US20170309135A1 - Secure point of sale terminal and associated methods - Google Patents
Secure point of sale terminal and associated methods Download PDFInfo
- Publication number
- US20170309135A1 US20170309135A1 US15/645,912 US201715645912A US2017309135A1 US 20170309135 A1 US20170309135 A1 US 20170309135A1 US 201715645912 A US201715645912 A US 201715645912A US 2017309135 A1 US2017309135 A1 US 2017309135A1
- Authority
- US
- United States
- Prior art keywords
- secure
- processor
- data
- multiplexer
- public
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07G—REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
- G07G1/00—Cash registers
- G07G1/0009—Details of the software in the checkout register, electronic cash register [ECR] or point of sale terminal [POS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
- G06Q20/202—Interconnection or interaction of plural electronic cash registers [ECR] or to host computer, e.g. network details, transfer of information from host to ECR or from ECR to ECR
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
- G06Q20/204—Point-of-sale [POS] network systems comprising interface for record bearing medium or carrier for electronic funds transfer or payment credit
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
- G06Q20/206—Point-of-sale [POS] network systems comprising security or operator identification provisions, e.g. password entry
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3823—Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07G—REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
- G07G1/00—Cash registers
- G07G1/12—Cash registers electronically operated
- G07G1/14—Systems including one or more distant stations co-operating with a central processing unit
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q2220/00—Business processing using cryptography
Definitions
- Point-of-sale (POS) systems allow users, such as merchants, to offer customers flexibility in completing goods or services sales transactions.
- POS Point-of-sale
- Such systems may not provide a mechanism for secure transactions such as entering a PIN (personal identification number) associated with a credit, debit, EMV, and other payment cards, including cards having embedded integrated circuits for, among other things, authentication.
- PIN personal identification number
- a device comprising an input device with an input device user data connection to an input device controller.
- the device also comprises a multiplexer with a multiplexer control input port, a multiplexer data input port communicatively coupled to the input device controller, a first data output port, and a second data output port.
- the device also comprises a secure processor with: (i) a control output port communicatively coupled to the multiplexer control input port; and (ii) a secure processor data input port communicatively coupled to the first data output port.
- the device also comprises a second processor with a second processor data input port communicatively coupled to the second data output port.
- the multiplexer is configurable between a first state and a second state.
- the multiplexer data input port is communicatively coupled to the first data output port through the multiplexer when a current state of the multiplexer is the first state.
- the multiplexer data input port is communicatively coupled to the second data output port through the multiplexer when the current state of the multiplexer is the second state.
- the current state of the multiplexer is exclusively controlled by the secure processor via the control output port.
- an integrated circuit in another embodiment, comprises a multiplexer with a multiplexer control input port, a multiplexer data input port, a first data output port, and a second data output port.
- the integrated circuit also comprises an input pin communicatively coupled to the multiplexer data input port.
- the integrated circuit also comprises a multiplexer control circuit communicatively coupled to the multiplexer control input port.
- the integrated circuit also comprises an input device data processing circuit communicatively coupled to the first data output port.
- the integrated circuit also comprises an output pin communicatively coupled to the second data output port.
- the multiplexer is configurable between a first state and a second state via the multiplexer control circuit.
- the multiplexer data input is communicatively coupled to the first data output port through the multiplexer when the current state of the multiplexer is the first state.
- the multiplexer data input is communicatively coupled to the second data output port through the multiplexer when the current state of the multiplexer is the second state.
- a method comprises receiving secure data from a user via an input device.
- the method also comprises routing the secure data to a secure processor using a hardware multiplexer.
- the method also comprises processing the secure data using the secure processor.
- the method also comprises receiving non-secure data from the user via the input device.
- the method also comprises routing the non-secure data to a second processor using the hardware multiplexer.
- the method also comprises processing the non-secure data using the second processor.
- the method also comprises altering a routing state of the hardware multiplexer using the secure processor. The routing state of the hardware multiplexer is only controlled by the secure processor.
- another method comprises receiving secure data from a user via an input pin of an integrated circuit.
- the method also comprises routing the secure data to an input device data processing circuit using a hardware multiplexer.
- the method also comprises processing the secure data using the input device data processing circuit.
- the method also comprises receiving non-secure data from the user via the input pin.
- the method also comprises routing the non-secure data to an output pin of the integrated circuit using the hardware multiplexer.
- the method also comprises altering a routing state of the hardware multiplexer using the secure processor. The routing state of the hardware multiplexer is only be controlled by the secure processor.
- FIG. 1 illustrates two architectures for a client device in a secure POS platform that are in accordance with one or more example embodiments.
- FIG. 2 illustrates an example network architecture for a secure POS platform in accordance with one or more example embodiments.
- FIG. 3 illustrates an example component architecture for certain components of the secure POS platform shown in FIG. 2 in accordance with one or more example embodiments.
- FIG. 4 illustrates a diagram of an example computer system for certain components of the secure POS platform shown in FIG. 2 in accordance with one or more example embodiments.
- FIG. 5 illustrates a flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments.
- FIG. 6 illustrates a diagram of an example client device for a secure POS platform operating in a non-secure mode in accordance with one or more example embodiments.
- FIG. 7 illustrates a diagram of an example client device for a secure POS platform operating in a secure mode in accordance with one or more example embodiments.
- FIGS. 8A-8D illustrate diagrams of example device architectures for client devices for a secure POS platform in accordance with one or more example embodiments.
- FIG. 9 illustrates a flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments.
- FIG. 10 illustrates a ladder diagram of communications between a secure processor and application processor for conducting a secure transaction that is in accordance with one or more example embodiments.
- FIG. 11 illustrates another ladder diagram of communications between a secure processor, multiplexer, and second input device, for conducting a secure transaction that is in accordance with one or more example embodiments.
- FIG. 12 illustrates another ladder diagram of communications between a secure processor, application processor, and server, for conducting a secure transaction that is in accordance with one or more example embodiments.
- FIG. 13 illustrates another flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments.
- FIG. 14 illustrates another ladder diagram of communications for operating a secure POS platform in accordance with one or more example embodiments.
- FIG. 15 illustrates an upper view of an example cover for a POS or client device in accordance with one or more example embodiments.
- POS point-of-sale
- Certain embodiments of the systems and methods described herein may facilitate providing a secure POS platform to provide secure interactions with local services and/or third-party applications during one or more POS transactions (e.g., financial transactions, login sessions, etc.) at physical and/or remote locations. Further, certain embodiments of the systems and methods may also provide or otherwise facilitate secure communication with a user of the POS platform.
- POS transactions on a POS platform may influence the selection of data communication channels within the secure POS platform, where these data communication channels may be used to process the data associated with one or more POS transactions.
- a merchant may use a POS platform to complete a transaction with a customer who may have placed an order for goods or services (e.g., purchasing milk, etc.), where the merchant or the customer may swipe a credit card to complete the transaction.
- the POS platform may choose one or more data channels to access one or more processors within the POS platform to complete the transaction.
- a secure channel may be used; whereas if the transaction involves unsecure data, such as the entry of a quantity of milk to be purchased, a non-secure channel may be used.
- the one or more data channels can be used to process or otherwise complete the transaction.
- an ATM may include an account management system and may also include an application for ordering stamps or other applications that do not require the receipt of secure data from the user.
- a tablet computer may include core applications that are used to interact with financial institutions or ecommerce systems while other applications can be added to the device that do not require the use of secure information. Any of these and similar devices can benefit from some of the approaches described herein.
- secure POS platform 100 may include a number of hardware components including input device controller (IDC) 102 , multiplexer (MUX) 104 , secure processor (SP) 106 , and application processor (AP) 108 .
- IDC input device controller
- MUX multiplexer
- SP secure processor
- AP application processor
- TC touch controller
- the input device controller could be a controller for any number of input devices or user interfaces such as a keypad, audio interface, or wireless interface.
- TC touch controller
- the input device controller could be a controller for any number of input devices or user interfaces such as a keypad, audio interface, or wireless interface.
- the above are only examples of components that may be included in a secure POS platform, such as 100 , and other components may also be included.
- secure POS platform 100 can include one or more components, such as 102 , 104 , 106 , and 108 that are internal to associated client device 120 , which can be a merchant POS device.
- Client device 120 may be operated by a user 110 entering various information for a purchase transaction via an associated input device associated with the client device 120 to facilitate a purchase transaction.
- the input device could be a touch screen integrated with the client device 120 .
- the input device could be a multiuse input device such that it is used for both secure operations and normal (non-secure) operations.
- Secure POS platform 100 may evaluate whether the certain user inputs via the multiuse input device are associated with either secure operations or normal (non-secure) operations.
- An example of a secure operation is entering a PIN.
- An example of a non-secure operation is entering a quantity of an item to be purchased via the same touch screen.
- the hardware components may be interconnected to provide various functions in response to certain actions performed by user 110 with respect to client device 120 , such as inputting information via an associated input device or user interface.
- the hardware components can be implemented as individual integrated circuits (ICs) on a main board of client device 120 .
- MUX 104 and SP 106 could also be implemented on a single application specific integrated circuit (ASIC) while IDC 102 and AP 108 are kept as separate ICs.
- ASIC application specific integrated circuit
- the chip comprising MUX 104 and SP 106 could then be used as a “secure chip” in a chip set comprising the secure chip, IDC 102 , and AP 108 .
- IDC 102 and AP 108 could be commercially available ICs that are broadly available beyond the more limited market for specialized secure POS hardware.
- an application processor chip and peripheral controller chip could be standard devices for the control of peripherals and running applications generally, and do not need to be augmented in any manner to realize the security benefits of some of the approaches described herein.
- Any of the functions performed by SP 106 that are disclosed in this specification could be executed on the secure chip.
- tamper detection circuitry implemented on the secure chip could receive a tamper indication from a tamper sensor and clear a memory implemented on the secure chip to protect encryption keys or other secure information stored on the secure chip.
- AP 108 can be a standard processor used to implement an operating system for client device 120 .
- AP 108 can run the Android OSTM.
- the AP can maintain full control over the client device 102 while the device is running applications that don't require secure information.
- the main application run by the AP 108 could be the standard merchant-facing retail checkout application used to accept inputs regarding a customer's order and tally the total of a specific purchase transaction.
- the main application run by AP 108 could be a restaurant server's ordering application used to input orders taken by the server.
- AP 108 can operate with a cache and main memory that are physically separate from the memory used by SP 106 .
- This configuration provides certain benefits in that certain attacks may use a processor to write instructions to memory for later execution and exploitation of a secure program running on the same processor, or may use the processor to read and illicitly obtain data from the memory which was utilized and left over by a secure program using the same memory. These kinds of vulnerabilities can be avoided by not allowing the AP to have access to the same memory as the SP.
- MUX 104 is a hardware multiplexer that receives control inputs from SP 106 and routes data received from IDC 102 to one or more data channels based on those control inputs. The data could be routed through transistors that turn on or off in response to control signals.
- MUX 104 could be an IC with one or more control pins, one or more input pins and at least two output pins. In approaches where MUX 104 and SP 106 were implemented on a single chip, MUX 104 could be a block of analog circuitry on the secure chip controlled by a digital output from SP 106 . In such approaches, MUX 104 and SP 106 could exchange information via interconnects in the IC.
- a secure transaction process can be implemented using the hardware components shown in FIG. 1 .
- IDC 102 can transmit certain user inputs to MUX 104 .
- secure POS platform 100 detects or prompts user entry of secure data (e.g., a user entering PIN information) via the input device or user interface associated with client device 120 , the operation is treated as a secure transaction and/or operation.
- SP 106 can control the flow of secure data through MUX 104 .
- FIG. 1 illustrates another example schematic view of a secure POS platform which is illustrated by the region of FIG. 1 indicated by reference number 20 , which is in accordance with one or more example embodiments.
- entry of data that may be considered non-secure can be facilitated via the hardware components, such as 102 , 104 , 106 , and 108 of client device 120 , such that data passes from a peripheral to AP 108 .
- IDC 102 may communicate user inputs to MUX 104 , such as when user 110 interacts with an associated input device or user interface.
- MUX 104 can then pass the information received from this interaction to AP 108 .
- AP 108 may then perform transactions and/or operations that may be considered non-secure.
- entry of data that may be considered secure can be facilitated via the same hardware components, such as 102 , 104 , 106 , and 108 of client device 120 .
- the data from the peripheral will now be routed to SP 106 instead of AP 108 .
- MUX 104 will route input data from the peripheral to SP 106 .
- SP 106 may then perform operations on the data that may be considered secure.
- IDC 102 may be completely unaware as to which processor the input data is being routed to.
- the network architecture of the secure POS platform 200 may include one or more client devices 120 .
- Client devices 120 can communicate via a network with back end servers 140 , remote services servers 160 , and control servers 180 .
- Each of the components in network architecture 200 are discussed in more detail below.
- the one or more client devices 120 may be a merchant POS device, a laptop computer, a desktop computer, another device with computer functionalities, or any combination thereof and/or other types of devices associated with a merchant at various locations.
- a client device, such as 120 may be a POS terminal provided by First Data Corporation of Atlanta, Ga.
- Other examples of client device 120 may be purpose-built POS equipment, a self-service kiosk, a smart phone, a tablet, a wearable computer device, or an e-reader operating a mobile operating system, such as Android OSTM.
- An example hardware architecture of a particular client device that can be used in place of client device 120 is illustrated and described in FIG. 6 below.
- each client device 120 may communicate with one or more remote services servers 160 via a client API, which may be used to access the services and functionalities provided by the remote services servers 160 .
- Each of the client devices 120 may also communicate with the one or more remote services servers 160 via one or more networks 130 .
- the one or more remote services servers 160 may be one or more independent computer systems, such as the computer system 400 of FIG. 4 .
- the one or more remote services servers 160 may be a cloud-based computer system, where no on-premise servers are required, which may reduce relative cost and complexity of hardware, installation, and ongoing maintenance and administration.
- the network architecture of the secure POS platform 200 may also include one or more back-end servers 140 .
- the one or more back-end servers 140 may be coupled to the one or more remote services servers 160 via a respective or single back-end API 145 .
- the back-end API 145 may be an application programming interface for the one or more back-end servers 140 to supplement the services provided by the one or more remote services servers 160 .
- the one or more back-end servers 140 may communicate with the one or more remote services servers 160 via network 130 as well.
- the one or more back-end servers 140 , and/or the remote services servers 160 may be configured to handle financial transactions by authorizing or declining transactions.
- Each of the back-end servers 140 may be one or more independent computer systems, such as the computer system 400 of FIG. 4 , for performing back-end processes for purchase transactions.
- the secure POS platform 200 may also include one or more control servers 180 .
- Each of the control servers 180 may provide secure communication sessions between a customer support representative (e.g., user 190 ) and one or more client devices (e.g., client devices 120 ).
- the one or more control servers 180 may be one or more independent computer systems, such as the computer system 400 of FIG. 4 .
- the one or more networks 130 may be a system for communication. Each of the networks 130 may encompass a variety of mediums of communication, such as wired communication for one part and wireless communication for another part.
- the one or more networks 130 may be part of the Internet.
- a network such as 130
- the network 130 may include any suitable network for any suitable communication interface.
- the network channel may include an ad hoc network, a personal area network (PAN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), or one or more portions of the Internet or a combination of two or more of these networks.
- PAN personal area network
- LAN local area network
- WAN wide area network
- MAN metropolitan area network
- One or more portions of one or more of these networks may be wired or wireless.
- the network may be a wireless PAN (WPAN) (such as, for example, a BLUETOOTH WPAN), a WI-FI network, a WI-MAX network, a 3G or 4G network, a cellular telephone network (such as, for example, a Global System for Mobile Communications (GSM) network).
- WPAN wireless PAN
- WI-FI wireless Fidelity
- WI-MAX wireless fidelity
- 3G or 4G network such as, for example, a 3G or 4G network
- GSM Global System for Mobile Communications
- FIG. 3 there is shown a diagrammatic representation of an example internal architecture 300 of certain components of secure POS platform 200 shown in FIG. 2 in accordance with one or more embodiments of the disclosure.
- the example internal architecture 300 may interact with one or more users (e.g., user 110 ) operating one or more client devices (e.g., client device 120 ) communicating with one or more control servers (e.g., control server 180 ).
- users e.g., user 110
- client devices e.g., client device 120
- control servers e.g., control server 180
- the client device 120 may include a client operating system 214 , at least one point-of-sale application (e.g., POS application 216 ), and one or more applications (e.g., application(s) 218 ). Additionally, client device 120 may be configured to provide a number of services via internal modules. For example, client device 120 may include a PIN pad module 220 , support module 222 , a security module 224 , and/or screenshot module 226 .
- POS application 216 point-of-sale application
- applications e.g., application(s) 218
- client device 120 may be configured to provide a number of services via internal modules.
- client device 120 may include a PIN pad module 220 , support module 222 , a security module 224 , and/or screenshot module 226 .
- Each of the modules can operate individually and independently of other modules. Some or all of the modules can be combined as one module. A single module can also be divided into sub-modules, each performing a separate method operation or method operations of the single module.
- the modules can share access to a memory space. One module can access data accessed by or transformed by another module.
- the modules can be considered “coupled” to one another if they share a physical connection or a virtual connection, directly or indirectly, allowing data accessed or modified from one module to be accessed in another module.
- the SP 106 will include separate modules that do not share access to the same memory space as the modules operating on AP 108 .
