Simon Keates | Head of Strategy and Payment Security at Thales
Today’s retail POS system looks very different to the Ritty Brothers’ ‘Incorruptible Cashier’of 1870. Now, as the muzzle of even the latest POS system begins to grey, there’s a new pup on the block – mPOS. The common thread throughout all these innovations? The need to ensure that these machines and data are ‘incorruptible’ from a security perspective.
For Ritty, it was as simple as preventing dishonest employees from pocketing money instead of depositing it. With the move to software-based POS terminals, it became much more complex, bringing the need to secure phone lines, and later leased ISDN lines back to the acquirer. The use of hardware-based encryption is recognised by the card schemes as the most practical and secure mechanism to achieve the necessary level of protection. However, the move to increasingly distributed computing is beginning to expose the cracks in protecting the channel, rather than the data itself. We only have to look to Target, Neiman Marcus, or the stores affected by the Chewbacca malware to see the systems under attack and the financial and reputational repercussions of a breach.
mPOS technology brings new challenges – introducing untrusted devices and networks into the mix. However, unlike traditional POS terminals, which only encrypt the customers’ PIN, mPOS systems encrypt all cardholder data. This data is routed back to the payment gateway, and only decrypted in an equally secure environment. Clearly, this ‘encrypt everything’ approach is logical. Why wouldn’t you protect all the data you can, to the extent that you possibly can?
It is no secret that the arrival of mPOS has had a dramatic impact on the retail experience, with regard to payment from a consumer perspective, and payment acceptance for the merchant and wider payment ecosystem. Introducing a new technology into the payments arena is always risky – it’s a tightly controlled club, with many barriers to entry, predominantly around security credentials. To get into this club, and convince the major players – banks and the card schemes – security levels must be demonstrably equal to, or even better than the existing systems.
mPOS certainly fulfils these criteria, building on and improving existing traditional infrastructure to showcase highly sophisticated encryption – certainly a trick that future POS systems would benefit from mastering.
I will be speaking about mPOS risk and security at MPE (Merchant Payments Ecosystem) in Berlin this week (18th-20th February). If you plan to attend, we’d love to see you at the Thales stand booth no. 15. Otherwise, you can keep up with the Thales team via Twitter - @Thalesesecurity – and on our blog.