How do man-in-the-middle attacks on PIN pads expose credit card data?

Passive man-in-the-middle attacks on PIN pads can lead to attackers stealing credit card details. Expert Nick Lewis explains how companies can mitigate these attacks.

NCR Corp. researchers demonstrated how credit card chip-and-PIN protections could be bypassed with a passive man-in-the-middle attack on point-of-sale terminals and PIN pads, allowing card data to be used and modified elsewhere. How does this type of attack work, and what can be done to prevent PIN pads from exposing card data?

Nir Valtman and Patrick Watson, security researchers from payment technology firm NCR Corp., presented their findings on vulnerabilities in payment environments, like PIN pads, at Black Hat USA 2016. Their research showed that legacy systems and modern systems with legacy functionality are insecure and can be exploited by monitoring the network connections where credit card data passes unencrypted.

The specific details they presented are new, but this exploit is a variant of a well-known problem. An attacker in a man-in-the-middle position can capture this data, or alter the transaction flow so that the transaction appears to have occurred offline.

The researchers' mitigation recommendations for these vulnerabilities include using strong encryption, using signed firmware and encrypting offline transaction data for PIN pads. While these are very good recommendations, it is unlikely legacy systems will be able to take advantage of them. The best case would be for businesses to upgrade their technology to take advantage of point-to-point encryption, but, given the cost, some businesses may choose to accept the risk of a security incident.

The risks are significant, but enterprises can take some steps to minimize them: not storing payment card numbers past transaction settlement, purging primary account numbers (PANs) that were stored while operating offline once those transactions are settled, and implementing tokenization if the data must be stored.

The Payment Card Industry (PCI) Security Standards Council publishes best practices for preventing card skimming that enterprises can put in place to protect their point-of-sale terminals. Enterprises should also cover unusual prompts during payment entry, and caution when using PIN pads, in their security awareness training programs.
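The core finding above is that card data crosses the network between PIN pad and point-of-sale system in the clear, which is exactly what a passive tap picks up. As an added example (not code from the NCR researchers or this article), the following check scans constructed captured frames for Luhn-valid primary account numbers, so a defender can verify that a legacy link leaks PANs while a tokenized one does not; the frame layout and token format are assumptions.

```python
import re
from typing import List, Dict

# Constructed sample of what a passive tap between a PIN pad and a POS
# terminal might see (hypothetical frames, not real captured traffic):
# a legacy flow sending the PAN in the clear, a tokenized flow, and a
# numeric reference that fails the Luhn check and must not be flagged.
CAPTURED_FRAMES = [
    b"TXN=1001;PAN=4111111111111111;EXP=1219;AMT=2500",
    b"TXN=1002;TOKEN=tok_8f2c1e7a9b;EXP=1219;AMT=1999",
    b"TXN=1003;REF=4111111111111112;AMT=4200",
]

# 13 to 19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(frames: List[bytes]) -> List[Dict[str, object]]:
    """Report each frame that carries a Luhn-valid PAN in the clear (masked)."""
    findings: List[Dict[str, object]] = []
    for idx, frame in enumerate(frames):
        for m in PAN_CANDIDATE.finditer(frame):
            digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"frame": idx, "pan": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_pans(CAPTURED_FRAMES):
        print(f"cleartext PAN in frame {hit['frame']}: {hit['pan']}")
```

Only the legacy frame is reported; the tokenized frame carries nothing a tap could reuse, which is the point of the tokenization and point-to-point encryption recommendations.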


This was last published in January 2017
