Advice

PCI DSS and security for IoT-enabled payment terminals

The Device Chronicle spoke with Mark Messenger, General Manager, APAC, Vix Technology about IoT devices and securing payments from physical payment points by supporting PCI DSS and other key standards.

Building strong trust networks around payment is a key strategic concern for acquirers who use embedded devices as payment end points with PCI DSS for consumers. In industries being rapidly transformed by digital and IoT including retail, mass transit, mobility-related services, power networks and automotive this concern is magnified. 

Strong security standards with PCI DSS and PCI PTS

The key to building trust and security is the implementation of strong security standards on the IoT devices, system and application downloads and end to end networks that facilitate the payments. The PCI DSS and PCI PTS standards provide the backbone for the security framework that enables safe payments over IoT devices. The standards are administered by the Payment Card Industry Data Security Standards Council and mandated by the major payment card providers.  PCI DSS enables payment to be secured end to end where cardholder data including the Personal Authorisation Number (PAN), credit card number, card expiry date on the cards and the card PIN number. In the IoT context, embedded devices must be set up by the payment acquirer in a way that there is no possibility for a thief to tamper with the flow of data. Such tampering could involve intercepting data coming off the cards or the PIN pads. Such cardholder details could then be used to defraud the payment networks.

Mark explains much of the background to secure payment. Much of the focus to this point has been on securing the end point interaction with the payer’s card. This could be the chip and pin reader, the magnetic strip reader or the contactless interface at the point processing starts inside the device. The objective is to secure data, protect it at rest so the data if stored on the device is encrypted within, and ensure that it is encrypted to be sent across the network. It is equipped with a set of security keys that has a trust relationship between the reader and the host system so there is no way to intercept the data. These public keys, public certificates and asymmetric keys protect the pin pads. This prevents thieves from detecting the keystrokes that determine what the pins are, and mapping the pins to personal authorisation numbers, and for storing both of these details which would facilitate card details skimming off of the device. 

Securing the applications with PCI DSS

The payment hardware has had much of the focus for encryption. But the applications that are downloaded to the devices need to be protected from being compromised too. Mechanisms must be put in place to allow the secure download of applications onto a device. Thieves and fraudsters must be prevented from injecting other nefarious applications through insecure channels onto the device to monitor it. The bootloaders, kernels, and operating systems of the devices must be securely downloaded and signed from a trusted source. This is a critical part of the PCI DSS domain. 

Explaining the PCI DSS framework

Mark explains that the PCI framework is about protecting anything that interacts with the card and pin entry. An acquirer must be certain that there is no way to compromise any of those things and open up opportunities for unauthorised third parties to get hold of the cardholder data. Industry leaders such as ARM, and ST Microelectronics are taking a consortium approach to supporting the PCI framework across payment authorisation networks and the automotive industry where the embedded devices that are used are very similar in design. These hardware vendors are putting securitisation onto their chips and providing trusted execution environments on the devices so acquirers can download secure kernels onto the devices for running Android or Linux-based applications. Mark explains that “Effectively two applications can be downloaded – one is “trusted” and the other is “untrusted”, and these applications can be run across a wider variety of devices. There is also a trend towards soft positive devices, where the acquirer can take an existing device without the physical security, secure it at the chip level, download PCI secure applications and manage it in the same way they would an encrypted device.” 

Fraud threats

The fraud threats from end point payments on devices come in several combinations. If a thief can get access to the credit card’s payment authorization number, the expiry date and the user PIN, that card could be cloned  and in certain circumstances used to make payments. If the thief can get access to the expiry date, the card ID and the person’s name and address, then the card can be used for e-commerce transactions. Naturally, acquirers and consumers are paranoid about trying to protect these details.

Acquirers need PCI DSS certification

In the secure payment ecosystem, the onus is on the acquirers and not the payment card providers to secure their payment devices. So the acquirers must be PCI certified so in the event of payment fraud the banks will insure them against it. The banks work with terminal providers and application developers to ensure the applications that link into the bank’s systems are PCI certified. PCI DSS is the operational security standard and when it is applied to a payment terminal, the acquirer needs to ensure that the device is PCI PTS-certified. This is the key payment terminal certification. Mark stresses that both the hardware and software must be up to these PCI standards to plug into the payment network so that cyber insurance can be attained to protect against payment breaches. 

Device types for PCI DSS

Any device that accepts a physical payment must be PCI DSS- and PCI PTS-certified. These connected devices can include EFT pin pads, smart card readers for EMV payments, mobile phones and tablets with secure payment applications. In the mobile phone payment world, Android is dominant where in Mark’s estimation 19 out of 20 Android devices currently support PCI. Many purpose built payment devices are based on open source versions of Linux and they require a terminal management solution to support secure application downloads. In the cases of pin pads or stand alone card readers, vendors will be using a mix of Linux or Android, and often a small embedded microcontroller handing some secure code in a secondary reader. 

Industrial applications for PCI DSS

What are the industrial applications that benefit from the use of the PCI framework with embedded devices? Mark replies “Anywhere you are using an asset or renting an asset, you will need a secure download of an application to form the trust.” Power systems will use PCI certified devices and payment infrastructure more and more as we move to distributed solar networks. You will want to securely download the payment and billing applications onto those devices because you will end up with trust networks for the feedback tariffs for power going back into the network so all those industrial power devices. Power meters and battery charging banks will need this for a trust network. The new digital business models in the automotive industry will need PCI-compliant payment devices. “Vehicles will need secure downloads for services such as road usage charging or other “pay as you go” models in which the vehicle and the payment sources need to be identified and verified.” 

Secure and robust OTA software updates

Secure software updating mechanisms are needed to update the secure payment devices certified with PCI. These will often be large fleets of devices with low footprint kernels where the provider needs a low cost deployment model for these devices and also needs to take away the heavy lifting from their IT group around the device management lifecycle. They will achieve this by finding a best of breed partner to manage the complexities of device management for them. The QSA process will ensure that security features that the over-the-air software update solution has put in place will meet the requirements of the PCI certification. 

For more information on remote terminal management, OTA secure software updates and getting the right device security framework in place read this article on the Triangle of Trust™

PCI DSS and Mender Enterprise for OTA software updates

Recent Articles