Marc Edwards is a Data Systems and Security Engineer for a chain of retail stores, whom I was fortunate to get acquainted with via my amateur astronomy hobby. He and his teenage daughter are avid and highly capable telescope operators. During one of our conversations at the time earlier this year when a major retailer's credit card data breach was in the headlines, Marc explained how the typical point-of-sale (P.O.S.) system works in stores and why the most commonly installed type is so much more vulnerable to intrusion than the newer and much more secure system his company is implementing. It was an amazing story. Rather than my attempting to summarize Marc's explanation, I asked him to write a short article to put in layman's terms what is going on and what is being done to correct it. What follows is a condensed version of what is a very complex topic, but he succeeds in boiling it down to the basics. Thanks Marc!
By Marc Edwards
Most companies won't reveal how they have their security set up. Recently breached retailers have never, and will never, reveal publicly how they were breached. They are required, however, to provide all information on the breach under PCI DSS. The PCI (Payment Card Industry) Security Standards Council is the organization, established by the payment card companies (Visa, MasterCard, Amex, Discover), that sets the required security standards AND enforces them.
It is a non-government body that polices and enforces data security for credit and debit cards. The fines for having a breach are MASSIVE. For example, a retailer that was breached several years ago (the breach that really triggered PCI to "standardize" its fines) was penalized more than $50,000 per DAY for every day the breach was in effect and not found; in that case 540+ days, so $27 million in fines alone, not including lawsuits, judgments and customer reimbursements. Its overall liability for the breach was north of $150 million.
However, the PCI standards leave a lot of wiggle room for retailers to design their networks and security around their needs and budget. As a result some companies go cheap and hope nothing happens; other companies, like mine, see the pattern. Over the next two years we are investing $20 million in data security upgrades and preventive measures. Better to spend $20 million now than $200 million later in fines.
An example of the types of networks
Following is the most common (non-tokenized) network, which roughly 85% of retailers use:
Credit Card Terminal → P.O.S. system → VPN to Corp office Servers → Credit Card Processing Server → VPN to Credit Data Warehouse Collection Service → Bank.
This is the type of system that several of the recently breached retailers had in place. You swipe your credit card (CC) and the data is transferred to the P.O.S. The PIN (personal identification number) pad is nothing more than a second keyboard attached to the register. The card info is encrypted (depending on the pad's age, anywhere from 16-bit to 256-bit), but the fact is the pad is nothing more than a keyboard device. The cashier can also swipe the card on the keyboard, and most retailers require them to key in the last 4 digits of the CC (for most cards the PIN pad only transfers the first 12 digits; the cashier has to enter the last 4). Either way it is playing the part of a keyboard, the data is out in the open on the register, and so it is very easy to place keylogging malware on the P.O.S. to grab the swipe.
The card data is then sent to the corporate office credit card processing server, and at the same time stored on the P.O.S. The server is connected to the Credit Card Data Warehouse, where the approval or decline is processed and returned to the server, then back to the P.O.S. Everything is on the same network and everything passes through the same pipe, so it is very easy to plug in a USB flash drive or drop malware onto the network through some other channel. As with the recently breached retailers, vulnerable installations have one network in their stores, and all the stores, while on different carriers, connect to the same system: the P.O.S. systems share the network with the management computers, the HVAC system, the phone system, etc. They sit on separate VLANs (virtual local area networks), but all on the same primary network; a store in New York City can connect to a store in California to verify inventory through the online system (it can determine whether a specific store has something in stock). So, as I stated to you on the phone, in one recent high-profile attack malware came in through an HVAC vendor's access to the HVAC controls and gave the attackers remote access to everything; it got in at one store in one location, and from there they had complete access network wide. All the registers also have Internet access for cross-store lookups. They should be secured by a proxy and routed through a VPN (virtual private network) and a firewall, but once someone is inside the network that won't matter: the problem is already through the doors and into the infrastructure.
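To make the keyboard-emulation problem concrete, here is an added example (my own illustration, not code from Marc's company or from any real P.O.S. product) of how little work it takes to pull card data out of a keystroke stream that passes through the register in the clear: a track-2 pattern match plus the Luhn check that RAM-scraping malware and data-loss-prevention scanners alike use to separate real card numbers from noise. The keystroke sample is constructed and uses published test card numbers; the track-2 layout (;PAN=YYMM...?) is the standard magnetic-stripe format. The same finder, with output masked, is what a defender would run over memory dumps or logs to prove whether PANs are exposed on a register.

```python
import re

# Constructed sample of what a keyboard-emulating PIN pad feeds the register:
# ordinary keystrokes with magnetic-stripe swipes (track 2) mixed in. The card
# numbers are published test numbers, not real accounts.
SAMPLE_KEYSTROKES = (
    "SKU 048213 QTY 2\n"
    ";4111111111111111=25121011234567890?\n"   # track 2: PAN = expiry(YYMM) service code ...
    "1111\n"                                     # cashier keys the last four
    "TOTAL 42.17 TENDER CREDIT\n"
    ";5500000000000004=26011011000000000?\n"
    "0004\n"
    ";4111111111111112=25121011234567890?\n"   # fails Luhn: noise, ignored
)

# Track 2: start sentinel ';', 13-19 digit PAN, '=' separator, YYMM expiry, rest, '?' end sentinel.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every other digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(data: str) -> list:
    """Return every Luhn-valid swipe found in a keystroke/memory stream."""
    found = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue
        found.append({"pan": pan, "exp": m.group("exp"), "last4": pan[-4:]})
    return found


def mask_pan(pan: str) -> str:
    """First six and last four are what PCI lets you keep visible; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(data: str) -> list:
    """What a defender's scan would log: masked PANs only, never the full number."""
    return ["PAN %s exp %s" % (mask_pan(c["pan"]), c["exp"]) for c in find_track2(data)]


if __name__ == "__main__":
    for line in scan_report(SAMPLE_KEYSTROKES):
        print(line)
```

The point of the Luhn filter is that the attacker does not need to know anything about the register software: a bare regex over whatever the keyboard driver sees, filtered by mod-10, yields clean PAN/expiry pairs and discards the cashier's other typing.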
At this level only an approval or decline is made and a hold is placed against the credit; the charge is not actually processed until the P.O.S. system runs its end-of-day procedures, where all the sales data is compressed and passed up to the corporate system for processing. In most cases that is about 48 hours after you actually bought the item, which is why you may see the charge as "pending" in your online account for the given credit card.
This is the most common system in place, and not just because it is inexpensive (there is only one connection out to the data warehouse; all stores and all registers in the stores are piped through it). Most systems have load-balanced servers (4-10 devices running in redundancy to prevent overload), but they are all piped through the same connection. The other reason is that it is what most companies have had in place since about 2002, when PCI became standardized across all credit cards; before that, each CC company maintained its own policy.
Most of the companies that have been breached are running Windows XP Embedded, a slimmed-down version of XP designed for P.O.S. systems. They have never updated, and I suspect the majority are still running SP1 or even SP0, so the cost and manpower required to update them is massive. Most companies prefer hardware-based intrusion prevention, since one piece of equipment can be put in place to cover hundreds of registers instead of going from device to device and updating.
Since these designs and technology are a decade old, it's easy to see why they are now being targeted. The technology has advanced significantly since 2002; today we have more processing power in a smart phone than we had in a desktop computer in 2002.
A less common practice is tokenization, though under the 2016 PCI standards it will be required, not just an option.
Tokenization works this way:
Credit Card Terminal → CC data sent directly to Data Warehouse via a dedicated phone line or dedicated network line (not a connection shared with the register) → Data Warehouse sends data to bank.
Credit Card Terminal → Token passed from PIN pad to P.O.S. once the transaction is approved (via USB connection, not Ethernet) → Token data along with receipt data sent upstream to corporate office for sales tracking.
The difference here is that the PIN pad or CC terminal has two connections: a direct uplink to the Data Collection Warehouse that processes the payments, and a link to the P.O.S. system. They are two entirely separate connections: phone/network (or dial-out) for the payment, and USB for the token to transfer to the register. The PIN pad is not acting as a keyboard that simply forwards the information; it is a computer in its own right and does all the processing itself. On the P.O.S. side it will only ever pass a token, never CC data, and it doesn't store anything. There are no external ports; the network and USB wiring is internal and hardwired to the register, so nothing can be placed in line between the two devices. A breach is still possible, but it would have to happen upstream at the Data Collection Warehouse; it could not happen in a store with a tokenized CC process, so the store's liability is mitigated. Companies such as First Data take the brunt of the liability, and since they are a bank, their regulations are thousands of times stricter than ours.
The token data is passed upstream to our corporate systems so we can track sales, but we never get any credit card data in our system. A token cannot be reversed or decrypted to give a CC number; it doesn't work that way. The token changes for every transaction, it is never the same twice, and you need several pieces of data to match a token to a given customer/transaction.
Additionally, our CC data passed to First Data is encrypted with 256-bit keys (128-bit is the industry requirement), and so are our tokens.
There are increased costs associated with this setup: additional services, and in our case each of our stores has two phone services, one for the phone line and one for the credit card line, plus an ISP (DSL or T1). The PIN pads are a couple of thousand dollars apiece. The cost to set up a token PIN pad system is nearly double that of a P.O.S. that uses a PIN pad and an OS to encrypt the data.
Our company is about 80% rolled out with tokenization, and we will be at 100% in July 2015, a full year before PCI requires it to be complete.
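As an added illustration (not Marc's company's code, nor any processor's real API), the following models the two-connection flow described above: the terminal talks to the processor over its own link, the processor keeps the token-to-PAN mapping in a vault that only it can read, and the register only ever receives a per-transaction random token plus the last four digits. The transport encryption on the dedicated link and the issuer's approval logic are stood in for by a comment and a size threshold; the random hex token format and the `Processor`, `terminal_swipe`, `checkout` and `contains_pan` names are assumptions made for this example, and the swipe is a constructed track-2 string using a published test card number.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample swipe (track 2, published test PAN, not a real account).
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"


@dataclass
class Processor:
    """Stand-in for the data collection warehouse / payment processor.

    The vault is the only place a token can be mapped back to a PAN. It lives
    upstream of the store; the register never has a path to it.
    """
    vault: dict = field(default_factory=dict)   # token -> (pan, exp), approved sales only

    def authorize(self, pan: str, exp: str, amount_cents: int) -> dict:
        # Card data arrives here over the terminal's dedicated link (assumed to be
        # encrypted in transit), never via the P.O.S.
        approved = amount_cents <= 500_000      # assumed stand-in for the issuer's decision
        token = secrets.token_hex(16)           # fresh random token per transaction,
        while token in self.vault:              # derived from nothing about the card
            token = secrets.token_hex(16)
        if approved:
            self.vault[token] = (pan, exp)      # kept for settlement / later refunds
        return {"approved": approved, "token": token, "last4": pan[-4:]}

    def refund(self, token: str, amount_cents: int) -> bool:
        """Detokenization happens only here, inside the processor, never in the store."""
        return token in self.vault


def terminal_swipe(processor: Processor, track2: str, amount_cents: int) -> dict:
    """The PIN pad: a computer in its own right that parses the swipe itself."""
    pan, _, tail = track2.strip(";?").partition("=")
    result = processor.authorize(pan, tail[:4], amount_cents)
    # This dict is everything that crosses the USB link to the register.
    return {"approved": result["approved"], "token": result["token"], "last4": result["last4"]}


def checkout(processor: Processor, track2: str, items: list, amount_cents: int) -> dict:
    """The register: records the sale with the token for upstream sales tracking."""
    tender = terminal_swipe(processor, track2, amount_cents)
    return {"items": list(items), "amount_cents": amount_cents, "tender": tender}


def contains_pan(record: dict, pan: str) -> bool:
    """Audit helper: does a register-side record carry the full card number anywhere?"""
    return pan in repr(record)


if __name__ == "__main__":
    p = Processor()
    s1 = checkout(p, SAMPLE_TRACK2, ["telescope eyepiece"], 4217)
    s2 = checkout(p, SAMPLE_TRACK2, ["telescope eyepiece"], 4217)
    print("same card, different tokens:", s1["tender"]["token"] != s2["tender"]["token"])
    print("full PAN present on register side:", contains_pan(s1, "4111111111111111"))
```

Two properties of the model are the ones that matter for the store's exposure: a keylogger or memory scraper on the register sees only tokens and last-four digits, and a stolen token is useless to the thief because the only function that maps it back to a card lives at the processor and is tied to the original sale.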
Some of the big retailers are all using similar setups to those recently breached; it is probably only a matter of time before they are breached. To my knowledge, all of them are still on Windows XP.
How do you know whether a store is using PIN pads that emulate keyboards or a token system? That is pretty easy. If the PIN pad transfers your data to the P.O.S., that is, you swipe the card, your payment info populates on the cashier's screen, and the cashier has to accept the CC data and close the sale, they are using keyboard emulators. If it goes the other way, where you see your purchased items and totals on the PIN pad, you swipe the card, and the register closes the sale and prints the receipt without any cashier interaction, chances are they are using a tokenization system.
There are currently only two companies making Tokenization PIN pads:
If you see any PIN pad that is not one of these three models, then they are not sending tokens, they are sending live CC data.
By 2016 there will almost certainly be many more major data breaches. Unfortunately, companies will be very slow to adopt, even more so now that Apple Pay has been released, because it will change how credit-based purchases work if it takes off.
Posted November 21, 2014