- client device 120 will include two operating systems, one operating on SP 106 and one operating on AP 108 .
- the client device 120 may include additional, fewer, or different modules for various applications.
- Conventional components such as network interfaces, security functions, load balancers, failover servers, management and network operations consoles, and the like are not shown so as to not obscure the details of the system.
- the operating system 214 may be an operating system of the client device 120 , such as AndroidTM or iOSTM or any other operating system that may be suitable for a point-of-sale system.
- the operating system 214 may be an open or closed format.
- the POS application 216 may contain modules executable on the client device 120 to perform point-of-sale services (e.g., CloverTM, or any other POS services).
- the POS application(s) 216 may run on the AP 108 .
- the POS application 216 may include a timecards module, a self-serve module, a register module, a store inventory module, or any combination thereof.
- the one or more applications, such as 218 may include applications that may be built-in or may be provided by third-party applications.
- one or more applications 218 may include a register module, which may be configured to provide an interface for a merchant to facilitate sales transactions in a business.
- the register module may have bar code scanner functionality, check-out functionality, payment functionality, or any combination thereof. It is understood that the register module is one of many possible modules that may exist within one or more application(s) 218 executing on respective client devices 120 , and that other modules may be implemented.
- the application(s) 218 may run on the
- Client device(s) 120 may include applications that are built-in or provided by third-party entities.
- application(s) 218 may include a register module, which may be configured to provide an interface for an operator of the merchant/business to facilitate sales transactions.
- the register module may have bar code scanner functionality, check-out functionality, payment functionality, or any combination thereof.
- Application(s) 218 may also include screenshot module 226 , which may be configured to communicate with operating system 214 to request screenshots of client device(s) 120 .
- a screenshot may be a screen capture of client device(s) 120 at a certain instance.
- the captured screenshots may be sent to control server 180 for viewing by user 190 .
- An administrator or other users may choose the interval value to allow for continuous viewing of the screenshots.
- screenshot module 226 may capture a screenshot of client device(s) 120 .
- Screenshot module 226 may send the captured screenshots to control server 180 so user 190 may view actions taken at the client device(s) 120 by user 110 .
- the interval may be within a predetermined threshold time value.
- the predetermined threshold time value may be selected to allow consecutive viewing of the screenshots (similar to a video) by user 190 .
- the predetermined threshold may determine the number of screenshots taken each second resulting in continuous viewing by the user 190 .
- An interval value higher than the threshold may result in flickering while being viewed by the user 190 .
- An Interval value lower than the threshold may result in continuous viewing but may impact performance since more screenshots may be taken each second.
- the PIN pad module 220 may be configured to allow a user (e.g., user 110 ) to interact with a particular client device, such as 120 .
- PIN pad module 220 may allow customers to enter information associated with a transaction, such as a sales transaction.
- PIN pad module 220 may be configured to operate with either a touch screen or a physical PIN pad system, for example, the First Data® FD-40 device provided by First Data Corporation of Atlanta Ga., associated with client device 120 .
- PIN pad module 220 may be configured to operate in a secure or insecure mode.
- a secure mode may be a mode that may require heightened security when entering information (e.g., payment authentication information).
- PIN pad module 220 may be configured to operate in the same manner whether it is in secure or insecure mode while alternate modules in the device adjust their characteristics to reflect the current mode of device 120 .
- PIN pad module 220 may be configured to operate with operating system 214 in a secure mode even if operating system 214 is an open format (e.g., WindowsTM, and AndroidTM).
- the information may be related to a debit card or a credit card, or a gift card, or any other form of information related to a point-of-sale system.
- a customer e.g., user 110
- the customer may enter a code associated with the debit card in order to facilitate or otherwise complete the transaction.
- Support module 222 may be configured to provide a user (e.g., user 190 ) to control client device 120 for performing maintenance or guidance activities.
- user 190 may be at least one of a manager, a customer support personnel, or an administrator of the POS network, or any other person responsible for maintenance or guidance activities.
- customer support personnel e.g., user 190
- a merchant e.g., user 110
- may contact a customer service representative e.g., user 190 to report an issue with a client device (e.g., client device 120 ).
- Security module 224 may be configured to handle payment transaction information, including a PIN or a card number.
- security module 224 may operate in a secure mode and may comply with one or more industry standards for secure transactions.
- PCI Payment Card Industry
- PIN pad module 220 may operate a touch screen PIN pad that allows a user to enter the PIN of their debit card.
- Security module 224 may be configured to operate with one or more processing units to implement secure sales transactions.
- a client device such as 120
- Secure operations may be, for example, swiping a credit card, entering a PIN for a debit card, or any other operation related to executing a secure transaction.
- Insecure operations include any operation that may be related to using client device 120 without handling secure data. For example, during a sales transaction, if a customer swipes his or her credit card, security module 224 may select a secure processing unit to complete the transaction.
- the selection of the secure processor units may involve the security module initiating a transition in the control signal or signals that are provided to MUX 104 .
- a single processing unit may be divided into two areas, one secure and one insecure, or a plurality of processing units may be separated into secure or insecure processor groups.
- Security module 224 may be implemented independent of operating system 214 . For example, this may allow developers to work independently from the firmware of operating system 214 , which may allow for better code control. Security module 224 may also be implemented using a physically separate memory from the other modules. Security module 224 may execute its instructions using SP 106 and a physically separate memory from the memory used by AP 108 . As mentioned above, in certain approaches PIN pad module 220 , and other modules in device 120 , do not require information as to whether the device is operating in a secure or non-secure mode.
- Control server 180 may include operating system 230 , at least one point-of-sale application (e.g., POS application 232 ), and at least one application (e.g., application(s) 234 ). Additionally, control server 180 may be configured to provide a number of services via internal modules. For example, control server 180 may include control module 236 .
- the description of operating system 230 , the at least one point-of-sale application (e.g., POS application 232 ), and at least one application (e.g., application(s) 234 ) may be substantially similar to the description of operating system 214 , the at least one point-of-sale application (e.g., POS application 216 ), and the one or more applications (e.g., application(s) 218 ), respectively, of the client device 120 .
- the computer system 400 may include a processor 302 , a main memory 306 , a non-volatile memory 310 , and a network interface device 312 .
- Various common components e.g., cache memory
- the computer system 400 is intended to illustrate example sub-components of the secure POS platform depicted in FIGS. 2-3 .
- the computer system 400 may be of any applicable known or convenient type.
- the sub-components of the computer system 400 may be coupled together via a bus 330 or through some other known or convenient device.
- the computer system 400 may be an embedded computer system, a custom built device and/or platform, a system-on-chip (SOC), a single-board computer system (SBC) (such as, for example, a computer-on-module (COM) or system-on-module (SOM)), a desktop computer system, a laptop or notebook computer system, an interactive kiosk, a mainframe, a mesh of computer systems, a mobile telephone, a personal digital assistant (PDA), a wearable computer device, a server, or a combination of two or more of these systems or devices.
- SOC system-on-chip
- SBC single-board computer system
- COM computer-on-module
- SOM system-on-module
- the computer system 400 may include one or more computer systems 400 ; be unitary or distributed; span multiple locations; span multiple machines; or reside in a cloud, which may include one or more cloud components in one or more networks.
- one or more computer systems 400 may perform, without substantial spatial or temporal limitation, one or more steps of one or more methods described or illustrated herein.
- one or more computer systems 400 may perform in real time or in batch mode one or more operations of one or more methods described or illustrated herein.
- One or more computer systems 400 may perform at different times or at different locations one or more operations of one or more methods described or illustrated herein, where appropriate.
- the processor 302 may be, for example, a conventional microprocessor such as an IntelTM PentiumTM microprocessor or MotorolaTM Power IDCTM microprocessor.
- IntelTM PentiumTM microprocessor or MotorolaTM Power IDCTM microprocessor.
- machine-readable (storage) medium or “computer-readable (storage) medium” include any type of device that can store data or instructions for the processor.
- the processor 302 may include computer-executable instructions 304 .
- the main memory 306 may be coupled to the processor 302 by, for example, a bus 330 .
- the main memory 306 may include, by way of example but not limitation, random access memory (RAM), such as dynamic RAM (DRAM) and static RAM (SRAM).
- RAM random access memory
- DRAM dynamic RAM
- SRAM static RAM
- the main memory 306 may be local, remote, or distributed.
- the main memory 306 may include computer-executable instructions 308 .
- the bus 330 may also couple the processor 302 to the non-volatile memory 310 and drive unit 322 .
- the non-volatile memory 310 may often be a magnetic floppy or hard disk, a magnetic-optical disk, an optical disk, a read-only memory (ROM), such as a CD-ROM, EPROM, or EEPROM, a magnetic or optical card, or another form of storage for large amounts of data. Some of this data may often be written, by a direct memory access process, into memory during execution of software in the computer system 400 .
- the non-volatile storage may be local, remote, or distributed.
- the non-volatile memory 310 is optional because systems may be created with all applicable data available in memory.
- a typical computer system may usually include at least a processor 302 , a memory 306 , and a device (e.g., a bus 330 ) coupling the memory 306 to the processor 302 .
- the drive unit 322 may include a machine-readable (storage) medium 324 .
- the machine-readable (storage) medium 324 may include instructions 326 . Indeed, for large programs, it may not even be possible to store the entire program in the memory 306 . Nevertheless, it should be understood that for software to run, if necessary, it is moved to a computer-readable location appropriate for processing, and for illustrative purposes, that location is referred to as the memory 306 . Even when software is moved to the memory for execution, the processor 302 may typically make use of hardware registers to store values associated with the software, and local cache that, ideally, serves to speed up execution.
- a software program is assumed to be stored at any known or convenient location (from non-volatile storage to hardware registers) when the software program is referred to as “implemented in a computer-readable medium.”
- a processor 302 is considered to be “configured to execute a program” when at least one value associated with the program is stored in a register readable by the processor 302 .
- the bus 330 may also couple the processor 302 to the network interface device 312 to communicate via one or more networks 314 .
- the network interface device 312 may include one or more of a modem or network interface. It will be appreciated that a modem or network interface may be considered to be part of the computer system 400 .
- the interface may include an analog modem, an integrated services digital network (ISDN) modem, a cable modem, a token ring interface, a satellite transmission interface (e.g., “direct IDC”), or other interfaces for coupling a computer system to other computer systems.
- ISDN integrated services digital network
- the interface may include one or more input and/or output (I/O) devices (e.g., video display 316 , alpha-numeric input device 318 , cursor control device 320 , etc.).
- the I/O devices may include, by way of example but not limitation, a keyboard, a mouse or other pointing device, a gesture control and/or detection device, an eye movement control and/or detection device, disk drives, printers, a scanner, and other input and/or output devices, including a video display device 316 .
- the video display device 316 may include, by way of example but not limitation, a cathode ray tube (CRT), a liquid crystal display (LCD), or some other applicable known or convenient display device. For simplicity, it is assumed that controllers of any devices not depicted in the example of FIG. 4 reside in the interface.
- CTR cathode ray tube
- LCD liquid crystal display
- the computer system 400 may be controlled by operating system software that includes a file management system, such as a disk operating system.
- the file management system may typically be stored in the non-volatile memory and/or drive unit and causes the processor to execute the various acts required by the operating system to input and output data and to store data in the memory, including storing files on the non-volatile memory and/or drive unit.
- FIG. 5 is a flow diagram of a method 500 for operating a client device on a secure POS platform.
- Method 500 can begin with step 501 in which secure data is received from a user via an input device.
- An example of step 501 could be a user 110 entering sensitive payment information on the touch screen of a point of sale terminal. This data, which could be in the form of coordinates that describe a touch interaction with a touch display, would be received by a touch controller such as input device controller 102 .
- a user 110 could enter similar information via other means such as a voice activated interface or standard key pad.
- Method 500 continues with step 502 , in which the secure data is routed to a secure processor using a hardware multiplexer, and step 503 , in which the secure data is processed by the secure processor.
- the payment information received in step 501 could be routed to SP 106 by MUX 104 , and then processed by SP 106 .
- the mode in which client device 120 operates while routing data to SP 106 can be referred to as the secure mode.
- Method 500 also includes steps that describe how the device operates in the normal or non-secure mode.
- non-secure data is received from a user via an input device.
- An example of step 504 could be a user 110 entering a quantity of items to purchase using client device 120 .
- this data is routed to a second processor using the hardware multiplexer.
- the second processor could be AP 108 .
- the non-secure data is processed using the second processor.
- the non-secure mode and secure mode differ in terms of which processor data is routed to for processing.
- the routing state of MUX 104 sets which processor the data is routed to.
- the routing state of MUX 104 can only be controlled by SP 106 .
- SP 106 can conduct either of steps 507 and 508 in which the routing state of the hardware multiplexer is altered.
- SP 106 will generally alter the routing state prior to the receipt of information from the user input device in order to match the mode of operation to the type of information being received.
- FIGS. 6 and 7 illustrate a particular implementation of client device 120 described in FIG. 1 and include communication lines that have been annotated to illustrate the effect of the routing state of MUX 104 on the routing of data through the architecture.
- the particular implementation can be referred to separately as device 600 .
- device 600 In the state illustrated by FIG. 6 , device 600 is operating in non-secure mode. In the state illustrated by FIG. 7 , device 600 is operating in secure mode. Active data lines in each figure have been annotated with white arrows to show the direction of data flow. Active control lines in each figure have been annotated with white circles.
- Device 600 is capable of receiving user data from at least one input device.
- IDC 102 includes an input device user data connection to receive that data from an input device.
- IDC 102 is a touch screen controller which receives touch data from touch display 109 .
- Device 600 also includes a set of additional input devices with additional input device user data connections. Any input device that handles secure data can be substituted in place of these additional devices.
- an exemplary set includes a chip reader 604 , a near field communication (NFC) device 606 , a magnetic swipe reader (MSR) 608 , and a tamper sensor 610 .
- the chip readers 604 may be configured to check one or more embedded microchips in a credit card or debit card or any other card that may contain readable information.
- the NFC device 606 may be configured to activate the client device 120 by touch or by proximity through a touch sensitive handle on the client device 120 or by detecting an NFC device within certain proximity of client device 120 .
- Device 600 also includes computing device 630 which includes multiplexer 104 , SP 106 , and a second processor.
- the second processor is AP 108 .
- the multiplexer 104 includes a multiplexer control input port communicatively coupled to a control output port on SP 106 , a multiplexer data input port communicatively coupled to IDC 102 , a first data output port communicatively coupled to a secure processor data input port on SP 106 , and a second data output port communicatively coupled to a second processor data input port on AP 108 .
- SP 106 and AP 108 are connected by bus 640 .
- the elements of computing device 630 and the other components in device 600 are communicatively coupled in that information can be transmitted from one component and coherently received by the other component without intermittent alteration of that information.
- information is not altered by standard signal conditioning or the application of CODECs that preserve the actual informational content of the signal.
- port is used here as it is used by those of skill in the art in the field of electronic communication and can encompass the pins of an integrated circuit, a via within an integrated circuit, a connection on a printed circuit board, or any other node in a circuit schematic.
- the data lines that connect IDC 102 to MUX 104 , MUX 104 to SP 106 , and MUX 104 to AP 108 can comprise any communication interface such as I2C, SPI, USB, or equivalents along with any interrupts required by the peripheral controlled by IDC 102 .
- Bus 640 between SP 106 and AP 108 can include any communication interface such as I2C, SPI, USB, UART, or equivalents. The number of interrupts required on bus 640 will vary depending upon the application as will be apparent to those of ordinary skill upon obtaining an understanding of the following disclosure.
- MUX 104 is configurable between a first state and a second state.
- the first state corresponds to the secure mode of operation for device 600 and is illustrated in FIG. 7 .
- the second state corresponds to the non-secure mode of operation for device 600 and is illustrated in FIG. 6 .
- Examples of a secure operation may include entering a PIN used for cardholder verification, or entering a payment card number or verification code.
- Examples of non-secure transactions may include entering orders, entering a ZIP code, etc.
- the multiplexer data input port is communicatively coupled to the second data output port through the multiplexer. As seen in FIG. 6 , this causes data to flow from IDC 102 through MUX 104 to AP 108 .
- the multiplexer data input port is communicatively coupled to the first data output port. As seen in FIG. 7 , this will cause data to flow from IDC 102 through MUX 104 to SP 106 .
- the line connecting the control output port of SP 106 to the control input port of MUX 104 is emphasized using a white circle to note that the current state of MUX 104 is set by SP 106 .
- SP 106 has a direct connection to the set of second input devices in addition to that through IDC 102 and MUX 104 .
- this set includes reader 604 , NFC 606 , MSR 608 , and tamper sensor 610 .
- SP 106 is communicatively coupled with a second input device in this set of second input devices via a second input device user data connection and a second data input port on SP 106 .
- the connection is direct in that the devices are communicatively coupled with the secure processor 106 via the second input device user data connection and second data input port and not via MUX 104 .
- the second data input port could be a second input pin on the IC in addition to the first data input pin that leads to the data input of MUX 104 .
- the current state of MUX 104 is exclusively controlled by SP 106 via the control output port of SP 106 .
- SP 106 can implement the functionality of security module 224 .
- AP 108 can communicate with SP 106 along an inter-processor line which forms part of bus 640 .
- AP 108 can utilize this line to indirectly affect the current state of MUX 104 .
- AP 108 can inform SP 106 that a user has requested a screen on display 108 for the entry of secure information.
