White Paper

The Importance Of A Secure Payment Device

Data Security

According to the Identity Theft Resource Center’s (ITRC) yearly breach list, there were 781 reported breaches in 2015 and 1,093 in 2016. The number of data breaches tracked through June 30, 2017 hit a half-year record high of 791, a jump of 29 percent over 2016 figures during the same period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37 percent annual increase over 2016 [1]. The average total cost of a data breach is now $4 million, with a cost per stolen record of $158. This marks a 29 percent increase in total cost per breach since 2013 [2].

As the numbers on data breach statistics continue to rise, it is clear a new approach to data security is needed if organizations want to stay ahead of the attackers and more effectively protect their data, customer information, and bottom lines.

One clear place to start is with point of sale (POS) payment devices. These systems are exposed because they allow direct cardholder interaction, sometimes in an unattended setting, which poses data security challenges. The usage and operational modes of the machine and its software need to be constrained to just the tasks necessary to perform a transaction, and precautions must be taken to reduce the chance of data being stolen, copied, fraudulently entered, or otherwise misused.

Features of a Secure Payment Device

According to Justin Ning, director of sales at ID TECH, the following features are essential to preventing POS attacks:

  1. Encryption. Sensitive card data is encrypted at the time of use and cannot be decrypted or reused fraudulently. Encrypting card data at the point of use prevents it from being sniffed, stolen, or detected by outside parties.
  2. More Encryption. For maximum security, industry-standard Triple Data Encryption Standard (Triple DES, or TDES) and/or Advanced Encryption Standard (AES) encryption are used, making it highly unlikely that stolen data will ever become usable. ID TECH offers card readers that use 128-bit keys that meet or exceed industry standards for strong data encryption.
  3. Single Use Keys. Derived Unique Key Per Transaction (DUKPT) key management prevents transactions from being “replayed” due to the unique-key-per-transaction feature. DUKPT key management incorporates sophisticated algorithms that make a key usable only one time. Up to 1 million transactions can be performed consecutively on the same machine without reusing a key.
  4. Single Use Device Isolation. Payment devices, like Advantech’s UPOS-510, can operate isolated from other computers, reducing the risk of data commingling or other adverse consequences. Security is enhanced when payment machines are dedicated to a single purpose (payments) and not reused for other things (like word processing).
  5. Read-Only Memory. The payment device logic is in firmware, where it is well protected from attack by viruses or malware. No virus has ever attacked an ID TECH product.

The Advantech Solution

Among Advantech’s POS solutions, the latest hardware with all of the above security features is the UPOS-510. When a credit card is presented to make a purchase, its most sensitive data is encrypted in firmware at the time of presentation and never gets decrypted until it is received by a properly authenticated party, such as the issuer, financial gateway, bank, or back-end processor.

“The device is designed to encrypt (only) and is incapable of doing decryption. Hence, even if the POS system is stolen, it cannot be used to decrypt data, since it contains no software for decryption,” says Ning. “The data is ‘locked’ until an authorized party (with possession of proper keys) can decrypt it.”
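The two properties described in the feature list and in Ning’s quote above, a fresh key for every transaction (DUKPT) and a reader that can only encrypt, are illustrated by the following added example. It is not ID TECH or Advantech code and it is not the ANSI X9.24 DUKPT algorithm: the key derivation is a simplified HMAC-SHA256 construction, the cipher is an HMAC-based keystream standing in for the TDES/AES the page names (Python’s standard library has no AES), and BDK, DEVICE_ID and MAX_COUNTER are constructed values. What it does show is the defender-relevant behaviour: the host re-derives each key from the Key Serial Number (KSN) alone, two swipes of the same card never share a key or ciphertext, a replayed message is rejected, and the reader object has no decrypt routine to steal.

```python
import hashlib
import hmac

# Constructed sample values for this illustration; not real key material.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")  # base derivation key, held only by the host
DEVICE_ID = bytes.fromhex("ffff9876543210")              # 7-byte device serial portion of the KSN
MAX_COUNTER = 2**21 - 1  # assumption: a 21-bit transaction counter, as in the DUKPT KSN layout


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Initial per-device key, derived one-way from the BDK at key-injection time."""
    return hmac.new(bdk, b"IPEK" + device_id, hashlib.sha256).digest()


def derive_transaction_key(ipek: bytes, counter: int) -> bytes:
    """One-way derivation: every counter value yields a distinct key (simplified, not X9.24)."""
    return hmac.new(ipek, b"TXN" + counter.to_bytes(3, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the TDES/AES cipher on the page: HMAC-SHA256 keystream in counter mode."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptOnlyReader:
    """Models the card reader: it encrypts under a fresh key and has no decrypt routine at all."""

    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id = device_id
        self._ipek = ipek  # simplification: real DUKPT keeps a table of future keys and erases each after use
        self.counter = 0

    def encrypt_track(self, track_data: bytes):
        if self.counter >= MAX_COUNTER:
            raise RuntimeError("transaction counter exhausted; device needs re-injection")
        self.counter += 1
        key = derive_transaction_key(self._ipek, self.counter)
        ksn = self.device_id + self.counter.to_bytes(3, "big")  # travels in the clear with the ciphertext
        ciphertext = keystream_xor(key, ksn, track_data)
        tag = hmac.new(key, ksn + ciphertext, hashlib.sha256).digest()[:16]
        return ksn, ciphertext, tag


class ProcessorHost:
    """Models the authorized party holding the BDK; it re-derives each key from the KSN alone."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk
        self.seen_ksns = set()  # replay defence: each KSN is accepted exactly once

    def decrypt_track(self, ksn: bytes, ciphertext: bytes, tag: bytes) -> bytes:
        if ksn in self.seen_ksns:
            raise ValueError("replayed KSN rejected")
        device_id, counter = ksn[:7], int.from_bytes(ksn[7:], "big")
        key = derive_transaction_key(derive_ipek(self._bdk, device_id), counter)
        expected = hmac.new(key, ksn + ciphertext, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        self.seen_ksns.add(ksn)
        return keystream_xor(key, ksn, ciphertext)


def run_two_swipes(track: bytes) -> dict:
    """Two swipes of one card give different KSNs, keys and ciphertexts; a replay of the first is rejected."""
    reader = EncryptOnlyReader(DEVICE_ID, derive_ipek(BDK, DEVICE_ID))
    host = ProcessorHost(BDK)
    first = reader.encrypt_track(track)
    second = reader.encrypt_track(track)
    results = {
        "first_plain": host.decrypt_track(*first),
        "second_plain": host.decrypt_track(*second),
        "ciphertexts_differ": first[1] != second[1],
        "ksns_differ": first[0] != second[0],
        "reader_can_decrypt": hasattr(reader, "decrypt_track"),
    }
    try:
        host.decrypt_track(*first)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    # Constructed sample track data using a standard test card number.
    print(run_two_swipes(b"4111111111111111=2512101"))
```

The host keeps the BDK and never ships it to a terminal, so a stolen reader yields at most its own per-device material, and a host that tracks accepted KSNs turns the "unique key per transaction" property into a concrete replay check rather than relying on the cipher alone.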

Other available security options for the UPOS-510 include fingerprint biometrics, contactless card reading, chip card compatibility, magnetic stripe card reading, and many connectivity options. “All of these options make our POS-series devices a natural choice for merchants who require flexibility in connectivity options along with flexibility in payment options,” says Jason Zhang, product manager at Advantech.

Advantech also provides a range of ready-to-deploy solutions. One package specifically for POS security features is WebAccess/IVS (Intelligent Video Software) for loss prevention. “WebAccess/IVS enables users to combine video and transaction data to assist in loss prevention and provide evidence in the event of customer disputes,” Zhang explains. The camera captures images of customers at the register and the POS software captures credit card information and receipts. Every transaction is automatically recorded, making data easy to find during security audits.

“Seventy-six percent of retailers invest in CCTV, 61 percent in security guards, and 60 percent in alarm monitoring,” says Zhang. “Sometimes these investments are huge and they still miss theft and inventory losses. With WebAccess/IVS, retailers see a reduction in both hours spent reviewing video footage and operating expenses for loss prevention.”

Partnering to Leverage Security Technology

Advantech collaborates with industry-leading partners to provide the building blocks required for delivering integrated and innovative solutions to retailers. ID TECH is part of Advantech’s retail partner ecosystem, and the two have been working closely together in payment-related applications.

“We leverage the latest technology ID TECH offers from their standard off-the-shelf solutions as well as their payment modules for our mobile POS solutions and traditional stationary POS terminals,” says Zhang.

Advantech leverages its Premier Partner relationship with Intel to secure the ideal CPUs for both POS and security functionality. The UPOS-510 is offered in both Intel Celeron J1900 and the latest Skylake sixth-gen processor flavors. “The J1900 brings an additional level of security to the POS,” explains Andrew Gentry, RSD marketing segment manager, Intel Retail Solutions Division.

“J1900 features security characteristics unique to Intel,” says Gopi K. Agrawal, RSD technical sales manager, Intel. “First, there is Intel Silicon, which transmits large amounts of data. Second, there is Secure Boot, which uses digital signature technology to guarantee that only the correct operating system is used to boot the Gateway. Third is Intel’s Platform Trust Technology for credential storage and key management used by Windows 8 and Windows 10 and which supports BitLocker for hard drive encryption. Finally, the Intel Software Guard Extension offers application-level protection via encrypted memory.”

When enabled and fully configured, Intel’s Secure Boot helps a computer resist attacks and infection from malware. Secure Boot detects tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures; anything that fails validation is blocked from running before it can attack or infect the system [3].

Intel Platform Trust Technology (PTT) improves the authentication process by enabling disk encryption keys to be locked (or sealed) to the platform configuration so that keys are only released if the platform configuration has not changed from a known good configuration [4].

Intel Software Guard Extensions (SGX) technology is for application developers who are seeking to protect select code and data from disclosure or modification. Intel® SGX makes such protections possible through the use of enclaves, which are protected areas of execution in memory. Application code can be put into an enclave by special instructions and software made available to developers via the Intel SGX SDK [5].
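The sealing behaviour attributed to PTT above (a disk key released only when the platform configuration is unchanged) is easiest to understand as a measured-boot chain feeding a PCR, with the sealed blob bound to the expected PCR value. The following added example models that mechanism; it is not Intel PTT code, not the TPM 2.0 command set, and not BitLocker. The PCR extend operation is the real TPM formula, but the wrapping of the disk key is an HMAC-SHA256 construction standing in for the TPM’s internal protection, and TPM_SEED and the boot-chain strings are constructed values.

```python
import hashlib
import hmac

PCR_SIZE = 32  # a SHA-256 PCR bank

# Constructed stand-ins for the firmware images a measured boot would hash; not real code images.
GOOD_BOOT_CHAIN = [b"uefi-firmware v1.2", b"bootloader signed", b"kernel 5.x"]
TPM_SEED = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # assumption: secret that never leaves the TPM


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = SHA256(PCR_old || SHA256(component)). Order-sensitive and not resettable by software."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Each stage measures the next one into the PCR before handing over control."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def wrapping_key(tpm_seed: bytes, pcr: bytes) -> bytes:
    """The key protecting the sealed blob depends on the PCR value, so only the matching state can unwrap it."""
    return hmac.new(tpm_seed, b"seal" + pcr, hashlib.sha256).digest()


def seal(tpm_seed: bytes, disk_key: bytes, expected_pcr: bytes):
    """Produce a blob that can be unsealed only when the platform measures to expected_pcr."""
    assert len(disk_key) == 32
    wk = wrapping_key(tpm_seed, expected_pcr)
    pad = hmac.new(wk, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(wk, wrapped, hashlib.sha256).digest()
    return wrapped, tag


def unseal(tpm_seed: bytes, blob, current_pcr: bytes):
    """Return the disk key only if the current PCR matches the one the blob was sealed to; else None."""
    wrapped, tag = blob
    wk = wrapping_key(tpm_seed, current_pcr)
    if not hmac.compare_digest(hmac.new(wk, wrapped, hashlib.sha256).digest(), tag):
        return None  # platform configuration changed: the key stays locked
    pad = hmac.new(wk, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def boot_and_unseal(boot_chain, blob):
    """Simulate a boot: measure the chain, then ask the TPM model to unseal against the resulting PCR."""
    return unseal(TPM_SEED, blob, measure_boot_chain(boot_chain))


def demo() -> dict:
    disk_key = hashlib.sha256(b"constructed disk key").digest()
    blob = seal(TPM_SEED, disk_key, measure_boot_chain(GOOD_BOOT_CHAIN))
    tampered = [GOOD_BOOT_CHAIN[0], b"bootloader modified", GOOD_BOOT_CHAIN[2]]
    return {
        "good_boot_releases_key": boot_and_unseal(GOOD_BOOT_CHAIN, blob) == disk_key,
        "tampered_boot": boot_and_unseal(tampered, blob),
        "reordered_boot": boot_and_unseal(list(reversed(GOOD_BOOT_CHAIN)), blob),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a POS deployment is that a modified or reordered boot component changes the PCR, and with it the only key that can unwrap the disk key, so the drive stays encrypted on a tampered machine without any software having to decide whether the change was malicious.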

“Our combined solutions result in a unique system in the marketplace that features increased performance and security for the UPOS-510,” says Gentry.

Best Practices for Ensuring the Security of a Payment System

“Increased security is easily attainable with the following best practices,” says Ning.

  1. Inspect Daily. Payment systems should be checked daily, by appropriately trained employees, for signs of tampering, skimming, or alteration, and a machine’s self-check routines should be invoked daily to be sure firmware and software are valid and working correctly, with the proper version.
  2. Train your people. Clerks and merchants should understand how their equipment works, how to run self-check diagnostics, and how to operate the equipment in accordance with industry best practices.
  3. Make it easy. Payment software should contain clear, self-documenting user interfaces and prompts that show a customer how to use the system properly. Prompts and interfaces should be simple and self-explanatory.
  4. Stay up-to-date. Follow the manufacturer’s recommendations for firmware upgrades, key rotation, self-test diagnostics, system maintenance, and operation. This is particularly important with respect to contactless (RFID or NFC) card readers.

References

  1. At Mid-Year, U.S. Data Breaches Increase at Record Pace, Identity Theft Resource Center, July 18, 2017, http://www.idtheftcenter.org/Press-Releases/2017-mid-year-data-breach-report-press-release.
  2. Data Breaches Increase 40 Percent in 2016, Finds New Report from Identity Theft Resource Center and CyberScout, Identity Theft Resource Center, Jan. 19, 2017, http://www.idtheftcenter.org/Press-Releases/2016databreachespressrelease.html.
  3. Frequently Asked Questions for Secure Boot, Intel, referenced Jan. 26, 2018, https://www.intel.com/content/www/us/en/support/articles/000006942/boards-and-kits/desktop-boards.html.
  4. Intel PTT White Paper from 2014, referenced Jan. 26, 2018, https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/enterprise-security-platform-trust-technology-white-paper.pdf.
  5. Intel SGX website, referenced Jan. 26, 2018, https://software.intel.com/en-us/sgx.

More on Advantech’s Secure POS Systems

UPOS-510
15" Stylish Modularized POS System

  • 15.1" TFT display in LED backlight.
  • Flat and borderless front PCAP touch panel design.
  • Fanless design for quiet operation.
  • Aluminum alloy tower of stand provide the reliable system and able to deploy in small space.
  • Clean cable and screwless back design
  • Reserved display hatched for peripheral requirement

UPOS-510 is a modern industrial-grade POS system powered by an Intel® Celeron® J1900 or Core™ i5-6300U processor. The slim and borderless front touch panel offers a maximized viewing area and is IP65-rated for water and dust protection. The small footprint design makes UPOS-510 the ideal system for limited-space installations and medium and small businesses. The easy-access back cover allows users to conveniently access/replace HDDs. Additionally, UPOS-510 supports I/O expansion for flexible installation and can be equipped with diverse peripherals, such as a secondary rear-mounted display, to satisfy diverse applications in retail and hospitality environments.

Learn more about UPOS-510: https://buy.advantech.com/iRetail-Solutions/POS-Systems-Modular-POS-Systems/AUS_31435.products.htm

Chat with an Advantech Retail Expert about stationary and mobile tablet POS hardware and software: 877-825-4146