The Green Sheet Online Edition
May 11, 2009 • Issue 09:05:01
Private pathway for POS data
For POS traffic traveling across the Internet, a new security tool called AprivaNet from information technology (IT) security company Apriva provides what is akin to the cyber version of an underground tunnel: a special router, separate and hidden from public Internet channels, through which POS information can pass invisibly.
"What's unique about this particular product is it supports a separate payment network, a secure or dedicated payment network," said Bill Clark, General Manager for Apriva Secure Payments Division.
"So we actually separate point-of-sale traffic from all other traffic and by doing so have some unique capabilities to keep transactions from going where they shouldn't go."
For merchants with either wireless or Ethernet-connected POS terminals, customer transaction data usually flows through the same router as other outgoing data to an open-ended network. AprivaNet, on the other hand, captures that data and sends it separately, effectively concealing it from hackers trolling the Internet's main pathways and disguising its origin.
"What's interesting is you end up, in many cases, encrypting the data twice because you're putting it on a private network which encrypts it, but what you're also hiding are those endpoints," Clark said.
"On a private network, those endpoints are invisible to people who might be in the middle ... it kind of makes the users of those private networks disappear. So, yes, there's a stream of encrypted traffic, but you don't know where they're going, where it came from, or what might be in that data stream. And, in a way, it's like making sure your point-of-sale traffic is a needle in a haystack - it makes it harder to go after."
Encryption alone not enough
Clark added that although POS data is typically encrypted, it often remains vulnerable to hacking because of its presence on public networks. The encryption alone will protect it in many cases, but fending off more sophisticated hackers requires multifaceted solutions, he noted.
"What you have is all of these fringe elements trying to penetrate, trying to access, trying to put viruses in," he said. "Those are all security issues that really don't have anything to do with the fact that the transaction has been encrypted."
"Today, IT-connected, Internet-connected merchants are really the target for PCI, because they have a device that's connected on public networks," he said. "It makes them vulnerable to hacking, and it makes them vulnerable to viruses that can be implanted on their systems - and that can then send data out of the Internet ... TJ Maxx was a perfect example." (Retailer TJX Companies Inc. revealed a massive data breach in 2007.)
A complete package
While routing merchant data through a private network is AprivaNet's primary function, that service is part of a larger security package that helps to ensure compliance with the Payment Card Industry (PCI) Data Security Standard.
Clark said that package includes a 24-hour monitoring device that informs a merchant whenever "configuration problems" occur within the network, such as connection problems or device tampering; a self-assessment security questionnaire; PCI-required penetration scanning; and a guarantee that Apriva will "cover the expense of any remediation cost" up to $50,000 for PCI violations associated with using the device.
"This is a form of encryption that is not just the private POS network," Clark said. "We're also bundling in the TrustKeeper tools [Trustwave's on-demand compliance management technology] to help you document you're compliant; you have the self-assessment questionnaire, the scanning that's required, the guarantee ... all those are additional risks that we're addressing."
Clark said the service will hit the market by May 15, 2009.