Millions of terminals, hundreds of millions of cryptographic keys — and someone has to keep track of it all. Executives from GEOBRIDGE and POS Portal spoke to PYMNTS about the ways key management works across far-flung distances, under urgent deadlines, to make sure all goes as expected when cards get swiped at the terminal.
GEOBRIDGE: Encryption Key Management: The Dos And Don’ts
Most consumers never give a second thought to the technology that underpins payments. When a customer swipes or inserts a card at the point of sale (POS), what’s top of mind is the item they have paid for, perhaps the payment method, and maybe how they’ll get it home. They might muse over how much money is left in the till, so to speak, after the completed transaction.
But the intricacies of what happens when a customer swipes or inserts their card may never cross their mind. Technology, after all, stays in the background when it works well.
However, pause for a minute and the intricacies of what it takes to pay — the mechanics that underpin the billions of payments across millions of terminals, far-flung across the globe — might seem staggering.
Consider how each terminal holds a cryptographic key — one that, in turn, derives a unique cryptographic key each and every time a cryptographic transaction occurs. Those keys are needed to render the card data unreadable in transit yet still usable for processing. And the keys themselves? Voluminous. To the tune of millions of keys, tied to devices and terminals, they cross sales channels — through resellers — and are used by end customers, such as merchants.
Think then of key management as the “key to the key.” It is no easy task when the keys must be injected onto terminals, as well as managed and tracked — in essence, finding the proverbial needle in a haystack. Get the process wrong, and the terminal is rendered unable to process payments and, by extension, the merchant loses sales.
In an interview with PYMNTS, executives from strategic market partners GEOBRIDGE and POS Portal delved into the intricacies of key management — a field where scale, accuracy and speed are paramount in a world in which digital transactions are gaining traction. The two companies tackle the complexities of managing keys on a global scale, as POS Portal works to deploy keys across terminals before they reach resellers or end merchants.
And it’s no cookie-cutter process. POS Portal takes point of interaction (POI) devices and configures them to the specifications demanded by various stakeholders in the payments space. Those stakeholders range from acquirers to processors to ISOs. That configuration from POS Portal, in tandem with GEOBRIDGE’s KeyBRIDGE platform, is essential — and so is its monitoring — before the devices are shipped into the channel.
Streamlining Key Management
The executives who spoke to PYMNTS noted that POS Portal — as a long-standing GEOBRIDGE customer — continues to expand its newer, more efficient and streamlined services by collaborating with GEOBRIDGE to extend KeyBRIDGE as the centralized key management platform that anchors the operation.
GEOBRIDGE Chief Technology Officer Jason Way said, in combining his firm’s centralized key management appliance and POS Portal’s hardware offerings, “We work together to create an agnostic solution that allows for the injection of [POS] terminals with the dozens, if not hundreds, of manufacturers. All of these practices are heavily monitored and audited through PCI and other sub-audit practices. At the end of the day, you need to have a very secure end-to-end facility — and it is a very high-stress environment with [daily] deadlines.”
Gone are the days when a POS device might be outfitted with a single encryption key needed for debit transactions. Now, with the emergence of things like point-to-point encryption, POS devices are increasingly being fitted with as many as 10 encryption key slots.
The permutations are staggering. Consider that, as POS Portal Senior Product Engineer Brandon Audisio said, base derivation keys can be injected onto any certified terminal. All told, POS Portal leverages GEOBRIDGE technology to manage cryptographic keys for all major acquirers across the industry. The sense of scale and management required quickly becomes apparent, if not daunting. The KeyBRIDGE platform, GEOBRIDGE’s enterprise key management system, tracks unique keys. PYMNTS learned that KeyBRIDGE can track granular information, including manufacturer, model and physical serial number — everything, right down to the specific key slots to which any of those keys were sent.
This extended functionality is made possible, in part, through GEOBRIDGE’s ARCK™ secure RESTful API, which helps ensure keys are delivered in a secure environment.
All of this, by the way, takes place against a backdrop where regulations are only getting stricter. From an audit perspective, POS Portal must prove that it placed a unique key into every single device that goes out the door.
The configurations are no cookie-cutter variety either, said Audisio, as they are all customized, to some degree. In essence, they build “a thousand things a thousand times,” rather than one thing a thousand times. The keys must be managed in a clean, structured format and in a centralized way that Audisio said “makes it fairly easy for someone without a lot of experience to manage those assets with a high level of accuracy.”
So, with scale comes considerable customization, but also — critically — the need for speed. The executives from both companies told PYMNTS that haste without waste is top of mind. That point — quick turnarounds — was emphasized by POS Portal’s VP of Client Solutions Evamarie K. Ghiggeri.
Ghiggeri told PYMNTS, “Accuracy and speed are critical. We get thousands of orders every day.”
GEOBRIDGE’s Jason Way said, “One of the bigger challenges when new devices hit the market is trying to figure out, ‘Does the device work?’ They go through a certification process with the acquirer and, as is all too often the case, the acquirers have a lot of keys too, and they’re trying to prove it works or doesn’t work. Sometimes they can’t figure out which key was actually used to run the test transaction.”
To avoid the possibility of mistakes or confusion in configuration, POS Portal’s Drawbridge program leverages API calls made through the KeyBRIDGE appliance. This systematic verification process ensures that any one of the 500 million-plus configurations is confirmed before a device is ever shipped.
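The audit requirement described above (a provably unique key in every shipped device, tracked down to manufacturer, model, serial number and key slot) and the pre-shipment configuration check can both be made mechanical. The following is an added example, not GEOBRIDGE or POS Portal code: it audits a constructed injection log for reused keys and for devices whose populated slots do not match a hypothetical configuration profile; the key check value is a simplified SHA-256 stand-in for an industry KCV, and all vendor, profile and serial names are constructed.

```python
import hashlib
from dataclasses import dataclass

# Simplified check value (first 6 hex digits of SHA-256 over the key); industry
# KCVs differ, but either way the inventory identifies a key without storing it.
def check_value(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:6]
@dataclass(frozen=True)
class Injection:  # one row of the injection log
    manufacturer: str
    model: str
    serial: str
    slot: int
    kcv: str
# Hypothetical profiles (constructed): which key slots each spec requires filled.
PROFILES = {"acq-A-p2pe": {0, 1, 5}, "acq-B-debit": {0}}
def audit(records, device_profiles):
    """Return findings for a shipment batch; an empty list means it passes."""
    findings = []
    # 1. Uniqueness: a check value seen on two serials means a key was reused.
    serials_by_kcv = {}
    for r in records:
        serials_by_kcv.setdefault(r.kcv, set()).add(r.serial)
    for kcv, serials in sorted(serials_by_kcv.items()):
        if len(serials) > 1:
            findings.append(f"key {kcv} reused across {sorted(serials)}")
    # 2. Completeness: populated slots must equal the profile's required slots.
    slots_by_serial = {}
    for r in records:
        slots_by_serial.setdefault(r.serial, set()).add(r.slot)
    for serial, profile in sorted(device_profiles.items()):
        expected, actual = PROFILES[profile], slots_by_serial.get(serial, set())
        if actual != expected:
            findings.append(f"{serial}: slots {sorted(actual)} != {sorted(expected)}")
    return findings

def run_sample():
    # Constructed batch: SN-0003 reuses SN-0001's slot-0 key and lacks slot 5.
    k = lambda label: check_value(label.encode())  # stand-in key material
    records = [
        Injection("VendorX", "T100", "SN-0001", 0, k("key-1")),
        Injection("VendorX", "T100", "SN-0001", 1, k("key-2")),
        Injection("VendorX", "T100", "SN-0001", 5, k("key-3")),
        Injection("VendorY", "D20", "SN-0002", 0, k("key-4")),
        Injection("VendorX", "T100", "SN-0003", 0, k("key-1")),
        Injection("VendorX", "T100", "SN-0003", 1, k("key-5")),
    ]
    profiles = {"SN-0001": "acq-A-p2pe", "SN-0002": "acq-B-debit", "SN-0003": "acq-A-p2pe"}
    return audit(records, profiles)
```

A real deployment would read the log from the key management appliance rather than an inline list, and would block shipment of any serial named in the findings.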
“If someone gets the wrong thing from us, they aren’t going to be able to accept payments, and they’re going to be losing money,” said POS Portal’s Audisio. “We know the entire configuration stack that was supposed to go on to that [terminal], and now we have an automated confirmation of exactly what got put onto that device.”
Working in tandem, he said, the two companies leverage technology to ensure hardware will work the way it’s supposed to when it gets there — and, crucially, before it ever ships out.