Securing terminals and automated systems
Automated systems and payment terminals meet standardisation and security requirements that are established mainly at international level by the PCI-SSC (Payment Card Industry Security Standards Council).
This organisation updates and publishes its specifications on a 3-year cycle, at the end of which the new version applies to manufacturers who wish to obtain "PCI" certification for their new terminal models.
Starting from the initial data-security requirements covered by PCI-DSS, PCI-SSC then defined two very important reference frameworks: PA-DSS for payment applications, and PCI-PTS (PIN Transaction Security) for terminals and the protection of the confidential code.
In Europe, CB actively participates in the EAST (European ATM Security Team) working group, which concentrates on attacks specific to ATMs.
Physical and logical protection
Each type of terminal and automated system has its own security reference framework. Protection is firstly physical, with designs that make it extremely difficult to copy the magnetic stripe (the CB AFAS standards, Anti-Fishing/Anti-Skimming), particularly on ATMs and automated payment terminals, and that protect the entry of the confidential code (visual protection of the keypad by a privacy shield).
Protection is then logical, in accordance with the PCI-PTS reference framework and its demanding requirements for encrypting the confidential code from the moment it is entered on the keypad and throughout the dialogue between the card and the terminal.
Lastly, transactions on ATMs, automated payment terminals and particularly automatic fuel distributors are always subject to authorisation.
Payment terminals connected in IP mode are subject to specific security requirements for their communications with the acquisition systems. Every segment of the path between the terminal and the acquisition server must be encrypted using a protocol based on asymmetric cryptography and certificates.
The authentication of the server by the terminal must use a certificate issued by a Certification Authority authorized by CB.
The authorized Certification Authorities are the following:
- PayCert – Certification Authority: STCA Certificates (Secure Transaction Certification Authority)
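As an added illustration of the server-authentication requirement above (this is example code, not CB's, PayCert's or any terminal vendor's), the Go program below plays the terminal side: it carries a single trust anchor and accepts the acquisition server only if the server's certificate chains to that authority and names the expected host. The certificate authorities, host names and function names are constructed for the test and are assumptions, not real CB infrastructure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert builds a constructed test PKI (not CB's or PayCert's): a self-signed root when parent is nil, else a server certificate for host cn signed by parent.
func mintCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// terminalConnects plays the terminal: the acquisition server is accepted only if its certificate chains to authorizedCA (the sole trust anchor) and names host. A nil result means the server was verified.
func terminalConnects(host string, authorizedCA, srvCert *x509.Certificate, srvKey ed25519.PrivateKey) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // acquisition server side: one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(authorizedCA)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err // e.g. "x509: certificate signed by unknown authority"
	}
	conn.Close()
	return nil
}
```

A certificate from any authority not in the terminal's trust store, or one issued for a different host, is rejected before any transaction data is sent.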