Society of Payment Security Professionals Forum  

  #1  
02-08-2010, 08:44 PM
nambiarenator
Junior Member
Join Date: Mar 2009
Posts: 29
GPRS encryption

We have the following setup at our end.

We have mobile ATMs for which we use a corporate GPRS service (client to site). Our service provider gives us an APN name which is unique per subscriber. All the SIMs subscribed to the corporate GPRS service only connect to the APN to establish a data communication channel.

Can anyone please let me know whether encryption would be mandatory in the aforementioned type of setup?


Thanks in anticipation!

Last edited by nambiarenator; 02-08-2010 at 08:51 PM.
  #2  
02-08-2010, 10:57 PM
lyalc
Senior Member
Join Date: Mar 2007
Posts: 580

The PCI Glossary includes GPRS as a network considered "public" and hence untrusted.

Recent hacker-conference presentations have shown that the commonly used A5/1 and A5/2 encryption algorithms used by most/all GPRS network operators are trivially weak. Source code is, I think, openly available.

Accordingly, transmission of card data on GPRS networks needs additional encryption beyond that available from the carrier - SSL, IPSEC etc.

Also, the PCI network controls relevant to any other wireless network and PCI section 1 (e.g. perimeter firewalls) are required in the scenario.

lyalc
  #3  
02-10-2010, 12:42 PM
jbhall56
Senior Member
Join Date: Feb 2007
Location: Minneapolis, MN
Posts: 1,282

I would concur with Lyalc's analysis that you need something additional to secure your communications link between your ATM switch and the ATMs.

We had a banking client a number of years ago that had ATMs posted at a number of sports venues that used cellular technology for the communications link to these ATMs. They were using a Cisco router that connected to a cellular modem. The router implemented an encrypted VPN link between the ATM and the ATM switch to secure the ATMs' communications.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
All times are GMT -8.


Copyright (c) The Aegenis Group, Inc.