In recent years, retail environments have evolved into elaborate point-of-sale (POS) facilities providing a wide variety of customer services, such as fuel dispensing, car washing, ATM access, money order access, and credit/debit card transactions. Additionally, it has become desirable to offer advertisements and additional sales to customers from third party venders at the retail environments. However, there has not been an ideal system or method available to retailers providing these additional capabilities without raising a significant risk of unauthorized access.
In a traditional retail environment, card data supplied from a customer purchasing products or services is transmitted in an unprotected form from the input system to the POS system, and from the POS system to a network host which performs authentication of the card data. This design allows unauthorized parties to easily intercept customer card data by tampering with the transmission line, especially if the transmission line is Ethernet or a satellite link.
As unauthorized access has become an increasing problem, a number of government and industry agencies have begun proposing stricter guidelines and requirements for retail environment security. One type of enhanced security restriction is the physical requirement that displays within retail environments should directly interface with a secure module in order to allow the secure module to control the PIN entry device (PED). Another security requirement is that the PED must control the prompts that request the entry of PINS and clear-text data. Further, the PED must set a direct interface between the PED keypad and the secure module when a prompt requests the entry of a PIN or other clear-text data. Once the direct interface is set, these PEDs must either (1) be able to cryptographically authenticate all prompts that request the entry of PINs and clear-text data originating from the POS terminal before being displayed or (2) store the prompts in the PED to prevent them from being modified. The idea behind these requirements is that they would synchronize the display on the screen to the state of the PED, thus preventing attacks such as where the PED is in a clear-text data entry mode while the PED displays a command requesting the entry of secure information. In these situations, the customer would enter his or her PIN at a time when the PED would not encrypt the data, thus leading to potential PIN exposure to unauthorized parties.
These requirements leave solution providers with two undesirable options. In the first, the retail environment must have two displays—one for the normal retail environment interface/video that is not “secured,” and another display which would be directly connected to the PED and would only perform PIN/secure prompt functions. This solution is undesirable because it is likely to cause customer confusion and could lead to the multiple screens becoming out of sync. The second solution is to redesign the existing retail environments with a secure chip controlling the display. A major downside to this solution is the loss of enhanced video display support because the video accelerator required for the enhanced video display would not be a secure chip. Additionally, software for the new platform would require an expensive and time-consuming redesign, adding significant cost and complexity to the system while simultaneously reducing the functionality available to and required by customers.
A PED that functions to receive both PINs and clear-text data can be configured to encrypt PIN information, and pass clear-text data in clear-text form. A PED of such type can provide a customer with a single interface for entering alpha-numeric information regardless of the security policy associated with information.