Imagine you’re on a treasure hunt—actually, multiple treasure hunts. You have different maps for finding different buried chests, all starting from the same Point A. Each map has directions on how to get to Point B, Point C, and so on, with specific instructions such as, “Walk 10 paces north” or “Five paces west.” Simply follow the directions and you’ll find your buried treasures.
Now, imagine having the maps, but Point A is hidden. What good are all those coordinates if you don’t know where to start? Sure, you can stumble upon a treasure, but the odds of this are greater than a billion to one.
In the treasure-rich landscape of electronic payment processing, an encryption algorithm is only as strong as its keys. The keys are what allow sensitive data to be encrypted and decrypted from one point to the next, with the most important key—the master or base derivation key—being the secret Point A. If not kept secret, eager pirates would have free rein to intercept any and all sensitive cardholder information available, right from the point of first contact with the payment device.
For every master key in the payment process, other important keys are derived along the way that handle encryption, decryption, authentication, and integrity of data. The modern industry standard for this key management scheme is known as Derived Unique Key Per Transaction, or DUKPT (pronounced “duck putt”). The algorithm was first introduced in the late 1980s by Visa, but didn’t achieve industry relevance until the 1990s.
The strength of DUKPT as an algorithm is its ability to generate unique keys for every transaction (like our unique treasure maps from before), without requiring the device that originated the transactions to retain any sensitive information that could link to any previous keys. Using the master key (our Point A) and data elements contained in the transaction, the receiving device can derive the key used by the originating device.
“DUKPT simplified key management on every device; it made them safer,” says Joachim Vance, Chief Security Architect at Verifone. “Before DUKPT, payment devices were not considered very secure. They were vulnerable as far as protecting the keys used in each transaction.”
Verifone has long used DUKPT in its payment solutions, since at least the early 90s, but the standard has seen its own revolution over time. Today, AES (Advanced Encryption Standard) DUKPT offers an algorithm that can do everything previous incarnations of DUKPT could do, but at scale. Specifically, AES DUKPT takes advantage of advancements in cryptography to allow for greater processing speeds; a terminal can handle more transactions from its single, initial key than is expected for the life of the device.
“There is a real push to use the AES version of DUKPT,” said Vance, who co-created the new standard and has been behind the push since 2009. “With the existing DUKPT, known as TDEA DUKPT, each device’s unique initial key is limited to just over 1 million transactions. With AES DUKPT, each device can support nearly 2.5 billion transactions.”
While the scale of AES DUKPT is vital, especially for hightraffic areas, the security of its encryption standard is still seen as the biggest advantage, according to its co-creator.
“The main advantage of AES DUKPT is AES itself,” says Vance, noting that AES was approved as a federal government standard over 15 years ago. “AES DUKPT allows the future of financial transactions to finally move into the best security that cryptography has to offer. AES DUKPT supports up to 256-bit keys, which are immune from all known methods of attack, even quantum computing
attacks.”
In September 2017, AES DUKPT was approved by ASC X9, an accredited standards developing organization for the U.S. financial services industry. While it won’t be commonly used until next year, Verifone has functioning implementations ready to go. We expect all of our new devices to support AES DUKPT in 2018.
Payment security—with the proliferation of EMV, end-toend encryption, and tokenization—continues to be a top priority here at Verifone, as we strive for solutions that protect the billions of transactions passing through our systems on a monthly basis. As an early adopter of AES DUKPT, we aim to increase that protection to anywhere and everywhere fraudsters may lurk.
