" class="no-js "lang="en-US"> Safeguarding POS Terminals with Secure Microcontrollers - Fintech Finance
Thursday, March 28, 2024

Safeguarding POS Terminals with Secure Microcontrollers

As a consumer, whether you’re paying at the pump or some other point-of- sales (POS) terminal, you want speed and convenience. You don’t want to worry about how safe your self-service transaction is.

That concern is the responsibility of the businesses providing these payment methods, as well as those who design the payment systems themselves. Unfortunately, spoofing, skimming, and hacking are not very difficult to do. Case in point: a security researcher with Rapid7, a security data and analytics solution provider, developed a small, $6 tool that can open hotel room doors and hack into POS systems and cash registers. Some credit card fraud liability has begun shifting from card issuers to merchants. As a result, the risks of being lax on security are getting even higher for businesses. And payment systems OEMs should have a vested interest in safeguarding their equipment at all potential points of entry, from sensor node to web server.

The global Payment Card Industry (PCI) Security Standards Council is responsible for maintaining, evolving, and promoting security standards for the industry. The organization, founded by major payment products companies, aims to standardize security efforts across the industry. Its PIN Transaction Security (PTS) standard, PCI-PTS, provides for robust security controls for payment systems, adding testing requirements to validate vendor documentation of policies and procedures related to device management.

Invenco, a finalist for the NZ Hi-Tech Company of the Year award, is behind the G7 OPT (outdoor payment terminal), which features the MAX32590 DeepCover secure microcontroller and has achieved PCI-PTS v4.1 certification. The G7 OPT is a fully modular EMV-compliant payment system with a 12-inch multimedia touchscreen. Providing customers with a self-service experience, the system accepts EMV, magnetic stripe, contactless (including mobile phones), barcode-reading, and mobile wallet payments. Its display can be used to keep users engaged with responsive content that can help drive additional sales. The terminal is suited for any business that wants to deliver a 24/7 self-service payment experience, from gas stations and truck stops to airports, marinas, and parking lots.

 

Complying with PCI PTS means the G7 OPT had to pass stringent levels of differential power analysis (DPA) attack testing. Using the MAX32590 in its design contributed to the G7 OPT’s compliance with the challenging certification requirements. Maxim is one of a few IC suppliers capable of providing a cryptographic library with sophisticated algorithm protection means. In addition, Maxim provides a security evaluation report from an independent laboratory, which helps to substantially decrease the amount of time and cost associated with PCI-PTS certification. Typically, such a certification process can take anywhere from nine months to two years. Working with Maxim can help reduce the cycle by several months.

According to Invenco Director Dave Ritten, the flagship G7 OPT product pushes the boundaries in terms of security requirements. “While on one hand we are providing an open environment for the presentation of media and graphics, we still need to meet the stringent requirements of PCI. This is not an easy position to achieve,” Ritten explained.

After careful evaluation, we selected the MAX32590 processor as it provided sufficient processing power and security to manage the complex security and data manipulation challenges we faced with the G7 OPT design. Support from Maxim has been excellent and this helped expedite the development of the product.

Highly Integrated Microcontroller with Built-in Security

As is the case for design engineers in many other application areas, including payment systems designers, accelerating time to market while lowering bill of materials (BOM) costs are key priorities. Using a secure microcontroller such as the MAX32590 addresses both challenges. The 32-bit, Linux-based microcontroller features an ARM926EJ-S processor core, patented external bus, and advanced physical security. It’s highly integrated, with components including:

  • A memory management unit (MMU)
  • 32KB of instruction cache
  • 16KB of data cache
  • 4KB of instruction TCM
  • 4KB of data TCM
  • 384KB of system SRAM
  • 2KB of one-time- programmable (OTP) memory
  • 128KB of boot ROM
  • 24KB of battery-backed SRAM

As a result, designers can save design time and cost because they can minimize the number of external components required. Fewer external chips also means there are fewer potential entry points, making the design easier to secure. If someone attempts to breach a terminal, the microcontroller senses this and erases the authentication keys via hardware in just milliseconds.

Security features of the MAX32590 include:

  • Secure boot loader with public key authentication
  • AES, DES, and SHA hardware accelerators
  • Modulo-Arithmetic Hardware Accelerator (MAA) supporting RSA, DSA, and ECDSA
  • Hardware true random number generator
  • Die shield with dynamic fault detection
  • 6 external tamper sensors with independent random dynamic patterns

Deep Expertise in PCI-PTS Requirements

Security is part of Maxim’s DNA, and we work to continually improve our IP and related software. After years of work with security labs worldwide, we have unique system-level expertise as well as a deep understanding of PCI-PTS requirements. In fact, we have an in-house Security Expertise Lab that focuses on attacking hardware and software IP and developing new security features to integrate into our microcontrollers. We also maintain an applications team dedicated to financial terminals, creating turnkey, pre-certified reference designs, providing certification assistance, and delivering design and integration support. Maxim is the industry’s only IC supplier to provide PCI-PTS reports for our secure microcontrollers, reference designs, and secure Linux architecture. The company’s strong roadmap of security solutions is a testament to our commitment to this market.

So if you’re designing payment processing systems, remember that secure microcontrollers are the simplest and most cost-effective way to protect the valuable financial data flowing between cardholders and businesses.

By Gregory Guez, Executive Director, Micros & Security Business Unit, Maxim Integrated

  1. allpay Appointed as Official Supplier on Crown Commercial Service’s Open Banking and Fund Administration & Disbursement Services Dynamic Purchasing Systems Read more
  2. Oliver Wyman Announces Mariya Rosberg as Americas Head of Banking and Financial Services Practice Read more
  3. Alchemy Pay Invests in UK Fintech LaPay and Secures API License as Part of Global Web3 Expansion Read more
  4. QNB Introduces FAWRAN for Fast Payments Within Qatar Read more
  5. The Paytech Show #79: What’s next for US banks in the FedNow era? Read more