A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

June 08, 2009 • Issue 09:06:01

VoIP not a secure option

By Scott Henry

I've often talked up the benefits of Internet protocol (IP)-based communications for payment terminals. Speed of service, ability to leverage digital subscriber line (DSL) service and advanced transaction security are a few of the many advantages a POS device with integrated IP technology can provide.

Unfortunately, the same is not true for the increasingly popular solution known as voice over IP (VoIP).

VoIP translates analog signals of a standard phone line to digital data, namely IP, through a VoIP adapter or digital converter. While this provides immense benefit to businesses - freeing them from the tyranny of local phone companies by rendering communications more flexible and cost-effective - it is not a good medium for dial-up payment terminals.

The biggest problems involve quality of service (QoS) and security. A key QoS element for mission-critical applications, such as card transaction processing, is the use of transmission control protocol (TCP). IP communications split up data into packets that can be routed separately and recompiled at end points. However, delivery of all packets is not guaranteed, and IP does not resend undelivered packets. Proper retry and guarantee logic is the responsibility of the TCP layer.

Although this lack of quality may be acceptable for voice applications because the human mind compensates for the dropped packets, it is devastating for POS applications - which likely receive "modem error" messages instead of authorizations. This is because host computers are receiving the data and cannot fill in the blanks of an incomplete transmission, resulting in the modem error signal.

More important than QoS is security. For its designed usage - voice communication - VoIP does not emphasize security. After all, who is likely to be listening to your telephone conversations? For card processing, however, security is essential for preventing cardholder data compromises. As stipulated by the card brands' security guidelines, it is necessary to protect IP-based transactions with Secure Sockets Layer or equivalent encryption.

VoIP data is typically sent in the clear, which I believe is an outright violation of these guidelines. Unfortunately, this is not a scenario VeriFone or other hardware vendors can address within the security, telecommunications or application modules of POS devices.

Unstoppable forces

At the moment, the dangers of this weakness are relatively limited, as VoIP has penetrated only a fraction of the overall communications market. But VoIP is a cheap alternative to a regular business line, with both lower monthly fees and no usage fees, making it an attractive alternative for small businesses.

Our concern is that the exposure to credit card fraud due to VoIP will grow exponentially as telecommunications companies nationwide continue to ramp up their efforts in marketing the VoIP solution.

When a merchant transmits data to a processor via VoIP, the processor and the acquirer may be completely unaware of this. Yet, that doesn't necessarily shield them from liability for fraudulent transactions. It's vital that you monitor your merchant base for use of VoIP and ensure that retailers do not attempt to use VoIP for terminals with analog dial modems. There are definite advantages for merchants who want to enter the broadband realm, but they need to leave analog terminals out of the equation.

For merchants who already have a cable or DSL Internet drop for their PCs, it is extremely cost effective to replace land-line telephones with VoIP systems. Rates are relatively cheap, and many telecom companies are competing for their business. Changing service providers is relatively easy and can often be accomplished by reconfiguring a merchant's VoIP adapter or simply swapping it out with a mail-dropped replacement.

Retailers who adopt VoIP may still use their dial terminals on a regular dial line for point-to-point transaction processing, although that means they'll have to keep paying a separate phone bill and deal with land-line maintenance and service issues.

Economically, it probably makes more sense for a merchant with VoIP to leverage that IP connection and convert to an IP-based payment terminal. Instead of plugging an analog-based terminal into a VoIP adapter, the merchant's IP POS terminal connects by the Internet router either through direct Ethernet cable or wireless link.

This provides high-speed, always-on transaction capabilities and ensures no degradation of service.

Extended benefits of IP

The speed, transportability and versatility of Internet-based payment terminals can extend card-based payments far beyond the store countertop and into new revenue-generating venues such as sidewalk sales, outdoor garden departments, and even airports, malls or stadium kiosks.

Once the domain of geeks and nerds, IP has become increasingly simple to use, with millions of people using it transparently to surf the Web, send and receive e-mail, download music, or shop online.

IP has been adopted by general commerce worldwide as the standard way to communicate with the Internet or private networks.

Merchants using broadband IP experience transactions of three to four seconds, compared to about 14 seconds for dial-up. Additional benefits include faster downloads and an always-on connection that eliminates connect time and provides increased security for safer transactions.

IP-enabled terminals can utilize browsers with secure SSL to support a variety of different applications at the POS, such as prepaid telephone cards, gift cards, loyalty programs and utility payments.

An IP-based merchant base also provides a tantalizing opportunity for development of managed services, ranging from security to estate management. Just make sure merchants aren't trying to mix-and-match IP and analog inappropriately. end of article

Scott Henry is Director, North America Product Marketing, for VeriFone. He can be contacted at scott_henry@verifone.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing