New attack trend pushes POS encryption to the fore

Vendors offer new tools to try to help retailers stop data-in-transit thefts

The relatively scant attention that retailers have paid to securing their point-of-sale systems over the past few years is making POS setups increasingly attractive targets for cybercrooks looking to steal payment card data.

Hoping to help merchants address that situation are a handful of vendors who have begun offering new products aimed at making POS environments a lot harder to crack.

The biggest of those vendors is VeriFone Holdings, which last month released a security tool designed to let merchants encrypt credit and debit card data from the moment a card is swiped at a merchant's PIN entry device all the way to the systems of the company's external payment processor.

VeriFone's VeriShield Protect software is based on patented technology from Semtek Innovative Solutions, which makes appliances for securely decrypting data. VeriFone said that Semtek's technology, called the Hidden Triple Data Encryption Standard (H-TDES), can be used to encrypt personal account numbers and the so-called Track 2 data stored on the magnetic stripe located on the back of payment cards. That information includes card numbers and their expiration dates.

A key feature in VeriShield Protect is that it encrypts payment card data in such a way that the information will still be recognizable as valid card data by other POS applications, said Jeff Wakefield, vice president of marketing at VeriFone. As a result, merchants won't need to tweak or modify their POS systems in any way to accommodate the encryption technology, he claimed. But at the same time, encrypting the card data will render it totally useless to anyone who steals the information, Wakefield said.

A separate device -- which could be installed by either a retailer or its payment processor -- then would be used to decrypt the data before transactions are processed.

Merchants using newer models of VeriFone's PIN entry devices can have the encryption function "injected" into them for less than US$50 per device in license and service fees, Wakefield said. He added that the vendor doesn't have a published list price for new PIN devices that support the technology, because per-device prices can vary depending on the individual installation.

Meanwhile, the decryption appliances, which are made by Semtek and sold by VeriFone, can cost from US$50,000 to upwards of a million dollars for high-throughput, fully redundant systems. Larger retailers that want to exercise direct control over all aspects of their payment card transaction process might invest in such systems themselves, Wakefield said. But, he added, most small and midsize merchants likely will look to their payment processors to handle the decryption component.

Another company targeting the POS security market is Merchant Warehouse, a credit card processing firm that provides services to about 50,000 retailers, most of them small or midsize. The company offers a product called MerchantWare, which like VeriFone's technology is designed to enable merchants to encrypt card data from the beginning to the end of the sales and payment process.

While VeriShield Protect is focused on the PIN pad devices that are used by customers themselves to swipe their cards, Merchant Warehouse CEO Henry Helgson said that MerchantWare is aimed more at POS systems in which cards need to be handed over to a cashier.

MerchantWare is based on technology from MagTek, a rival of Semtek. Like VeriShield Protect, MagTek's product encrypts data at the card reader. But integrating the technology into existing environments does require "minimal" updates to a company's POS software, Helgson said.
