Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but often are connected. A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.
Risks of theft from point of sale (POS) malware like Abaddon is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. If it’s GammaPOS, Abaddon, Dexter or other variations of malware designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale, the attackers get only useless encrypted data. No live data means no gold to steal. Attackers don’t like stealing straw.
How to do it? The easiest way to deploy this is with contemporary Format-Preserving Encryption based devices which protect data without having to make major changes to POS data flows and applications, going end-to-end to the secure processing host, far out of reach.
Over the past few years the PCI Council has also supported the approach and called it Point to Point Encryption (P2PE) or end to end encryption. For merchants, these solutions address the risk by encrypting the payment card data before it even gets to the POS. This might be in the card reader, a reading pin pad, or even inside a reading “sled” or “wedge” attached to the POS. If POS is breached, the data will be useless to the attacker. On the other hand, the secure card readers are very, very difficult to attack and do not store live data to steal: they encrypt it and pass it up the payment process to the POS. If tampered with they are designed to destroy their contents.
The trick is getting it right so that even though the data is protected and secure, it’s still compatible to the payment applications in the merchants systems and applications in the POS itself to permit regular POS functions to continue without change. That’s where format preserving encryption (FPE) comes in – NIST recognised FFX mode AES in particular. With FPE, the data stays protected from the moment it is captured as its read or entered. The magnetic stripe data and track information (Track 1, Track 2 or even EMV data) or manually entered credit card numbers are all protected while retaining the track structure, PAN format and integrity. To the POS, it still looks and feels like cardholder data, so low impact to the way customer payments are handled. To the merchant the PCI DSS scope is dramatically reduced, the whole POS is potentially out of scope. To an attacker, there’s nothing of value to steal. The attacker would get nothing but useless encrypted data. Only the other “end” of the payment process, usually an acquirer after the payment data has passed through switches, gateways, networks and applications, can decrypt the data. For post authorisation processes, a token might be returned to the merchant for storage and re-use in applications and databases without needing live PAN data again.
When implemented correctly, this approach can dramatically reduce the cost of PCI compliance and solve huge risk challenges easily. Without having to worry about nasty POS infecting malware and the reducing the cost of PCI DSS compliance, merchants can focus on growing their business.