There’s one way to be certain that POS data can’t get stolen: don’t have data at the POS in the first place. That’s the innovation that Intel launched Wednesday (Oct. 15). Intel Data Protection Technology For Transactions creates an encrypted tunnel through which cardholder data travels, which means it never touches the merchant POS. That means the bad guys can’t get it.
The protocol, code-named Baker Beach, “adds an extra layer of software to protect the payment process, complementing current retail investments in EMV authorization, tokenization and other data protection technologies,” Intel said. “The software resides and runs on the Intel chipset for enhanced security and helps close the gaps between data transmitted between POS devices and the data center” and adds “a secure pipeline through which transactions can request payment authorization and provides a common security management capability for retailers to utilize regardless of the original POS or peripheral vendor.”
The announcement was made in London at the Intel Internet of Things Europe event.
It will work with a wide range of POS devices as long as the unit uses a second- or third-generation Intel Core processor, or a succeeding Intel Core processor generation. “In addition, tablets with the Intel Atom processor code-named Bay Trail-T and future Intel Atom processors” will also work, Intel said.
Intel’s position is that its approach is more secure because it uses a security co-processor that appears to the OS as a separate external device, according to Brad Corrion, an Intel platform architect. That isolates the co-processor from wherever malware is likely to be, he said, adding that this makes the co-processor a trusted execution environment. In other systems there is far less isolation, raising the risk that malware could contaminate the encryption process and potentially access the sensitive data, Corrion said.
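Added illustration, not Intel’s code or the Baker Beach protocol itself: a stdlib-only Python model of the trust boundary Corrion describes, where card data is sealed inside a co-processor stand-in, the POS application only ever holds ciphertext, and the data center end of the tunnel authenticates and recovers the record. The HMAC-based cipher, the tunnel key, the function names and the sample card number are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os

# 64-byte tunnel secret: first half keys the cipher, second half the MAC. In the
# model it is held only by the co-processor and the data center, never by the POS OS.
TUNNEL_KEY = os.urandom(64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for the real tunnel cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; the wire format is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel payload failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key[:32], nonce, len(ct))))

class SecureCoprocessor:
    # Stand-in for the isolated co-processor: card data arrives from the peripheral
    # and leaves only as ciphertext addressed to the data center.
    def __init__(self, key: bytes):
        self._key = key

    def authorize(self, amount_cents: int) -> bytes:
        swipe = {"pan": "4111111111111111", "exp": "1217", "amount_cents": amount_cents}  # constructed
        return seal(self._key, json.dumps(swipe).encode())

def pos_checkout(coproc: SecureCoprocessor, amount_cents: int) -> dict:
    # The merchant POS application, where malware would run, holds only an opaque payload.
    return {"amount_cents": amount_cents, "payload": coproc.authorize(amount_cents).hex()}

def data_center_decrypt(key: bytes, message: dict) -> dict:
    # The far end of the tunnel authenticates the payload and recovers the full record,
    # which is what keeps the data available for authorization and analytics.
    return json.loads(open_sealed(key, bytes.fromhex(message["payload"])))
```

The thing to notice is that nothing the POS layer holds contains the card number, while the data center still gets the complete record, and any payload altered in transit is rejected by the tag check.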
The company said that although the initial application is designed for POS and handling sensitive payment data, there’s no reason it couldn’t also be used for various non-payment data issues, “such as to secure the way airports handle passport and driver’s license identity information, or helping pharmacies protect customer information related to prescription refills.”
A system that can securely handle more data is crucial for the next generation of payments, and some security approaches today are depriving retailers of much of that data. Apple Pay, for example, delivers far fewer pieces of transaction data than the plastic cards it is sidestepping, and it does so in the name of security.
Speaking to the Intel group in a video commentary on the announcement, MPD CEO Karen Webster described the significance of POS breaches as not just financial but reputational for the merchants involved, citing consumer research suggesting that consumers don’t stop using the payment cards in their wallets after a breach but do change their merchant preferences, steering clear of those that were involved. She also pointed out the complexities of fighting cybercrime, which has grown into a huge global business. Noting that having no cardholder data at the POS could make for a frustrating experience for cybercriminals, she suggested that the best way to “be sure that the bad guys have a bad day at the office” is to make sure there’s not much for them to do when they get there.
Corrion argues that by boosting encryption near the chip level, all of that transaction data—along with personally identifiable information and even sensitive financial data—can be securely retained and therefore remain available for analytics.
Also, by securing the data near the chip level, retailers could use remote access—which has been at the root of a huge number of retail data breaches—more securely, since the protected data would theoretically remain safe.
Intel said the package should ship in the first half of 2015.