Several different types of electronic devices are usable to receive financial information and to engage in a financial transaction. Examples include Automatic Teller Machines (ATM), a Point-of-Sale (POS) terminals, unattended vending machines and ticket machines. A POS terminal, for example, is an electronic device used for processing sales transactions at a location of sale. A POS terminal typically has a mechanism for electronically reading in financial payment information (for example, a magnetic stripe reader or a smart card reader), a display, a keypad or touchscreen or other mechanism for receiving manually entered information from the user, and a communication mechanism for communicating electronically in a secure fashion with a remote financial institution. In one situation, a customer who wants to make a purchase swipes a credit card or debit card through the magnetic stripe reader on a POS terminal or inserts a smart card into a smart card reader slot on a POS terminal. The POS terminal is located at the point of sale such as in a retail establishment. The POS terminal combines the entered credit card or debit card information or smart card information with information on the amount of the transaction, and this information is sent in encrypted form from the POS terminal to a financial institution. The customer may authorize the transaction by signing a signature capture device or by providing a fingerprint or personal identification number. How the transaction takes place differs depending on the type of transaction, but in all cases sensitive financial information is entered into the POS terminal. This sensitive information in the POS terminal, if it were to fall into the wrong hands, could be used in unauthorized ways such as to steal money and/or merchandise. Great care is therefore expended in designing a POS terminal to ensure that the POS terminal cannot be used for illicit purposes and that the sensitive financial information and encryption keys stored in the POS terminal cannot be extracted by thieves.
One way that a POS terminal can be used to steal financial information is to load rogue software into the POS terminal. This software may be present without the merchant or customer knowing of its existence. In one attack, the rogue software causes an instruction to be displayed on the screen of the POS terminal prompting a customer to enter the customer's personal identification number (PIN). If the customer complies, then the rogue software receives the PIN from the keypad interface. The customer may not realize that the PIN has been stolen, and in some attacks the customer is able to conclude the intended transaction. Information presented to the user on the screen during the time the POS terminal is processing a transaction must therefore be trusted or must come from a trusted source.
Complicating this issue is the fact that displays on POS terminals are an increasingly valuable resource. Larger and larger displays are being used. Color Liquid Crystal Displays (LCDs) capable of displaying video are sometimes used. Accordingly, it may be desired to use this large color display for uses other than just the secure POS terminal financial transaction application. In one example, a display is usable in combination with a POS terminal to carry out financial sales transactions as described above. At other times, however, the same display is usable as part of a cash register. When being used as part of the cash register, the display is used to display a price or other transaction information to a customer. Alternatively, or in addition, advertising information may be displayed on the display. It is therefore desired that a third party (for example, an advertiser or the merchant) be allowed to display information on the display of the terminal without the display of that information causing a security risk.
Two architectures may be employed to realize a POS terminal that can display third party images and messages on a display: 1) a one-chip architecture, and 2) a two-chip architecture.
FIG. 1 (Prior Art) is a diagram that illustrates the one-chip architecture. A single microcontroller 1 handles both security functions (such as encryption key storage, PIN management, display control, keypad management) and also handles network communication and non-critical functions, such as printer management. The integrated circuit receives information via communication interface 2 from another source such as from an advertiser or a cash register functionality. The integrated circuit checks every image or frame of the incoming information to confirm authenticity, and only if an image or frame is authenticated does the integrated circuit output it via display control functionality 3 to the display 4. The semiconductor fabrication processes required to realize such a secure microcontroller are generally compatible with making security circuitry and FLASH memory, but these semiconductor processes are generally not compatible with making state-of-the-art high performance Central Processing Units (CPU), high-performance video decoders, or high-performance authentication circuitry. Accordingly, if the one-chip architecture is used in a low-cost application, then the microcontroller (that needs to handle security functions) does not generally have enough performance to decode and decompress, authenticate, and display high resolution video at a high frame rate.
FIG. 2 (Prior Art) is a diagram that illustrates the two-chip architecture. This approach splits the terminal into two portions: a non-secure portion and a secure portion. The non-secure portion is realized using an often expensive, complex, mass-produced, high-performance, general purpose microcontroller 4. Microcontroller 4 can be realized using semiconductor fabrication processes that lend themselves to making high performance Central Processing Units (CPU), high-performance video decoders, and high-performance authentication circuitry. The video could be authenticated statically, but this is too demanding even for the most powerful processors. This microcontroller is used to handle all non-security related functions such as network management, battery charging and monitoring, dialup modem control, printer management. The two-chip architecture allows the POS terminal manufacturer to select from among many general purpose microcontrollers available on the market. The choice of the non-secure microcontroller can be tailored depending on the targeted market and overall networking capabilities. The processing capability of the secure microcontroller does not need to scale with the complexity of the POS/ATM whereas the processing capability of the general purpose microcontroller does.
The secure portion of the two-chip architecture is realized using a relatively low-cost, smaller, and lower-volume microcontroller integrated circuit 5. Security functions include secure key storage, keypad management, LCD control, smart card control, and magnetic stripe reader circuitry. This low-cost microcontroller is realized using a semiconductor fabrication process more suitable for realizing security circuitry and FLASH memory.
Unfortunately, a decoded video stream that is decoded on the non-secure general purpose microcontroller 4 still passes through the secure microcontroller 5 on its way to the display. The secure microcontroller 5 should verify each image or frame before it is forwarded on to the display 6 via a display controller 7. This authentication also can take considerable processing power, especially in the situation of high resolution video. For performance reasons, the checking of each image or frame of decoded video on a low-cost implementation of the two-chip architecture is generally not possible.