- SP 106 can choose to alter the routing state of MUX 104 and put device 600 into the secure mode of operation.
- AP 108 is only providing a request to transfer the state of MUX 104 and it does not control the state of MUX 104 directly. Also, once SP 106 takes control of MUX 104 , SP 106 can be placed into a state in which it will not respond to any interrupts from AP 108 or other devices and will only relinquish control of the device and change the state of MUX 104 back when its own internal logic determines that such a change is necessary. This architecture thereby provides a high degree of control to SP 106 at the expense of AP 108 . As a result, less secure programs can be installed on the device and run on AP 108 while a high level of security is still provided by SP 106 .
- FIGS. 6 and 7 provides an additional benefit besides security in that IDC 102 can operate without regard to the state of computing device 630 .
- a state machine that describes IDC 102 does not require information regarding whether or not device 600 is operating in the secure mode or the non-secure mode or information regarding the routing state of MUX 104 .
- FIG. 6 when the device is operating in the non-secure mode, data will be passed through MUX 104 to AP 108 .
- FIG. 7 when the device is operating in the secure mode, data will be passed through MUX 104 to SP 106 .
- IDC 102 will not need to know which processor is actually receiving the data it sends to computing device 630 .
- steps 502 and 505 can both be preceded by identical pre-processing steps in which the data is pre-processed using IDC 102 in the same manner regardless of the state of MUX 104 .
- IDC 102 can also be an off the shelf user input device controller such as a standard touch display controller.
- FIG. 6 and FIG. 7 include emphasized data lines that continue through the processors to display 109 .
- data travels from SP 106 through inter-processor communication line 640 to AP 108 and then on through a display signal connection line to display 109 .
- data travels from AP 108 through the display connection line to display 109 .
- AP 108 is the sole processor that display 109 needs to interact with.
- SP 106 is controlling display 109 via a channel that comprises the inter-processor communication line 640 and display signal connection line.
- SP 106 may apply one or more security algorithms (e.g., encryption) to protect subsequent outputs from the SP 106 . Indeed, this may be one of the main components of the processing steps conducted by SP 106 .
- Conducting encryption using SP 106 can provide device 600 with certain advantageous characteristics in that the crypto keys used to encrypt the information can be solely accessible to SP 106 and therefore isolated from AP 108 .
- the encryption can be conducted by an encryption module instantiated by SP 106 and a memory to which SP 106 has access.
- the encryption module can encrypt a quantum of data received from IDC 120 to create an encrypted quantum of data that is stored in that memory.
- the encryption module can also encrypt a quantum of data received from another input to the device such as MSR 608 or other input devices.
- the secure data entered on device 600 can be encrypted in real time as it is received or in bulk when the data is ready for transmission.
- SP 106 will have access to a network connection in order to send off secure data for verification. For example, SP 106 will be able to encrypt credit card information in order to receive an authorization for a charge against a credit card account.
- the transferred data can be sent through AP 108 and then on to a network connection.
- the encrypted quanta of data can be sent along an inter-processor line on bus 640 . Since the data is in encrypted form, it is safe to be handled by AP 108 , and the actual network connection does not need to interface with SP 106 . However, in certain approaches SP 106 will have an isolated network connection to send out authorization information and receive confirmation of authorization.
- SP 106 can conduct numerous additional secure features in addition to handling secure data and controlling when the state of MUX 104 should be altered.
- SP 106 can run tamper sensors, such as tamper sensor 610 , to determine when a physical attack has taken place on a device and destroy any sensitive information upon detection of an attack.
- SP 106 can also run code to conduct contact and contactless payments, and perform crypto operations required by the kernels of such payments, protect private keys used in the payment processing infrastructure.
- SP 106 and AP 108 can vary in terms of the isolation between the devices. As will be described below, SP 106 and AP 108 can be implemented on the same physical processor. However, in certain embodiments, SP 106 and AP 108 can be independent microcontrollers. SP 106 and AP 108 can also be independently associated with first and second memories that are distinct and separate hardware components. The first memory can be associated with the operation of SP 106 and the second memory can be associated with the operation of AP 108 . To ensure the security of SP 106 , AP 108 may be incapable of addressing the first memory. As such, attacks that attempt to illicitly enter instructions for execution by SP 106 or access data utilized by SP 106 using AP 108 will not by physically possible.
- the independent microcontrollers may include multiple processing cores but the overall device will still be referred to herein as a processor.
- One or more of the components in computing device 630 may exist on the same chip or a combination of the components may be on the chip, examples of which can be discussed with reference to FIGS. 8A-8D .
- MUX 104 and SP 106 could be implemented on a single integrated circuit while AP 108 and IDC 102 were left as stand-alone devices.
- MUX 104 could be a block of circuitry on the IC
- SP 106 could include an encryption circuit configured to conduct the encryption operations for SP 106 .
- the control output port of SP 106 and the control input of MUX 104 would be connected via interconnects in that single integrated circuit.
- the multiplexer data input port would be communicatively coupled to an input pin on the IC and the second multiplexer data output port (i.e., the one that is communicatively coupled to AP 108 ) would be communicatively coupled to an output pin on the IC.
- the pins on the IC could be solder bumps, copper posts, or any other IC packaging connection technology.
- SP 106 and AP 108 may coexist on one multi-core processor, while MUX 104 may be a standalone device.
- One or more devices such IDC 102 , chip reader 604 , NFC 606 , MSR 608 and tamper switch 610 may be accessible from the TrustZoneTM of one of the cores of the multi-core processor. In order to access one or more of these device, an application may need to go through the TrustZoneTM of the dedicate core.
- one core of a multi-core processor may be designated to function as SP 106 and another core to function as AP 108 , while both of these cores may be connected directly to the MUX 104 .
- the IDC 102 may be connected to MUX 104 . In that scenario, the IDC 102 may be isolated from both SP 106 and the AP 108 .
- the TrustZoneTM portion of the SP 106 core may determine whether the data passing through MUX 104 may go through SP 106 core or AP 108 .
- a multi-core processor may not contain the TrustZoneTM technology but instead rely on the physical security on the chip, such as, a secure mesh that protects the cores from tampering. It is understood that a multi-core processor may include any number of cores and not limited by the examples of FIGS. 8A-8D .
- the IDC 102 may be connected directly to a TrustZoneTM area of a processor or a core of a multi-core processor.
- the core that includes the TrustZoneTM may be always dedicated as a secure core that handles secure and normal (non-secure) transactions.
- a MUX 104 may not be necessary to have a MUX 104 included in the processing device 630 .
- the TrustZoneTM may decide whether to switch between secure and non-secure transactions based on the touches received from user 110 on client device 120 .
- Client device 120 can alternate between secure mode and the non-secure mode in various ways. After transitioning into secure mode, secure transactions can be conducted by SP 106 including reading data from display 109 , reader 604 , NFC 606 , or MSR 608 , encrypting that data, transmitting the data for authorization at a remote server, instantiating a virtual keypad on display 109 , and other secure actions. After the secure transactions have been conducted, SP 106 will then relinquish control of client device 120 and then alter the state of client device 120 back to the non-secure mode.
- SP 106 alters the state of MUX 104 to alternate the device between a secure mode and a non-secure mode. As mentioned previously, SP 106 has exclusive control over the state of MUX 104 . However, given the particular architecture of the client device as described herein, there is no need for an additional interrupt line or special secure firmware on IDC 102 or AP 108 in order to enforce the secure mode of operation. Bus 640 will include a data line on which AP 108 can indicate that user inputs on IDC 102 are requesting a secure mode, and SP 106 can react to this information, but the manner in which access to the data from IDC 102 is provided is not burned into device 120 . Instead, a dynamic runtime decision is made to decide which processor gets access to the input device.
- SP 106 can accommodate requests from any application running on AP 108 in a flexible manner.
- SP 106 can react directly to data received on a second input device without immediately interfering with the operation of AP 108 . In specific approaches, this will also cause an interrupt to be sent on bus 640 , but in these cases the interrupt will transfer from SP 106 to AP 108 .
- FIG. 9 illustrates a set of methods 900 that can be conducted by a client device 120 in the form of a POS terminal having the architecture of device 600 .
- device 600 can be a POS terminal with a touch display in place of display 109
- IDC 102 may be a touch screen controller configured to receive touch input from user 110 (e.g., a merchant or customer) operating client device 600 .
- a start transaction (“TX”) message is sent from AP 108 to SP 106 using an inter-processor line on bus 640 .
- the start transaction message can be provided by the AP 108 in response to receiving an input from a user.
- the input could indicate that the user wants to initiate a payment transaction, in which case SP 106 would administrate the entire payment transaction. However, the input could also indicate that the user would like to enter a secure piece of information, in which case SP 106 would only administrate the entry of that secure piece of information.
- AP 108 could then retain control of the device for the other steps in the payment flow besides the receipt of the secure information.
- the term “transaction” is referring to a secure transaction between the user of the device and the device itself, not a payment transaction that is being conducted using the device.
- the input can be the selection of a button on the screen that indicates the user would like to enter a credit card number manually, enter a PIN number, enter a CVV number, or any other secure information.
- the specific example of a manual credit card number entry button 902 is provided in FIG. 9 .
- step 903 the touch display is used to instantiate a secure interface.
- the routing state of MUX 104 can be altered as in step 507 of FIG. 5 under the control of SP 106 .
- the secure interface will provide the user with the ability to view or enter secure information.
- the secure interface could be a virtual keypad 904 , an account selection interface, or an account information interface.
- Step 903 can be a sub-part of a larger process in which the SP 106 controls display 109 via the channel that includes the inter-processor line and the display drive line mentioned above. This channel can also include AP 108 .
- SP 106 controls display 109 in this step, and the data received in the secure mode is sent to SP 106 , no programs associated with AP 108 will have access to the touch data entered on the keypad 904 .
- SP 106 will retain control of display 109 as the secure information is being entered so that it can display wild card characters while the user is entering the secure information.
- FIG. 10 provides a ladder diagram showing the communication between SP 106 and AP 108 during the execution of step 903 in approaches where the control channel includes AP 108 .
- SP 106 may send a message to AP 108 instructing it to display a virtual keypad.
- the AP 108 may carry out the instruction by communicating with display 109 of client device 120 and may respond (acknowledgement “Ack”) to the SP 106 when the action is completed.
- SP 106 may receive one or more button touches on the touch screen and may convert one or more of the button touches to wild card characters (e.g., #, *, etc.).
- the AP 108 may respond to the SP 106 when the instructions are completed and the user 110 is presented with the characters (e.g., #, *, etc.). This process continues until user 110 presses a completion button, such as, “enter,” “OK,” etc.
- a completion button such as, “enter,” “OK,” etc.
- SP 106 can retain control of display 109 for a period of time while the secure data is processed. For example, SP 106 could retain control of the display while a PIN entered by the user is encrypted and transferred off of client device 120 for authorization as in step 905 , when control is relinquished.
- the display could show a transaction processing screen to a user, and allow the user to exit secure mode by pressing a cancel button on the screen.
- step 903 in FIG. 9 Alternative or additional secure transactions can be conducted in place of step 903 in FIG. 9 .
- the display of the virtual keypad could be combined with encryption of the received data and transmission of that data for authorization from a remote server.
- One of the secure transactions could be the activation and communication with one of the input devices in FIG. 6 besides display 109 . This communication could be conducted independent of AP 108 .
- FIGS. 11 and 12 include ladder diagrams that show exemplary additional secure transactions that can be conducted along with step 903 .
- the ladder diagrams show the exchange of information between the AP 108 , SP 106 , MUX 104 , and other devices during the execution of these secure transactions.
- Both FIGS. 11 and 12 involve transactions where AP 108 initiates a request for the secure mode by sending a start transaction message to SP 106 .
- the ladder diagrams differ in terms of what additional secure transactions are illustrated along with the receipt of secure data in secure mode.
- the secure mode is activated and SP 106 takes control of display 109 .
- SP 106 also activates reader 604 , 606 , or 608 (Readers “ON”) in order to receive additional secure data via a second input device besides display 109 .
- the additional secure data can be provided directly from readers 604 , 606 , or 608 to SP 106 such that it is not routed through MUX 104 .
- the data can be received via a second data input port on SP 106 that is communicatively coupled with a user data connection providing data from the reader.
- SP 106 can then process the additional secure data by, for example, encrypting the secure data.
- the encrypted secure data can then be sent on to a remote server for authorization.
- SP 106 can send off the information via AP 108 as the data is in encrypted format.
- the secure mode is activated and SP 106 instructs AP 108 to display an account selection screen and PIN entry screen to receive secure information from a user in the form of a PIN and account.
- the SP 106 can then instruct 108 to establish a network connection with a server 1200 in order to authorize the transaction by providing server 1200 with the secure data in encrypted form.
- Device 600 will exit the secure mode under the control of SP 106 when SP 106 relinquishes control of display 109 as in step 806 .
- Control can be relinquished before or after additional secure transactions are conducted. For example, as in the ladder diagram in FIG. 11 , control can be relinquished prior to encrypting the data for transmission. As long as display 109 is not being used to input secure information, SP 106 can relinquish control of the display to AP 108 . Once control is relinquished, SP 106 will alter the routing state of MUX 104 as in step 508 .
- SP 106 will force the device into the secure mode without receiving a prompt from AP 108 .
- SP 106 could receive a direct communication from a second input device such as reader 604 , NFC 606 , MSR 608 , or tamper sensor 610 as in step 1301 .
- a user of client device 120 may initiate a secure transaction without first prompting the device using IDC 120 and instead using a second user input device.
- a secure transaction and/or operation is performed by a merchant (e.g., user 110 ), such as, card swipe, insertion of a payment card, etc.
- the appropriate system e.g., chip reader 604 , or NFC 606 , or MSR 608 , or tamper switch 610
- this kind of secure transaction could be initiated via the unprompted introduction of an NFC device into close proximity with the POS terminal.
- SP 106 could issue a hardware interrupt to AP 108 to initiate a secure transaction and put the device into secure mode.
- the SP 106 may be able to determine whether to instantiate a virtual keypad, account selection, or account information screen on the display of the device. If SP 106 determines that the entry of secure information is required, the routing state of MUX 104 could be altered to protect the secure information.
- SP 106 could receive a tamper indication in step 1301 and transfer the device into secure mode in 1302 to lock out the device. At that point, SP 106 could continue a secure transaction such as erasing any crypto keys stored on the device. After the secure transaction or transactions were complete, SP 106 could relinquish control in step 1303 and the device could return to non-secure mode.
- FIG. 14 illustrates another flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments.
- the description is provided with reference to AP 108 conducting the transaction; however, in certain approaches SP 106 will be able to conduct these operations directly.
- the AP 108 may send secure information to the server.
- the secure information may be a result of the secure transaction conducted using SP 106 .
- a certificate may need to be exchanged before the AP 108 may communicate with the server.
- the certificate may need to be signed by an authority associated with First Data Corporation of Atlanta Georgia, such as root certification authority (e.g., CloverTM).
- the certificate may be captured in one or more secure areas of the AP 108 .
- the AP 108 contains a secure area, such as, TrustZone (TZTM)
- the TZTM may contain an encrypted key (or private key) that may be unique for the AP 108 processor.
- the certificate will be stored in a memory that is only accessible to SP 106 .
- the AP 108 may look up the flash to determine whether a private key exists. If one exists, the key may be used with the TZTM. However, if a key is not found, the flash may report that a block location is empty and that a key needs to be created. The TZTM may encrypt the key and send it to the AP 108 that sends a request to the flash memory to save the key at the block location.
- the AP 108 may have a persistent identity that may be presented to the server.
- the persistent identity may be due to maintaining the same private key over factory resets and/or power failures.
- the private key may be written to a non-volatile flash area that may survive resets and/or power failures.
- the private key may be saved in a TZTM area during initial installation of a client device 120 at a user premises. It is understood that TZTM is a system for securing peripherals such as memory, crypto blocks, keyboard and displays to ensure they can be protected from software attacks.
- the SP 106 and the AP 108 may have a persistent identity to present to a server that may provide services or data to the SP 106 or AP 108 .
- the persistent identity may be in the form of a digital public-key certificate (such as an X. 509 certificate).
- the SP 106 and AP 108 may authenticate themselves to a server using either transport-level security (e.g., SSL/TLS) or message-level security (e.g., RSA signature over a message).
- transport-level security e.g., SSL/TLS
- message-level security e.g., RSA signature over a message.
- the private key component may be protected by the SP 106 secure cryptographic device such that tampering with the device may erase the private key, or a master symmetric key. This may provide strong, cryptographic, persistent device-to-server authentication in such a way that devices may not be cloned and communications remain private and authentic.
- This persistent, cryptographic identity may be used by SP 106 to obtain financial encryption keys remotely from the server, for example a triple DES key for use with the derived unique key per transaction (DUKPT) key management scheme, which is a standard in the electronic transactions industry.
- the persistent identity of the SP 106 and the AP 108 may help prevent against security attacks where a component of the client device 120 may have been compromised or hacked because the persistent identity may be encrypted and communicated between components within the client device 120 and/or outside the client device 120 .
- the identity may not match which may render the client device 120 as compromised and may be inoperable.
- the SP 106 may implement a persistent identity by having a discrete battery for maintaining the private key or master symmetric key.
- the SP 106 and the AP 108 may have persistent identities that work as a pair.
