‘No Card Payment Possible’ – What Germany’s Recent Payment Outage Means for Businesses Across the World

  • Jason Way, SVP of Payment Technologies at Utimaco

  • 28.06.2022 02:30 pm
  • #payments

Germany’s slow progress towards using cards over cash was dealt another blow in recent weeks as thousands of card reader terminals across the country suddenly stopped being able to accept Visa payments. Retailers had to tell customers to pay by cash, Mastercard or another form of payment, since every H5000 card reader was unable to connect to a network operator to carry out transactions. Although it was mostly older card readers that were affected, even larger chains like Aldi and Zara experienced problems. Some terminals could be updated remotely, but many needed to be updated manually.

It was only during the pandemic that card payments overtook cash payments in Germany, while in the UK the crossover happened as early as 2016. Although contactless payments are rising rapidly, there is a culture of concern about privacy in Germany that isn’t present in many similar countries, and it has slowed the public’s adoption of payment cards. This recent outage isn’t going to help matters.

However, there are top-level changes to the way that card readers work that could fix these problems, or at the very least allow them to be fixed far more easily. New key injection systems mean that payment companies can send updates to all the card readers on their network, bypassing the difficult procedures that have previously been in place.

So, what are these changes and how might they prevent another large-scale payment outage?

Key blocks and payments

Most people would assume that point of sale (POS) systems would be frequent targets for criminals – after all, $8.5 trillion in digital payments are estimated to be made this year, and taking even a tiny percentage of that would be highly lucrative. However, there is very little significant fraud in this area, thanks to the rock-solid cryptography that the various Payment Card Industry (PCI) standards (including PCI PIN, PCI Card Production, and PCI P2PE) require in payment devices. The use of cryptographic keys to encrypt data in transit is one of the most powerful means for securing data in a digital world, but as we’ll see, the way that these keys are implemented is changing and could have profound impacts on not just payments but IoT devices.

Based on recent mandates from PCI, encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods. The X9.143 (formerly TR-31) secure key block standard specifies an acceptable method of ‘wrapping’ keys into blocks which are more secure and tamper-proof, but can still be used by the correct parties, which in turn enables keys to be loaded remotely with sufficient trust and assurance. Additionally, the X9.24-3-2017 symmetric key management standard and the TR-34 (currently being standardized into X9.139) asymmetric key management technique incorporate this key block standard.
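As an added illustration (not code from the original article or from any vendor), the sketch below models the binding described above: a fixed header carrying the key's usage, laid out as in TR-31, is authenticated together with the key data, so a block whose usage field has been altered is rejected. It is a simplified model: the MAC is a truncated HMAC-SHA256 rather than the standard's CMAC, the key data is a constructed placeholder rather than real ciphertext, and all function names are assumptions.

```python
import hashlib
import hmac

HEADER_LEN = 16   # fixed ASCII header, field layout as in TR-31
MAC_HEX_LEN = 32  # 16-byte MAC, hex-encoded

def _mac(mac_key: bytes, data: str) -> str:
    # Stand-in MAC (assumption): truncated HMAC-SHA256 instead of the standard's CMAC.
    return hmac.new(mac_key, data.encode("ascii"), hashlib.sha256).digest()[:16].hex().upper()

def wrap(mac_key: bytes, usage: str, algorithm: str, mode: str,
         exportability: str, key_ciphertext: bytes) -> str:
    body = key_ciphertext.hex().upper()
    total = HEADER_LEN + len(body) + MAC_HEX_LEN
    # version 'D', length, usage, algorithm, mode, key version '00',
    # exportability, optional-block count '00', reserved '00'
    header = f"D{total:04d}{usage}{algorithm}{mode}00{exportability}0000"
    assert len(header) == HEADER_LEN
    return header + body + _mac(mac_key, header + body)

def unwrap(mac_key: bytes, block: str) -> dict:
    if len(block) < HEADER_LEN + MAC_HEX_LEN:
        raise ValueError("key block too short")
    header, body, mac = block[:HEADER_LEN], block[HEADER_LEN:-MAC_HEX_LEN], block[-MAC_HEX_LEN:]
    if not header[1:5].isdigit() or int(header[1:5]) != len(block):
        raise ValueError("length field does not match key block")
    # The MAC covers header and key data together, so attributes cannot be edited separately.
    if not hmac.compare_digest(_mac(mac_key, header + body).encode(), mac.encode()):
        raise ValueError("MAC check failed: header or key data was modified")
    return {"version": header[0], "usage": header[5:7], "algorithm": header[7],
            "mode": header[8], "key_version": header[9:11],
            "exportability": header[11], "key_ciphertext": bytes.fromhex(body)}

# Constructed sample values, not real key material.
MAC_KEY = bytes(range(32))
SAMPLE_CT = bytes.fromhex("00112233445566778899aabbccddeeff")

def demo():
    block = wrap(MAC_KEY, "P0", "A", "E", "N", SAMPLE_CT)  # P0 = PIN encryption key
    accepted = unwrap(MAC_KEY, block)["usage"]
    relabelled = block[:5] + "D0" + block[7:]               # usage field edited in transit
    try:
        unwrap(MAC_KEY, relabelled)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```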

However, developing standards is only the first step. The global payment ecosystem is very complex, with deeply embedded roots of trust that were designed to operate for a long time and are not easily adapted to new key management standards. Thus, the challenge is not only in designing and deploying new appliances (e.g., POS devices, hardware security modules (HSMs), etc.) according to these new standards but also in migrating legacy systems and their keys into compliant key blocks. This requires extensive investment and planning and is largely why PCI has recently extended the implementation deadlines several times. But it is finally being required worldwide, so that by June 1st of 2025 all keys will be stored and exchanged in key blocks, making the process of updating keys on POS devices much easier and more secure.

The implications for payments

As the digital world continues to connect more and more POS payment devices, IoT devices are becoming increasingly common and are being connected to the wireless digital landscape rapidly. Remote key injection makes it simple to keep payment devices secure, and makes them inexpensive to manufacture and maintain. The remote key injection payment standards are in place and financial ecosystems are racing to comply. These new standards and infrastructures should be leveraged for IoT security as it grows from its infancy and converges with the payment ecosystem.

This ability to issue mass updates to payment systems across countries, or even across the world, might not be able to prevent problems like those that affected Germany – there will always be human error – but it will be able to significantly reduce the time taken to fix the problem. Being able to reduce outages from days to minutes will go some way towards helping German shoppers become more comfortable with using payment cards.
