POS systems that exchange data with back-office systems and online operations provide competitive advantages in customer service in everything from sales to returns. They also provide better data for business intelligence. These advantages, though, come with risk. A security or privacy breach can damage a retailer’s reputation and hit the bottom line through remediation costs and fines. In fact, compared with direct theft by employees and customers, digital security may be the greater concern. For this reason, a good way for designers of POS systems to add value and differentiate their products is to offer strong security through hardware and software that work together.
The Retail Weak Spot
Missing merchandise is a visible and trackable problem for retailers. Compromised customer data is a grayer area. Cash, credit and debit cards, inventory, and customer data all intersect at the point of sale, making the POS terminal a prime target. What’s more, security traditionally hasn’t been a top focus for POS technology. Goal number one has been to let merchants track what they sell, record the particulars of the sale, and often cross-promote products; securing customer data was an afterthought, at least until the Payment Card Industry Data Security Standard (PCI DSS) came into play. PCI DSS has done much to improve and encourage cybersecurity. For cyber thieves, though, this has simply raised the ante: if there is a weakness in the system, they will find it.
A good example is the recent report of a breach of 100 Subway sandwich shops and other U.S. retailers by two Romanian hackers. By remotely compromising Internet-connected, PCI-compliant POS devices, they obtained data from more than 146,000 cards and have been linked to more than $10 million in fraud losses. The hackers testified that they scanned the Internet for U.S.-based POS systems running certain remote desktop software applications. They then logged on to those systems, in many cases by cracking the passwords, gained administrative access, and remotely installed keyloggers or sniffers to record and store all card data keyed in or swiped at the POS. Note what the entry point was: not a flaw in the payment protocol, but remote-access software reachable from the Internet and protected only by crackable passwords.
John South, chief security officer at Heartland Payment Systems, a payments processor, commented on the breach that there is a “greater level of protection afforded to merchants who adopt a technology that encrypts the card data … if the data cannot be decrypted at the merchant site, it is of little value to the attackers.” Encrypting data all the way from the card reader through the back-office systems is one of the best defenses, particularly against sniffers and keyloggers that, once installed on a POS system, log payment card data as it is handled and sent over the network. The caveat is where the encryption starts: if the POS application receives cleartext track data from the reader and only the network link is encrypted, malware on the host still sees the data before it is protected. The encryption has to begin inside the card reader (and inside the PIN pad for manually keyed card numbers), under keys that the merchant’s own systems never hold.
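The following is an added example, not code from the article or from any of the vendors it mentions, contrasting the two encryption boundaries described above: the legacy path where the reader hands the host cleartext and only the network hop is encrypted, and the point-to-point path where the reader encrypts under a key the host never holds. The shared key, terminal ID and track-2 sample (the Visa test PAN 4111111111111111) are constructed for the example. A `Capture` type stands in for a keylogger or sniffer planted on the POS host. Go’s standard `crypto/aes` package uses the AES-NI instructions on processors that have them, so the AES-GCM calls below take the hardware path the article refers to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample swipe: the Visa test PAN in a track-2 style layout. Not a real card.
const samplePAN = "4111111111111111"

var sampleTrack = []byte(";" + samplePAN + "=25121011234567890?")

// readerKey is an assumption for the example: a 256-bit key injected into the secure
// card reader and otherwise known only to the payment processor. The POS host never holds it.
var readerKey = bytes.Repeat([]byte{0x42}, 32)

// Capture stands in for a keylogger or sniffer on the POS host: it records every
// buffer the host software handles.
type Capture struct{ seen [][]byte }

func (c *Capture) Hook(b []byte) { c.seen = append(c.seen, append([]byte(nil), b...)) }

// Leaked reports whether any captured buffer contains needle in the clear.
func (c *Capture) Leaked(needle []byte) bool {
	for _, b := range c.seen {
		if bytes.Contains(b, needle) {
			return true
		}
	}
	return false
}

// Swipe is the message the reader hands to the host.
type Swipe struct {
	TerminalID string
	Nonce      []byte // empty on the legacy path
	Payload    []byte // cleartext track (legacy) or AES-GCM ciphertext||tag (P2PE)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderEncrypt runs inside the card reader: the track is encrypted before it crosses
// the USB/serial link to the host. The terminal ID is bound as associated data, so a
// ciphertext lifted from one terminal will not decrypt when presented as another's.
func ReaderEncrypt(key []byte, terminalID string, track []byte) (Swipe, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Swipe{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Swipe{}, err
	}
	ct := gcm.Seal(nil, nonce, track, []byte(terminalID))
	return Swipe{TerminalID: terminalID, Nonce: nonce, Payload: ct}, nil
}

// ProcessorDecrypt runs at the acquirer, the only other holder of the key.
func ProcessorDecrypt(key []byte, sw Swipe) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	track, err := gcm.Open(nil, sw.Nonce, sw.Payload, []byte(sw.TerminalID))
	if err != nil {
		return nil, errors.New("swipe rejected: tag mismatch (tampered, moved between terminals, or wrong key)")
	}
	return track, nil
}

// ProcessSwipe models one transaction through the host. With p2pe=false the reader
// hands the host cleartext and only the network hop would be encrypted, which is below
// where host-resident malware hooks in. With p2pe=true the host only relays ciphertext.
func ProcessSwipe(p2pe bool, terminalID string, capture *Capture) ([]byte, error) {
	var sw Swipe
	if p2pe {
		var err error
		if sw, err = ReaderEncrypt(readerKey, terminalID, sampleTrack); err != nil {
			return nil, err
		}
	} else {
		sw = Swipe{TerminalID: terminalID, Payload: sampleTrack}
	}
	capture.Hook(sw.Payload) // everything the host application touches is capturable
	if !p2pe {
		return sw.Payload, nil // TLS would wrap it from here on; the sniffer already has it
	}
	return ProcessorDecrypt(readerKey, sw)
}

func main() {
	for _, p2pe := range []bool{false, true} {
		var capture Capture
		track, err := ProcessSwipe(p2pe, "LANE-07", &capture)
		fmt.Printf("p2pe=%v processor_got=%q host_leaked_pan=%v err=%v\n",
			p2pe, track, capture.Leaked([]byte(samplePAN)), err)
	}
}
```

On the legacy path the processor receives the track and so does the host-side capture; on the P2PE path the processor still recovers the track but the capture holds only ciphertext. The AEAD tag also rejects a ciphertext that was modified in transit or replayed under a different terminal ID, which is the property the "poison pill" and remote-management features later in the article build on: a host that cannot decrypt has nothing worth stealing.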
Solutions Available from the Intel® Intelligent Systems Alliance
A number of POS systems available from members of the Intel® Intelligent Systems Alliance offer advanced security technology, including technologies to speed up encryption so that it doesn’t slow down transactions. The most progressive of these use 3rd generation Intel® Core™ processors. These processors incorporate Intel® vPro™ technology, a suite of hardware-based security and management capabilities that work below the OS, agents, and application software to prevent threats from attacking and digging in. Plus, they help protect data and machines.
3rd generation Intel® Core™ vPro™ processors include:
- Intel® OS Guard, which helps keep malware from gaining kernel privileges by preventing the processor, while running in supervisor mode, from executing code that lives in application (user-mode) pages, a common step in privilege-escalation exploits.
- Intel® Trusted Execution Technology (Intel® TXT), which measures the components of the launch environment (firmware, hypervisor or OS) into the platform’s TPM so that the launch can be verified against known-good values and a tampered environment can be detected or refused.
- Intel® Advanced Encryption Standard – New Instructions (Intel® AES-NI), which accelerates AES encryption and decryption in hardware, together with Intel® Secure Key, a hardware-based random number generator that supplies the high-quality keys and nonces encryption depends on; between them they help protect media, data and assets from loss.
- Intel® Virtualization Technology (Intel® VT), which lets a hypervisor isolate workloads in separate virtual machines and, with VT-d, assign I/O devices directly to a VM, so that sensitive tasks can be kept out of reach of a compromised guest and further protect the POS.
- Intel® Active Management Technology (Intel® AMT), which enables remote diagnosis, security patch distribution, and repair.
Intel TXT is particularly helpful in securing systems. When a POS system with Intel TXT is powered on, the configuration it launches with is measured and recorded, and that record can be verified from a remote management console, so tampering with the launch components of the POS system is detected rather than silently accepted. In the event of an issue, “poison pill” capabilities in Intel vPro can be used either to remotely disable a system if it is physically stolen, or to disable a system on policy if some aspect of the POS is compromised or tampered with.
Now I also mentioned encryption. Encrypted data is protected data. But, traditionally, real-time encryption came at a high performance cost. With Intel AES-NI, AES encryption and decryption run up to 10X faster than a software-only implementation. This performance boost largely removes the performance penalty and makes ubiquitous encryption practical across POS devices based on 3rd generation Intel Core processors.
Naturally, to make use of this capability, you need an encryption solution. Fortunately, Alliance member McAfee can help there. The McAfee Endpoint Encryption solution encrypts data throughout the retail environment, including retail POS systems, network files and folders, removable media, and USB portable storage devices.
The big key for developers creating POS solutions for retailers is making sure that Intel vPro technology is activated: the platform ships unprovisioned, and Intel AMT and the related features are not usable until it has been set up. For that, you might want to check out this resource kit.
Using Intel® Virtualization Technology to Secure a POS
At a National Retail Federation Convention (NRF), Intel demonstrated a retail POS reference design called the Secure Point of Sale Demo that improves the security of POS credit card transactions while potentially reducing enterprise PCI DSS compliance costs. This demo POS uses a commercially available self-service checkout system, but upgrades it to an Intel® Core™ i5 processor and Green Hills Software’s INTEGRITY* real time operating system (RTOS). This combination is used to run a Windows OS image and the POS applications in a virtual machine (VM).
Because the INTEGRITY OS uses Intel® Virtualization Technology for Directed I/O (Intel® VT-d), PCI peripherals such as the integrated USB controllers can be assigned directly to VM partitions, so the Windows VM gets only the devices it needs. With Windows confined to its VM, Intel implemented the payment pathway as a native RTOS application. Together, Intel VT and the INTEGRITY separation kernel protect everything within the payment pathway, so malware running in the Windows guest cannot observe the sensitive data.
To maintain software integrity over time, the platform uses Intel TXT at boot to confirm that the INTEGRITY RTOS, the payment pathway, and the virtualization infrastructure have not been modified. Only when that check passes should the platform accept payments. In addition, the platform can be remotely managed via Intel AMT to further reduce lifetime support costs at the point of sale.
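The remote verification described in the Intel TXT paragraph above and the boot-time integrity check of the reference design both rest on the same mechanism: a measured launch whose result is reported to a management console and compared against a known-good value. The following added example, which is not code from Intel, Green Hills or the article, shows that mechanism in miniature. A `PCR` models a platform configuration register that can only be extended, `MeasureLaunch` replays a boot sequence, and `SignQuote`/`VerifyQuote` model the console challenge and the platform's signed answer. Assumptions: the three component images are constructed byte strings standing in for the hypervisor, RTOS and payment-pathway images, and an ed25519 key stands in for the TPM's attestation key and the TPM2 quote structure.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-ins for the launch components (assumption: in the reference
// design these would be the INTEGRITY hypervisor, RTOS and payment-pathway images).
var (
	goodHypervisor = []byte("hypervisor image v1 (constructed)")
	goodRTOS       = []byte("rtos image v1 (constructed)")
	goodPathway    = []byte("payment pathway v1 (constructed)")
)

// PCR models a platform configuration register. It starts at zero and can only be
// extended: PCR' = SHA-256(PCR || SHA-256(component)). The final value therefore
// commits to every component that loaded and to the order in which it loaded.
type PCR [sha256.Size]byte

func (p *PCR) Extend(component []byte) {
	d := sha256.Sum256(component)
	*p = sha256.Sum256(append(p[:], d[:]...))
}

// MeasureLaunch replays a boot sequence and returns the resulting register value.
func MeasureLaunch(components ...[]byte) PCR {
	var p PCR
	for _, c := range components {
		p.Extend(c)
	}
	return p
}

// Quote is the platform's answer to the console: the register value bound to the
// console's fresh nonce and signed with the platform's attestation key.
type Quote struct {
	Value PCR
	Nonce []byte
	Sig   []byte
}

func quoteMessage(v PCR, nonce []byte) []byte {
	return append(append([]byte("pcr-quote:"), v[:]...), nonce...)
}

// NewAttestationKey generates the per-platform signing key. Assumption: in a real
// TPM this key never leaves the chip; ed25519 stands in for its RSA/ECC key.
func NewAttestationKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignQuote runs on the platform.
func SignQuote(ak ed25519.PrivateKey, v PCR, nonce []byte) Quote {
	return Quote{Value: v, Nonce: nonce, Sig: ed25519.Sign(ak, quoteMessage(v, nonce))}
}

// VerifyQuote runs on the management console. Three checks, in order: the quote is
// genuinely from this platform, it answers this challenge (not a replay of an old
// good quote), and the measured launch matches the golden value recorded from a
// known-good unit at provisioning time.
func VerifyQuote(pub ed25519.PublicKey, q Quote, challenge []byte, golden PCR) error {
	if !ed25519.Verify(pub, quoteMessage(q.Value, q.Nonce), q.Sig) {
		return errors.New("quote signature invalid")
	}
	if !bytes.Equal(q.Nonce, challenge) {
		return errors.New("stale quote: nonce does not match challenge")
	}
	if q.Value != golden {
		return errors.New("launch environment differs from golden measurement")
	}
	return nil
}

func main() {
	pub, ak, err := NewAttestationKey()
	if err != nil {
		panic(err)
	}
	golden := MeasureLaunch(goodHypervisor, goodRTOS, goodPathway)
	challenge := []byte("console-nonce-0001")
	good := SignQuote(ak, golden, challenge)
	fmt.Println("clean launch:    ", VerifyQuote(pub, good, challenge, golden))
	modified := MeasureLaunch(goodHypervisor, goodRTOS, []byte("payment pathway v1 (constructed) + sniffer"))
	fmt.Println("modified pathway:", VerifyQuote(pub, SignQuote(ak, modified, challenge), challenge, golden))
	fmt.Println("replayed quote:  ", VerifyQuote(pub, good, []byte("console-nonce-0002"), golden))
}
```

The point a console operator should take from this: a single byte changed in any component, or the same components loaded in a different order, produces a different register value, and the nonce stops a compromised unit from replaying a quote recorded while it was still clean. The policy reaction (withhold the payment key, or trigger the vPro disable described above) hangs off the error returned by `VerifyQuote`.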
Intel® Intelligent Systems Alliance Products for Secure POS Systems
Examples of boards based on 3rd generation Intel Core processors suitable for building POS systems and taking advantage of Intel vPro technology’s and Intel VT’s security features abound among Alliance members. I’ll just point out a few.
Portwell recently released the PCOM-B219VG, a Type 6 COM Express Compact (95mm x 95mm) module using the mobile Intel® QM77 Express chipset (4.1W). With the processor’s integrated Intel® HD 4000/2500, the module supports three independent displays, DP (DisplayPort), HDMI and DVI with no need for an external graphics card. This enables a small form factor, as well as BOM savings.
Norco offers a POS motherboard, the POS-7933 (see Figure 1), based on the Intel® Q77 Express chipset and available with 3rd generation Intel® Core™ i7-3770 and i5-3550S processors. The board provides 4x SATA interfaces, 1x Gigabit Ethernet port, 10x serial ports, 1x parallel port and 6x USB ports (USB 3.0 supported) for data communications. It also supports line-out, line-in, mic-in and CD-in audio functions. An onboard 1x PCI slot and 1x Mini-PCIe slot provide flexible peripheral expansion. In addition to the security features, then, you can connect a lot of peripherals to this board.
Figure 1. Norco POS-7933 POS motherboard.
For those looking for a ready-to-go POS solution that simply needs software to package it for retail customers, NEXCOM makes an innovative high-end solution that combines both the touch-screen POS terminal and server in one unit. The NEXCOM NPT 5850 (see Figure 2) uses 3rd generation Intel® Core™ processors to offer best-in-class computing and graphics processing capabilities, security, and modular expansion options (e.g., magnetic stripe reader, fingerprint reader and VFD customer display connected via a VGA connector). This full-functioned POS system is ideal for payment processing, as well as a data acquisition server.
Figure 2. NEXCOM NPT 5850 POS System.
Centrally Managing Security
For retailers with multiple locations, IT security management can seem overwhelming. Central management can reduce this complexity and the costs. One solution is McAfee ePolicy Orchestrator (McAfee ePO) Deep Command software (see Figure 3). Designed to unify the management of POS systems, networks, and data and compliance solutions, the software increases overall visibility across security management activities to improve protection and efficiency.
McAfee ePO Deep Command employs Intel AMT to remotely manage computer-based systems and reduce the number of expensive onsite visits required to address security incidents or fix equipment. Security administrators can remotely deploy, manage and update security and device software on disabled and even powered-off retail systems.
Figure 3. McAfee ePolicy Orchestrator and its management points in a POS system using Intel AMT and McAfee security products.
In a world full of threats, security is a complicated topic. I’ve covered a lot of ground here, but there’s much more that can be said. I’d be interested in hearing your thoughts on the solutions I’ve talked about and others you know about as well.
For more on securing intelligent POS systems, see intel.com/p/en_US/embedded/innovation/security.
To learn more about bringing intelligence to POS and other retail devices, see intel.com/go/embedded-retail
Portwell is a Premier member of the Intel® Intelligent Systems Alliance. McAfee, Microsoft, NEXCOM and Norco are Associate members of the Alliance. Green Hills Software is an Affiliate member of the Alliance.
Roving Reporter (Intel Contractor), Intel® Intelligent Systems Alliance
Associate Editor, Embedded Innovator magazine