The Green Sheet Online Edition
June 23, 2008 • Issue 08:06:02
Protect data with hidden shield
In the wake of recent, well-publicized data breaches at major retailers, a potential weakness was exposed in the Payment Card Industry (PCI) Data Security Standard (DSS).
The standard may not adequately address data in transit issues at merchants' in-house networks. Regardless, if data is sent out from the POS terminal unencrypted, it could be easy pickings for hackers.
But now that the vulnerability is widely known, businesses can take steps to secure data at merchant locations, so that even if data breaches occur, the data would be useless to fraudsters.
A relatively new solution to the security gap is encrypting data directly at the POS with what is known as Triple DES. DES stands for Data Encryption Standard. Triple DES means when a card is swiped or otherwise employed at the POS terminal, the data is run through the encryption key three times inside the terminal, exponentially increasing the complexity of the encryption and rendering it nearly impossible to crack.
San Jose, Calif.-based POS terminal maker VeriFone employs Semtek Innovative Technologies Corp.'s version of Triple DES - called Hidden Triple DES - in its VeriShield Protect system.
"Hidden" means that after the data is encrypted, VeriShield is able to format the data so that it looks exactly like an unencrypted mag-stripe data string - including the bank identification number and the last four digits of the card - which most systems are designed to read.
By "hiding" the encryption from merchants' systems, the systems - such as cash registers and back office servers - read the information as if it were in its standard, unencrypted form. According to Paul Rasori, Vice President, Global Product Marketing, VeriFone, this means systems need not be reconfigured to understand the Triple DES encrypted data when VeriShield is incorporated.
VeriShield doesn't require merchants and acquirers to make changes to existing software infrastructures. "The systems that touch that data along the way don't have to be changed," Rasori said.
But once the encrypted data leaves the merchant location, it must be decrypted for it to be processed. For that end, VeriFone has partnered with San Diego-based Semtek for Cipher Device Metrics Servers (CDMS).
When the data reaches the centralized CDMS servers, it is decrypted and sent over secure networks for back-end processing.
So, once data is encrypted at the POS, VeriShield has it decrypted for processing as well. "There is really no competition [for VeriFone] in the market that has those two elements in tandem," Rasori said.
VeriFone recognizes that no system will ever be entirely secure. And so Rasori said VeriFone built into VeriShield a real-time status and alert system that flags suspect transactions for the benefit of merchants, ISOs and acquirers.
Currently, VeriShield is only available for VeriFone's MX series of POS terminals. The MX terminals are designed for large retailers with multilane terminals. But Rasori said that, no later than the end of calendar year 2008, VeriShield will be available for its Vx line of POS devices designed for small and mid-sized merchants.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.