- each pair of SP 106 and AP 108 may be bonded by the pair of keys that define their persistent identity. In that sense, mixing various SP 106 and AP 108 that may not have been bonded together as a pair, may render the client device 120 inoperable. Therefore, only bonded pairs of SP 106 and AP 108 may function together in a client device 120 .
- a remote key injection may be implemented on the SP 106 and/or the AP 108 .
- the SP 106 and/or the AP 108 may be placed in a secure room, containing a certificate authority.
- the certificate authority may sign a certificate signing request from the SP 106 or AP 108 , thus providing the device with its persistent identity.
- a key may be injected in the SP 106 and/or the AP 108 .
- a process for injecting keys is typically done inside of a key injection room with an injection device.
- a key may be generated by placing the SP 106 and/or the AP 108 in a secure room and injecting the key into the SP 106 and/or the AP 108 by a key injection device.
- bonding of the SP 106 and the AP 108 may be performed at the same time as signing the public key certificates.
- the purpose is to provide additional security against tampering and component swapping between devices.
- SP 106 may be in direct communication with a tamper sensor 610 that may be activated in case of a determination of tampering, such as unauthorized attempt to access the client device 120 .
- the tamper sensor can be connected to several tamper detection points including a detection point on a tamper resistant cover for client device 120 .
- the tamper resistant cover may be in keeping with the cover in FIG. 15 which shows an upper view of an exemplary cover for client device 120 .
- Cover 1502 may obscure or otherwise protect certain areas of an associated printed circuit board 1504 of a POS device or client device, such as client device 120 , which may be the target of third-party tampering.
- the cover 1502 can include any number of other physical security devices, techniques, and/or technologies to prevent, inhibit, or otherwise deter third-party tampering.
- the cover 1502 may be a relatively rigid structure with a predefined shape or configuration mounted to one or more areas of the printed circuit board 1504 .
- the cover 1502 may be mounted to the printed circuit board 1504 by way of any number of physical connectors, soldering, adhesives, etc.
- the cover 1502 can include one or more physical security devices, techniques, and/or technologies.
- the cover 1502 may include special traces that may be molded on or in the plastic.
- the cover 1502 may contain one or more break channels embedded on the cover 1502 to deter tampering if the cover is attempted to be removed. For example, if an attempt was made to remove the cover 1502 , one or more break channels may disconnect the cover 1502 from the printed circuit board 1504 rendering the associated client device 120 or POS device inoperable by way of one or more signals generated by the client device 120 or POS device, and sent by the client device 120 or POS device to a remote server, such as a CloverTM server operated by First Data Corporation of Atlanta, Ga.
- a remote server such as a CloverTM server operated by First Data Corporation of Atlanta, Ga.
- the cover 1502 may be a laser direct structuring (LDS) or other printed circuit with traces that may have certain predefined heat tolerance and/or resistance, flexibility, and/or strength characteristics.
- LDS laser direct structuring
- the cover 1502 may have a predefined heat tolerance that may be relatively higher than the heat tolerance of one or more components of the client device 120 or POS device that are being obscured or otherwise protected by the cover 1502 .
- Having a relatively higher heat tolerance than one or more components of the client device 120 or POS device may provide additional security against third-party tampering since exposing the cover 1502 to a temperature above the heat tolerance of one or more components of the client device 120 or POS device may render the one or more components inoperable and ultimately cause failure of or otherwise render inoperable certain functionality or features of the client device 120 or POS device.
- the cover 1502 may have a relatively low flexibility tolerance to prevent flexing the cover 1502 beyond a predefined point of breakage. That is, the cover 1502 may break rather than flex, when the cover 1502 is flexed beyond a certain point.
- Breaking the cover 1502 may render the client device 120 or POS device inoperable by way of the client device 120 or POS device generating one or more signals, and sending the signals to a remote server, such as a CloverTM server operated by First Data Corporation of Atlanta, Ga.
- a remote server such as a CloverTM server operated by First Data Corporation of Atlanta, Ga.
- the cover 1502 may include one or more zones that may each have one or more respective layers of physical security. In some embodiments, the cover 1502 may have a relatively high strength factor that prevents, inhibits, or deters drilling or other applying other forces to the cover 1502 to attempt to access the one or more components of the client device 120 or POS device.
- the cover 1502 may be divided into two zones (e.g., zones 1520 and 1530 ). The division of the zones may be based on what components of the printed circuit board 1504 are covered by that zone. Further, the zones may contain various layers of physical security, again, based on what components of the printed circuit board 1504 are covered by that zone.
- zone 1520 may cover the IDC 102 , the SP 106 , the NFC 606 , the MSR 608 , and the chip readers 604 .
- the IDC 102 , the SP 106 , the NFC 606 , the MSR 608 , and the chip readers 604 may be considered as sensitive components that may require additional security protection against tampering.
- zone 1520 may contain one or more layers of security to prevent against malicious access.
- Zone 1530 may cover AP 108 , memory 306 , and the LCD device driver. Since these components may not contain sensitive data where a malicious access may not severely impact the client device 120 , the zone 1530 may contain less layers of security than the zone 1520 . It is understood that the above is only an example of division between two zones and that other divisions between one or more zones may be implemented based on the security need for the client device 120 .
- These computer-executable program instructions may be loaded onto a special-purpose computer or other particular machine, a processor, or other programmable data processing apparatus to produce a particular machine, such that the instructions that execute on the computer, processor, or other programmable data processing apparatus create means for implementing one or more functions specified in the flow diagram block or blocks.
- These computer program instructions may also be stored in a computer-readable storage media or memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage media produce an article of manufacture including instruction means that implement one or more functions specified in the flow diagram block or blocks.
- certain implementations may provide for a computer program product, comprising a computer-readable storage medium having a computer-readable program code or program instructions implemented therein, said computer-readable program code adapted to be executed to implement one or more functions specified in the flow diagram block or blocks.
- the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational elements or steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions that execute on the computer or other programmable apparatus provide elements or steps for implementing the functions specified in the flow diagram block or blocks.
Abstract
Description
- This application is a continuation of U.S. application Ser. No. 14/877,909, filed Oct. 7, 2015, which claims the benefit of U.S. Provisional Application No. 62/072,420, filed Oct. 29, 2014, and U.S. Provisional Application No. 62/074,061, filed Nov. 2, 2014, all of which are incorporated by reference in their entirety herein for all purposes.
- Point-of-sale (POS) systems allow users, such as merchants, to offer customers flexibility in completing goods or services sales transactions. However, such systems may not provide a mechanism for secure transactions such as entering a PIN (personal identification number) associated with a credit, debit, EMV, and other payment cards, including cards having embedded integrated circuits for, among other things, authentication. The relative lack of security may lead to identity theft or fraudulent transactions, and ultimately a relatively poor consumer and/or merchant experience.
- Point of sale terminals need to have a secure operating environment that guarantee unscrupulous people cannot steal sensitive data or hijack the payment processing capabilities of the device. Unfortunately, this results in POS terminals that are closed systems, and have very limited applications that can be used to customize and augment the terminal functionality. In addition, the terminal needs a dedicated PIN pad that needs to be physically protected to meet strict security requirements and needs physical and logical security to isolate sensitive data from the regular operating environment.
- In one embodiment, a device is provided. The device comprises an input device with an input device user data connection to an input device controller. The device also comprises a multiplexer with a multiplexer control input port, a multiplexer data input port communicatively coupled to the input device controller, a first data output port, and a second data output port. The device also comprises a secure processor with: (i) a control output port communicatively coupled to the multiplexer control input port; and (ii) a secure processor data input port communicatively coupled to the first data output port. The device also comprises a second processor with a second processor data input port communicatively coupled to the second data output port. The multiplexer is configurable between a first state and a second state. The multiplexer data input port is communicatively coupled to the first data output port through the multiplexer when a current state of the multiplexer is the first state. The multiplexer data input port is communicatively coupled to the second data output port through the multiplexer when the current state of the multiplexer is the second state. The current state of the multiplexer is exclusively controlled by the secure processor via the control output port.
- In another embodiment, an integrated circuit is provided. The integrated circuit comprises a multiplexer with a multiplexer control input port, a multiplexer data input port, a first data output port, and a second data output port. The integrated circuit also comprises an input pin communicatively coupled to the multiplexer data input port. The integrated circuit also comprises a multiplexer control circuit communicatively coupled to the multiplexer control input port. The integrated circuit also comprises an input device data processing circuit communicatively coupled to the first data output port. The integrated circuit also comprises an output pin communicatively coupled to the second data output port. The multiplexer is configurable between a first state and a second state via the multiplexer control circuit. The multiplexer data input is communicatively coupled to the first data output port through the multiplexer when the current state of the multiplexer is the first state. The multiplexer data input is communicatively coupled to the second data output port through the multiplexer when the current state of the multiplexer is the second state.
- In another embodiment, a method is provided. The method comprises receiving secure data from a user via an input device. The method also comprises routing the secure data to a secure processor using a hardware multiplexer. The method also comprises processing the secure data using the secure processor. The method also comprises receiving non-secure data from the user via the input device. The method also comprises routing the non-secure data to a second processor using the hardware multiplexer. The method also comprises processing the non-secure data using the second processor. The method also comprises altering a routing state of the hardware multiplexer using the secure processor. The routing state of the hardware multiplexer is only controlled by the secure processor.
- In another embodiment, another method is provided. The method comprises receiving secure data from a user via an input pin of an integrated circuit. The method also comprises routing the secure data to an input device data processing circuit using a hardware multiplexer. The method also comprises processing the secure data using the input device data processing circuit. The method also comprises receiving non-secure data from the user via the input pin. The method also comprises routing the non-secure data to an output pin of the integrated circuit using the hardware multiplexer. The method also comprises altering a routing state of the hardware multiplexer using the secure processor. The routing state of the hardware multiplexer is only be controlled by the secure processor.
-
FIG. 1 illustrates two architectures for a client device in a secure POS platform that are in accordance with one or more example embodiments. -
FIG. 2 illustrates an example network architecture for a secure POS platform in accordance with one or more example embodiments. -
FIG. 3 illustrates an example component architecture for certain components of the secure POS platform shown inFIG. 2 in accordance with one or more example embodiments. -
FIG. 4 illustrates a diagram of an example computer system for certain components of the secure POS platform shown inFIG. 2 in accordance with one or more example embodiments. -
FIG. 5 illustrates a flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments. -
FIG. 6 illustrates a diagram of an example client device for a secure POS platform operating in a non-secure mode in accordance with one or more example embodiments. -
FIG. 7 illustrates a diagram of an example client device for a secure POS platform operating in a secure mode in accordance with one or more example embodiments. -
FIGS. 8A-8D illustrate diagrams of example device architectures for client devices for a secure POS platform in accordance with one or more example embodiments. -
FIG. 9 illustrates a flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments. -
FIG. 10 illustrates a ladder diagram of communications between a secure processor and application processor for conducting a secure transaction that is in accordance with one or more example embodiments. -
FIG. 11 illustrates another ladder diagram of communications between a secure processor, multiplexer, and second input device, for conducting a secure transaction that is in accordance with one or more example embodiments. -
FIG. 12 illustrates another ladder diagram of communications between a secure processor, application processor, and server, for conducting a secure transaction that is in accordance with one or more example embodiments. -
FIG. 13 illustrates another flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments. -
FIG. 14 illustrates another ladder diagram of communications for operating a secure POS platform in accordance with one or more example embodiments. -
FIG. 15 illustrates an upper view of an example cover for a POS or client device in accordance with one or more example embodiments. - Reference now will be made in detail to embodiments of the disclosed invention, one or more examples of which are illustrated in the accompanying drawings. Each example is provided by way of explanation of the present technology, not as a limitation of the present technology. In fact, it will be apparent to those skilled in the art that modifications and variations can be made in the present technology without departing from the scope thereof. For instance, features illustrated or described as part of one embodiment may be used with another embodiment to yield a still further embodiment. Thus, it is intended that the present subject matter covers all such modifications and variations within the scope of the appended claims and their equivalents.
- Described herein are systems and methods for providing secure POS (point-of-sale) platforms and associated methods. Certain embodiments of the systems and methods described herein may facilitate providing a secure POS platform to provide secure interactions with local services and/or third-party applications during one or more POS transactions (e.g., financial transactions, login sessions, etc.) at physical and/or remote locations. Further, certain embodiments of the systems and methods may also provide or otherwise facilitate secure communication with a user of the POS platform.
- POS transactions on a POS platform may influence the selection of data communication channels within the secure POS platform, where these data communication channels may be used to process the data associated with one or more POS transactions. For example, a merchant may use a POS platform to complete a transaction with a customer who may have placed an order for goods or services (e.g., purchasing milk, etc.), where the merchant or the customer may swipe a credit card to complete the transaction. Based upon the type of transaction, the POS platform may choose one or more data channels to access one or more processors within the POS platform to complete the transaction. For example, if the transaction involves secure data, such as credit card information or a personal identification number (PIN) a secure channel may be used; whereas if the transaction involves unsecure data, such as the entry of a quantity of milk to be purchased, a non-secure channel may be used. The one or more data channels can be used to process or otherwise complete the transaction.
- Although a bulk of the disclosure is directed to a POS platform used to facilitate a financial transaction between an owner of the terminal and another party, the approaches described herein are more broadly applicable to any device that is used to handle both secure and non-secure data. For example, an ATM may include an account management system and may also include an application for ordering stamps or other applications that do not require the receipt of secure data from the user. As another example, a tablet computer may include core applications that are used to interact with financial institutions or ecommerce systems while other applications can be added to the device that do not require the use of secure information. Any of these and similar devices can benefit from some of the approaches described herein.
