Is Touchscreen the Weakest Link of Your POS Security?

August 10, 2023

Blog

Touchscreen displays are an integral part of every modern-day payment system and point of sale (POS) terminal. Touchscreens greatly enhance the aesthetic appeal of payment terminals, while offering a modern control modality familiar to users of cellphones, tablets, and touchscreen laptops. Despite these benefits, touchscreens add additional security vulnerabilities from determined card thieves that must be addressed.

Compliance to the Payment Card Industry Data Security Standard (PCI DSS) becomes key to designing secure hardware and software systems that help customers build robust and protected payment products without sacrificing usability or great looking industrial designs.

Touchscreens in POS Displays

For decades, consumers around the globe have paid for goods and services with credit cards on POS terminals. These terminals gradually added small low-cost displays to help provide the merchant and user with more feedback on the transition status. Buttons were added on the sides or bottom of the display that aligned with virtual buttons on the screen to allow the user to select merchant options such as selecting card type (e.g., credit vs debit), selecting a tip amount, and printed receipts. User input of card numbers and pin codes was performed via mechanical keypads. This describes most of the POS terminals that are still shipping today.

A trend in the payment industry is to replace small monochrome touchless displays and mechanical buttons with larger color touchscreens. These color displays are more attractive and appeal to merchants and consumers alike. Touchscreen displays also enable POS terminal vendors to remove both side/bottom display smart buttons and mechanical keypads. This improves the system reliability by eliminating moving parts that wear out over time (both the internal key press switch mechanism as well as the printing on the surface of the key). Touchscreens also help to eliminate the threat of water ingress into the terminal around each of the keys. Finally, color touchscreens assist the merchant with their branding and advertising efforts – trends that are increasing the size of modern touchscreen displays on payment terminals of all types.

Another trend involving larger size touchscreen displays in payment systems is the rise of electronic cash registers (ECRs), which are being added to complement the POS terminal. ECRs are used in traditional multi-lane retail environments as well as in self-checkout lanes. ECR systems help retail outlets track sales, minimize sales errors, track inventory data and simultaneously record the financial transaction into their systems. The ECR touchscreen displays provide a great amount of flexibility when entering details such as the type and quantity of produce and options like purchasing bags and selecting payment type. The ECR is usually not a secure payment device, so it is commonly combined with a POS terminal that processes payments via cards, phones, and smart watches.

Over time ECRs and POS terminals have begun fusing into a single touchscreen-based secure payment system. Touchscreen sizes of approximately 3.5” up to 42” have already become an integral part of modern-day ECR and POS terminals. User interaction, the arrival of contactless NFC technology, mobile phone connectivity, and consolidation of features into one system is leading to the rise of fixed-wall powered tablet/kiosk or battery-powered mobile-based POS terminals instead of separate ECR-POS systems. Portable POS terminals allow merchants to collect payments anywhere, both inside and outside of the store.

The fast-growing trend of contactless payments promoting ease of use and convenience led to the rise of unattended and self-serviced public payment terminals in vending machines, parking meters, automated fuel dispensers, and EV charging stations. Larger sized touchscreens not only enable merchants to display more product information about the items being purchased, but they also help generate additional revenue streams via product promotions and advertising.

POS Security and PCI Compliance

Securing user data like the primary account number (PAN), credit card credentials (number, expiration date, and CVV), and user PIN became the highest priority in designing payment systems. Magnetic stripe (swipe) card transactions had inherent security vulnerabilities and were more prone to failure as the stripes wore out over time and when exposed to magnetic fields. More secure card payment methods such as Dip (chip-and-PIN) and Tap (near-field communication: NFC) are available alternatives. These methods are complemented by alternative authentication mechanisms such as QR Code (on paper or phone), and biometrics (for example, finger, face, or eye). However, the introduction of touchscreens has a special new role to play on PIN entry systems security too, when they replace mechanical keypads.

Touch data/PIN transfer is vulnerable to tapping/man-in the middle attacks via touch sensor overlays, underlays, and even communication bus probe attacks between the touch IC and the secure host MPU as seen above. Firmware on the touch controller is vulnerable to hacking to get inserted as backdoor to extract card details. The configuration of the touch controller is susceptible to modifications that can open vulnerabilities on systems that have previously passed security certification testing.

