28 December 2013
I’m fortunate to know the fraud heads at the top 5 banks in the US and UK from my time at 41st Parameter. The current scoop is that this hack is still being researched and there is no smoking gun (as of today). Technically, a payment terminal should have only two connections: 1) to the POS, to obtain the order total and return the authorization, and 2) to the processor, to deliver the encrypted card information.
Before I move on let me give a little industry background here. Dedicated payment terminals can take many forms. In independent small stores they can be stand-alone devices, typically sold by ISOs and locked down to work with a single processor. They can also be very large, complex devices with multimedia capabilities and space for custom applications. For example, Verifone had a Verix architecture which separates the secure card transaction platform from an “open” environment where apps like couponing, loyalty, and customer communication can run. Have you ever wondered why payment terminals even exist? After all, most POS systems (IBM, Micros, Aloha, NCR, …) can take a card swipe directly. The reason is largely PCI compliance. Theoretically the payment terminal is a locked-down device that went through the rigor of PCI testing AND it allows the retailer to NEVER touch card data. As soon as the card is swiped it is encrypted with the “keys” of the processor… AND this data flows only in a single controlled, dedicated “tunnel” to the processor. This is also why most payment terminals are NEVER updated. Where a top 5 grocer may have an 800-person organization working to customize their POS software (e.g. IBM 4690), they have NO ONE working to customize their payment terminal. Let me reiterate: my data indicates that less than 5% of all payment terminals are EVER updated. Most terminals are UNMANAGED assets owned by the processor.
If any of you have ever sat through a presentation by Verifone or Ingenico this may shock you, as they present these ridiculously large consumer-facing communications devices which require constant updating. Of course the updates SHOULD NOT touch the secure part of the payment terminal OS. But strange things happen when you open a new pipe (beyond just the POS and processor).
Middleware and Loyalty
I’m not laying this on Verifone (yet), as most top retailers use card information from the payment terminal to feed their back-office loyalty systems. On your mag stripe there are 8 tracks of data (see Wiki and ISO 7813), for example 24 characters of your name. A retailer could also choose to route transactions through their own middleware prior to sending them for authorization (instead of payment terminal to processor). For example, Target’s Red Card can only be authorized by Target Financial Services. In this model they could have routed the transaction through the processor and back to TFS, or could have routed all transactions through TFS and stripped the Red Card data. This would keep a processor from seeing their sales volume and reduce processing costs, but also put the entire PCI burden on themselves. I do not know the architecture here, but if this is the case… Target is the only entity on the hook unless it was a payment terminal OS break (in my view).
Retailer Lessons Learned
- Keep the Payment Terminal as a locked down isolated device owned by the processor
- If you need loyalty information get it from processor post authorization
- Get serious about supporting debit cards NOW or you will see a shift soon
- Throw out any “apps” in the payment terminal that are not owned by your processor
- Secure those pipes and test often.
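The two-connection rule from the opening (POS and processor only) and the lessons above (“keep the terminal locked down”, “secure those pipes and test often”) can be turned into a routine check. The following Python script is an added example, not code from the original post or from any terminal vendor: it reads outbound connection records from a payment terminal and reports every destination that is not the POS or the processor, i.e. every “new pipe”. The log format (`timestamp src dst:port proto`), the addresses, the ports and the sample lines are all constructed for the example.

```python
"""Egress allow-list check for a payment terminal (added example).

Assumptions (not from the post): the terminal's outbound connections are
logged as "timestamp src dst:port proto", the POS listens on port 5002 on
the store LAN, and the processor is reached over TLS (443) on a network
represented here by the TEST-NET-2 range. Everything else is unexpected.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AllowedPeer:
    role: str
    network: ipaddress.IPv4Network
    port: int


# The only two pipes a terminal should have. Addresses are hypothetical.
ALLOW_LIST: Tuple[AllowedPeer, ...] = (
    AllowedPeer("POS", ipaddress.ip_network("10.20.1.0/24"), 5002),
    AllowedPeer("processor", ipaddress.ip_network("198.51.100.0/24"), 443),
)

# Constructed sample log: two legitimate connections, then a connection to an
# unknown Internet host, one to a loyalty/middleware box on the LAN, and an
# SSH session to the POS host (right network, wrong port).
SAMPLE_LOG = """\
2013-12-15T10:01:02Z 10.20.1.50 10.20.1.10:5002 tcp
2013-12-15T10:01:03Z 10.20.1.50 198.51.100.7:443 tcp
2013-12-15T10:01:04Z 10.20.1.50 203.0.113.9:443 tcp
2013-12-15T10:01:05Z 10.20.1.50 10.20.5.20:8080 tcp
2013-12-15T10:01:06Z 10.20.1.50 10.20.1.10:22 tcp
"""


def parse_line(line: str) -> Tuple[str, str, str, int, str]:
    """Split one record into (timestamp, src, dst_host, dst_port, proto)."""
    ts, src, dst, proto = line.split()
    host, port = dst.rsplit(":", 1)
    return ts, src, host, int(port), proto


def classify(host: str, port: int,
             allow_list: Tuple[AllowedPeer, ...] = ALLOW_LIST) -> Optional[str]:
    """Return the role (POS/processor) a destination matches, or None."""
    addr = ipaddress.ip_address(host)
    for peer in allow_list:
        # Both the network AND the port must match; a different service on
        # the POS host is still an unexpected pipe.
        if addr in peer.network and port == peer.port:
            return peer.role
    return None


def find_unexpected_pipes(log_text: str,
                          allow_list: Tuple[AllowedPeer, ...] = ALLOW_LIST
                          ) -> List[Dict[str, str]]:
    """Every connection whose destination is outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, proto = parse_line(line)
        if classify(host, port, allow_list) is None:
            findings.append({"ts": ts, "src": src,
                             "dst": f"{host}:{port}", "proto": proto})
    return findings


def roles_seen(log_text: str,
               allow_list: Tuple[AllowedPeer, ...] = ALLOW_LIST) -> Dict[str, int]:
    """Count connections per allowed role, so a *missing* pipe (e.g. no
    processor traffic at all) is visible too."""
    counts = {peer.role: 0 for peer in allow_list}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, host, port, _ = parse_line(line)
        role = classify(host, port, allow_list)
        if role is not None:
            counts[role] += 1
    return counts


if __name__ == "__main__":
    for f in find_unexpected_pipes(SAMPLE_LOG):
        print(f"UNEXPECTED PIPE {f['ts']} {f['src']} -> {f['dst']} ({f['proto']})")
    print("allowed roles seen:", roles_seen(SAMPLE_LOG))
```

The check is deliberately strict about port as well as network: a terminal talking to the POS host on anything other than the payment service is treated the same as a terminal talking to an unknown host. Run it on a regular schedule against the terminal's real connection records and any non-empty result is the “new pipe” the post warns about.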
Debit card politics
As soon as this happened I saw some faceless analyst on MSNBC telling consumers to never pay with their debit cards, and never use PIN. I’m typically not a conspiracy theorist, but readers of my blog know that banks are working hard to discourage debit… we can expect to see more of this. Retailers need to take on the role of debit advocates NOW… No one else is going to push this product, and I think everyone will be surprised at how fast consumer attitudes can move if there is a view that the product is not safe or secure.
Sorry for short blog. Happy New Year.