- POS Platform Overview
- As shown in
FIG. 1 ,secure POS platform 100 may include a number of hardware components including input device controller (IDC) 102, multiplexer (MUX) 104, secure processor (SP) 106, and application processor (AP) 108. Throughout this specification, a touch screen will be used as an exemplary input device such that the input device controller may be referred to as a touch controller (TC). However, as mentioned previously, the input device controller could be a controller for any number of input devices or user interfaces such as a keypad, audio interface, or wireless interface. The above are only examples of components that may be included in a secure POS platform, such as 100, and other components may also be included. - Referring to
FIG. 1 , there is shown an example schematic view of asecure POS platform 100 in accordance with one or more example embodiments. InFIG. 1 ,secure POS platform 100 can include one or more components, such as 102, 104, 106, and 108 that are internal to associatedclient device 120, which can be a merchant POS device.Client device 120 may be operated by auser 110 entering various information for a purchase transaction via an associated input device associated with theclient device 120 to facilitate a purchase transaction. The input device could be a touch screen integrated with theclient device 120. The input device could be a multiuse input device such that it is used for both secure operations and normal (non-secure) operations.Secure POS platform 100 may evaluate whether the certain user inputs via the multiuse input device are associated with either secure operations or normal (non-secure) operations. An example of a secure operation is entering a PIN. An example of a non-secure operation is entering a quantity of an item to be purchased via the same touch screen. - The hardware components, such as 102, 104, and 106, may be interconnected to provide various functions in response to certain actions performed by
user 110 with respect toclient device 120, such as inputting information via an associated input device or user interface. The hardware components can be implemented as individual integrated circuits (ICs) on a main board ofclient device 120. However,MUX 104 andSP 106 could also be implemented on a single application specific integrated circuit (ASIC) whileIDC 102 andAP 108 are kept as separate ICs. Thechip comprising MUX 104 andSP 106 could then be used as a “secure chip” in a chip set comprising the secure chip,IDC 102, andAP 108. As will be described later, integratingMUX 104 andSP 106 onto a single chip provides certain benefits in thatIDC 102 andAP 108 could be commercially available ICs that are broadly available beyond the more limited market for specialized secure POS hardware. In other words, an application processor chip and peripheral controller chip could be standard devices for the control of peripherals and running applications generally, and do not need to be augmented in any manner to realize the security benefits of some of the approaches described herein. Any of the functions performed bySP 106 that are disclosed in this specification could be executed on the secure chip. For example, tamper detection circuitry implemented on the secure chip could receive a tamper indication from a tamper sensor and clear a memory implemented on the secure chip to protect encryption keys or other secure information stored on the secure chip. -
AP 108 can be a standard processor used to implement an operating system forclient device 120. For example,AP 108 can run the Android OS™. In general, the AP can maintain full control over theclient device 102 while the device is running applications that don't require secure information. For example, the main application run by theAP 108 could be the standard merchant-facing retail checkout application used to accept inputs regarding a customer's order and tally the total of a specific purchase transaction. As another example, the main application run byAP 108 could be a restaurant server's ordering application used to input orders taken by the server.AP 108 can operate with a cache and main memory that are physically separate from the memory used bySP 106. This configuration provides certain benefits in that certain attacks may use a processor to write instructions to memory for later execution and exploitation of a secure program running on the same processor, or may use the processor to read and illicitly obtain data from the memory which was utilized and left over by a secure program using the same memory. These kinds of vulnerabilities can be avoided by not allowing the AP to have access to the same memory as the SP. -
MUX 104 is a hardware multiplexer that receives control inputs fromSP 106 and routes data received fromIDC 102 to one or more data channels based on those control inputs. The data could be routed through transistors that turn on or off in response to control signals.MUX 104 could be an IC with one or more control pins, one or more input pins and at least two output pins. In approaches whereMUX 104 andSP 106 were implemented on a single chip,MUX 104 could be a block of analog circuitry on the secure chip controlled by a digital output fromSP 106. In such approaches,MUX 104 andSP 106 could exchange information via interconnects in the IC. - In one embodiment, illustrated by the region of
FIG. 1 indicated byreference number 10, a secure transaction process can be implemented using the hardware components shown inFIG. 1 . For example, whenuser 110 interacts with an input device or user interface associated withclient device 120,IDC 102 can transmit certain user inputs toMUX 104. In certain instances, whensecure POS platform 100 detects or prompts user entry of secure data (e.g., a user entering PIN information) via the input device or user interface associated withclient device 120, the operation is treated as a secure transaction and/or operation. In this instance,SP 106 can control the flow of secure data throughMUX 104. -
FIG. 1 illustrates another example schematic view of a secure POS platform which is illustrated by the region ofFIG. 1 indicated byreference number 20, which is in accordance with one or more example embodiments. In the embodiment shown 20, entry of data that may be considered non-secure (normal mode) can be facilitated via the hardware components, such as 102, 104, 106, and 108 ofclient device 120, such that data passes from a peripheral toAP 108. For example,IDC 102 may communicate user inputs to MUX 104, such as whenuser 110 interacts with an associated input device or user interface.MUX 104 can then pass the information received from this interaction toAP 108.AP 108 may then perform transactions and/or operations that may be considered non-secure. In addition, entry of data that may be considered secure can be facilitated via the same hardware components, such as 102, 104, 106, and 108 ofclient device 120. However, the data from the peripheral will now be routed toSP 106 instead ofAP 108. For example, under the control ofSP 106,MUX 104 will route input data from the peripheral toSP 106.SP 106 may then perform operations on the data that may be considered secure.IDC 102 may be completely unaware as to which processor the input data is being routed to. - Example Network Architecture
- Referring now to
FIG. 2 , there is shown an example network architecture of asecure POS platform 200 according to certain embodiments of the disclosure. The network architecture of thesecure POS platform 200 may include one ormore client devices 120.Client devices 120 can communicate via a network withback end servers 140,remote services servers 160, and controlservers 180. Each of the components innetwork architecture 200 are discussed in more detail below. - The one or
more client devices 120 may be a merchant POS device, a laptop computer, a desktop computer, another device with computer functionalities, or any combination thereof and/or other types of devices associated with a merchant at various locations. For example, a client device, such as 120 may be a POS terminal provided by First Data Corporation of Atlanta, Ga. Other examples ofclient device 120 may be purpose-built POS equipment, a self-service kiosk, a smart phone, a tablet, a wearable computer device, or an e-reader operating a mobile operating system, such as Android OS™. An example hardware architecture of a particular client device that can be used in place ofclient device 120 is illustrated and described inFIG. 6 below. - In
FIG. 2 , eachclient device 120 may communicate with one or moreremote services servers 160 via a client API, which may be used to access the services and functionalities provided by theremote services servers 160. Each of theclient devices 120 may also communicate with the one or moreremote services servers 160 via one ormore networks 130. The one or moreremote services servers 160 may be one or more independent computer systems, such as thecomputer system 400 ofFIG. 4 . In some embodiments, the one or moreremote services servers 160 may be a cloud-based computer system, where no on-premise servers are required, which may reduce relative cost and complexity of hardware, installation, and ongoing maintenance and administration. - The network architecture of the
secure POS platform 200 may also include one or more back-end servers 140. The one or more back-end servers 140 may be coupled to the one or moreremote services servers 160 via a respective or single back-end API 145. The back-end API 145 may be an application programming interface for the one or more back-end servers 140 to supplement the services provided by the one or moreremote services servers 160. The one or more back-end servers 140 may communicate with the one or moreremote services servers 160 vianetwork 130 as well. The one or more back-end servers 140, and/or theremote services servers 160 may be configured to handle financial transactions by authorizing or declining transactions. Each of the back-end servers 140 may be one or more independent computer systems, such as thecomputer system 400 ofFIG. 4 , for performing back-end processes for purchase transactions. - The
secure POS platform 200 may also include one ormore control servers 180. Each of thecontrol servers 180 may provide secure communication sessions between a customer support representative (e.g., user 190) and one or more client devices (e.g., client devices 120). The one ormore control servers 180 may be one or more independent computer systems, such as thecomputer system 400 ofFIG. 4 . - The one or
more networks 130 may be a system for communication. Each of thenetworks 130 may encompass a variety of mediums of communication, such as wired communication for one part and wireless communication for another part. The one ormore networks 130 may be part of the Internet. - For example, a network, such as 130, may include an Ethernet or other wire-based network or a wireless NIC (WNIC) or wireless adapter for communicating with a wireless network, such as a WI-FI network. The
network 130 may include any suitable network for any suitable communication interface. As an example and not by way of limitation, the network channel may include an ad hoc network, a personal area network (PAN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), or one or more portions of the Internet or a combination of two or more of these networks. One or more portions of one or more of these networks may be wired or wireless. As another example, the network may be a wireless PAN (WPAN) (such as, for example, a BLUETOOTH WPAN), a WI-FI network, a WI-MAX network, a 3G or 4G network, a cellular telephone network (such as, for example, a Global System for Mobile Communications (GSM) network). - In one embodiment, the one or
more networks 130 may use standard communications technologies and/or protocols. Thus, eachnetwork 130 may include links using technologies such as Ethernet, 802.11, worldwide interoperability for microwave access (WiMAX), 3G, 4G, CDMA, digital subscriber line (DSL), etc. Similarly, the networking protocols used on the network may include multiprotocol label switching (MPLS), the transmission control protocol/Internet protocol (TCP/IP), the User Datagram Protocol (UDP), the hypertext transport protocol (HTTP), the simple mail transfer protocol (SMTP), and the file transfer protocol (FTP). The data exchanged over the network may be represented using technologies and/or formats including the hypertext markup language (HTML) and the extensible markup language (XML). In addition, all or some of links may be encrypted using conventional encryption technologies such as secure sockets layer (SSL), transport layer security (TLS), and Internet Protocol security (IPsec). - Example Architecture for Secure POS Platform Components
- Turning to
FIG. 3 , there is shown a diagrammatic representation of an exampleinternal architecture 300 of certain components ofsecure POS platform 200 shown inFIG. 2 in accordance with one or more embodiments of the disclosure. The exampleinternal architecture 300 may interact with one or more users (e.g., user 110) operating one or more client devices (e.g., client device 120) communicating with one or more control servers (e.g., control server 180). - The
client device 120 may include aclient operating system 214, at least one point-of-sale application (e.g., POS application 216), and one or more applications (e.g., application(s) 218). Additionally,client device 120 may be configured to provide a number of services via internal modules. For example,client device 120 may include aPIN pad module 220,support module 222, asecurity module 224, and/orscreenshot module 226. - Each of the modules can operate individually and independently of other modules. Some or all of the modules can be combined as one module. A single module can also be divided into sub-modules, each performing a separate method operation or method operations of the single module. The modules can share access to a memory space. One module can access data accessed by or transformed by another module. The modules can be considered “coupled” to one another if they share a physical connection or a virtual connection, directly or indirectly, allowing data accessed or modified from one module to be accessed in another module. In some approaches, the
SP 106 will include separate modules that do not share access to the same memory space as the modules operating onAP 108. In addition, in certainapproaches client device 120 will include two operating systems, one operating onSP 106 and one operating onAP 108. - The
client device 120 may include additional, fewer, or different modules for various applications. Conventional components such as network interfaces, security functions, load balancers, failover servers, management and network operations consoles, and the like are not shown so as to not obscure the details of the system. - The
operating system 214 may be an operating system of theclient device 120, such as Android™ or iOS™ or any other operating system that may be suitable for a point-of-sale system. Theoperating system 214 may be an open or closed format. - The
POS application 216 may contain modules executable on theclient device 120 to perform point-of-sale services (e.g., Clover™, or any other POS services). The POS application(s) 216 may run on theAP 108. ThePOS application 216 may include a timecards module, a self-serve module, a register module, a store inventory module, or any combination thereof. The one or more applications, such as 218, may include applications that may be built-in or may be provided by third-party applications. For example, one ormore applications 218 may include a register module, which may be configured to provide an interface for a merchant to facilitate sales transactions in a business. The register module may have bar code scanner functionality, check-out functionality, payment functionality, or any combination thereof. It is understood that the register module is one of many possible modules that may exist within one or more application(s) 218 executing onrespective client devices 120, and that other modules may be implemented. The application(s) 218 may run on theAP 108. - Client device(s) 120 may include applications that are built-in or provided by third-party entities. For example, application(s) 218 may include a register module, which may be configured to provide an interface for an operator of the merchant/business to facilitate sales transactions. The register module may have bar code scanner functionality, check-out functionality, payment functionality, or any combination thereof. Application(s) 218 may also include
screenshot module 226, which may be configured to communicate withoperating system 214 to request screenshots of client device(s) 120. A screenshot may be a screen capture of client device(s) 120 at a certain instance. The captured screenshots may be sent to controlserver 180 for viewing byuser 190. An administrator or other users may choose the interval value to allow for continuous viewing of the screenshots. For example, every 1 millisecond,screenshot module 226 may capture a screenshot of client device(s) 120.Screenshot module 226 may send the captured screenshots to controlserver 180 souser 190 may view actions taken at the client device(s) 120 byuser 110. The interval may be within a predetermined threshold time value. The predetermined threshold time value may be selected to allow consecutive viewing of the screenshots (similar to a video) byuser 190. The predetermined threshold may determine the number of screenshots taken each second resulting in continuous viewing by theuser 190. An interval value higher than the threshold may result in flickering while being viewed by theuser 190. An Interval value lower than the threshold may result in continuous viewing but may impact performance since more screenshots may be taken each second. - The
PIN pad module 220 may be configured to allow a user (e.g., user 110) to interact with a particular client device, such as 120.PIN pad module 220 may allow customers to enter information associated with a transaction, such as a sales transaction.PIN pad module 220 may be configured to operate with either a touch screen or a physical PIN pad system, for example, the First Data® FD-40 device provided by First Data Corporation of Atlanta Ga., associated withclient device 120.PIN pad module 220 may be configured to operate in a secure or insecure mode. A secure mode may be a mode that may require heightened security when entering information (e.g., payment authentication information). In other approaches,PIN pad module 220 may be configured to operate in the same manner whether it is in secure or insecure mode while alternate modules in the device adjust their characteristics to reflect the current mode ofdevice 120. -
PIN pad module 220 may be configured to operate withoperating system 214 in a secure mode even ifoperating system 214 is an open format (e.g., Windows™, and Android™). The information may be related to a debit card or a credit card, or a gift card, or any other form of information related to a point-of-sale system. For example, a customer (e.g., user 110) may be purchasing a product from a business using a debit card. The customer may enter a code associated with the debit card in order to facilitate or otherwise complete the transaction. -
Support module 222 may be configured to provide a user (e.g., user 190) to controlclient device 120 for performing maintenance or guidance activities. For example,user 190 may be at least one of a manager, a customer support personnel, or an administrator of the POS network, or any other person responsible for maintenance or guidance activities. For example, customer support personnel (e.g., user 190) may take control ofclient device 120 to assist the merchant (e.g., user 110) in debugging/resolving one or more issues withclient device 120 or to answer questions about that device. It may also be used by a manager who may provide guidance and support for an employee atclient device 120. For example, a merchant (e.g., user 110) may contact a customer service representative (e.g., user 190) to report an issue with a client device (e.g., client device 120). -
Security module 224 may be configured to handle payment transaction information, including a PIN or a card number. In one example embodiment,security module 224 may operate in a secure mode and may comply with one or more industry standards for secure transactions. For example, Payment Card Industry (PCI) as a governing body for payment security may provide one or more guidelines and/or rules to follow when implementing a secure sales transaction. For example, operating a physical PIN pad may allow for better control for implementing secure sales transaction. However, operating a touch screen PIN pad may present challenges. In one embodiment,PIN pad module 220 may operate a touch screen PIN pad that allows a user to enter the PIN of their debit card.Security module 224 may be configured to operate with one or more processing units to implement secure sales transactions. For example, a client device, such as 120, may be configured to operate using a processing unit that may be dedicated for secure operations and an insecure processing unit dedicated for insecure operations. Secure operations may be, for example, swiping a credit card, entering a PIN for a debit card, or any other operation related to executing a secure transaction. Insecure operations include any operation that may be related to usingclient device 120 without handling secure data. For example, during a sales transaction, if a customer swipes his or her credit card,security module 224 may select a secure processing unit to complete the transaction. In a particular class of implementations, the selection of the secure processor units may involve the security module initiating a transition in the control signal or signals that are provided toMUX 104. Although the above example is presented with two processing units, other combinations of secure and insecure processors may be envisioned. For example, a single processing unit may be divided into two areas, one secure and one insecure, or a plurality of processing units may be separated into secure or insecure processor groups. -
Security module 224 may be implemented independent ofoperating system 214. For example, this may allow developers to work independently from the firmware ofoperating system 214, which may allow for better code control.Security module 224 may also be implemented using a physically separate memory from the other modules.Security module 224 may execute itsinstructions using SP 106 and a physically separate memory from the memory used byAP 108. As mentioned above, in certain approachesPIN pad module 220, and other modules indevice 120, do not require information as to whether the device is operating in a secure or non-secure mode. -
Control server 180 may includeoperating system 230, at least one point-of-sale application (e.g., POS application 232), and at least one application (e.g., application(s) 234). Additionally,control server 180 may be configured to provide a number of services via internal modules. For example,control server 180 may includecontrol module 236. The description ofoperating system 230, the at least one point-of-sale application (e.g., POS application 232), and at least one application (e.g., application(s) 234) may be substantially similar to the description ofoperating system 214, the at least one point-of-sale application (e.g., POS application 216), and the one or more applications (e.g., application(s) 218), respectively, of theclient device 120. - Example Computing Device Architechtures
- In the example of
