Payment Industry Leaders Urge Adoption of Encryption Standard

Superpowers of the payments industry have joined forces to fight the obvious bad guys - credit card fraud and identity theft - but also a less obvious one - the lack of a global standard for implementing Triple DES (3DES) encryption technology in their payment devices.

A consortium of industry leaders - ACI Worldwide, Diebold Inc., Thales e-Security and VeriFone, Inc. - has published a plan that encourages the financial industry to adopt a global 3DES standard, so that every element of an end-to-end electronic payment solution can be integrated and interoperate more easily: from the host software to host security modules, ATMs and POS terminals.

Many suppliers in the payments industry still ship single DES systems, although many are starting to shift to 3DES. Triple DES applies the DES block cipher three times to each 64-bit block of data: it encrypts under a first key, decrypts under a second and encrypts again under a third. The underlying cipher is unchanged, and a device handed three identical keys behaves exactly like single DES, which is what makes a gradual migration possible. What grows is the key: two or three independent 56-bit keys instead of one, which puts exhaustive key search out of reach and so raises the level of fraud protection for PIN-based debit transactions initiated at ATMs and POS terminals.
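The encrypt-decrypt-encrypt structure described above, as an added example in Go; it is not code from the article or from any consortium member. It uses Go's standard crypto/des package, builds Triple DES by hand from three single-DES passes, checks the result against the library's own Triple DES, and shows why the middle stage is a decrypt: with all three keys equal, the output is ordinary single DES. The three keys and the sample block are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"log"
)

// Constructed sample inputs (not from the article): three independent
// single-length DES keys and one 8-byte block standing in for a PIN block.
var (
	K1    = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	K2    = []byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}
	K3    = []byte{0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23, 0x45, 0x67}
	Block = []byte("PINBLOCK") // exactly one 64-bit DES block
)

// EDE performs one Triple DES encryption of an 8-byte block by hand:
// encrypt under k1, decrypt under k2, encrypt under k3.
func EDE(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, fmt.Errorf("block must be %d bytes, got %d", des.BlockSize, len(block))
	}
	var stages [3]cipher.Block
	for i, k := range [][]byte{k1, k2, k3} {
		c, err := des.NewCipher(k) // each key must be 8 bytes
		if err != nil {
			return nil, err
		}
		stages[i] = c
	}
	out := make([]byte, des.BlockSize)
	stages[0].Encrypt(out, block)
	stages[1].Decrypt(out, out) // the middle stage is a decrypt, not an encrypt
	stages[2].Encrypt(out, out)
	return out, nil
}

// LibraryTDES encrypts the same block with the standard library's Triple DES,
// which takes the three keys concatenated into a single 24-byte key.
func LibraryTDES(k1, k2, k3, block []byte) ([]byte, error) {
	key := make([]byte, 0, 3*des.BlockSize)
	key = append(key, k1...)
	key = append(key, k2...)
	key = append(key, k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// SingleDES encrypts one block under a single 8-byte key.
func SingleDES(k, block []byte) ([]byte, error) {
	c, err := des.NewCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// DegeneratesToSingleDES reports whether 3DES with k1 == k2 == k3 yields the
// same ciphertext as single DES under that key. The middle decrypt cancels
// the first encrypt, so it does; this is what lets a 3DES terminal keep
// talking to a single-DES host while the rest of the network migrates.
func DegeneratesToSingleDES(k, block []byte) (bool, error) {
	triple, err := EDE(k, k, k, block)
	if err != nil {
		return false, err
	}
	single, err := SingleDES(k, block)
	if err != nil {
		return false, err
	}
	return bytes.Equal(triple, single), nil
}

func main() {
	manual, err := EDE(K1, K2, K3, Block)
	if err != nil {
		log.Fatal(err)
	}
	lib, err := LibraryTDES(K1, K2, K3, Block)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("hand-built EDE : %X\n", manual)
	fmt.Printf("crypto/des 3DES: %X\n", lib)
	fmt.Println("match:", bytes.Equal(manual, lib))

	same, _ := DegeneratesToSingleDES(K1, Block)
	fmt.Println("K1=K2=K3 reduces to single DES:", same)

	// Two-key (double-length) 3DES is the three-key form with k3 = k1.
	twoKey, _ := EDE(K1, K2, K1, Block)
	fmt.Printf("two-key 3DES   : %X\n", twoKey)
}
```

The two-key form shown at the end is the one most payment deployments of the period used: a 16-byte "double-length" key, with the first half reused for the third pass.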

Cryptographers regard single DES as no longer adequate: its 56-bit key is short enough to be recovered by exhaustive search, and falling hardware costs keep making that search cheaper. In other words, devices still operating with a single DES system need a security upgrade. And without a global standard in place, the consortium believes, each vendor will have to develop its own 3DES implementation and key-management scheme, placing an added burden on the integration of different systems.

"The resolution of this issue is essential for the continued interoperability of the worldwide payments networks," said Paul Meadowcroft, head of transaction security at Thales e-Security. "Thales is fully committed to the development of an industry-wide solution and its implementation within the Thales transaction-security products."

The consortium is creating a global specification that can be adopted by other companies to improve interoperability between all of their systems.

"We believe that the result of our work will provide interoperability and key protection our customers require for their 3DES implementations," said Charles Linberg, CTO of ACI Worldwide.

The consortium intends to work with leading card associations, other vendors and industry-standards organizations in the United States and internationally to finalize and adopt the specification for 3DES.

Visa and MasterCard are likewise encouraging the implementation of an end-to-end 3DES-compliant solution, from the point of card acceptance to the issuer host.

However, even 3DES is a stopgap rather than a destination. It keeps DES's 64-bit block size and costs three DES operations per block, and the DES algorithm itself is becoming obsolete and will eventually need replacing. The National Institute of Standards and Technology (NIST) is holding a competition to select the Advanced Encryption Standard (AES) as the replacement for DES, and has endorsed Triple DES as an interim standard to be used until the AES is finished.

To receive a copy of the consortium's specification and submit comments, go to

