Designing Next-Generation Payment Terminals That Meet PCI PTS 3.x Requirements - Maxim
Not recorded
Abstract
Designing enhanced yet secure payment terminals is discussed in this application note. We expose the pitfalls that manufacturers face for PCI-PED PTS certification and explain how they can be addressed and solved by the use of a two-chip architecture based on the MAXQ1850.

This article was also featured in Maxim's Financial Terminals Product Guide, 1st edition (PDF, 2.4MB). A similar version of this article appeared in the March-April 2011 issue of CardsNow! Asia Magazine.

Card-based transactions are soaring, with over 110 billion worldwide in 2009. This expansion has several causes. Increasingly global payment schemes guarantee broad acceptance, and the available technologies and standardization efforts are making transactions more reliable, convenient, and inexpensive for merchants. Perhaps the most important factor, however, in the success of card-based transactions is the growing confidence of cardholders in the payment system, from the initial purchase, to the debit, and beyond.

New Terminals, New Trends

Financial terminals have become the vehicle for delivering a range of new services from payment-products companies. Terminals are no longer simple card-reading machines. They have become sophisticated computing devices capable of performing transactions, managing inventories, and running business applications. This changing role is clearly indicated by the new terminology used to describe terminals: formerly known as point-of-sale (POS) devices, they are now called point-of-interaction (POI) systems.

POI systems must now communicate faster and more easily (e.g., with USB, Ethernet, Wi-Fi®, or Bluetooth®). They must support several concurrent applications and handle a plurality of card types (payment cards, loyalty cards, etc.). Also changed are the conditions of use. POIs must sometimes operate in moist environments, either outside or inside. They are frequently portable and ergonomic, sporting visually appealing form factors that complement the merchant's image.

Widespread reuse of available technologies makes the terminals look and feel like the everyday devices with which we are familiar, such as smartphones, notebooks, and gaming consoles. Modern POIs employ similar design aesthetics, feature rich color displays, use sophisticated touch-screen interfaces, and offer connectivity features that facilitate their integration into information systems. Full exploitation of these hardware technologies enables software reuse as well, from off-the-shelf operating systems to software stacks that allow abstraction of hardware layers. In general, software reuse speeds development, reduces validation risks, and provides faster time to market with lower R&D costs.

Terminal Security

The main difference between POI terminals and consumer electronics (CE) devices is the need for high levels of security. The global deployment of EMV* cards means global threats. Attacks can be executed quickly and globally if appropriate countermeasures are not in place. Furthermore, the expenses incurred in making an attack (in terms of tooling, time spent, etc.) can be higher because the return on investment is higher. For that reason, the largest threat to security is now considered to be crime syndicates.

The interactive features, multiple communication interfaces, and advanced services offered by today's complex financial terminals all serve as potential open doors for attackers. As a response, coordinated efforts have been made to adapt those advanced services to the security levels necessary to ward off attacks. The Payment Card Industry Security Standards Council (PCI SSC) was founded by the major payment-products companies (American Express, JCB, MasterCard, and Visa) to standardize security efforts across the industry. The PCI SSC developed a standard called PIN Transaction Security (PCI PTS) to define the requirements for financial terminal
Similar resources
Designing Next-Generation Payment Terminals That Meet PCI PTS 3.0 Requirements - Maxim
Designing enhanced yet secure payment terminals is discussed in this application note. We expose the pitfalls that manufacturers face for PCI-PED PTS certification and explain how they can be addressed and solved by the use of two-chip architecture, based on the MAXQ1850. This article was also featured in Maxim's Financial Terminals Product Guide, 1st edition (PDF, 2.4MB). A similar version of ...
Designing and Testing a PCI-based Interconnect With Support for Real-Time Data Streams
Computer systems based on the popular Peripheral Component Interconnect (PCI) desktop bus are being used ever more frequently for the manipulation of real-time data. This paper presents the work done by the authors to adapt the PCI bus to meet the strict timing requirements for the transmission of real-time data through the provision of Quality of Service (QoS) guarantees.
Interoperable Mobile Payment - A Requirements-Based Architecture
Existing payment methods like cash and debit/credit card payments are still predominant in our daily lives. Nevertheless, these methods are not well suited for new payment scenarios as for example e-commerce and TV shopping, resulting in increased fraud and high disputes handling costs. Next-generation payment methods must meet technical, user, and business requirements that cover traditional a...
The Next Generation Challenge for Software Defined Radio
Wireless communication for mobile terminals has been a high performance computing challenge. It requires almost super computer performance while consuming very little power. This requirement is being made even more challenging with the move to Fourth Generation (4G) wireless communication. It is projected that by 2010, 4G will be available with data rates from 100Mbps to 1Gbps. These data rates...
Understanding PCI Bus, PCI-Express and InfiniBand Architecture
There is some confusion in the marketplace concerning the replacement of the PCI Bus (Peripheral Components Interface) by either the InfiniBand℠ Architecture (IBA), PCI-Express (formerly 3GIO, Third Generation I/O), or upgrades to the PCI bus itself. Initially the InfiniBand architecture was viewed as the replacement for the PCI bus, yet the PCISIG (PCI Special Interest Group) recently announc...