Payment industry history with first AES DUKPT key management implementation

AES DUKPT key management

Verifone says it has implemented AES DUKPT with its end-to-end encryption solution, VeriShield Total Protect, its Engage family of payment devices, and Carbon 8 & 10.

Co-designed by Verifone, AES DUKPT is a new security key management standard that was approved as an American National Standard in October 2017 by the Accredited Standards Committee X9 (ASC X9). It incorporates the AES cryptographic algorithm to encrypt transaction data with greater security and processing speed than Triple Data Encryption Standard DUKPT (“Triple-DES DUKPT”)—the former standard that is widely deployed by the financial services industry.

“X9 [ASC X9] is grateful to have members like Verifone that worked to develop this standard,” said Steve Stevens, the Executive Director of X9. “AES DUKPT is a major improvement over the previously used algorithms because, among other benefits, it provides a much larger set of unique secret keys.” The main advantage of AES DUKPT is AES itself, as it provides the best security cryptography has to offer by supporting up to 256-bit keys, which are immune to all known methods of attack—even quantum computing attacks.

“Payment security—with the proliferation of EMV, end-to-end encryption, and tokenization—continues to be a top priority for Verifone, as we are committed to protecting the billions of transactions that pass through our systems every month,” said Joachim Vance, Verifone’s Chief Security Architect and AES DUKPT co-designer. “Our implementation of AES DUKPT—a standard we advocated for years with other industry influencers—validates this commitment.”

While Triple-DES DUKPT supports just over one million transactions, AES DUKPT can support over 2.4 billion, allowing a terminal to handle more transactions with a single key that is expected to last for its full lifespan. AES DUKPT support is available for VeriShield Total Protect and requires Verifone payment devices to have Application Development Kit (ADK) 4.5.

“Cybercriminals are developing new, highly innovative methods of attack at speeds that outpace the rapid, ongoing evolution underway in payments and commerce,” said Vance. “Supporting AES DUKPT at both the hardware and software level demonstrates ‘crypto-agility’ in our solutions—vastly strengthening the ability to protect merchants’ and customers’ sensitive transaction data as security threats and standards change.”