FIG. 4 , thecomputer system 400 may include aprocessor 302, amain memory 306, anon-volatile memory 310, and anetwork interface device 312. Various common components (e.g., cache memory) are omitted for illustrative simplicity. Thecomputer system 400 is intended to illustrate example sub-components of the secure POS platform depicted inFIGS. 2-3 . Thecomputer system 400 may be of any applicable known or convenient type. The sub-components of thecomputer system 400 may be coupled together via abus 330 or through some other known or convenient device. - This disclosure contemplates the
computer system 400 taking any suitable physical form. As an example and not by way of limitation, thecomputer system 400 may be an embedded computer system, a custom built device and/or platform, a system-on-chip (SOC), a single-board computer system (SBC) (such as, for example, a computer-on-module (COM) or system-on-module (SOM)), a desktop computer system, a laptop or notebook computer system, an interactive kiosk, a mainframe, a mesh of computer systems, a mobile telephone, a personal digital assistant (PDA), a wearable computer device, a server, or a combination of two or more of these systems or devices. Where appropriate, thecomputer system 400 may include one ormore computer systems 400; be unitary or distributed; span multiple locations; span multiple machines; or reside in a cloud, which may include one or more cloud components in one or more networks. Where appropriate, one ormore computer systems 400 may perform, without substantial spatial or temporal limitation, one or more steps of one or more methods described or illustrated herein. As an example and not by way of limitation, one ormore computer systems 400 may perform in real time or in batch mode one or more operations of one or more methods described or illustrated herein. One ormore computer systems 400 may perform at different times or at different locations one or more operations of one or more methods described or illustrated herein, where appropriate. - The
processor 302 may be, for example, a conventional microprocessor such as an Intel™ Pentium™ microprocessor or Motorola™ Power IDCTM microprocessor. One of skill in the relevant art may recognize that the terms “machine-readable (storage) medium” or “computer-readable (storage) medium” include any type of device that can store data or instructions for the processor. Theprocessor 302 may include computer-executable instructions 304. - The
main memory 306 may be coupled to theprocessor 302 by, for example, abus 330. Themain memory 306 may include, by way of example but not limitation, random access memory (RAM), such as dynamic RAM (DRAM) and static RAM (SRAM). Themain memory 306 may be local, remote, or distributed. Themain memory 306 may include computer-executable instructions 308. - The
bus 330 may also couple theprocessor 302 to thenon-volatile memory 310 and driveunit 322. Thenon-volatile memory 310 may often be a magnetic floppy or hard disk, a magnetic-optical disk, an optical disk, a read-only memory (ROM), such as a CD-ROM, EPROM, or EEPROM, a magnetic or optical card, or another form of storage for large amounts of data. Some of this data may often be written, by a direct memory access process, into memory during execution of software in thecomputer system 400. The non-volatile storage may be local, remote, or distributed. Thenon-volatile memory 310 is optional because systems may be created with all applicable data available in memory. A typical computer system may usually include at least aprocessor 302, amemory 306, and a device (e.g., a bus 330) coupling thememory 306 to theprocessor 302. - Software may typically be stored in the
non-volatile memory 310 and/or thedrive unit 322. Thedrive unit 322 may include a machine-readable (storage) medium 324. The machine-readable (storage) medium 324 may include instructions 326. Indeed, for large programs, it may not even be possible to store the entire program in thememory 306. Nevertheless, it should be understood that for software to run, if necessary, it is moved to a computer-readable location appropriate for processing, and for illustrative purposes, that location is referred to as thememory 306. Even when software is moved to the memory for execution, theprocessor 302 may typically make use of hardware registers to store values associated with the software, and local cache that, ideally, serves to speed up execution. As used herein, a software program is assumed to be stored at any known or convenient location (from non-volatile storage to hardware registers) when the software program is referred to as “implemented in a computer-readable medium.” Aprocessor 302 is considered to be “configured to execute a program” when at least one value associated with the program is stored in a register readable by theprocessor 302. - The
bus 330 may also couple theprocessor 302 to thenetwork interface device 312 to communicate via one ormore networks 314. Thenetwork interface device 312 may include one or more of a modem or network interface. It will be appreciated that a modem or network interface may be considered to be part of thecomputer system 400. The interface may include an analog modem, an integrated services digital network (ISDN) modem, a cable modem, a token ring interface, a satellite transmission interface (e.g., “direct IDC”), or other interfaces for coupling a computer system to other computer systems. The interface may include one or more input and/or output (I/O) devices (e.g.,video display 316, alpha-numeric input device 318,cursor control device 320, etc.). The I/O devices may include, by way of example but not limitation, a keyboard, a mouse or other pointing device, a gesture control and/or detection device, an eye movement control and/or detection device, disk drives, printers, a scanner, and other input and/or output devices, including avideo display device 316. Thevideo display device 316 may include, by way of example but not limitation, a cathode ray tube (CRT), a liquid crystal display (LCD), or some other applicable known or convenient display device. For simplicity, it is assumed that controllers of any devices not depicted in the example ofFIG. 4 reside in the interface. - In operation, the
computer system 400 may be controlled by operating system software that includes a file management system, such as a disk operating system. The file management system may typically be stored in the non-volatile memory and/or drive unit and causes the processor to execute the various acts required by the operating system to input and output data and to store data in the memory, including storing files on the non-volatile memory and/or drive unit. - Some portions of the detailed description may be presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated (e.g., by signal generation device 328). It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
- Example Architecture for Client Device
-
FIG. 5 is a flow diagram of amethod 500 for operating a client device on a secure POS platform.Method 500 can begin withstep 501 in which secure data is received from a user via an input device. An example ofstep 501 could be auser 110 entering sensitive payment information on the touch screen of a point of sale terminal. This data, which could be in the form of coordinates that describe a touch interaction with a touch display, would be received by a touch controller such asinput device controller 102. As another example ofstep 501, auser 110 could enter similar information via other means such as a voice activated interface or standard key pad.Method 500 continues withstep 502, in which the secure data is routed to a secure processor using a hardware multiplexer, and step 503, in which the secure data is processed by the secure processor. As an example based onFIG. 1 , the payment information received instep 501 could be routed toSP 106 byMUX 104, and then processed bySP 106. The mode in whichclient device 120 operates while routing data toSP 106 can be referred to as the secure mode. -
Method 500 also includes steps that describe how the device operates in the normal or non-secure mode. Instep 504, non-secure data is received from a user via an input device. An example ofstep 504 could be auser 110 entering a quantity of items to purchase usingclient device 120. Instep 505, this data is routed to a second processor using the hardware multiplexer. The second processor could beAP 108. In step 506, the non-secure data is processed using the second processor. - The non-secure mode and secure mode differ in terms of which processor data is routed to for processing. With reference to the system in
FIG. 1 , the routing state ofMUX 104 sets which processor the data is routed to. In turn, the routing state ofMUX 104 can only be controlled bySP 106. As such, whenclient device 120 is switched to operate in either mode,SP 106 can conduct either ofsteps SP 106 will generally alter the routing state prior to the receipt of information from the user input device in order to match the mode of operation to the type of information being received. -
FIGS. 6 and 7 illustrate a particular implementation ofclient device 120 described inFIG. 1 and include communication lines that have been annotated to illustrate the effect of the routing state ofMUX 104 on the routing of data through the architecture. The particular implementation can be referred to separately asdevice 600. In the state illustrated byFIG. 6 ,device 600 is operating in non-secure mode. In the state illustrated byFIG. 7 ,device 600 is operating in secure mode. Active data lines in each figure have been annotated with white arrows to show the direction of data flow. Active control lines in each figure have been annotated with white circles. -
Device 600 is capable of receiving user data from at least one input device.IDC 102 includes an input device user data connection to receive that data from an input device. As illustrated,IDC 102 is a touch screen controller which receives touch data fromtouch display 109.Device 600 also includes a set of additional input devices with additional input device user data connections. Any input device that handles secure data can be substituted in place of these additional devices. However, an exemplary set includes achip reader 604, a near field communication (NFC)device 606, a magnetic swipe reader (MSR) 608, and atamper sensor 610. Thechip readers 604 may be configured to check one or more embedded microchips in a credit card or debit card or any other card that may contain readable information. TheNFC device 606 may be configured to activate theclient device 120 by touch or by proximity through a touch sensitive handle on theclient device 120 or by detecting an NFC device within certain proximity ofclient device 120. -
Device 600 also includescomputing device 630 which includesmultiplexer 104,SP 106, and a second processor. In the illustrated example, the second processor isAP 108. Themultiplexer 104 includes a multiplexer control input port communicatively coupled to a control output port onSP 106, a multiplexer data input port communicatively coupled toIDC 102, a first data output port communicatively coupled to a secure processor data input port onSP 106, and a second data output port communicatively coupled to a second processor data input port onAP 108.SP 106 andAP 108 are connected bybus 640. The elements ofcomputing device 630 and the other components indevice 600 are communicatively coupled in that information can be transmitted from one component and coherently received by the other component without intermittent alteration of that information. For the avoidance of doubt, information is not altered by standard signal conditioning or the application of CODECs that preserve the actual informational content of the signal. The term port is used here as it is used by those of skill in the art in the field of electronic communication and can encompass the pins of an integrated circuit, a via within an integrated circuit, a connection on a printed circuit board, or any other node in a circuit schematic. - The data lines that connect
IDC 102 to MUX 104,MUX 104 toSP 106, andMUX 104 toAP 108 can comprise any communication interface such as I2C, SPI, USB, or equivalents along with any interrupts required by the peripheral controlled byIDC 102.Bus 640 betweenSP 106 andAP 108 can include any communication interface such as I2C, SPI, USB, UART, or equivalents. The number of interrupts required onbus 640 will vary depending upon the application as will be apparent to those of ordinary skill upon obtaining an understanding of the following disclosure. -
MUX 104 is configurable between a first state and a second state. The first state corresponds to the secure mode of operation fordevice 600 and is illustrated inFIG. 7 . The second state corresponds to the non-secure mode of operation fordevice 600 and is illustrated inFIG. 6 . Examples of a secure operation may include entering a PIN used for cardholder verification, or entering a payment card number or verification code. Examples of non-secure transactions may include entering orders, entering a ZIP code, etc. When the current state of the multiplexer is the second state, the multiplexer data input port is communicatively coupled to the second data output port through the multiplexer. As seen inFIG. 6 , this causes data to flow fromIDC 102 throughMUX 104 toAP 108. When the current state of the multiplexer is in the first state, the multiplexer data input port is communicatively coupled to the first data output port. As seen inFIG. 7 , this will cause data to flow fromIDC 102 throughMUX 104 toSP 106. In both figures, the line connecting the control output port ofSP 106 to the control input port ofMUX 104 is emphasized using a white circle to note that the current state ofMUX 104 is set bySP 106. -
SP 106 has a direct connection to the set of second input devices in addition to that throughIDC 102 andMUX 104. As illustrated, this set includesreader 604,NFC 606,MSR 608, andtamper sensor 610.SP 106 is communicatively coupled with a second input device in this set of second input devices via a second input device user data connection and a second data input port onSP 106. The connection is direct in that the devices are communicatively coupled with thesecure processor 106 via the second input device user data connection and second data input port and not viaMUX 104. In approaches in whichSP 106 andMUX 104 are implemented on a single IC, the second data input port could be a second input pin on the IC in addition to the first data input pin that leads to the data input ofMUX 104. - The current state of
MUX 104 is exclusively controlled bySP 106 via the control output port ofSP 106. In this regard, and with reference toFIG. 3 ,SP 106 can implement the functionality ofsecurity module 224.AP 108 can communicate withSP 106 along an inter-processor line which forms part ofbus 640.AP 108 can utilize this line to indirectly affect the current state ofMUX 104. For example,AP 108 can informSP 106 that a user has requested a screen ondisplay 108 for the entry of secure information. In response,SP 106 can choose to alter the routing state ofMUX 104 and putdevice 600 into the secure mode of operation. In this example,AP 108 is only providing a request to transfer the state ofMUX 104 and it does not control the state ofMUX 104 directly. Also, onceSP 106 takes control ofMUX 104,SP 106 can be placed into a state in which it will not respond to any interrupts fromAP 108 or other devices and will only relinquish control of the device and change the state ofMUX 104 back when its own internal logic determines that such a change is necessary. This architecture thereby provides a high degree of control toSP 106 at the expense ofAP 108. As a result, less secure programs can be installed on the device and run onAP 108 while a high level of security is still provided bySP 106. - The architecture illustrated in
FIGS. 6 and 7 provides an additional benefit besides security in thatIDC 102 can operate without regard to the state ofcomputing device 630. In other words, a state machine that describesIDC 102 does not require information regarding whether or notdevice 600 is operating in the secure mode or the non-secure mode or information regarding the routing state ofMUX 104. As shown inFIG. 6 , when the device is operating in the non-secure mode, data will be passed throughMUX 104 toAP 108. As shown inFIG. 7 , when the device is operating in the secure mode, data will be passed throughMUX 104 toSP 106. As long asSP 106 is configured to respond to data fromIDC 102 in the same way thatAP 108 does,IDC 102 will not need to know which processor is actually receiving the data it sends tocomputing device 630. As a result, steps 502 and 505 can both be preceded by identical pre-processing steps in which the data is pre-processed usingIDC 102 in the same manner regardless of the state ofMUX 104. Also, sinceAP 108 can be a standard applications processor,IDC 102 can also be an off the shelf user input device controller such as a standard touch display controller. -
FIG. 6 andFIG. 7 include emphasized data lines that continue through the processors to display 109. In the secure mode ofFIG. 7 , data travels fromSP 106 throughinter-processor communication line 640 toAP 108 and then on through a display signal connection line to display 109. In the non-secure mode ofFIG. 6 , data travels fromAP 108 through the display connection line to display 109. As a result, in either mode ofoperation AP 108 is the sole processor that display 109 needs to interact with. However, in the secure mode,SP 106 is controllingdisplay 109 via a channel that comprises theinter-processor communication line 640 and display signal connection line. -
SP 106 may apply one or more security algorithms (e.g., encryption) to protect subsequent outputs from theSP 106. Indeed, this may be one of the main components of the processing steps conducted bySP 106. Conductingencryption using SP 106 can providedevice 600 with certain advantageous characteristics in that the crypto keys used to encrypt the information can be solely accessible toSP 106 and therefore isolated fromAP 108. - The encryption can be conducted by an encryption module instantiated by
SP 106 and a memory to whichSP 106 has access. The encryption module can encrypt a quantum of data received fromIDC 120 to create an encrypted quantum of data that is stored in that memory. The encryption module can also encrypt a quantum of data received from another input to the device such asMSR 608 or other input devices. The secure data entered ondevice 600 can be encrypted in real time as it is received or in bulk when the data is ready for transmission.SP 106 will have access to a network connection in order to send off secure data for verification. For example,SP 106 will be able to encrypt credit card information in order to receive an authorization for a charge against a credit card account. - The transferred data can be sent through
AP 108 and then on to a network connection. In these situations, the encrypted quanta of data can be sent along an inter-processor line onbus 640. Since the data is in encrypted form, it is safe to be handled byAP 108, and the actual network connection does not need to interface withSP 106. However, incertain approaches SP 106 will have an isolated network connection to send out authorization information and receive confirmation of authorization. - In a POS application,
SP 106 can conduct numerous additional secure features in addition to handling secure data and controlling when the state ofMUX 104 should be altered. For example,SP 106 can run tamper sensors, such astamper sensor 610, to determine when a physical attack has taken place on a device and destroy any sensitive information upon detection of an attack.SP 106 can also run code to conduct contact and contactless payments, and perform crypto operations required by the kernels of such payments, protect private keys used in the payment processing infrastructure. - The actual hardware implementation of
SP 106 andAP 108 can vary in terms of the isolation between the devices. As will be described below,SP 106 andAP 108 can be implemented on the same physical processor. However, in certain embodiments,SP 106 andAP 108 can be independent microcontrollers.SP 106 andAP 108 can also be independently associated with first and second memories that are distinct and separate hardware components. The first memory can be associated with the operation ofSP 106 and the second memory can be associated with the operation ofAP 108. To ensure the security ofSP 106,AP 108 may be incapable of addressing the first memory. As such, attacks that attempt to illicitly enter instructions for execution bySP 106 or access data utilized bySP 106 usingAP 108 will not by physically possible. The independent microcontrollers may include multiple processing cores but the overall device will still be referred to herein as a processor. - One or more of the components in
computing device 630 may exist on the same chip or a combination of the components may be on the chip, examples of which can be discussed with reference toFIGS. 8A-8D . For example,MUX 104 andSP 106 could be implemented on a single integrated circuit whileAP 108 andIDC 102 were left as stand-alone devices. In that IC,MUX 104 could be a block of circuitry on the IC, andSP 106 could include an encryption circuit configured to conduct the encryption operations forSP 106. In these approaches, the control output port ofSP 106 and the control input ofMUX 104 would be connected via interconnects in that single integrated circuit. In addition, the multiplexer data input port would be communicatively coupled to an input pin on the IC and the second multiplexer data output port (i.e., the one that is communicatively coupled to AP 108) would be communicatively coupled to an output pin on the IC. The pins on the IC could be solder bumps, copper posts, or any other IC packaging connection technology. As another example, and referring toFIGS. 8A-8D ,SP 106 andAP 108 may coexist on one multi-core processor, whileMUX 104 may be a standalone device. One or more devicessuch IDC 102,chip reader 604,NFC 606,MSR 608 andtamper switch 610 may be accessible from the TrustZone™ of one of the cores of the multi-core processor. In order to access one or more of these device, an application may need to go through the TrustZone™ of the dedicate core. - In another embodiment, one core of a multi-core processor may be designated to function as
SP 106 and another core to function asAP 108, while both of these cores may be connected directly to theMUX 104. Further, theIDC 102 may be connected to MUX 104. In that scenario, theIDC 102 may be isolated from bothSP 106 and theAP 108. In one embodiment the TrustZone™ portion of theSP 106 core may determine whether the data passing throughMUX 104 may go throughSP 106 core orAP 108. - In another embodiment, a multi-core processor may not contain the TrustZone™ technology but instead rely on the physical security on the chip, such as, a secure mesh that protects the cores from tampering. It is understood that a multi-core processor may include any number of cores and not limited by the examples of
FIGS. 8A-8D . - In one embodiment, the
IDC 102 may be connected directly to a TrustZone™ area of a processor or a core of a multi-core processor. In this scenario, the core that includes the TrustZone™ may be always dedicated as a secure core that handles secure and normal (non-secure) transactions. - In one embodiment, it may not be necessary to have a
MUX 104 included in theprocessing device 630. For example, in scenarios where a core of a multi-core processor is dedicated to be a secure microcontroller with a TrustZone™, and aIDC 102 may be connected through the TrustZone™, the TrustZone™ may decide whether to switch between secure and non-secure transactions based on the touches received fromuser 110 onclient device 120. - Example Mode Transitions and Transaction Processing
-