Additionally, outdoor touchscreen design requirements include technology to deal with extreme environmental noise, active NFC interference, extreme emission standards, an extended temperature range, thick glove detection, and extreme moisture immunity including highly conductive cleaning fluids that can otherwise cause false touchscreen events. Unauthenticated configuration and software update vulnerabilities could also lead to Denial-of-Service attacks in combination with ransom attacks, where the whole network could be down if the terminals are connected to a central update system (for example, an EV charger network with integrated payment terminals). This creates additional challenges and opportunities for the touchscreen payment system developer.

PCI Compliance to the Rescue

Created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB), the Payment Card Industry Security Standards Council (PCI SSC) has developed and managed the globally renowned PCI DSS to protect card holders' data. Payment brands and acquirers have a responsibility for creating PCI-compliant products to secure the storage, transmission, and processing of user data. Depending on the payment application type, PCI compliance requirements may differ, which can drive the hardware/software/system-level design considerations.

Most POS terminal vendors are now industry-compliant with PCI Data Security Standards. The PCI security mechanism seeks isolation of the PIN from the PAN and other cardholder data. This ensures the security and integrity of the PIN entry through software applications and requires active monitoring of such software and encryption of the user data using a secure key. Access control should be implemented to authenticate the device user or owner. Failure alarms are recommended to warn against tampering, hacking, or functional failures.  

If a payment system uses a separate payment module that is pre-certified for the PCI DSS for secure card transactions using a card reader with mechanical keypad, then the touchscreen is not transporting any secure information on the communication lines. PCI PIN Transaction Security (PTS) certification of the touchscreen is only needed when the touchscreen is used for entry of credit card and/or pin code data (so called PoG, or PIN on Glass). In this case, shielding the touch controller’s communication interface, or encrypting the touch message data, is required. Encryption offers POS terminal vendors the opportunity to move the touch controller IC to a simple, cost-effective, single-layer flex printed circuit (FPC) tail connected to the touch sensor. This configuration allows the touch sensor vendor to design, test, and ship the complete touch system to the POS terminal vendor, thereby reducing cost and simplifying the supply chain.

General PCI Certification Requirements

PCI compliance guidelines relevant for touchscreen displays are governed by PCI-PTS. PIN transaction security requirements can be generally summarized as:

• Measures are built into the system to shut down in case of physical or software tampering
• Confidential user data must be transferred (always encrypted) and should only be maintained as long as necessary
• Software update or boot up should only take place if software integrity can be verified
• Only authenticated users can update the software
• Key should be stored in a protected area and secure mechanisms should be created to protect initial key loading in production
• Device should perform self-tests and report abnormalities

For easy compliance with the latest PCI requirements, the following features could be built into ttouch controller products at the system level:

• Daily reboot schedule
• 15-minute timeout on manual key entry
• Advanced Encryption Standard (AES) PIN encryption with ISO format 4
• Stricter use of encryption keys for the intended purpose, with a separation between customer and manufacturer key hierarchies
• PAN encryption
• TR-34 Remote Key Loading (RKL) protocol

A PCI lab validates the touchscreen display to check that it can meet the safety requirements of the PIN Transaction Security standard. This validation includes the following tests:

• Assessing the vulnerability of the PIN entry security by hacking
• Assessing access to sensitive data through tampering and examining the response mechanism utilized in the system
• Validation of the techniques and documentation of the key management in production

Getting to the Point, Quickly

Payment terminal design requires knowledge of how to implement a complete system solution and robust security standards. Solutions like Microchip’s maXTouch® controller portfolio can address complex system problems with integrated analog front-end and proprietary firmware that can be configured for secure encrypted communication for any end user application.

A dedicated support team, like Microchip Technology’s touch controller experts, can guide customers through their system level design and support them in the software/driver integration process, product testing, and debugging.

Reference

• https://ww1.microchip.com/downloads/aemDocuments/documents/HMID/ApplicationNotes/ApplicationNotes/DS00004863A.pdf