PCI Council wants upgradeable credit card readers ... next year

The Payment Card Industry Security Standards Council (PCI Council) has floated a new standard it hopes will reduce credit card fraud that starts at the point of sale, in part by allowing easier upgrades. The new version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements …

  1. Long John Brass

    Why not ask the l33t h4x0rs

    They seem to be able to upgrade this kind of kit at will :/

    1. Mark 85

      Re: Why not ask the l33t h4x0rs

      Maybe they did? I'm guessing there's more money to be made via black hat work than white hat work.

      As a side note, that "anti-tamper" part seems like it'll end up being an armored box which will cost a lot more than the plastic and sheet metal units around now. Retailers probably won't be lining up if they cost a lot more.

      As for the US, most places I've visited have some duct tape (gaffer's) over the slot for the chipped card with a sign that says it's not working..... yet. I'm betting there's a cost for that they don't want to pay.

      1. Charles 9

        Re: Why not ask the l33t h4x0rs

        Problem is, if a hack's traced back to them, THEY foot the bill.

      2. Anonymous Coward

        Re: Why not ask the l33t h4x0rs

        Not really, they have anti-tamper at the moment. It doesn't mean you have to armour them. All it means is that they must detect tampering and kill the machine and data.

        It can be a PITA as they are quite sensitive, a smallish knock and they can go into tamper mode and you have to send the device back at a cost.

        I can only think McDonald's drive-thru had special terminals made without the sensitive anti-tampering on them as they get knocked around a lot.

        1. Anonymous Coward

          Re: Why not ask the l33t h4x0rs

          McDonald's drive-thru terminals are stock - to make them "special" would cost hundreds of thousands in extra certification costs alone.

          AC as someone on the inside.

          1. Anonymous Coward

            Re: Why not ask the l33t h4x0rs

            Maybe they have had a number of issues with the tamper alarm then?

            I see that they now sometimes put them in a holder outside the window, although the weather seems to stop them using it very much. They also have an arm attached to the PDQ so that the operator can hold it while the card is used, possibly due to customers dropping it. Just theorising; they just seem to be more robust than our units.

  2. ecarlseen

    Costs are about to go up significantly.

    The tamper-resistance measures will both increase the manufacturing costs significantly, and make the devices more or less impossible to repair. It seems to me that a better solution would be to accelerate the move to NFC token-based payment methods (Apple Pay, etc.) where the amount of trust placed on the readers is substantially reduced or the NFC hardware can be integrated into the POS terminal and the reader eliminated completely. Most communication between POS terminal and card readers these days is *still* over RS232 serial (occasionally with USB emulation of RS232 serial), which is quite possibly the easiest standard on earth to intercept / tamper with.

    1. Steve Davies 3 Silver badge

      Re: Costs are about to go up significantly.

      Making the units tamper proof is a good move. Making them sealed units that are swappable seems to be the way to go. No in-situ firmware upgrades, just swap the old one out for a replacement and ship the old one back to the supplier who will refurb it and upgrade the firmware. A secure process to bring them online again is probably the missing link.

      There is technology available to make this secure but anything that is done is still vulnerable to insiders.

      The Hardware Security Modules that are used to generate PINs etc. are already designed to be tamper proof yet are able to have the keys updated if proper procedure is followed. These devices are kept in very secure places so tampering is generally not a problem.
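Added illustration, not part of Steve Davies 3's comment and not taken from any PCI or vendor document, of the kind of "secure process to bring them online again" the comment refers to: a refurbished reader only accepts a firmware package whose manifest authenticates under a key held in its secure element, whose image matches the manifest's hash, and whose version is newer than the one installed (so a genuine but old, already-broken build cannot be re-loaded). Everything here is assumed for the example: the per-device key is a constructed value, and an HMAC stands in for the asymmetric signature a real supplier would use so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed, hypothetical update key. A real terminal would hold its key in a
# secure element and the supplier's copy would live in an HSM, as the comment notes.
DEVICE_UPDATE_KEY = b"example-per-device-update-key-32-bytes!!"


def build_update(key: bytes, image: bytes, version: int) -> dict:
    """Supplier side: package a firmware image with an authenticated manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"manifest": manifest_bytes, "tag": tag, "image": image}


class Terminal:
    """Minimal model of a reader's update logic with an anti-rollback counter."""

    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version
        self.image = None

    def apply_update(self, package: dict) -> str:
        manifest_bytes = package["manifest"]
        expected_tag = hmac.new(self.key, manifest_bytes, hashlib.sha256).hexdigest()
        # Constant-time compare: a forged manifest is rejected before anything in it is trusted.
        if not hmac.compare_digest(expected_tag, package["tag"]):
            return "rejected: bad manifest tag"
        manifest = json.loads(manifest_bytes)
        # The authenticated manifest carries the version, so a replayed old package fails here.
        if manifest["version"] <= self.installed_version:
            return "rejected: rollback"
        # Only now bind the image to the manifest; a swapped image fails this check.
        if hashlib.sha256(package["image"]).hexdigest() != manifest["sha256"]:
            return "rejected: image hash mismatch"
        self.image = package["image"]
        self.installed_version = manifest["version"]
        return "installed"


def demo() -> list:
    """Run the four scenarios a refurb process has to get right and return the outcomes."""
    results = []
    terminal = Terminal(DEVICE_UPDATE_KEY, installed_version=5)

    good = build_update(DEVICE_UPDATE_KEY, b"firmware-v6", 6)

    # 1. Genuine manifest, but the image was swapped after packaging.
    tampered = dict(good)
    tampered["image"] = b"firmware-v6-modified"
    results.append(terminal.apply_update(tampered))

    # 2. Manifest built with a key the supplier never issued.
    forged = build_update(b"not-the-device-key", b"rogue-firmware", 7)
    results.append(terminal.apply_update(forged))

    # 3. The genuine package installs.
    results.append(terminal.apply_update(good))

    # 4. A genuine but older package is replayed and is refused.
    stale = build_update(DEVICE_UPDATE_KEY, b"firmware-v4", 4)
    results.append(terminal.apply_update(stale))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks is the point: the tag is verified before any field of the manifest is read, and the version is compared before the (comparatively large) image is hashed, so the terminal never acts on data it has not yet authenticated.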

    2. Anonymous Coward

      Re: Costs are about to go up significantly.

      " NFC hardware can be integrated into the POS terminal and the reader eliminated completely. Most communication between POS terminal and card readers these days is *still* over RS232 serial (occasionally with USB emulation of RS232 serial),"

      The move with POS has been taking the card system payments out of the POS completely. POS is insecure (see past ElReg articles). The whole point of a non-integrated reader is that it can be made very secure, running minimal software (attack vectors) to an ever evolving security standard and built by specialists.

      POS is built by standard programmers who are looking to push more features into a dull product in a crowded marketplace and don't work to the highest security standards, and many are inherently insecure.

      Also, there aren't many C&P devices that communicate directly with the POS anymore. Legacy, non-compliant stuff might but almost everyone else runs the readers direct over IP (cabled, bluetooth or wireless). The communication is then done directly to the PSP, with the POS triggering the communication and receiving the payment status.

  3. Christian Berger

    Why don't they simply have a socketed ROM?

    I mean that would solve the problems of firmware updates, you simply send in your device to the manufacturer, they will break the seal, change the ROM, seal it again and send it back.

    1. Anonymous Coward

      Re: Why don't they simply have a socketed ROM?

      Because your local criminal group could just break the seal, change the ROM and then reseal it.

      1. Charles 9

        Re: Why don't they simply have a socketed ROM?

        The seals are tamper-evident and only held by the manufacturer. You'd need an insider to have an identical seal.

        1. Anonymous Coward

          Re: Why don't they simply have a socketed ROM?

          "The seals are tamper-evident and only held by the manufacturer"

          No one would know if you used a different one. In many places the wording on the PDQ screen changes when rogue operators swap them out and no-one realises.

          Restaurant staff have more important things to worry about (like being able to afford next month's rent) than checking for fraudulent seals.

          1. Charles 9

            Re: Why don't they simply have a socketed ROM?

            "Restaurant staff have more important things to worry about (like being able to afford next month's rent) than checking for fraudulent seals."

            Except if the hack is traced back to them and their seals are found to be wrong, THEY get the blame AND the bill. Forget next month's rent at that point...

        2. SImon Hobson Bronze badge

          Re: Why don't they simply have a socketed ROM?

          You'd need an insider to have an identical seal.

          You'd need a quick call to Taiwan* to have an identical seal.

          There, fixed it for you. Thing is, things like seals and stuff - the fakers can have the fakes out before the genuine ones are in use if they have any incentive to do so.

          * Or wherever the favoured "we make anything you want, no questions asked" places are these days.

  4. Ken Moorhouse Silver badge

    Upgradeable by whom?

    We have already seen hackers talk their way into bank branches themselves and replace equipment under the noses of bank staff.

    Anecdote concerning the Paying-In machines where you get a scanned copy of the lodged receipts:-

    Once I got a receipt which showed it was issued by a branch other than the one printed on the receipt. The credit failed to appear on my balance the following day either. Complained to the bank who sorted it out, but let's face it:-

    For every security measure put in place, there is a possible counter-measure available. It is a case of reducing the probability that such a vulnerability is exploited. No system is flaw-proof.

  5. allthecoolshortnamesweretaken

    Sometimes I think that we are working? moving? steadily towards the point where the safest and most convenient method of payment will be *drumroll* cash. Again.

    1. Baldy50

      Although there is still a degree of counterfeiting of bank notes, the amount of money generated from digital crimes is far greater. If everybody started using cash for most transactions again, more fake bills would be produced as it would become more profitable again.

      I do mainly use cash and will drive reasonable distances to use cash. If you have an account just for online purchases with only enough in it for the purchase in question, you feel safer than giving out your current account information.

      We've discussed a similar issue before and the use of a special card just for using online; if you could top it up anywhere (ATMs, shops, garages etc.) like a gas or electricity card, I'd use one.

  6. Anonymous Coward

    Firmware upgrades

    The issue is, will this require re-certifying, and by which organisations?

    At the moment the terminal manufacturer makes a terminal, your PSP has to create software for that terminal, this then needs to be certified for use for every merchant services company that you may wish to use.

    This all takes a long time (18 months to 2 years is quite normal) and restricts your choice quite a lot. If you had to recertify for every firmware update then it would be pointless. Hopefully the update would be to the core terminal firmware that doesn't interact with the PSP layer.

  7. stuw

    Disposable credit cards

    @Baldy50 - like paysafecard, 3v vouchercards, (other competitors may exist) or (adding slightly more complexity) bitcoin wallets?

    1. Charles 9

      Re: Disposable credit cards

      Many places won't take ephemeral cards because they know they can be easily associated with money laundering. Even gift cards are iffy, as online retailers like Amazon and PayPal have in the past rejected their use in online transactions. The retailers want to see REAL cards, with a real name, real mailing address, and usually something backing it up like a bank or an employer.

  8. Karlis 1

    Fuzznugets!

    Ah, throwing technology at the wall to solve:

    * Slow deployment of Chip&Pin due to resistance from retailers because of fees.

    * "Securing" end terminals when all the recent major breaches have targeted insecure back offices of large companies non-compliant with even a tenth of existing PCI standards.

    * "Hardening" POS devices when the common way to skim the card at the restaurant is to snap a photo of it.

    I'm not impressed. As much as I'd like to be a leet hax0r breaking into the shops at night with a drill bit to replace the firmware on the two dented card readers, I'll stick to sending funny cat videos to corporate office beancounter staff. Actually enforcing PCI DSS and having consequences for ignoring it would be a far, far bigger result than preventing me from targeting a grocery store where customers have maybe $10 left on their accounts to nick.

    1. Charles 9

      Re: Fuzznugets!

      "Actually enforcing PCI DSS and having consequences for ignoring it would be a far, far bigger result than preventing me from targeting a grocery store where customers have maybe $10 left on their accounts to nick."

      As I understand it, there ARE consequences in place since the beginning of this year. If there's a hack traced to you and you're not EMV compliant, YOU get to foot the bill. Many that don't use it are either in the middle of the lengthy software certification process or are gambling: putting off the upfront costs in hopes they don't get stung.

      1. Gene Cash Silver badge

        Re: Fuzznugets!

        > YOU get to foot the bill

        At the moment, that doesn't seem to be a deterrent. It seems to me that most companies look at the costs and decide security isn't important enough to pay for. And I don't see any of them really getting fined or having any reputation issues, so they keep going.

        1. Charles 9

          Re: Fuzznugets!

          "At the moment, that doesn't seem to be a deterrent. It seems to me that most companies look at the costs and decide security isn't important enough to pay for."

          In other words, they're gambling they don't get hit and pay a LOT more than the compliance costs as a result. That kind of attitude makes the problem intractable. The only way to make them take notice is to make the threat existential. Only problem is that these companies keep tens of thousands of vulnerable, innocent people employed in a shrinking job market.

    2. Charles 9

      Re: Fuzznugets!

      "'Securing' end terminals when all the recent major breaches have targeted insecure back offices of large companies non-compliant with even a tenth of existing PCI standards."

      Part of the reason for the push to EMV is to defuse this problem. EMV transactions use one-time codes, meaning if the numbers are nicked, they're still useless.