Client device 120 can alternate between secure mode and the non-secure mode in various ways. After transitioning into secure mode, secure transactions can be conducted bySP 106 including reading data fromdisplay 109,reader 604,NFC 606, orMSR 608, encrypting that data, transmitting the data for authorization at a remote server, instantiating a virtual keypad ondisplay 109, and other secure actions. After the secure transactions have been conducted,SP 106 will then relinquish control ofclient device 120 and then alter the state ofclient device 120 back to the non-secure mode. -
SP 106 alters the state ofMUX 104 to alternate the device between a secure mode and a non-secure mode. As mentioned previously,SP 106 has exclusive control over the state ofMUX 104. However, given the particular architecture of the client device as described herein, there is no need for an additional interrupt line or special secure firmware onIDC 102 orAP 108 in order to enforce the secure mode of operation.Bus 640 will include a data line on whichAP 108 can indicate that user inputs onIDC 102 are requesting a secure mode, andSP 106 can react to this information, but the manner in which access to the data fromIDC 102 is provided is not burned intodevice 120. Instead, a dynamic runtime decision is made to decide which processor gets access to the input device. The decision is made entirely bySP 106, but can accommodate requests from any application running onAP 108 in a flexible manner. In addition,SP 106 can react directly to data received on a second input device without immediately interfering with the operation ofAP 108. In specific approaches, this will also cause an interrupt to be sent onbus 640, but in these cases the interrupt will transfer fromSP 106 toAP 108. - A set of methods in which a transition is made from the non-secure mode to the secure mode in response to a message sent by
AP 108 can be described with reference toFIGS. 9-11 .FIG. 9 illustrates a set ofmethods 900 that can be conducted by aclient device 120 in the form of a POS terminal having the architecture ofdevice 600. In these examples,device 600 can be a POS terminal with a touch display in place ofdisplay 109, andIDC 102 may be a touch screen controller configured to receive touch input from user 110 (e.g., a merchant or customer) operatingclient device 600. - In
step 901, a start transaction (“TX”) message is sent fromAP 108 toSP 106 using an inter-processor line onbus 640. The start transaction message can be provided by theAP 108 in response to receiving an input from a user. The input could indicate that the user wants to initiate a payment transaction, in whichcase SP 106 would administrate the entire payment transaction. However, the input could also indicate that the user would like to enter a secure piece of information, in whichcase SP 106 would only administrate the entry of that secure piece of information. In the context of a secure piece of information being entered as part of an overall payment flow,AP 108 could then retain control of the device for the other steps in the payment flow besides the receipt of the secure information. In this sense the term “transaction” is referring to a secure transaction between the user of the device and the device itself, not a payment transaction that is being conducted using the device. In keeping with this later case, the input can be the selection of a button on the screen that indicates the user would like to enter a credit card number manually, enter a PIN number, enter a CVV number, or any other secure information. The specific example of a manual credit cardnumber entry button 902 is provided inFIG. 9 . - In
step 903, the touch display is used to instantiate a secure interface. Prior to step 903, but after receiving the start transaction message, the routing state ofMUX 104 can be altered as instep 507 ofFIG. 5 under the control ofSP 106. The secure interface will provide the user with the ability to view or enter secure information. For example, the secure interface could be avirtual keypad 904, an account selection interface, or an account information interface. Step 903 can be a sub-part of a larger process in which theSP 106 controls display 109 via the channel that includes the inter-processor line and the display drive line mentioned above. This channel can also includeAP 108. AsSP 106 controls display 109 in this step, and the data received in the secure mode is sent toSP 106, no programs associated withAP 108 will have access to the touch data entered on thekeypad 904. In specific approaches,SP 106 will retain control ofdisplay 109 as the secure information is being entered so that it can display wild card characters while the user is entering the secure information. -
FIG. 10 provides a ladder diagram showing the communication betweenSP 106 andAP 108 during the execution ofstep 903 in approaches where the control channel includesAP 108. In one embodiment, while auser 110 is entering secure information ondisplay 109,SP 106 may send a message toAP 108 instructing it to display a virtual keypad. TheAP 108 may carry out the instruction by communicating withdisplay 109 ofclient device 120 and may respond (acknowledgement “Ack”) to theSP 106 when the action is completed.SP 106 may receive one or more button touches on the touch screen and may convert one or more of the button touches to wild card characters (e.g., #, *, etc.). TheAP 108 may respond to theSP 106 when the instructions are completed and theuser 110 is presented with the characters (e.g., #, *, etc.). This process continues untiluser 110 presses a completion button, such as, “enter,” “OK,” etc. - After the secure data is entered,
SP 106 can retain control ofdisplay 109 for a period of time while the secure data is processed. For example,SP 106 could retain control of the display while a PIN entered by the user is encrypted and transferred off ofclient device 120 for authorization as instep 905, when control is relinquished. The display could show a transaction processing screen to a user, and allow the user to exit secure mode by pressing a cancel button on the screen. - Alternative or additional secure transactions can be conducted in place of
step 903 inFIG. 9 . For example, the display of the virtual keypad could be combined with encryption of the received data and transmission of that data for authorization from a remote server. One of the secure transactions could be the activation and communication with one of the input devices inFIG. 6 besidesdisplay 109. This communication could be conducted independent ofAP 108. -
FIGS. 11 and 12 include ladder diagrams that show exemplary additional secure transactions that can be conducted along withstep 903. The ladder diagrams show the exchange of information between theAP 108,SP 106,MUX 104, and other devices during the execution of these secure transactions. BothFIGS. 11 and 12 involve transactions whereAP 108 initiates a request for the secure mode by sending a start transaction message toSP 106. However, the ladder diagrams differ in terms of what additional secure transactions are illustrated along with the receipt of secure data in secure mode. - In
FIG. 11 , the secure mode is activated andSP 106 takes control ofdisplay 109. However,SP 106 also activatesreader display 109. The additional secure data can be provided directly fromreaders SP 106 such that it is not routed throughMUX 104. The data can be received via a second data input port onSP 106 that is communicatively coupled with a user data connection providing data from the reader.SP 106 can then process the additional secure data by, for example, encrypting the secure data. The encrypted secure data can then be sent on to a remote server for authorization. As mentioned previously,SP 106 can send off the information viaAP 108 as the data is in encrypted format. InFIG. 12 , the secure mode is activated andSP 106 instructsAP 108 to display an account selection screen and PIN entry screen to receive secure information from a user in the form of a PIN and account. As illustrated inFIG. 12 , theSP 106 can then instruct 108 to establish a network connection with aserver 1200 in order to authorize the transaction by providingserver 1200 with the secure data in encrypted form. -
Device 600 will exit the secure mode under the control ofSP 106 whenSP 106 relinquishes control ofdisplay 109 as in step 806. Control can be relinquished before or after additional secure transactions are conducted. For example, as in the ladder diagram inFIG. 11 , control can be relinquished prior to encrypting the data for transmission. As long asdisplay 109 is not being used to input secure information,SP 106 can relinquish control of the display toAP 108. Once control is relinquished,SP 106 will alter the routing state ofMUX 104 as instep 508. - In some approaches,
SP 106 will force the device into the secure mode without receiving a prompt fromAP 108. As illustrated inflow chart 1300 ofFIG. 13 ,SP 106 could receive a direct communication from a second input device such asreader 604,NFC 606,MSR 608, ortamper sensor 610 as instep 1301. Instep 1301, a user ofclient device 120 may initiate a secure transaction without first prompting thedevice using IDC 120 and instead using a second user input device. For example, if a secure transaction and/or operation is performed by a merchant (e.g., user 110), such as, card swipe, insertion of a payment card, etc., the appropriate system (e.g.,chip reader 604, orNFC 606, orMSR 608, or tamper switch 610) may be triggered. With specific reference to a POS terminal with a touch display and NFC reader, this kind of secure transaction could be initiated via the unprompted introduction of an NFC device into close proximity with the POS terminal. - In
step 1302,SP 106 could issue a hardware interrupt toAP 108 to initiate a secure transaction and put the device into secure mode. Continuing the above example, depending on the token used to provide the direct input (e.g., debit card, credit card, or chip card) theSP 106 may be able to determine whether to instantiate a virtual keypad, account selection, or account information screen on the display of the device. IfSP 106 determines that the entry of secure information is required, the routing state ofMUX 104 could be altered to protect the secure information. As another example,SP 106 could receive a tamper indication instep 1301 and transfer the device into secure mode in 1302 to lock out the device. At that point,SP 106 could continue a secure transaction such as erasing any crypto keys stored on the device. After the secure transaction or transactions were complete,SP 106 could relinquish control instep 1303 and the device could return to non-secure mode. - Exemplary Encryption Methods
-
FIG. 14 illustrates another flow diagram of an example method for operating a secure POS platform in accordance with one or more example embodiments. The description is provided with reference toAP 108 conducting the transaction; however, incertain approaches SP 106 will be able to conduct these operations directly. In one embodiment, theAP 108 may send secure information to the server. The secure information may be a result of the secure transaction conducted usingSP 106. A certificate may need to be exchanged before theAP 108 may communicate with the server. The certificate may need to be signed by an authority associated with First Data Corporation of Atlanta Georgia, such as root certification authority (e.g., Clover™). The certificate may be captured in one or more secure areas of theAP 108. For example, if theAP 108 contains a secure area, such as, TrustZone (TZ™), the TZ™ may contain an encrypted key (or private key) that may be unique for theAP 108 processor. In other approaches, the certificate will be stored in a memory that is only accessible toSP 106. - In one embodiment, the
AP 108 may look up the flash to determine whether a private key exists. If one exists, the key may be used with the TZ™. However, if a key is not found, the flash may report that a block location is empty and that a key needs to be created. The TZ™ may encrypt the key and send it to theAP 108 that sends a request to the flash memory to save the key at the block location. - In one embodiment, the
AP 108 may have a persistent identity that may be presented to the server. The persistent identity may be due to maintaining the same private key over factory resets and/or power failures. - In order for the private key to service reset or power failures, the private key may be written to a non-volatile flash area that may survive resets and/or power failures. The private key may be saved in a TZ™ area during initial installation of a
client device 120 at a user premises. It is understood that TZ™ is a system for securing peripherals such as memory, crypto blocks, keyboard and displays to ensure they can be protected from software attacks. - In one embodiment, the
SP 106 and theAP 108 may have a persistent identity to present to a server that may provide services or data to theSP 106 orAP 108. The persistent identity may be in the form of a digital public-key certificate (such as an X.509 certificate). TheSP 106 andAP 108 may authenticate themselves to a server using either transport-level security (e.g., SSL/TLS) or message-level security (e.g., RSA signature over a message). The private key component may be protected by theSP 106 secure cryptographic device such that tampering with the device may erase the private key, or a master symmetric key. This may provide strong, cryptographic, persistent device-to-server authentication in such a way that devices may not be cloned and communications remain private and authentic. - This persistent, cryptographic identity may be used by
SP 106 to obtain financial encryption keys remotely from the server, for example a triple DES key for use with the derived unique key per transaction (DUKPT) key management scheme, which is a standard in the electronic transactions industry. The persistent identity of theSP 106 and theAP 108 may help prevent against security attacks where a component of theclient device 120 may have been compromised or hacked because the persistent identity may be encrypted and communicated between components within theclient device 120 and/or outside theclient device 120. In case of a malicious substitution of either theSP 106 or theAP 108 with other components, or a tamper event of the original components, the identity may not match which may render theclient device 120 as compromised and may be inoperable. In one embodiment theSP 106 may implement a persistent identity by having a discrete battery for maintaining the private key or master symmetric key. - In one embodiment, the
SP 106 and theAP 108 may have persistent identities that work as a pair. For example, each pair ofSP 106 andAP 108 may be bonded by the pair of keys that define their persistent identity. In that sense, mixingvarious SP 106 andAP 108 that may not have been bonded together as a pair, may render theclient device 120 inoperable. Therefore, only bonded pairs ofSP 106 andAP 108 may function together in aclient device 120. - In one embodiment, a remote key injection may be implemented on the
SP 106 and/or theAP 108. For example, theSP 106 and/or theAP 108 may be placed in a secure room, containing a certificate authority. The certificate authority may sign a certificate signing request from theSP 106 orAP 108, thus providing the device with its persistent identity. - In one embodiment, a key may be injected in the
SP 106 and/or theAP 108. During manufacturing of semiconductor components, a process for injecting keys is typically done inside of a key injection room with an injection device. A key may be generated by placing theSP 106 and/or theAP 108 in a secure room and injecting the key into theSP 106 and/or theAP 108 by a key injection device. - In one embodiment, bonding of the
SP 106 and theAP 108 may be performed at the same time as signing the public key certificates. The purpose is to provide additional security against tampering and component swapping between devices. - Exemplary Physical Security Measures
- As stated previously
SP 106 may be in direct communication with atamper sensor 610 that may be activated in case of a determination of tampering, such as unauthorized attempt to access theclient device 120. The tamper sensor can be connected to several tamper detection points including a detection point on a tamper resistant cover forclient device 120. The tamper resistant cover may be in keeping with the cover inFIG. 15 which shows an upper view of an exemplary cover forclient device 120. -
Cover 1502 may obscure or otherwise protect certain areas of an associated printedcircuit board 1504 of a POS device or client device, such asclient device 120, which may be the target of third-party tampering. Thecover 1502 can include any number of other physical security devices, techniques, and/or technologies to prevent, inhibit, or otherwise deter third-party tampering. - As shown in
FIG. 15 , thecover 1502 may be a relatively rigid structure with a predefined shape or configuration mounted to one or more areas of the printedcircuit board 1504. Thecover 1502 may be mounted to the printedcircuit board 1504 by way of any number of physical connectors, soldering, adhesives, etc. - Further, the
cover 1502 can include one or more physical security devices, techniques, and/or technologies. In one embodiment, thecover 1502 may include special traces that may be molded on or in the plastic. In one embodiment, thecover 1502 may contain one or more break channels embedded on thecover 1502 to deter tampering if the cover is attempted to be removed. For example, if an attempt was made to remove thecover 1502, one or more break channels may disconnect thecover 1502 from the printedcircuit board 1504 rendering the associatedclient device 120 or POS device inoperable by way of one or more signals generated by theclient device 120 or POS device, and sent by theclient device 120 or POS device to a remote server, such as a Clover™ server operated by First Data Corporation of Atlanta, Ga. In one embodiment, thecover 1502 may be a laser direct structuring (LDS) or other printed circuit with traces that may have certain predefined heat tolerance and/or resistance, flexibility, and/or strength characteristics. For example, thecover 1502 may have a predefined heat tolerance that may be relatively higher than the heat tolerance of one or more components of theclient device 120 or POS device that are being obscured or otherwise protected by thecover 1502. Having a relatively higher heat tolerance than one or more components of theclient device 120 or POS device may provide additional security against third-party tampering since exposing thecover 1502 to a temperature above the heat tolerance of one or more components of theclient device 120 or POS device may render the one or more components inoperable and ultimately cause failure of or otherwise render inoperable certain functionality or features of theclient device 120 or POS device. Similarly, thecover 1502 may have a relatively low flexibility tolerance to prevent flexing thecover 1502 beyond a predefined point of breakage. That is, thecover 1502 may break rather than flex, when thecover 1502 is flexed beyond a certain point. Breaking thecover 1502 may render theclient device 120 or POS device inoperable by way of theclient device 120 or POS device generating one or more signals, and sending the signals to a remote server, such as a Clover™ server operated by First Data Corporation of Atlanta, Ga. - In another embodiment, the
cover 1502 may include one or more zones that may each have one or more respective layers of physical security. In some embodiments, thecover 1502 may have a relatively high strength factor that prevents, inhibits, or deters drilling or other applying other forces to thecover 1502 to attempt to access the one or more components of theclient device 120 or POS device. - For example, the
cover 1502 may be divided into two zones (e.g.,zones 1520 and 1530). The division of the zones may be based on what components of the printedcircuit board 1504 are covered by that zone. Further, the zones may contain various layers of physical security, again, based on what components of the printedcircuit board 1504 are covered by that zone. For example,zone 1520 may cover theIDC 102, theSP 106, theNFC 606, theMSR 608, and thechip readers 604. TheIDC 102, theSP 106, theNFC 606, theMSR 608, and thechip readers 604 may be considered as sensitive components that may require additional security protection against tampering. A malicious access to one or more of these components may expose sensitive information and may provide access to secure data. Therefore,zone 1520 may contain one or more layers of security to prevent against malicious access.Zone 1530 may coverAP 108,memory 306, and the LCD device driver. Since these components may not contain sensitive data where a malicious access may not severely impact theclient device 120, thezone 1530 may contain less layers of security than thezone 1520. It is understood that the above is only an example of division between two zones and that other divisions between one or more zones may be implemented based on the security need for theclient device 120. - The operations and processes described and shown above may be carried out or performed in any suitable order as desired in various implementations. Additionally, in certain implementations, at least a portion of the operations may be carried out in parallel.
- These computer-executable program instructions may be loaded onto a special-purpose computer or other particular machine, a processor, or other programmable data processing apparatus to produce a particular machine, such that the instructions that execute on the computer, processor, or other programmable data processing apparatus create means for implementing one or more functions specified in the flow diagram block or blocks. These computer program instructions may also be stored in a computer-readable storage media or memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage media produce an article of manufacture including instruction means that implement one or more functions specified in the flow diagram block or blocks. As an example, certain implementations may provide for a computer program product, comprising a computer-readable storage medium having a computer-readable program code or program instructions implemented therein, said computer-readable program code adapted to be executed to implement one or more functions specified in the flow diagram block or blocks. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational elements or steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions that execute on the computer or other programmable apparatus provide elements or steps for implementing the functions specified in the flow diagram block or blocks.
- Many modifications and other implementations of the disclosure set forth herein will be apparent having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the disclosure is not to be limited to the specific implementations disclosed and that modifications and other implementations are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
- While the specification has been described in detail with respect to specific embodiments of the invention, it will be appreciated that those skilled in the art, upon attaining an understanding of the foregoing, may readily conceive of alterations to, variations of, and equivalents to these embodiments. For example, although a majority of the application was directed specifically to devices with touch screens, the methods devices and systems disclosed above can be utilized on any terminal that receives secure information and non-secure information. These and other modifications and variations to the present invention may be practiced by those skilled in the art, without departing from the scope of the present invention, which is more particularly set forth in the appended claims.
