Point-of-sale (POS) terminals are the essential backbone of modern businesses, from bustling restaurants to dynamic retail merchants. They enable seamless payment processing by accepting credit and debit cards, while handling sensitive information such as PIN (Personal Identification Number) and card details. Any fraudulent activity on POS Terminals leads to losing customers’ sensitive information and consumer trust. According to the latest studies, 95% of all data breaches are financially motivated.
POS Terminals are a standard for the majority of merchants in retail and their number is expected to increase throughout the next couple of years. The ABiresearch report on POS and mPOS Devices, published on May 15, 2023, estimates that portable POS device shipments will grow from 11.63 million in 2022 to 14.9 million in 2027.
Therefore, the security of POS Terminals is crucial as a base for payment security and customer’s trust. In this article, we’ll explore why POS security matters, and the key steps businesses must take to protect their customers data.
Point-of-Sale (POS) Security: The Growing Threat of Malware Attacks
Malware attacks targeting POS Terminals have become increasingly sophisticated and prevalent. Cybercriminals deploy malicious software to exploit vulnerabilities in POS Terminals, gaining access to sensitive customer information, including payment card and PIN data. These attacks can go unnoticed for long periods, causing significant harm before detection. The growing frequency and sophistication of malware attacks highlight the urgent need for proactive measures like secure encryption of payment data with encrypted cryptographic keys.
Encrypted keys ensure that even if a hacker gains access to the data, they cannot decipher it, thus securing the transaction process and protecting customer information.
POS Terminals at Risk – Online and Offline
Online and offline Point-of-Sale (POS) Terminals are increasingly at risk from cyber threats such as malware attacks. When connected to payment networks, these terminals can be vulnerable to malware designed to intercept sensitive payment data, allowing cybercriminals to steal credit card information or manipulate transactions. Even offline terminals are not immune, as malware can be introduced through compromised software or devices, later exfiltrating data once reconnected. To safeguard against these risks, encrypted keys must consistently be implemented on POS terminals for payment data encryption, ensuring that any captured data is rendered useless to attackers. This encryption acts as a critical layer of defense, protecting transactions from online and offline threats.
With the increasing malware and risk for online and offline POS Terminals, encrypted keys are clearly important for payment security.
However, what are encrypted keys and how do they differ from unencrypted keys?
Encrypted Keys vs. Unencrypted Keys
In the past, legacy key loading methods allowed unencrypted keys to be loaded into POS terminals as long as strict PCI security controls were in place at the key loading facility. Data encryption keys (DEKs) protect payment data by encrypting it. However, if these keys are left unencrypted, cybercriminals can easily use them to access sensitive information. On the other hand, encrypted keys offer an extra layer of protection. Even if an attacker manages to steal an encrypted key, they can't use it without the key encrypting key (KEK). This added security makes it much harder for hackers to compromise the underlying payment data at POS terminals.
Role of Encrypted Cryptographic Keys in POS Terminal
Cryptographic keys stored in POS Terminals play a pivotal role in ensuring the protection of payment data. They guarantee end-to-end data encryption as soon as the data enters the system. The following points provide you with detailed information about the utilization of keys in POS Terminals:
Encryption of Payment Data:
One critical step in preventing compromise is encrypting the data when the cardholder enters their payment card into the POS Terminal. Cryptographic keys ensure complete security for the customer’s payment card data, including the PIN, by encrypting them.
Establishing Trust with Payment Network:
Before sending the encrypted data to the payment processors, the POS Terminals must authenticate themselves to establish trust. Cryptographic keys play a crucial role in developing this trust by enabling secure and unique communication between the POS Terminal and the processor while ensuring that only authorized POS Terminals can share data with them.
Compliance Fulfilment:
PCI mandates that POS Terminals provide PIN security by using compliant encryption techniques, such as 3DES or AES.
Processing Offline Transactions:
In some cases, the POS Terminal might have to work offline. This means it might not be continuously connected to payment networks, but the payment still needs to be processed. In this scenario, the data will be securely encrypted and stored using cryptographic keys until the terminal is reconnected to the network.
Utimaco’s Solution for Encrypted Key Loading
Utimaco’s KeyBRIDGE POI provides a key injection solution that allows you to load encrypted keys as well as legacy (unencrypted) keys into POS Terminals. Customers can deploy KeyBRIDGE POI in their key injection facility for local injection or in data centers for remote key loading. Additionally, Utimaco delivers a service that offers remote key loading, removing the burden of managing key loading complexities and PCI compliance.
