Safeguarding POS Terminals with Secure Microcontrollers
As a consumer, whether you’re paying at the pump or some other point-of- sales (POS) terminal, you want speed and convenience. You don’t want to worry about how safe your self-service transaction is.
That concern is the responsibility of the businesses providing these payment methods, as well as those who design the payment systems themselves. Unfortunately, spoofing, skimming, and hacking are not very difficult to do. Case in point: a security researcher with Rapid7, a security data and analytics solution provider, developed a small, $6 tool that can open hotel room doors and hack into POS systems and cash registers. Some credit card fraud liability has begun shifting from card issuers to merchants. As a result, the risks of being lax on security are getting even higher for businesses. And payment systems OEMs should have a vested interest in safeguarding their equipment at all potential points of entry, from sensor node to web server.
The global Payment Card Industry (PCI) Security Standards Council is responsible for maintaining, evolving, and promoting security standards for the industry. The organization, founded by major payment products companies, aims to standardize security efforts across the industry. Its PIN Transaction Security (PTS) standard, PCI-PTS, provides for robust security controls for payment systems, adding testing requirements to validate vendor documentation of policies and procedures related to device management.
Invenco, a finalist for the NZ Hi-Tech Company of the Year award, is behind the G7 OPT (outdoor payment terminal), which features the MAX32590 DeepCover secure microcontroller and has achieved PCI-PTS v4.1 certification. The G7 OPT is a fully modular EMV-compliant payment system with a 12-inch multimedia touchscreen. Providing customers with a self-service experience, the system accepts EMV, magnetic stripe, contactless (including mobile phones), barcode-reading, and mobile wallet payments. Its display can be used to keep users engaged with responsive content that can help drive additional sales. The terminal is suited for any business that wants to deliver a 24/7 self-service payment experience, from gas stations and truck stops to airports, marinas, and parking lots.
Complying with PCI PTS means the G7 OPT had to pass stringent levels of differential power analysis (DPA) attack testing. Using the MAX32590 in its design contributed to the G7 OPT’s compliance with the challenging certification requirements. Maxim is one of a few IC suppliers capable of providing a cryptographic library with sophisticated algorithm protection means. In addition, Maxim provides a security evaluation report from an independent laboratory, which helps to substantially decrease the amount of time and cost associated with PCI-PTS certification. Typically, such a certification process can take anywhere from nine months to two years. Working with Maxim can help reduce the cycle by several months.
According to Invenco Director Dave Ritten, the flagship G7 OPT product pushes the boundaries in terms of security requirements. “While on one hand we are providing an open environment for the presentation of media and graphics, we still need to meet the stringent requirements of PCI. This is not an easy position to achieve,” Ritten explained.
“After careful evaluation, we selected the MAX32590 processor as it provided sufficient processing power and security to manage the complex security and data manipulation challenges we faced with the G7 OPT design. Support from Maxim has been excellent and this helped expedite the development of the product.”
Highly Integrated Microcontroller with Built-in Security
As is the case for design engineers in many other application areas, including payment systems designers, accelerating time to market while lowering bill of materials (BOM) costs are key priorities. Using a secure microcontroller such as the MAX32590 addresses both challenges. The 32-bit, Linux-based microcontroller features an ARM926EJ-S processor core, patented external bus, and advanced physical security. It’s highly integrated, with components including:
- A memory management unit (MMU)
- 32KB of instruction cache
- 16KB of data cache
- 4KB of instruction TCM
- 4KB of data TCM
- 384KB of system SRAM
- 2KB of one-time- programmable (OTP) memory
- 128KB of boot ROM
- 24KB of battery-backed SRAM
As a result, designers can save design time and cost because they can minimize the number of external components required. Fewer external chips also means there are fewer potential entry points, making the design easier to secure. If someone attempts to breach a terminal, the microcontroller senses this and erases the authentication keys via hardware in just milliseconds.
Security features of the MAX32590 include:
- Secure boot loader with public key authentication
- AES, DES, and SHA hardware accelerators
- Modulo-Arithmetic Hardware Accelerator (MAA) supporting RSA, DSA, and ECDSA
- Hardware true random number generator
- Die shield with dynamic fault detection
- 6 external tamper sensors with independent random dynamic patterns
Deep Expertise in PCI-PTS Requirements
Security is part of Maxim’s DNA, and we work to continually improve our IP and related software. After years of work with security labs worldwide, we have unique system-level expertise as well as a deep understanding of PCI-PTS requirements. In fact, we have an in-house Security Expertise Lab that focuses on attacking hardware and software IP and developing new security features to integrate into our microcontrollers. We also maintain an applications team dedicated to financial terminals, creating turnkey, pre-certified reference designs, providing certification assistance, and delivering design and integration support. Maxim is the industry’s only IC supplier to provide PCI-PTS reports for our secure microcontrollers, reference designs, and secure Linux architecture. The company’s strong roadmap of security solutions is a testament to our commitment to this market.
So if you’re designing payment processing systems, remember that secure microcontrollers are the simplest and most cost-effective way to protect the valuable financial data flowing between cardholders and businesses.
By Gregory Guez, Executive Director, Micros & Security Business Unit, Maxim Integrated
- Ruler of Ras Al Khaimah Issues Law to Establish the World’s First Free Zone Dedicated to Digital and Virtual Asset Companies Read more
- Wombat launches low-cost JISA following surge in demand among young parents Read more
- Over 16,500 Retail Locations Nationwide Now Offer Crypto Dispensers’ CDReload Service for Unprecedented Bitcoin Access Read more
- Recognise Bank announces major growth plans in its mission to revolutionise SME banking in the UK Read more
- BNG Bank Achieves Healthy Results and Enables Clients to Make an Impact Read more