Should PIN Pads Be Hardened? This Reader Says They Should Be Dumped
Written by Frank HayesIs it even worth hardening PIN pads against hacking? After last week’s story on Verifone’s device-breach problems, one StorefrontBacktalk reader commented: “Hardening PIN pads just kicks the can a few feet down the road, the way PCI kicked magstripes down to Chip-and-PIN. But it’s still the same can and the same road, so why do we think the same problems won’t keep chasing us?” His conclusion: Make payment cards much smarter and eliminate the PIN pad entirely.
That’s a great idea for large chains. But smaller merchants will have to buy in, too—and they’re the reason every attempt to improve payment cards so far has failed.
But back to our anonymous-by-request reader (who happens to be a senior IT exec at a major chain, someone whose thoughts we have learned over the years to trust): “The unreasonable but secure answer is to stop doing the same thing. We need to stop trying to keep identities and account numbers secret, and stop asking merchants to carry secrets worthy of bank vault protection. Instead, we need 100 percent on-card security, including the user interface, to protect transaction authorizations. This will remove the merchants from ever handling the customer’s secrets,” he wrote.
“Smart cards are already capable of doing encryption. Add a 10-key pad to each customer’s card, and a small screen to display the amount to authorize, and each customer is now carrying their own full PIN pad for about $5 to $10 per card. This is equipment given them by their bank, which they can trust. It’s not on a network, not upgradable, [is] sealed hardware and cannot be hacked remotely. The banks then have true end-to-end encryption all the way from their own tiny PIN pads to their own mainframes, and not the hop-to-hop-to-hop that exists today (that is mislabeled E2E by every vendor selling the stuff),” he added.
This type of super-smartcard would make PIN pads unnecessary and remove lots of breach opportunities. Merchants would still have to block man-in-the-middle attacks at the POS, but that would be much easier without a standalone device sitting on the counter that’s just begging to be attacked.
“Industry security experts are beginning to agree that zero-trust is the future of security, and that all network endpoints are inherently untrustworthy,” this reader concluded. “Let’s stop pretending that shared PIN pads on a network are a good idea. If we’re going to do something unreasonable, let’s at least do something different.”
Yes, this does sound like a much more secure POS future. It’s a great idea. Better still, the technology is already available. And if it’s a little pricey today, that cost would drop dramatically once the number of cards scaled up.
The problem is getting to that future from where we are now. The most obvious barrier: magstripe.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
