Marc Edwards is a Data Systems and Security Engineer for a chain of retail stores, whom I was fortunate to become acquainted with via my amateur astronomy hobby. He and his teenage daughter are avid and highly capable telescope operators.
During one of our conversations at the time earlier this year when a major retailer's credit card data breach was
in the headlines, Marc explained how the typical point-of-sale (P.O.S.) system works in stores and why the most
commonly installed type is so much more vulnerable to intrusion than the newer and much more secure system his company
is implementing. It was an amazing story. Rather than my attempting to summarize Marc's explanation, I asked him
to write a short article to put in layman's terms what is going on and what is being done to correct it. What follows
is a condensed version of what is a very complex topic, but he succeeds in boiling it down to the basics. Thanks
Marc!
Point-of-Sale (P.O.S.) Credit/Debit Card Processing - An Insider's Viewpoint
By Marc Edwards
Most companies won't reveal how they have their security set up. Recently breached retailers have never and will never reveal publicly how they were breached. They are required, however, to provide all information on the breach to PCI DSS.
The PCI (Payment Card Industry) Security Standards Council is the organization established by the payment card companies (Visa, MasterCard, Amex, Discover) that sets the standards for required security AND enforces them.
It is a non-government agency that polices and enforces data security for credit and debit cards. The fines for having a breach are MASSIVE. For example, a retailer that was breached several years ago (that breach is what really triggered PCI to "standardize" their fines) was penalized more than $50,000 per DAY for every day that the breach was in effect and not found - in this case 540+ days, so $27 million in fines alone, not including lawsuits, judgments and customer reimbursements. Their overall liability for the breach was north of $150 million.
However, PCI standards have a lot of wiggle room for retailers to design their networks and security to work within their needs and budget; as a result, some companies go on the cheap and hope nothing happens. Other companies, like mine, see the pattern, and over the next two years we are investing $20 million in data security upgrades and preventive measures. Better to spend the $20 million now than $200 million later on fines.
One of the more expensive data security systems is called Tokenization, "a process by which the primary account number (PAN) is replaced with a surrogate value called a token."
An example of the types of networks
Following is the most common (non-tokenized) network, which 85% of retailers use:
Credit Card Terminal → P.O.S. system → VPN to Corp office Servers → Credit Card Processing Server → VPN to Credit Data Warehouse Collection Service → Bank.
This is the type of system that several recently breached retailers had in place. You swipe your credit card (CC), and it is transferred to the P.O.S. The PIN (personal identification number) pad is nothing more than a second keyboard attached to the register. The card info is encrypted (and depending on age can be 16-bit to 256-bit encryption), but the fact is, the pad is nothing more than a keyboard device. The cashier can also swipe the card on the keyboard, and most retailers require them to enter the last 4 digits of the CC on the keyboard (the PIN pad actually only transfers the first 12 digits for most cards; the cashier has to enter the last 4). But the fact remains that it is still playing the part of a keyboard, the data is still out there in the open, and as such it is very easy to place keylogging malware on the P.O.S. to grab the swipe.
The card data is then sent to the corporate office credit card processing server, and at the same time stored on the P.O.S. The server is connected to the Credit Card Data Warehouse, where the approval or declination is processed and then returned to the server, then back to the P.O.S. Everything is on the same network, everything is passing through the same pipe, and it is very easy to install a USB flash drive or drop a virus onto the network via some channel. As with recently breached retailers, vulnerable installations have one network system in their stores, and all the stores, while on different carriers, are connected to the same system; they have P.O.S. systems on the same network as their management computers, their HVAC system, phone system, etc. While on separate VLANs (virtual local area networks), all are on the same primary network - a store in New York City could connect to a store in California to verify inventory via their online system (it can determine whether a specific store has something in stock). So, as I stated to you on the phone, in one recent high profile data attack an HVAC vendor installed malware in the HVAC controls that gave them remote access to everything; this was installed in one store at one location and it gave them complete access to everything network wide. All the registers also have Internet access for cross-store lookups. While they should be secured by a proxy and routed through a VPN (virtual private network) and firewall, if someone is inside the network it won't matter, as the problem is already through the doors and into the infrastructure.
At this level only an approval or declination is made and a hold against the credit is placed; the charge is not actually processed until the P.O.S. system runs its end-of-day procedures, where all the sales data is compressed and passed up to the corporate system for processing. It is at this time that the charges are processed - in most cases about 48 hours from when you actually bought the item, which is why you might see "pending" on your online account information for the given Credit Card.
This is the most common system in place, and not just because it is inexpensive: there is only one connection out to the data warehouse (all stores and all registers in the stores are piped through it). Most systems may have load balanced servers (4-10 devices running in redundancy to prevent overload), but they are all piped through the same connection. The other reason is that it is what most companies have had in place since about 2002, when PCI became standardized across all credit cards. Prior to that each CC company maintained its own policy.
Most of these companies that have been breached are running Windows XP (embedded), which is a slimmed down version of XP designed for P.O.S. systems. They have never updated, and I suspect the majority of them are probably still running SP1 or even SP0, so the cost and manpower required to update them is massive, and most companies prefer to use hardware-based intrusion prevention measures, as one piece of equipment can be put into place to handle hundreds of registers, as opposed to actually going from device to device and updating. Since these designs and technology are a decade old, it's easy to see why they are now being targeted. The technology has advanced significantly since 2002. Today we have more processing power in a smart phone than we did in desktop computers in 2002.
A less common practice is Tokenization, though with the 2016 PCI standards tokenization will be required by 2016,
not just an option.
Tokenization works this way:
Credit Card Terminal → CC data sent directly to Data Warehouse via dedicated phone line or dedicated network line (not a connection shared with the register) → Data warehouse sends data to bank.
Credit Card Terminal → Token passed to P.O.S. once transaction is approved from PIN pad (via USB connection, not Ethernet) → Token data along with receipt data sent upstream to corporate office for sales tracking.
The difference here is that the PIN pad or CC terminal has two connections. One is a direct uplink to the Data Collection Warehouse that processes the payments, and the other is to the P.O.S. system. They are two entirely separate connections: phone/network (or dial-out) for the payment, and USB for the Token to transfer to the register. The PIN pad is not acting as a keyboard and simply transferring the information; it is in fact a computer in its own right and does all the processing itself. The PIN pad will only pass a token on the P.O.S. side, it will never pass CC data, and additionally it doesn't store anything. There are no external ports. The network and USB wiring is internal and hardwired to the registers, so nothing can be placed in line between the two devices. While a breach is still possible, it would have to happen upstream at the Data Collection Warehouse; it could never happen in stores with tokenized CC processing, so it mitigates all of the store's liability. Companies such as First Data take the brunt of the liability, and since they are a bank, their regulations are thousands of times stricter than ours.
The Token data is passed upstream to our corporate systems for us to be able to track the sales, but we never get any credit card data in our system. A Token cannot be reversed or decrypted to give a CC number; it doesn't work that way. The Token changes for every transaction, it is never the same twice, and you need several bits of data to match the Token to a given customer/transaction.
Additionally, our CC data passed to First Data is 256 bit encrypted (128 bit is industry required), and our Tokens are as well.
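To make the difference between the two designs concrete, here is an added example (not from Marc's article and not any vendor's code) that simulates what the register ends up holding under the keyboard-emulating PIN pad versus the tokenized PIN pad, then runs a simple Luhn-validated PAN detector over the register-side record, the kind of check a defender would run over P.O.S. logs or memory. The card number, the token format and the DataWarehouse vault are constructed stand-ins.

```python
"""Added example: register-side exposure under the two P.O.S. designs described above,
plus a PAN detector. All data here is constructed; the vault is a hypothetical stand-in
for a processor such as First Data."""
import re
import secrets

# Constructed, Luhn-valid test number (a standard test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so the detector does not flag arbitrary runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in a register log or memory dump:
    exactly the data a keylogger/RAM scraper harvests, and what a DLP scan should flag."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def keyboard_emulation_flow(pan: str, amount: str) -> str:
    """Non-tokenized design: the PIN pad behaves as a keyboard, so the full PAN
    passes through (and is stored on) the register before going upstream."""
    return f"SALE amount={amount} pan={pan} status=APPROVED"

class DataWarehouse:
    """Hypothetical processor-side vault: the only place the token-to-PAN map exists."""
    def __init__(self):
        self.vault = {}

    def tokenize(self, pan: str) -> str:
        raw = secrets.token_hex(16)                 # fresh random surrogate per transaction
        token = "-".join(raw[i:i + 8] for i in range(0, 32, 8))
        self.vault[token] = pan                     # never leaves the warehouse
        return token

def tokenized_flow(warehouse: DataWarehouse, pan: str, amount: str) -> str:
    """Tokenized design: the PIN pad sends the PAN only to the warehouse over its own
    uplink and hands the register a token plus the last four digits for the receipt."""
    token = warehouse.tokenize(pan)
    return f"SALE amount={amount} token={token} last4={pan[-4:]} status=APPROVED"
```

Running the detector over both records shows the keyboard-emulation record contains the full PAN while the tokenized record contains nothing a Luhn check will accept, and two sales with the same card produce two different tokens.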
There are increased costs associated with this setup, additional services, and in our case each of our stores
has two phone services: one for a phone line, and one for a credit card line plus an ISP (DSL
or T1). The PIN pads are a couple thousand dollars apiece. The cost to set up a Token PIN pad system is nearly
double what it is to set up a P.O.S. that uses a PIN pad and an OS to encrypt the data.
Our company is about 80% rolled out with Tokenization, but we will be 100% in July 2015, a full year before PCI
requires it to be complete.
Some of the big retailers are using setups similar to those of the recently breached ones; it is probably only a matter of time before they are breached. To my knowledge, all of them are still on Windows XP.
How do you know which stores are using PIN pads that emulate keyboards vs. a token system? Well, that is pretty
easy. If the PIN pad transfers your data to the P.O.S., that is, if you swipe the card and see your payment info
populate on the cashier's screen, and it requires the cashier to accept the CC data and close the sale, they are
using keyboard emulators. Alternatively, if the transaction goes the other way, where you see your purchased items
and totals on the PIN pad, and you swipe the card and the register closes the sale and prints the receipt without
any cashier interaction, chances are they are using a Tokenization system.
There are currently only two companies making Tokenization PIN pads:
If you see any PIN pad that is not one of these three models, then they are not sending tokens, they are sending
live CC data.
By 2016 there will almost certainly be many more major data breaches. Unfortunately, companies will be very slow
to adopt, even more so now that Apple Pay
has been released, because it will change how credit-based purchases work if it takes off.
Posted November 21, 2014