New attack trend pushes POS encryption to the fore
Vendors offer new tools to try to help retailers stop data-in-transit thefts
May 20, 2008 12:00 PM ET
Computerworld - The relatively scant attention that retailers have paid to securing their point-of-sale systems over the past few years is making the POS setups increasingly attractive targets for cybercrooks who are looking to steal payment card data.
Hoping to help merchants address that situation are a handful of vendors who have begun offering new products aimed at making POS environments a lot harder to crack.
The biggest of those vendors is VeriFone Holdings Inc., which last month released a security tool designed to let merchants encrypt credit and debit card data from the moment a card is swiped at a merchant's PIN entry device all the way to the systems of the company's external payment processor.
VeriFone's VeriShield Protect software is based on patented technology from Semtek Innovative Solutions Corp., which makes appliances for securely decrypting data. VeriFone said that Semtek's technology, called the Hidden Triple Data Encryption Standard, can be used to encrypt personal account numbers and the so-called Track 2 data stored on the magnetic stripe located on the back of payment cards. That information includes card numbers and their expiration dates.
A key feature in VeriShield Protect is that it encrypts payment card data in such a way that the information will still be recognizable as valid card data by other POS applications, said Jeff Wakefield, vice president of marketing at VeriFone. As a result, merchants won't need to tweak or modify their POS systems in any way to accommodate the encryption technology, he claimed. But at the same time, encrypting the card data will render it totally useless to anyone who steals the information, Wakefield said.
A separate device — which could be installed by either a retailer or its payment processor — then would be used to decrypt the data before transactions are processed.
Merchants using newer models of VeriFone's PIN entry devices can have the encryption function "injected" into them for less than $50 per device in license and service fees, Wakefield said. He added that the vendor doesn't have a published list price for new PIN devices that support the technology, because per-device prices can vary depending on the individual installation.
Meanwhile, the decryption appliances, which are made by Semtek and sold by VeriFone, can cost from $50,000 to upward of a million dollars for high-throughput, fully redundant systems. Larger retailers that want to exercise direct control over all aspects of their payment card transaction process might invest in such systems themselves, Wakefield said. But, he added, most small and midsize merchants will likely look to their payment processors to handle the decryption component.
Hannaford
