AES is the symmetric crypto algorithm du jour, but AES remains largely unused by retail banking terminals, which have only recently been dragged into the 1990s by migrating from 1DES to 3DES. The journey from 3DES to its successor AES would be fraught with peril; here be dragons.
The relatively recent upgrading of ATMs and EFT-POS devices from 1DES to 3DES was obviously worthwhile, but nonetheless was arduous, costly, and protracted, involving epic changes to technology and infrastructure. These difficulties arose despite the crypto algorithm remaining unchanged – 3DES simply performs 1DES three times, using a different key for the middle iteration. How much more difficult would it be to migrate to an entirely new algorithm?
From the terminal's perspective, moving to AES would affect at least the following areas:
• Loading AES master keys into the PIN-pad, either by local keyboard entry or by "remote key loading" across a public network.
• Downloading AES working keys.
• AES for PIN encryption, MACing, and EMV cryptograms.
• Administrative reports, such as the AES keys' check digits, or which AES keys are loaded.
• AES as part of the cipher suite for SSL communications.
Aside from a new algorithm, the lengths of the keys and data would also change. AES keys are 128, 192, or 256 bits long, while 3DES keys are 112 bits. AES encrypts data in 128-bit blocks, DES in 64-bit blocks. These different lengths would impact the entire infrastructure.
The $26.103 question is how to encrypt a PIN or generate a MAC using AES. I would be interested to know if there are plans to release AES extensions for the ANSI X9.8 (PIN) and X9.19 (MAC) standards.
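As an added illustration (not part of the original post), the following builds the 64-bit clear PIN block of ISO 9564-1 format 0, the layout X9.8 uses, and shows that it fills one DES block exactly but leaves half of an AES block undefined. The PIN and PAN are constructed sample values, and the function names are this example's own.

```python
# Added example: ISO 9564-1 format 0 clear PIN block (the X9.8 layout).
# PIN and PAN values used with it are constructed samples, not real data.
DES_BLOCK_BYTES = 8    # DES and 3DES encrypt 64-bit blocks
AES_BLOCK_BYTES = 16   # AES encrypts 128-bit blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pin_field(pin: str) -> bytes:
    """Nibbles: 0, PIN length, PIN digits, then F fill up to 16 nibbles."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """Nibbles: 0000, then the 12 rightmost PAN digits before the check digit."""
    if not (pan.isascii() and pan.isdigit() and len(pan) >= 13):
        raise ValueError("this sketch expects a PAN of at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_clear_block(pin: str, pan: str) -> bytes:
    """XOR of both fields: the 8 bytes handed to the cipher."""
    return _xor(pin_field(pin), pan_field(pan))


def recover_pin(block: bytes, pan: str) -> str:
    """Undo the XOR and read the PIN back using the length nibble."""
    if len(block) != 8:
        raise ValueError("a format 0 PIN block is exactly 8 bytes")
    field = _xor(block, pan_field(pan)).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    return field[2:2 + int(field[1], 16)]


def unfilled_bytes(block: bytes, cipher_block_bytes: int) -> int:
    """Bytes a format would still have to define to fill whole cipher blocks."""
    return -len(block) % cipher_block_bytes


if __name__ == "__main__":
    blk = format0_clear_block("1234", "4000001234567899")
    print(blk.hex().upper(), recover_pin(blk, "4000001234567899"))
    print("DES:", unfilled_bytes(blk, DES_BLOCK_BYTES),
          "AES:", unfilled_bytes(blk, AES_BLOCK_BYTES))
```

The eight unfilled bytes in the AES case are why swapping the cipher alone is not enough: a PIN block layout for a 128-bit cipher has to say what goes in them.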
After the expense and effort of the migration from 1DES to 3DES, and given that 3DES is still considered adequately strong (unlike 1DES upon its abandonment), I find it difficult to envision much industry enthusiasm for a move to AES. I find it easier to envision deployers gathering as an angry pitchfork-wielding mob, chanting that they will adopt AES when you pry 3DES from their cold dead PIN-pads.
Update 19/Oct/2012
I just saw a working draft of a new version of ISO 9564-2 (approved algorithms for PIN encipherment) which includes AES. The details of the AES implementation are still being debated, but it's really happening. The first snowflake of the avalanche...