I received a couple of questions via email and wanted to take the time to provide a "coupla" answers. If you have any questions about anything I've blogged about over the past year, feel free to shoot me one. My email is below:
Here's the first question:
Q: Is Triple DES a better encryption standard than DUKPT (Derived Unique Key Per Transaction)?
A: I've used the terms Triple DES and DUKPT quite a bit in recent posts. To clarify, let's start by saying that DUKPT does not really compete with Triple DES: one is a cipher, the other is a key-management scheme that decides which key that cipher uses for each transaction. Let's go over them one by one.
DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976. It works on 64-bit blocks with a 56-bit key.
Triple DES, sometimes shortened further to 3DES, raises the cost of cracking the cipher by applying DES three times: an encryption, a decryption and another encryption (EDE). With three independent keys the key is 168 bits long (roughly 112 bits of effective strength, because of meet-in-the-middle attacks); the two-key form that is common in payment systems, where the first and third keys are the same, uses a 112-bit key.
3DES has become popular for encrypting financial transactions because it is far more secure than single DES, whose 56-bit key has been recovered by brute force with relatively cheap, purpose-built hardware.
Both DES and 3DES use a symmetric key: the same key enciphers and deciphers the protected data. Keeping that key secret, and getting it to both ends in the first place, requires a secure key-management system.
Worldwide, POS devices handle a huge volume of transactions every day. If the keys to even a small portion of that traffic were discovered, we'd have a tremendously huge problem. Which is my segue to DUKPT.
One way to limit the damage is to use a different key for each transaction, which is exactly what DUKPT (Derived Unique Key Per Transaction) does. HomeATM's secure devices (and thus your transactions) are "Protected by DUKPT": each device is initialized with its own initial key, which the host derives from a master key called the Base Derivation Key (BDK). The BDK itself stays at the host and is never loaded into a terminal. From that initial key the device derives a unique key for each transaction, using a counter that it sends to the host in clear as part of the Key Serial Number (KSN), so the host can re-derive the same key from the BDK and the KSN without any key ever crossing the wire.
The benefit of DUKPT is that the derivation is one-way: even if an attacker discovered the key to a particular transaction, none of the other transactions from the same device could be decrypted with that key, and the device erases each key once it has been used, so it cannot be pulled out of the device afterwards.
That said, a potential attack point (for a fraudster) would be the key material stored in the encrypting device. DUKPT itself limits the exposure, since the device keeps only the handful of future keys it still needs and never holds the BDK. On top of that, HomeATM's device is tamper-responsive: tampering with the device wipes this key material out. The one key that would unlock everything is the BDK at the host, which is why key management on the processor side matters as much as the terminal itself.
These derived keys are used to encrypt transaction data with a symmetric cipher such as 3DES. HomeATM also takes it one step further and encrypts the Track 2 data as well, not only the PIN block. If you ever have any questions regarding financial transaction security or how HomeATM provides true end-to-end-encrypted transactions, feel free to email me.
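To make the DUKPT mechanics concrete, here is an added example of the key-derivation structure described above. This is not HomeATM's code and not a conforming ANSI X9.24 implementation: HMAC-SHA256 stands in for the TDES-based derivation steps of the standard, a small XOR keystream stands in for 3DES on the transaction data, and the 5-byte device identifier, the "initial-key" and "working-key" labels, the BDK and the sample Track 2 string are all constructed for the demo. What it does show faithfully is the shape of the scheme: a BDK that stays at the host, one initial key per device, a 21-bit counter carried in the KSN, a one-way key tree in which the device erases each key after use, and a host that re-derives the transaction key from the KSN alone.

```python
import hashlib
import hmac
import os

COUNTER_BITS = 21  # X9.24 keeps a 21-bit transaction counter in the KSN
TRACK2 = b";4111111111111111=2512101?"  # constructed sample Track 2 data


def prf(key: bytes, data: bytes) -> bytes:
    """One-way derivation step; stand-in for the standard's TDES-based steps."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def derive_initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Host / key-injection side: the per-device initial key (IPEK in X9.24).
    The BDK itself is never injected into a terminal. Label is an assumption."""
    return prf(bdk, b"initial-key" + device_id)


def counter_key(initial_key: bytes, device_id: bytes, counter: int) -> bytes:
    """Host side: walk the counter's set bits from MSB to LSB, deriving one
    child per set bit. A counter's key depends only on the keys of counters
    whose set bits are a prefix of its own, never on a sibling or later key."""
    assert 0 < counter < (1 << COUNTER_BITS)
    key, partial = initial_key, 0
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if counter & (1 << bit):
            partial |= 1 << bit
            key = prf(key, device_id + partial.to_bytes(3, "big"))
    return key


def working_key(derivation_key: bytes) -> bytes:
    """Key actually used to encrypt, derived one-way from the derivation key so a
    leaked working key cannot be walked back up the tree. (TDES DUKPT obtains its
    PIN key by XORing a fixed mask onto the derivation key, which is not one-way.)"""
    return prf(derivation_key, b"working-key")


def stand_in_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for 3DES on the transaction data: XOR with an HMAC keystream.
    Symmetric, so the same call decrypts."""
    blocks = len(data) // 16 + 1
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class Device:
    """Terminal side. Holds the counter and at most COUNTER_BITS future keys;
    the initial key is discarded once the first row of future keys exists."""

    def __init__(self, initial_key: bytes, device_id: bytes):
        self.device_id = device_id
        self.counter = 0
        # future[bit] = derivation key for the counter (current prefix | 1 << bit)
        self.future = {b: prf(initial_key, device_id + (1 << b).to_bytes(3, "big"))
                       for b in range(COUNTER_BITS)}
        del initial_key  # the device never keeps it

    def transaction(self, data: bytes):
        self.counter += 1
        c = self.counter
        low = (c & -c).bit_length() - 1  # index of the lowest set bit of c
        key = self.future.pop(low)       # used once, then erased from the device
        for bit in range(low):           # children for the counters c | 1 << bit
            child_counter = (c | 1 << bit).to_bytes(3, "big")
            self.future[bit] = prf(key, self.device_id + child_counter)
        ksn = self.device_id + c.to_bytes(3, "big")  # travels in clear
        return ksn, stand_in_encrypt(working_key(key), data)


class Host:
    """Acquirer / processor side: holds the BDK and re-derives each
    transaction key from the KSN that arrives with the message."""

    def __init__(self, bdk: bytes):
        self.bdk = bdk

    def decrypt(self, ksn: bytes, ciphertext: bytes) -> bytes:
        device_id, counter = ksn[:-3], int.from_bytes(ksn[-3:], "big")
        key = counter_key(derive_initial_key(self.bdk, device_id), device_id, counter)
        return stand_in_encrypt(working_key(key), ciphertext)


def run_demo(n_transactions: int = 5):
    """Inject one device, run n transactions, decrypt each at the host.
    Returns a list of (ksn, ciphertext, recovered plaintext)."""
    bdk = os.urandom(16)                  # stays at the host / key-injection facility
    device_id = b"\x12\x34\x56\x78\x9a"   # constructed KSN prefix (key set + device)
    host = Host(bdk)
    device = Device(derive_initial_key(bdk, device_id), device_id)
    results = []
    for _ in range(n_transactions):
        ksn, ct = device.transaction(TRACK2)
        results.append((ksn, ct, host.decrypt(ksn, ct)))
    return results
```

Two details of the real standard are deliberately left out: X9.24 skips counter values with more than ten set bits, which bounds the derivation chain length, and it uses double-length TDES keys rather than 16-byte HMAC keys. The property worth noticing when you run it is that after each transaction the key that was just used is gone from `device.future`, while the host can still recompute it from the BDK and the KSN.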
Before I get to the next question, I've got one for you.
When you "type" your card number into a "box" on a merchant website, is it protected by DUKPT? Is it encrypted? If so, with DES or 3DES? First one to send me the correct answer gets a free HomeATM PED!
Q: What is TRUE end-to-end encryption (E2EE)?
A: First of all, "true" end-to-end encryption can only occur with a PIN-based transaction. It doesn't exist outside of that scope, because there is a point in the process where the cardholder data is decrypted before it is re-encrypted, and that is the point where it is vulnerable. (PIN blocks are also translated from one key to the next as they pass from acquirer to network to issuer, but that translation happens inside a hardware security module, so the clear PIN is never exposed outside the HSM.)
With that said, Heartland's proposal for end-to-end encryption has turned E2EE into a hot topic.
I would point out that Heartland's E2EE proposal came AFTER their breach, while HomeATM instituted end-to-end encryption from the very beginning. I'm not bragging; I'm proudly displaying our insight into the weaknesses inherent in the payments system and how we improved upon them. But let's get back to Heartland, shall we? In this post I will attempt to explain why they cannot magically snap their fingers and introduce E2EE on their own. They need cooperation from others in the industry.
While it's true that some large U.S. retailers encrypt cardholder data while in transit, it's also true that most don't. Therefore, in order for E2EE to work, a lot of retailers would need to revamp their systems. Very costly indeed.
In addition, the top full-service U.S. payment processors also don't currently support E2EE; thus, retailers that encrypt card data in transit typically must decrypt it before they send it to their processor.
The key word here is decrypt. Wherever the data is decrypted it sits in the clear on that system, and that is the weak point, the vulnerability, and as such, also the problem.
That said, PIN Debit is an entirely different animal. Card brand standards require that PINs be encrypted end-to-end. In fact, speaking about Heartland's quest for E2EE, Distinguished Gartner Analyst Avivah Litan stated:

"End-to-end encryption would be most effective if data was encrypted from the time a card was swiped at a POS until it reached the card issuer, similar to the way personal identification numbers (PINs) currently are encrypted according to card brand standards."

Starting to get the point? If not, here's some more insight, as Ms. Litan went on to state:

"Heartland is limited by the scope of systems it manages and from which it accepts data; it can only seek to influence the card industry to carry end-to-end encryption beyond the processor stage, through the card networks and onto the card issuers.
"The proposal's success also depends on merchants' willingness to invest in terminal upgrades that support card data encryption."
(Editor's Note: For instance, HomeATM's PCI 2.0 Certified SafeTPIN PED, which also encrypts the Track 2 data.) Avivah continues:
"If Heartland implements its proposed project more securely than it has managed in the past with its network, it will make payment card processing more secure for merchants, especially if they don't manage the encryption keys and leave key management to their processor."
(Editor's Note: Can you provide an example of a "sound key management practice"? That's why HomeATM is the closest thing to TRUE end-to-end encryption in the industry, our industry being eCommerce payments and Real Time Money Transfer.) Avivah continues:

"Nevertheless, the process will always include vulnerabilities at the point where data is encrypted and decrypted. These vulnerabilities can be limited by using sound key management practices and enforcing extra security measures, such as requiring two separately managed sets of keys for cryptographic operation."
In the bricks-and-mortar world, end-to-end encryption doesn't exist today, and the whole system would need to be revamped. You can learn more about that in this related post, where Avivah Litan asks:
- Hacked! Is Visa Next? (pindebit.blogspot.com)