
The Green Sheet Online Edition

April 26, 2021 • Issue 21:04:02

Hardware-grade security for digital commerce - Part 2

By Dale S. Laszig

In an age of anywhere and everywhere commerce, POS solutions have evolved from fixed points of sale to moveable touchpoints in stores, apps and online channels. The machines supporting these solutions can be remotely managed, networked and updated, whereas standalone models require hands-on maintenance, repair and replacement. Part 1 of this series explored hardware's role in bringing physical security to digital commerce. Part 2 shares insights from payments leaders about the fundamental mechanics behind secure, compliant transactions.

Experts interviewed herein noted that the POS is moving from payment-centric devices to distributed points of interaction as consumers increasingly transact on personal connected devices, computers, smartphones, tablets and wearables. All agree that security must be integral to design and development of the POS in all its form factors, from wristwatches to refrigerators, even when the commerce piece stays hidden in the background.

Nikki Estes, digital marketing manager at iCheckGateway.com (ICG), a payment technology provider, pointed out that consumers just want fast and simple transactions. "Consumers don't care about back-end technology, where servers are located or how many are in play," she said. "They just want to know that they can pay for things where they are, on the beach or in their cars."

Encryption, tokenization

For decades, payment card readers have encrypted personal identification numbers (PINs) at the point of entry, so that an intercepted PIN block is unintelligible without the key. Those keys are generated, loaded and managed under dual control and split knowledge, so no single person ever handles a complete key. The PCI Security Standards Council (PCI SSC) sets the rules for this in its PCI PIN Security Requirements, which cover both injecting keys into PIN entry devices in secure, dedicated key injection facilities and distributing them remotely using asymmetric (public key) techniques; on the host side, the keys live inside hardware security modules (HSMs). Point-to-point encryption (P2PE) of the full card data is governed by the separate PCI P2PE standard, under which a validated solution encrypts in the card reader and decrypts only inside the solution provider's HSMs.

Tokenization, another way to take sensitive data out of a system, replaces a card number with a surrogate value that is either derived by a cryptographic algorithm or drawn at random and recorded in a token-mapping table (a vault) that only the tokenization provider can consult. Foregenix, a UK-based data security consultancy, noted that both tokenization and encryption are effective ways to remove sensitive data from merchants' scope. The company reviewed a Bluefin solution in Using Bluefin's ShieldConex for Data Protection, a white paper published in March 2021.

"Transmitting, processing and storing sensitive data is a huge risk, and appropriate controls must be identified to reduce the risk to an acceptable level," Foregenix researchers wrote. "If a malicious actor has access to encrypted sensitive data and has no access to the decryption key, the sensitive data is of no value to the attacker. In certain use cases, similar risk reduction with less complexity can be achieved by using data tokens."

Embedded payment pages

Encryption and tokenization are commonly used to protect transactions in PIN pads, ATMs and physical points of interaction. These methods also protect mobile and digital commerce, Foregenix researchers noted, citing iFrame technology as an example.

"An iFrame (or Inline Frame) is a method of seamlessly embedding a web page within another web page - the iFrame becomes a frame for displaying another web page," researchers wrote. "iFrames provide 'sandboxing' to isolate the content of the embedded frame from the parent web page, thus ensuring that information is not accessible or cannot be manipulated through various exploits by malicious individuals."

Ruston Miles, founder and advisor at technology provider Bluefin, noted that ShieldConex uses hosted fields within hidden iFrame technology to capture and encrypt sensitive data. The solution uses the same HSMs as Bluefin's hardware-based PCI-validated P2PE solution. This brings the same standard of encryption and key management to the digital world that merchants and service providers have come to rely on in the physical world, he stated.

"The merchant and consumer are not vulnerable in any way," Miles said. "And if merchants ever want to do anything with the data, they can give it to the payment gateways and processors connected to us, and they'll go off and process it, because they have that special connection to Bluefin behind the scenes to go off and revalue the data."

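One way to wire up a provider-hosted card-entry frame along the lines described above, as an added illustration and not Bluefin's ShieldConex code or ICG's iFrame: the merchant page embeds the frame and accepts only a token back, checking the sender's origin and window before trusting a postMessage, and the hosted page replies to one named merchant origin rather than to any embedder. The origins, the `/fields` path, the `parent` query parameter, the `#card-fields` element, the `/checkout` endpoint and the token format are all assumptions for the example; the two pure functions run under Node.js, the DOM wiring only in a browser.

```javascript
// Added example (not Bluefin's ShieldConex or ICG's code): the message-passing
// contract between a merchant checkout page and a provider-hosted card-entry iframe.
// Origins, paths and parameter names below are hypothetical.
const HOSTED_ORIGIN = 'https://hosted-fields.example';   // provider's iframe origin (assumed)
const MERCHANT_ORIGIN = 'https://shop.example';           // merchant checkout origin (assumed)

// Merchant side: build the iframe URL, passing our own origin so the hosted page
// can address its reply to us specifically instead of using a '*' target.
function buildHostedFieldsUrl(hostedOrigin, merchantOrigin) {
  const url = new URL('/fields', hostedOrigin);
  url.searchParams.set('parent', merchantOrigin);
  return url.toString();
}

// Merchant side: decide whether a 'message' event carries a token we may use.
// The browser's same-origin policy already stops this page from reading the
// iframe's DOM; this check stops any other frame or injected script from
// talking to us over postMessage as if it were the hosted fields.
function acceptTokenMessage(event, { hostedOrigin, expectedSource }) {
  if (event.origin !== hostedOrigin) return null;          // wrong sender origin
  if (expectedSource !== undefined && event.source !== expectedSource) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'token') return null;
  if (typeof data.token !== 'string' || !/^[A-Za-z0-9_-]{16,64}$/.test(data.token)) return null;
  // Defensive: a hosted-fields integration must never hand the parent raw card
  // data. If a message does, refuse it rather than let a PAN land in merchant scope.
  for (const k of Object.keys(data)) {
    if (/^(pan|cardNumber|cvv|cvc)$/i.test(k)) return null;
  }
  return data.token;
}

// Hosted-fields side: which origin goes into postMessage's targetOrigin. Only an
// origin on the provider's allow-list of onboarded merchants is acceptable, so a
// page that embeds the iframe from anywhere else never receives a token.
function replyTargetOrigin(parentParam, allowedMerchants) {
  return allowedMerchants.includes(parentParam) ? parentParam : null;
}

// --- Browser wiring for the merchant page (skipped under Node). ---
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const iframe = document.createElement('iframe');
  iframe.src = buildHostedFieldsUrl(HOSTED_ORIGIN, window.location.origin);
  document.getElementById('card-fields').appendChild(iframe);   // assumed container element

  window.addEventListener('message', (event) => {
    const token = acceptTokenMessage(event, {
      hostedOrigin: HOSTED_ORIGIN,
      expectedSource: iframe.contentWindow,
    });
    if (token === null) return;
    // Only the token reaches the merchant's server; the card number never left the iframe.
    fetch('/checkout', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ paymentToken: token }),
    });
  });
}

// --- Hosted-fields page (served from HOSTED_ORIGIN), after the provider API returns a token:
//   const parent = new URLSearchParams(location.search).get('parent');
//   const target = replyTargetOrigin(parent, ONBOARDED_MERCHANTS);
//   if (target) window.parent.postMessage({ type: 'token', token }, target);
```

Two points a reviewer would check on such an integration: the isolation comes from the browser's same-origin policy between two different origins, not from the iframe `sandbox` attribute, so the hosted fields must actually be served from the provider's origin; and the hosted page should send a `Content-Security-Policy: frame-ancestors` header naming the onboarded merchant origins, so browsers refuse to embed it anywhere else.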
iFrame benefits, methodologies

Estes observed that iFrame offers a secure alternative to managing and storing sensitive data. The company's PCI-compliant, proprietary iFrame encrypts data in transit and at rest in servers around the country, she stated, using the latest industry standards.

"Embedding the iFrame inside a website or application eliminates having any actually keyed and stored financial data on a merchant's servers," Estes said. "Tokenizing the customer's information creates a pathway where only the encrypted token is stored on the merchant's server, not other vital actual payment information. This enables them to store that payment method on file in their system to use for recurring, autopay or one-time transactions without actually storing or transmitting their customers' data on their servers at any point, keeping them out of PCI scope."

Another benefit of iFrame is that it delivers frictionless checkouts without redirecting shoppers to a payment page, Estes stated. Instead, they can check out on the merchant's website within an integrated space that reflects the merchant's color and branding. Channel partners can choose self-hosted, ICG-hosted and semi-integrated iFrame implementation models, she noted.

Estes went on to say that the iFrame solution ranks highly with ISV referral partners who want to control the user experience while staying out of PCI scope. Using the iFrame gives them the desired look and flow, enabling them to maintain a positive user experience while seamlessly integrating ACH and credit cards into their application, she pointed out, adding that these capabilities help ICG partners and clients stay in compliance with standards and rule changes as they are updated.

Software-based, hardware-driven

Justin Pike, founder and chairman of MYPINPAD, a global provider of secure authentication solutions, noted that his service offering is software-based with hardware components. "When the PCI SSC published the software-based PIN entry on commercial off-the-shelf solutions (SPoC) specification in 2018, it enabled payments to be taken on connected devices rather than boxes," Pike said. SPoC has significantly reduced related complexities and costs of payments acceptance, he added.

In a similar way, MYHSM, a former sister company of MYPINPAD, developed a SaaS-based solution for managing hardware security modules. The company was acquired in 2020 by global technology leader Utimaco. Stefan Auerbach, chief executive officer at Utimaco, called MYHSM a leading provider of Payment HSM as a Service.

"Utimaco recently introduced our next-generation high performance HSM platform called u.trust Anchor," Auerbach said. "[The solution] reduces complexity in HSM installations, solves the challenges of cloudifying HSMs and gives cloud service providers and enterprise customers scalability and elasticity to add both payment and general purpose HSM applications/services that usually require different hardware."

Stakeholder benefits

Reflecting on POS technology evolution, Pike mentioned that recent changes are positively impacting stakeholders across the entire commerce value chain. He offered these examples:

  • Consumers: Consumers can use a multifunctional front-end device, such as a smartphone or tablet, to manage payments, which eliminates the need for single-use hardware like a POS terminal. They can also change the PIN on their payment card without having to visit an ATM or bank branch.
  • Payment service providers: PSPs can use MYPINPAD's Contactless Payments on Commercial off-the-shelf (CPoC) solution without attaching a hardware dongle to a device. End-users can tap a card against a smartphone or tablet, which means the PSP will no longer have to subsidize the cost of dongles.
  • Financial institutions: Banks can use MYPINPAD's SDK to integrate the cloud-based CPoC solution into their mobile banking apps. The solution replaces costly infrastructure, such as dedicated servers and computers, which require support by specialists.
  • Business customers: Merchants can use the app for payment acceptance, for example, a tradesperson could accept payment on the job. MYPINPAD provides small and midsize enterprises with a fixed per transaction-based model, which is delivered as-a-service.

Consumer-centric commerce

Miles has seen a paradigm shift in retail and hospitality environments as consumers acclimate to self-directed, contactless payment methods. "Consumers can choose to make an in-app or remote transaction wherever and whenever they want, whether they are at home, on the road or in-person at a store," he said. "The payments industry stands to win big as consumer-centric digital engagement drives acceptance higher with richer experiences that will replace cash with electronic payments."

Pike agreed that flexible, cloud-based systems are transforming the customer experience. Unlike previous checkout scenarios that required consumers to enter a card number, expiration date and CVV, it’s now as simple as pushing a one-time payment terminal to the consumer’s device, he stated. "The consumer taps their own card against their own device, which could be a smartphone, tablet or smart watch, and enters their PIN," he said. "This provides more security and flexibility in the customer experience. And as for how this applies to the IoT and connected commerce, it’s really just the beginning of what is possible."

Miles envisioned a not-too-distant future where refrigerators ping smartphones, using Bluetooth or Wi-Fi, to initiate payment transactions. "Your connected refrigerator connects to an app on your phone to request home delivery from your preferred shopper service," he said. "The payment is completed on your cell phone, using tokens and encryption for security and 3DS for multi-factor authentication. This consumer-centric, contactless, connected-commerce interaction maintains safety, security and convenience for the consumer and all platforms involved."

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.
