Guidelines for Designing Secure PCI PED EFT Terminals - Embedded.com


In today's increasingly connected world, financial transactions are under attack. Although online transactions are often cited as security risks, the danger is not limited to online transactions; it includes credit and debit card purchases made at restaurants or brick-and-mortar stores as well.

According to the Wall Street Journal, in a single 33-month period over 87 million credit cards were compromised. That represents billions of dollars in stolen merchandise and lost revenue.

The opportunities for theft and fraud will only continue to grow as electronic funds transfer (EFT) technology grows in popularity. In today's retail marketplace, for example, this electronic funds transfer technology touches the life of every consumer.

You'll find it in credit card processors, multi-lane grocery stores and retailers, hotels, restaurants, taxis, high-value vending machines, banks and internet commerce. According to market analyst firm Frost & Sullivan (2007), a number of trends are driving the increasing need for security in EFT, or, as they are also called, point of sale (POS), terminals.

These trends include the rise of wireless technology, the growing popularity of loyalty/gift cards, the increasing use of broadband (TCP/IP) technology, the adoption of contactless card payment in the quick-service restaurant industry, the rising use of online debit (with PIN) applications and the increasingly rapid adoption of EFT systems beyond the traditional retail market and into vertical markets such as healthcare and the electronic payment of government benefits.

With the ever-increasing risk of fraud from savvy, high-tech hackers, there is no doubt that higher levels of security are needed at EFT terminals and other secure payment devices such as ATMs, unattended kiosks, smart vending machines and, increasingly, mobile phones. The same risks are also present in securing personal information.

Recent headlines point to security breaches in the area of health records, social security numbers and other types of private information. As consumers and businesses become increasingly concerned about the security of both their financial transactions and their private information, it will be imperative to ensure security across an increasingly wide range of connected devices.

But with higher security comes higher costs. Frost & Sullivan reports that new security requirements, increased legislative activity and the need to introduce new technologies to remain competitive are all driving up the cost of competing in the secure payment industry. At the same time, many emerging, high-volume EFT terminal markets, such as Brazil, Central Europe, China, and India, are exerting downward pressure on EFT terminal prices.

As a result, EFT terminal manufacturers are faced with the challenge of maintaining a high level of security while keeping system costs in check in order to meet the cost structures in emerging markets. This situation results in an extremely competitive market where EFT device manufacturers are seeking to gain market share by offering software add-ons, better customer support and highly customized products.

This article reviews some of the design choices and design techniques that EFT terminal manufacturers can use to meet the challenge of developing highly secure, cost-effective, PCI PED-certified terminals.

Increased Security vs. Increased Cost
Maintaining security, whether it is for a physical site, such as a bank vault, or an electronic device, such as an EFT terminal, has always been a race between those doing the protecting and those trying to break in.

With the advent of computer-based encryption and security systems, this race has accelerated, essentially following the pace of high-technology advancements. In addition, as more and more financial institutions offer direct access to their merchant services, the potential for costly breaches involving electronic theft and fraud has grown exponentially. As a result, there is a rapidly growing need for electronic security systems with ever higher levels of sophistication.

The payment industry has responded to this need by establishing stricter security standards designed to make penetrating secure transaction systems, such as EFT terminals, so difficult and complex as to be cost-prohibitive for the criminal. After all, for a thief, if the ROI of a crime is too low, it's not worth the cost and risk.

Naturally, while every financial institution wants the highest level of security possible, it has to weigh the risk of a security breach against what it can afford to pay for the optimal secure payment system. This is especially true in developing countries, which also offer some of the largest opportunities for growth for secure payment applications.

Meeting Today's Secure Transaction Threats
Secure payment systems face three common forms of attack today: physical, environmental and fraud. Physical attacks involve actually opening the system to access the memory to steal critical data, such as encryption keys and PINs, as well as debit and credit card numbers.

Environmental attacks involve tampering with the temperature, power or frequency in such a way as to cause a security glitch to occur that allows the attacker to steal data. Fraudulent attacks involve stealing terminals, tampering with the innards to install a trace capability, replacing the terminal and then using the compromised appliance to capture data remotely.

Figure 1. Three Common Forms of Attack

For a secure payment system to meet the requirements of today's market, it must be secure against all these forms of attack. It also needs to be able to process transactions quickly, must be easy to use, must have a flexible communications capability, and ideally, it should be able to take advantage of new multimedia technologies and applications.

In order to deliver such capabilities, it must include a robust security subsystem and a high-performance microprocessor, support multiple card readers, provide LCD screen support and offer a variety of communications options.

Cost-Effectively Meeting the PCI PED Specification
The Payment Card Industry PIN Entry Device (PCI PED) specification, developed by VISA and MasterCard, is the latest security specification for EFT terminals, and is designed to secure the PIN information stored in a terminal from theft by hackers.

In order to cost-effectively deliver products meeting this specification, manufacturers of next-generation EFT terminals need to take into account microprocessor and operating system considerations, internal vs. external memory needs, secure key storage and erasure requirements, battery life vs. tamper sensor trade-offs, switch and mesh design, chip package and pin-out selection, PCB layout guidelines, and whether to use a chip set or system-on-chip (SoC).

While there are many microprocessors available for use in security systems, the industry has standardized around the ARM processor, which offers the MIPS required to handle the increased requirements of the PCI PED standard at a reasonable cost. Using an ARM processor also ensures compatibility with other ARM-based security systems and offers an established migration path for future security upgrades.

Ideally, the processor should include a dual-bus architecture. Typically, the secondary bus pins are located in the center of the processor's package (usually a ball grid array) for increased security. The primary bus is used to contact the security system's main memory, while the secondary bus is used only to contact the system's secure memory block where PIN information is stored.

This secure information is typically located in an external memory device. The use of an external primary memory device, as opposed to one embedded in the processor, enables the EFT terminal manufacturer to offer more memory for a lower cost. It is also recommended that the operating system be one such as Linux or Windows that is widely used and compatible with other secure transaction systems.

Requests for data stored in the external memory must be authenticated using an encrypted key, which should be a minimum of 2,048 bits long to ensure the desired level of security.

Once the request is authenticated, the secure information is sent to an embedded SRAM block inside the processor where the information is processed. In the case of a detected intrusion, the system should actively erase all sensitive data stored in both the internal and external memory. The use of an authentication system, a secure bus and an external memory device combine to increase the cost of any attack on the system.

Most EFT terminals include a number of sensors designed to detect any attempts at physical intrusion. These typically include temperature, voltage and frequency sensors that are turned on at pre-set intervals to determine if an intrusion attempt is being made.

Sensor readings are generally recorded in an SRAM-based tamper log designed to allow investigators to determine the type of break-in attempted. The encryption key is loaded, and the SRAM and sensors are operational, from the time the terminal is completed; they are powered by a battery until the system is installed and connected to an external power source.

As a result, terminal designers must take into consideration the length of the battery life and the frequency and duration of the sensor checks to ensure critical operating data is not lost before the terminal is installed.
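The following is an added example, not code from the article or from ZiLOG, that ties together the detect-then-erase behaviour described for the intrusion case above and the battery-life versus sensor-check trade-off described in this passage. It models the firmware side of a tamper monitor: a periodic check of the temperature, voltage and frequency sensors against an operating envelope, an SRAM-resident tamper log written before the keys are erased, an active erase with read-back verification, and a shelf-life calculation that shows what a tighter check interval costs in battery hours. All thresholds, currents and sensor readings are constructed values chosen for illustration; the envelope limits are assumptions, not PCI PED figures.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Sensor classes the article names: temperature, voltage and frequency. */
typedef enum { TAMPER_NONE = 0, TAMPER_TEMP, TAMPER_VOLTAGE, TAMPER_FREQ } tamper_t;

/* One reading from the three environmental sensors. */
typedef struct { int16_t temp_c; uint16_t vdd_mv; uint32_t clk_hz; } sample_t;

/* Hypothetical operating envelope: assumed values, not PCI PED limits. */
#define TEMP_MIN_C      (-20)
#define TEMP_MAX_C      85
#define VDD_MIN_MV      2700u
#define VDD_MAX_MV      3600u
#define CLK_NOMINAL_HZ  32768u
#define CLK_TOL_HZ      1000u

/* Classify a reading; the first sensor found outside its envelope is reported. */
tamper_t classify_sample(const sample_t *s)
{
    if (s->temp_c < TEMP_MIN_C || s->temp_c > TEMP_MAX_C) return TAMPER_TEMP;
    if (s->vdd_mv < VDD_MIN_MV || s->vdd_mv > VDD_MAX_MV) return TAMPER_VOLTAGE;
    if (s->clk_hz < CLK_NOMINAL_HZ - CLK_TOL_HZ ||
        s->clk_hz > CLK_NOMINAL_HZ + CLK_TOL_HZ) return TAMPER_FREQ;
    return TAMPER_NONE;
}

/* Scalar wrapper for hand-written sampling loops and tests. */
tamper_t classify(int16_t temp_c, uint16_t vdd_mv, uint32_t clk_hz)
{
    sample_t s = { temp_c, vdd_mv, clk_hz };
    return classify_sample(&s);
}

/* Battery-backed SRAM tamper log: a small ring buffer (oldest entry overwritten
 * first) so investigators can read back which sensor tripped and what it saw. */
#define LOG_ENTRIES 8
typedef struct { uint32_t tick; tamper_t kind; sample_t sample; } log_entry_t;
typedef struct { log_entry_t e[LOG_ENTRIES]; uint8_t head; uint8_t count; } tamper_log_t;

static void log_event(tamper_log_t *tl, uint32_t tick, tamper_t kind, const sample_t *s)
{
    tl->e[tl->head].tick = tick;
    tl->e[tl->head].kind = kind;
    tl->e[tl->head].sample = *s;
    tl->head = (uint8_t)((tl->head + 1u) % LOG_ENTRIES);
    if (tl->count < LOG_ENTRIES) tl->count++;
}

/* Key material held in internal SRAM and mirrored in external memory. */
typedef struct { uint8_t int_key[32]; uint8_t ext_key[32]; bool keys_valid; } key_store_t;

/* Active erase: volatile writes so the compiler cannot drop the wipe as a dead
 * store, followed by a read-back so the firmware knows the erase really landed. */
bool zeroize(volatile uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) buf[i] = 0;
    for (size_t i = 0; i < len; i++) if (buf[i] != 0) return false;
    return true;
}

/* One scheduled sensor check. On detection the event is logged first, so the
 * forensic record survives, and then every copy of the key is erased. */
tamper_t monitor_step(uint32_t tick, const sample_t *s, tamper_log_t *tl, key_store_t *ks)
{
    tamper_t kind = classify_sample(s);
    if (kind != TAMPER_NONE) {
        log_event(tl, tick, kind, s);
        ks->keys_valid = false;
        zeroize(ks->int_key, sizeof ks->int_key);
        zeroize(ks->ext_key, sizeof ks->ext_key);
    }
    return kind;
}

/* Shelf life in hours for a battery of capacity_mah: sleep current in uA, current
 * while the sensors are powered in mA, check duration in ms, check interval in s. */
double battery_hours(double capacity_mah, double sleep_ua, double sense_ma,
                     double sense_ms, double interval_s)
{
    double duty   = (sense_ms / 1000.0) / interval_s;
    double avg_ma = sleep_ua / 1000.0 + sense_ma * duty;
    return capacity_mah / avg_ma;
}

/* Constructed scenario: two nominal checks, then Vdd pulled down to 1.8 V.
 * Returns the log count if the keys were erased and invalidated, -1 otherwise. */
int run_glitch_scenario(void)
{
    tamper_log_t tl = {0};
    key_store_t  ks = {0};
    for (size_t i = 0; i < sizeof ks.int_key; i++) { ks.int_key[i] = 0xA5; ks.ext_key[i] = 0x5A; }
    ks.keys_valid = true;
    sample_t seq[3] = { {25, 3300, 32768u}, {26, 3290, 32770u}, {26, 1800, 32770u} };
    for (uint32_t tick = 0; tick < 3; tick++) monitor_step(tick, &seq[tick], &tl, &ks);
    if (ks.keys_valid) return -1;
    for (size_t i = 0; i < sizeof ks.int_key; i++)
        if (ks.int_key[i] != 0 || ks.ext_key[i] != 0) return -1;
    return (int)tl.count;
}
```

With the constructed figures (1000 mAh cell, 5 uA sleep, 2 mA during a 10 ms check) a 60 s interval gives roughly 187,500 hours of shelf life, while checking every second cuts that to about 40,000 hours; the interval is therefore the knob that trades detection latency against the time a finished terminal can sit in inventory before its keys are lost.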

The PCI PED specification also includes guidelines for PCB layout. These include the use of a wire mesh that protects the top and bottom of the processor package, enabling tamper detection circuits that monitor shorts, opens and resistive changes.

At the same time, normally closed mechanical and keypad switches can detect attempts to open the terminal case or lift the keypad membrane. Keypad traces are typically routed through the wire mesh to prevent tapping and to eliminate the need for attack-prone ribbon cables.

In addition, the secondary secure bus is usually routed through the inner layer of the board, while the external memory is located under the wire mesh, as are the processor and the battery.
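The following is an added example, not code from the article or from ZiLOG, showing how the tamper-detection circuit described above would be evaluated in firmware: each mesh trace is measured against a baseline recorded at commissioning and classified as short, open, or resistive drift, and the normally closed case and keypad switches are read as a bitmask with a two-sample agreement rule so a single noisy read does not trip the terminal. The ohm thresholds, drift tolerance, switch bit assignments and readings are constructed values for a hypothetical mesh; real values come from the specific mesh geometry and sense circuit.

```c
#include <stdint.h>
#include <stddef.h>

/* Tamper reasons as a bitmask, so one scan can report several at once. */
#define TAMPER_MESH_SHORT   (1u << 0)   /* a mesh trace bridged to a neighbour or ground */
#define TAMPER_MESH_OPEN    (1u << 1)   /* a mesh trace cut, e.g. drilled or milled through */
#define TAMPER_MESH_DRIFT   (1u << 2)   /* resistance moved away from its commissioned baseline */
#define TAMPER_SWITCH_OPEN  (1u << 3)   /* a normally closed case/keypad switch has opened */

/* Assumed detection thresholds for a hypothetical mesh trace (constructed values). */
#define MESH_SHORT_OHMS   50u
#define MESH_OPEN_OHMS    100000u
#define MESH_DRIFT_PCT    15u

/* Classify one mesh trace against the baseline resistance measured at commissioning. */
uint32_t mesh_classify(uint32_t baseline_ohms, uint32_t reading_ohms)
{
    if (reading_ohms < MESH_SHORT_OHMS) return TAMPER_MESH_SHORT;
    if (reading_ohms > MESH_OPEN_OHMS)  return TAMPER_MESH_OPEN;
    uint32_t delta = reading_ohms > baseline_ohms ? reading_ohms - baseline_ohms
                                                  : baseline_ohms - reading_ohms;
    /* Integer percentage test without division: delta/baseline > PCT/100. */
    if (delta * 100u > baseline_ohms * MESH_DRIFT_PCT) return TAMPER_MESH_DRIFT;
    return 0;
}

/* Normally closed switches read 0 while the case is shut; a 1 bit means the
 * contact has opened. A bit counts only when two consecutive raw samples agree,
 * which filters one noisy read without masking a sustained opening. */
uint8_t switches_tripped(uint8_t prev_raw, uint8_t cur_raw)
{
    return (uint8_t)(prev_raw & cur_raw);
}

/* Full scan: n mesh traces plus the debounced switch inputs. Returns the OR of reasons;
 * a non-zero result is what would trigger the key erase. */
uint32_t tamper_scan(const uint32_t *baseline, const uint32_t *reading, size_t n,
                     uint8_t sw_prev_raw, uint8_t sw_cur_raw)
{
    uint32_t reasons = 0;
    for (size_t i = 0; i < n; i++) reasons |= mesh_classify(baseline[i], reading[i]);
    if (switches_tripped(sw_prev_raw, sw_cur_raw)) reasons |= TAMPER_SWITCH_OPEN;
    return reasons;
}

/* Worked scan over constructed readings: trace 0 intact, trace 1 cut, trace 2
 * drifting 30 percent, and the keypad-membrane switch (bit 1) open in both samples. */
uint32_t demo_scan(void)
{
    static const uint32_t baseline[3] = { 1000u, 1000u, 1000u };
    static const uint32_t reading[3]  = { 1020u, 250000u, 1300u };
    return tamper_scan(baseline, reading, 3, 0x02u, 0x02u);
}
```

The drift class is the one that deserves tuning in practice: a tolerance wide enough to ride through temperature-driven resistance changes over the shelf-life period, yet tight enough that a bypass wire soldered across a trace still shows up as a step change from the commissioned baseline.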

It's also recommended that a BGA package be used for devices in security systems. The BGA package helps prevent the probing of the inner pins used for the secure bus and provides protective metal shielding over the device to prevent probing via X-rays.

Advantages of a Single System on a Chip Solution
There are currently two different solutions available today. One is a two-chip solution using a general processor and a secondary security co-processor. The other is a fully integrated application-specific system on a chip (SoC) solution.

An SoC approach offers several advantages over a two-chip security solution. As an integrated solution it is fully optimized to deliver on both performance and security requirements in a smaller footprint, while also helping to reduce potential avenues for intrusion. Consequently it results in a lower overall system cost.

For an SoC to meet the needs of the PCI PED specification, it must include an on-board security island where security keys are stored, as well as temperature, voltage and frequency sensors to detect various means of intrusion.

If an intrusion attempt is detected it must be able to erase all sensitive information via a hardware-based memory erase that is faster and more reliable than the traditional microcontroller-based erase procedure. It should also include a communication pipe to send credit card information and the PIN for verification.

This helps to reduce system costs by eliminating one of the two chips normally required for this function. It should also be able to read either smart cards or those using magnetic stripes.

While the right hardware is critical to the success of an EFT terminal design, it doesn't, by itself, offer the system developer a complete solution. In addition to the right secure hardware, a full software environment, including on- and off-chip drivers and an easily ported Linux operating system, is needed.

ZiLOG, for example, offers a secure-transaction-specific reference design kit, as well as a robust suite of ARM design tools, enabling developers to quickly and cost-effectively bring their EFT devices to market.

Conclusion
The growth in fraud and identity theft has been one of the unfortunate downsides of an increasingly connected financial services industry. The result is a need for increased security for secure transaction applications such as EFT terminals and the introduction of the PCI PED standard by VISA and MasterCard.

Increased security, however, increases cost. EFT terminal manufacturers wishing to penetrate the growing secure payment markets in developing countries must be able to deliver competitively priced solutions that can meet these new security requirements.

Consequently, EFT terminal manufacturers must make careful design decisions if they are to meet the equally important, but not necessarily compatible, requirements of high security and low system cost. An optimal solution includes an ARM processor, an external secure memory, and secure key storage and erasure capabilities. It also includes mesh wire and switch security measures as well as the latest in secure packaging and PCB layout.

While both multi-chip and single-chip solutions that meet these requirements are available, single-chip solutions offer the benefits of lower overall system cost, simplified design, reduced time to market, and minimal potential intrusion routes.

This article has focused on the EFT terminal market. As consumers and businesses continue to embrace the digital age, however, the number of connected devices will continue to grow, and this growth will present the electronics industry with an opportunity to expand the capabilities of these devices to include secure payment and secure information transfer and storage. This in turn will drive the need for a high level of security to be built into a wide range of devices beyond EFT terminals.

Steve Pope is Director of Applications Engineering; Ray Chock is Vice President, Strategic Architecture; and Michelle Leyden Li is Director, Marketing and Strategic Planning, Zilog, Inc., where she is responsible for the new ZA9L, the first in a series of 32-bit, ARM-based ASSPs focused on the security transactions market.
