Triple Data Encryption
Triple Data Encryption Standards (TDES) defined
TDES is the American National Standards Institute (ANSI)-sanctioned encryption algorithm standard used by all debit-capable transaction terminals for PIN encryption. TDES (also known as Triple DES or 3DES) was developed to combat potential security breaches and to provide stronger protection than its predecessor, the Data Encryption Standard (DES).
The TDES algorithm uses either a 16-byte "double-length" key (32 hexadecimal digits) or a 24-byte "triple-length" key (48 hexadecimal digits). With either key length, the DES encryption algorithm is run three times. TDES uses three key parts for these three runs (with a double-length key, the first part is reused as the third), whereas DES runs the algorithm once with a single key.
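The three runs described above, as an added example that is not part of the original page: it expands a double- or triple-length key into three 8-byte parts, applies the standard encrypt-decrypt-encrypt (EDE) sequence with Go's `crypto/des`, and flags keys whose repeated parts collapse TDES to single DES. The function names, the key and the 8-byte block are constructed for illustration.

```go
package main
import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// expandKey turns a 32- or 48-hex-digit key into K1|K2|K3; a double-length key reuses K1 as K3.
func expandKey(hexKey string) ([]byte, error) {
	k, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, err
	}
	switch len(k) {
	case 16:
		return append(k, k[:8]...), nil
	case 24:
		return k, nil
	}
	return nil, fmt.Errorf("TDES key must be 32 or 48 hex digits")
}

// edeBlock runs DES three times on one 8-byte block: encrypt with K1, decrypt with K2, encrypt with K3.
func edeBlock(key24, block []byte) []byte {
	out := append([]byte(nil), block[:8]...)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(key24[i*8 : i*8+8]) // cannot fail: the slice is always 8 bytes
		if i == 1 {
			c.Decrypt(out, out)
		} else {
			c.Encrypt(out, out)
		}
	}
	return out
}

// isDegenerate reports keys where K1==K2 or K2==K3, which cancel down to single DES strength.
func isDegenerate(key24 []byte) bool {
	return bytes.Equal(key24[:8], key24[8:16]) || bytes.Equal(key24[8:16], key24[16:])
}

func main() {
	key, _ := expandKey("0123456789ABCDEFFEDCBA9876543210") // constructed double-length test key
	ref, _ := des.NewTripleDESCipher(key)
	want := make([]byte, 8)
	ref.Encrypt(want, []byte("PINBLOCK")) // constructed 8-byte block, not a real PIN block
	fmt.Printf("%x %x degenerate=%v\n", edeBlock(key, []byte("PINBLOCK")), want, isDegenerate(key))
}
```

The two hex strings printed are identical, showing that the manual three-pass sequence matches the library's TDES cipher. `crypto/des` does not reject degenerate keys itself, so a check like `isDegenerate` belongs in key-handling code before a key is accepted.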
When is the Compliance Deadline?
Security upgrades mandated by Visa® required that all debit-capable, point-of-sale PIN-entry devices (POS PEDs) comply with TDES by July 1, 2010. Any U.S. merchant accepting PIN debit transactions who did not comply with the TDES requirement by July 1, 2010 is at risk of losing the ability to accept PIN debit transactions. Merchants may also face Visa enforcement for not using TDES on all attended POS after August 1, 2012.
How to Check Compliant POS-PED Devices
To verify that your POS PEDs are compliant, look at the bottom of your equipment to see whether it carries a TDES certification label. If you cannot locate this information, feel free to contact us at 866.823.1960 and we can assist you further.
Does this upgrade only affect Global Processing System merchants?
No, it affects everyone. Visa made it mandatory for all merchants to upgrade their POS PEDs with TDES by July 1, 2010. Visa instructed its members, the acquiring financial institutions and processors, to manage compliance. Global Processing Systems has notified all of our customers of these changes.
Who will pay for the TDES upgrade?
Any merchant will be responsible for the costs associated with their upgrade if they wish to continue accepting Visa PIN debit cards. Pricing and equipment upgrades will depend upon the age of the merchant’s current equipment, type of equipment, and POS network service providers.
Will TDES require buying new equipment?
It is possible that some Global Processing System merchants are using debit-capable transaction terminals that are TDES-capable, but they would need to be injected with the correct TDES encryption keys. As mandated by Visa, a merchant with a TDES-capable POS PED may upgrade simply with an injected POS PED. A merchant with a non-capable POS PED must purchase a capable, injected POS PED.
Does Visa have any additional documentation on this security requirement?