across sales, support and consulting services focused on cryptographic key inventory. The company, through KEES™ — its key exchange and escrow service — also allows for remote management of a firm’s existing hardware security module (HSM) structure, limiting capital expenditures by clients.
GEOBRIDGE works across the transaction spectrum, with payment brands, acquirers and service providers, deployment centers and device manufacturers.
In an interview with PYMNTS, CEO Laura Way delved into the evolution of cryptographic security and the ways day-to-day management of that security has struggled to keep pace in some corners of commerce.
Way told PYMNTS that “when you think of the sheer number of terminals, the number of merchants, the payment applications, settlement services, the mobile phone service providers — in terms of getting cards to users and transactions back to an issuing bank for authorization — you quickly lose count of how many interrelated, interdependent systems must truly be out there to have an effective network that allows for a card transaction to happen in a matter of seconds.
“If it’s not instantaneous, merchants lose business. [Consumers] get frustrated and walk away. They don’t complete the sale,” she told PYMNTS.
And, Way added, when it comes to security, “when you embed cryptographic algorithms with that many interdependent systems, you can’t make a global update instantly just because a new algorithm has hit the market.”
The cryptographic industry has been morphing to different key sizes and wrapping techniques, she said, and changing PCI mandates create significant challenges. Under the terms of those mandates, effective this year, encrypted keys must be managed in “bundled” blocks.
Way said use cases have evolved, which means the technology underpinning those use cases has had to evolve too. She noted that HSMs have underpinned all efforts, and form factors have changed dramatically over the last several years.
“As recently as 2010, the only thing that was really out there was a countertop terminal or maybe a handheld terminal,” she told PYMNTS. “But over the last eight years, there’s been this notion of mobile payments, and mobile payments means something different to everybody you ask,” with form factors spanning cellphones to tablets, all of which can be embedded with different algorithms. But all transactions, she continued, come to an HSM and touch an acquiring institution that’s got a process for transactions that allows for appropriate authorization.
“Because of these different form factors and use cases,” she said, “over the last three to five years, GEOBRIDGE has seen the emergence of dedicated key management teams” within larger enterprises.
Beyond that scope, 80 percent of enterprises throughout the United States do not have key management teams in place. In those situations, she said, it’s typical to “grab the receptionist, somebody from marketing … if you’re lucky, somebody from IT [and then say], ‘You guys come together once a month or every couple months and deal with these things and then go about your business that you’re actually hired for.’”
It’s an inefficient practice at best, as companies relying on such in-house management may be tapping people who forget passwords or who may not be cognizant that they’re handling sensitive data.
Cautioned Way: “If you do not control the key, you do not control the device — and the revenues that are associated with it.”
A business that cannot get itself up and running for three weeks because it is, in effect, waiting for keys may lose weeks of sales equating to millions of dollars.
“We can’t get away from manual handling techniques,” said Way, “but we can do it faster because we know what we’re doing by building up the library and exchange points. We are able to connect the market faster, even as form factors continue to change.”