Each day in the United States alone over 100 million transactions aggregating $5 Billion are authorized and initiated by cardholders at over 400,000 Automated Teller Machines (ATMs) and seven million Point-of-Sale (POS) terminals. Securing the massive daily financial flow against fraud and loss relies upon protecting and verifying cardholder Personal Identification Numbers (PINs) using methods, structures, and cryptographic algorithms originating over twenty-five years ago.
Data security systems, such as financial systems, use security techniques and systems originating in the early 1980s that were based on technologies created in the late 1970s. Computational power, cryptanalytic knowledge, breadth of targets, and creative ingenuity accessible to potential attackers have grown dramatically since origination of the systems, while defensive technologies have scarcely evolved.
The Personal Identification Number (PIN) is a basic construct for establishing identity and authorizing consumer financial transactions.
In current technology, a PIN transmitted through a network frequently passes through multiple nodes in several transaction zones. The PIN is translated from one encryption under one key to encryption under another key as the transaction passes from each zone and/or node to the next. If security is broken at any of the PIN translation points, or where some other cryptographic process takes place, PINs can be compromised.
Currently PINs are encrypted at a point-of-entry and sent with other transaction data to an acquiring host. The acquirer passes the transaction data to a financial switch that, in turn, forwards the transaction to a card issuer server. Separate keys are maintained at each zone for every adjoining node and PINS are translated—decrypted and re-encrypted—by hardware security modules at each hop. The system is complex and fragile with respect to security.