Claims (27)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/645,912 US9792783B1 (en) | 2014-10-29 | 2017-07-10 | Secure point of sale terminal and associated methods |
US15/782,294 US10713904B2 (en) | 2014-10-29 | 2017-10-12 | Secure point of sale terminal and associated methods |
US16/892,053 US11393300B2 (en) | 2014-10-29 | 2020-06-03 | Secure point of sale terminal and associated methods |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462072420P | 2014-10-29 | 2014-10-29 | |
US201462074061P | 2014-11-02 | 2014-11-02 | |
US14/877,909 US9704355B2 (en) | 2014-10-29 | 2015-10-07 | Secure point of sale terminal and associated methods |
US15/645,912 US9792783B1 (en) | 2014-10-29 | 2017-07-10 | Secure point of sale terminal and associated methods |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/877,909 Continuation US9704355B2 (en) | 2014-10-29 | 2015-10-07 | Secure point of sale terminal and associated methods |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/782,294 Continuation US10713904B2 (en) | 2014-10-29 | 2017-10-12 | Secure point of sale terminal and associated methods |
Publications (2)
Publication Number | Publication Date |
---|---|
US9792783B1 US9792783B1 (en) | 2017-10-17 |
US20170309135A1 true US20170309135A1 (en) | 2017-10-26 |
Family
ID=55853067
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/877,909 Active US9704355B2 (en) | 2014-10-29 | 2015-10-07 | Secure point of sale terminal and associated methods |
US15/645,912 Active US9792783B1 (en) | 2014-10-29 | 2017-07-10 | Secure point of sale terminal and associated methods |
US15/782,294 Active 2036-09-08 US10713904B2 (en) | 2014-10-29 | 2017-10-12 | Secure point of sale terminal and associated methods |
US16/892,053 Active 2036-07-28 US11393300B2 (en) | 2014-10-29 | 2020-06-03 | Secure point of sale terminal and associated methods |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/877,909 Active US9704355B2 (en) | 2014-10-29 | 2015-10-07 | Secure point of sale terminal and associated methods |
Family Applications After (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/782,294 Active 2036-09-08 US10713904B2 (en) | 2014-10-29 | 2017-10-12 | Secure point of sale terminal and associated methods |
US16/892,053 Active 2036-07-28 US11393300B2 (en) | 2014-10-29 | 2020-06-03 | Secure point of sale terminal and associated methods |
Country Status (1)
Country | Link |
---|---|
US (4) | US9704355B2 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10726681B1 (en) * | 2019-07-26 | 2020-07-28 | Clover Network, Inc. | Advanced hardware system for self service checkout kiosk |
US11080674B1 (en) * | 2014-09-19 | 2021-08-03 | Square, Inc. | Point of sale system |
US20220164782A1 (en) * | 2017-10-30 | 2022-05-26 | Block, Inc. | Controlling access to output device between two processors |
US11711205B2 (en) | 2018-03-21 | 2023-07-25 | Clover Network, Llc. | Unified secure device provisioning |
Families Citing this family (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8612352B2 (en) | 2010-10-13 | 2013-12-17 | Square, Inc. | Decoding systems with a decoding engine running on a mobile device and coupled to a payment system that includes identifying information of second parties qualified to conduct business with the payment system |
US10182328B1 (en) | 2015-05-23 | 2019-01-15 | Square, Inc. | Point of sale (POS) device responsive to detected interference with antenna |
US10116667B2 (en) * | 2016-01-26 | 2018-10-30 | Bank Of America Corporation | System for conversion of an instrument from a non-secured instrument to a secured instrument in a process data network |
US10142347B2 (en) | 2016-02-10 | 2018-11-27 | Bank Of America Corporation | System for centralized control of secure access to process data network |
US10438209B2 (en) | 2016-02-10 | 2019-10-08 | Bank Of America Corporation | System for secure routing of data to various networks from a process data network |
US10129238B2 (en) | 2016-02-10 | 2018-11-13 | Bank Of America Corporation | System for control of secure access and communication with different process data networks with separate security features |
US11374935B2 (en) | 2016-02-11 | 2022-06-28 | Bank Of America Corporation | Block chain alias person-to-person resource allocation |
US10026118B2 (en) | 2016-02-22 | 2018-07-17 | Bank Of America Corporation | System for allowing external validation of data in a process data network |
US10135870B2 (en) | 2016-02-22 | 2018-11-20 | Bank Of America Corporation | System for external validation of secure process transactions |
US10387878B2 (en) | 2016-02-22 | 2019-08-20 | Bank Of America Corporation | System for tracking transfer of resources in a process data network |
US10636033B2 (en) | 2016-02-22 | 2020-04-28 | Bank Of America Corporation | System for routing of process authorizations and settlement to a user in a process data network |
US10475030B2 (en) | 2016-02-22 | 2019-11-12 | Bank Of America Corporation | System for implementing a distributed ledger across multiple network nodes |
US10440101B2 (en) | 2016-02-22 | 2019-10-08 | Bank Of America Corporation | System for external validation of private-to-public transition protocols |
US10318938B2 (en) | 2016-02-22 | 2019-06-11 | Bank Of America Corporation | System for routing of process authorization and settlement to a user in process data network based on specified parameters |
US10607285B2 (en) | 2016-02-22 | 2020-03-31 | Bank Of America Corporation | System for managing serializability of resource transfers in a process data network |
US10140470B2 (en) | 2016-02-22 | 2018-11-27 | Bank Of America Corporation | System for external validation of distributed resource status |
US10142312B2 (en) | 2016-02-22 | 2018-11-27 | Bank Of America Corporation | System for establishing secure access for users in a process data network |
US10762504B2 (en) | 2016-02-22 | 2020-09-01 | Bank Of America Corporation | System for external secure access to process data network |
US10679215B2 (en) | 2016-02-22 | 2020-06-09 | Bank Of America Corporation | System for control of device identity and usage in a process data network |
US10496989B2 (en) | 2016-02-22 | 2019-12-03 | Bank Of America Corporation | System to enable contactless access to a transaction terminal using a process data network |
US10178105B2 (en) | 2016-02-22 | 2019-01-08 | Bank Of America Corporation | System for providing levels of security access to a process data network |
CN107562689A (en) * | 2016-07-01 | 2018-01-09 | 华为技术有限公司 | A kind of system level chip and terminal |
US20180039985A1 (en) * | 2016-08-03 | 2018-02-08 | Ciphertronics, Inc. | Apparatus and related method for device communication management for transmission of sensitive data |
US10402796B2 (en) | 2016-08-29 | 2019-09-03 | Bank Of America Corporation | Application life-cycle transition record recreation system |
US11093940B2 (en) * | 2016-10-13 | 2021-08-17 | Mastercard International Incorporated | Systems and methods for authenticating a user using private network credentials |
US10373080B2 (en) * | 2016-10-28 | 2019-08-06 | NoStatik Media S.A. | Distributing a user interface for accessing files |
US10679201B2 (en) * | 2016-11-04 | 2020-06-09 | Nxp B.V. | Personal point of sale (pPOS) device that provides for card present E-commerce transaction |
USD844046S1 (en) * | 2017-01-13 | 2019-03-26 | Clover Network, Inc. | Terminal |
US11631077B2 (en) | 2017-01-17 | 2023-04-18 | HashLynx Inc. | System for facilitating secure electronic communications between entities and processing resource transfers |
US11514418B2 (en) * | 2017-03-19 | 2022-11-29 | Nxp B.V. | Personal point of sale (pPOS) device with a local and/or remote payment kernel that provides for card present e-commerce transaction |
USD829274S1 (en) * | 2017-04-10 | 2018-09-25 | Pax Computer Technology (Shenzhen) Co., Ltd. | Payment terminal |
CN107145213B (en) * | 2017-04-21 | 2020-05-19 | 苏州浪潮智能科技有限公司 | Device and method for multiplexing PCH MEdebug and USB port |
US10579566B2 (en) | 2017-04-28 | 2020-03-03 | Square, Inc. | Point of sale device with switchable internal connection roles |
US10733589B2 (en) | 2017-04-28 | 2020-08-04 | Square, Inc. | Point of sale device power management and under voltage protection |
US10438198B1 (en) | 2017-05-19 | 2019-10-08 | Wells Fargo Bank, N.A. | Derived unique token per transaction |
US10657512B2 (en) | 2017-09-07 | 2020-05-19 | Clover Network, Inc. | Multi-use near field communication front end on a point of sale system |
US10332093B2 (en) * | 2017-09-07 | 2019-06-25 | Clover Network, Inc. | Multi-use near field communication front end on a point of sale system |
USD844696S1 (en) * | 2017-09-28 | 2019-04-02 | Clover Network, Inc. | Tablet with card reader |
US10970698B1 (en) * | 2017-12-08 | 2021-04-06 | Square, Inc. | Reader detection signal bypassing secure processor |
US11620623B2 (en) | 2018-05-31 | 2023-04-04 | Nxp B.V. | Merchant transaction mirroring for personal point of sale (pPOS) for card present e-commerce and in vehicle transaction |
US10929545B2 (en) | 2018-07-31 | 2021-02-23 | Bank Of America Corporation | System for providing access to data stored in a distributed trust computing network |
US11238425B2 (en) * | 2018-11-26 | 2022-02-01 | Ncr Corporation | API server and method of usage thereof |
US11212090B1 (en) | 2019-02-27 | 2021-12-28 | Wells Fargo Bank, N.A. | Derived unique random key per transaction |
USD907038S1 (en) | 2019-04-17 | 2021-01-05 | Clover Network, Inc. | Tablet |
US11366935B2 (en) * | 2019-07-31 | 2022-06-21 | Elo Touch Solutions, Inc. | Multi-use payment device |
US20210279703A1 (en) * | 2020-03-06 | 2021-09-09 | Fiserv, Inc. | Point of sale device with secure connection between security meshes |
US11645427B2 (en) | 2020-11-29 | 2023-05-09 | Bank Of America Corporation | Detecting unauthorized activity related to a device by monitoring signals transmitted by the device |
WO2023076933A1 (en) * | 2021-10-27 | 2023-05-04 | Verifone, Inc. | Systems and methods for pairing site controller to point-of-sale devices |
US20230316254A1 (en) * | 2022-03-29 | 2023-10-05 | Shopify Inc. | Method and system for customer responsive point of sale device |
Family Cites Families (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5768386A (en) | 1996-05-31 | 1998-06-16 | Transaction Technology, Inc. | Method and system for encrypting input from a touch screen |
US6317835B1 (en) | 1998-12-23 | 2001-11-13 | Radiant Systems, Inc. | Method and system for entry of encrypted and non-encrypted information on a touch screen |
US7698160B2 (en) | 1999-05-07 | 2010-04-13 | Virtualagility, Inc | System for performing collaborative tasks |
US6827260B2 (en) | 1999-08-09 | 2004-12-07 | First Data Corporation | Systems and methods for utilizing a point-of-sale system |
US6630928B1 (en) | 1999-10-01 | 2003-10-07 | Hewlett-Packard Development Company, L.P. | Method and apparatus for touch screen data entry |
US6715078B1 (en) | 2000-03-28 | 2004-03-30 | Ncr Corporation | Methods and apparatus for secure personal identification number and data encryption |
US6662253B1 (en) | 2000-09-13 | 2003-12-09 | Stmicroelectronics, Inc. | Shared peripheral architecture |
US20020091826A1 (en) | 2000-10-13 | 2002-07-11 | Guillaume Comeau | Method and apparatus for interprocessor communication and peripheral sharing |
US6968453B2 (en) | 2001-01-17 | 2005-11-22 | International Business Machines Corporation | Secure integrated device with secure, dynamically-selectable capabilities |
US7007025B1 (en) | 2001-06-08 | 2006-02-28 | Xsides Corporation | Method and system for maintaining secure data input and output |
JP2003114864A (en) | 2001-10-04 | 2003-04-18 | Hitachi Ltd | Data transfer control circuit |
US20030135418A1 (en) | 2002-01-11 | 2003-07-17 | Swetank Shekhar | Point-of-sale (POS) systems that use a peripheral device for point-of-sale applications and methods of operating the same |
US6931470B2 (en) | 2002-02-11 | 2005-08-16 | Motorola, Inc. | Dual access serial peripheral interface |
FR2860896A1 (en) | 2003-10-14 | 2005-04-15 | St Microelectronics Sa | METHOD FOR ARBITRING ACCESS TO A SHARED RESOURCE |
US7464412B2 (en) | 2003-10-24 | 2008-12-09 | Microsoft Corporation | Providing secure input to a system with a high-assurance execution environment |
EP1544704A1 (en) * | 2003-12-19 | 2005-06-22 | STMicroelectronics Limited | Monolithic semiconductor integrated circuit and method for selective memory encryption and decryption |
US20070226795A1 (en) | 2006-02-09 | 2007-09-27 | Texas Instruments Incorporated | Virtual cores and hardware-supported hypervisor integrated circuits, systems, methods and processes of manufacture |
US7512723B2 (en) | 2006-12-29 | 2009-03-31 | Freescale Semiconductor, Inc. | Queued interface devices, multi-core peripheral systems, and methods for sharing a peripheral in a multi-core system |
US8261064B2 (en) | 2007-02-27 | 2012-09-04 | L-3 Communications Corporation | Integrated secure and non-secure display for a handheld communications device |
US8150039B2 (en) * | 2008-04-15 | 2012-04-03 | Apple Inc. | Single security model in booting a computing device |
US9614951B2 (en) * | 2008-11-21 | 2017-04-04 | Nokia Technologies Oy | Method, apparatus and computer program product for analyzing data associated with proximate devices |
US8793758B2 (en) * | 2009-01-28 | 2014-07-29 | Headwater Partners I Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US8456429B2 (en) | 2009-07-30 | 2013-06-04 | Ncr Corporation | Encrypting touch-sensitive display |
US20110307318A1 (en) | 2010-06-11 | 2011-12-15 | Jeffrey Laporte | Mobile retail loyalty network |
KR101340746B1 (en) | 2011-04-18 | 2013-12-12 | 주식회사 팬택 | Electronic device, method and apparatus for securing of user input data of electric device, and communication system using thereof |
US9183373B2 (en) | 2011-05-27 | 2015-11-10 | Qualcomm Incorporated | Secure input via a touchscreen |
US20120305648A1 (en) * | 2011-06-03 | 2012-12-06 | Liquid Payment Solutions Pte Ltd | Hybrid Mobile Phone/Pin Entry Device, System, Method and Article |
WO2013081406A1 (en) | 2011-12-02 | 2013-06-06 | Samsung Electronics Co., Ltd. | Method and apparatus for securing touch input |
KR101805476B1 (en) | 2011-12-29 | 2018-01-10 | 인텔 코포레이션 | Virtual point of sale |
US9256734B2 (en) | 2012-04-27 | 2016-02-09 | Broadcom Corporation | Security controlled multi-processor system |
US20130290637A1 (en) | 2012-04-30 | 2013-10-31 | Broadcom Corporation | Per processor bus access control in a multi-processor cpu |
US9436940B2 (en) * | 2012-07-09 | 2016-09-06 | Maxim Integrated Products, Inc. | Embedded secure element for authentication, storage and transaction within a mobile terminal |
JP5966827B2 (en) | 2012-09-28 | 2016-08-10 | ブラザー工業株式会社 | Communication device |
US9495524B2 (en) * | 2012-10-01 | 2016-11-15 | Nxp B.V. | Secure user authentication using a master secure element |
US8934837B2 (en) | 2013-01-03 | 2015-01-13 | Blackberry Limited | Mobile wireless communications device including NFC antenna matching control circuit and associated methods |
EP2981939B1 (en) * | 2013-04-05 | 2020-06-17 | Visa International Service Association | Systems, methods and devices for transacting |
US9033228B2 (en) | 2013-06-26 | 2015-05-19 | Ebay Inc. | Point-of-sale systems |
US9135472B2 (en) | 2013-10-31 | 2015-09-15 | Square, Inc. | Systems and methods for secure processing with embedded cryptographic unit |
US20150161579A1 (en) * | 2013-12-11 | 2015-06-11 | Verifone, Inc. | Point of sale system |
US9665861B2 (en) | 2014-01-10 | 2017-05-30 | Elo Touch Solutions, Inc. | Multi-mode point-of-sale device |
US9129274B1 (en) | 2014-06-11 | 2015-09-08 | Square, Inc. | Controlling access based on display orientation |
CN107005569B (en) * | 2014-10-31 | 2021-09-07 | 康维达无线有限责任公司 | End-to-end service layer authentication |
US9965116B1 (en) | 2015-07-14 | 2018-05-08 | Square, Inc. | Tactile overlay for touchscreen device |
KR101799875B1 (en) | 2016-01-28 | 2017-11-22 | 임병학 | Pos terminal |
-
2015
- 2015-10-07 US US14/877,909 patent/US9704355B2/en active Active
-
2017
- 2017-07-10 US US15/645,912 patent/US9792783B1/en active Active
- 2017-10-12 US US15/782,294 patent/US10713904B2/en active Active
-
2020
- 2020-06-03 US US16/892,053 patent/US11393300B2/en active Active
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11080674B1 (en) * | 2014-09-19 | 2021-08-03 | Square, Inc. | Point of sale system |
US20220164782A1 (en) * | 2017-10-30 | 2022-05-26 | Block, Inc. | Controlling access to output device between two processors |
US11711205B2 (en) | 2018-03-21 | 2023-07-25 | Clover Network, Llc. | Unified secure device provisioning |
US10726681B1 (en) * | 2019-07-26 | 2020-07-28 | Clover Network, Inc. | Advanced hardware system for self service checkout kiosk |
CN112309056A (en) * | 2019-07-26 | 2021-02-02 | 克拉华网络公司 | Advanced hardware system for self-service checkout kiosk |
US20210225135A1 (en) * | 2019-07-26 | 2021-07-22 | Clover Network, Inc. | Advanced Hardware System for Self Service Checkout Kiosk |
US11094175B2 (en) * | 2019-07-26 | 2021-08-17 | Clover Network, Inc. | Advanced hardware system for self service checkout kiosk |
US11721181B2 (en) * | 2019-07-26 | 2023-08-08 | Clover Network, Llc. | Advanced hardware system for self service checkout kiosk |
Also Published As
Publication number | Publication date |
---|---|
US20180033255A1 (en) | 2018-02-01 |
US9792783B1 (en) | 2017-10-17 |
US20160125376A1 (en) | 2016-05-05 |
US10713904B2 (en) | 2020-07-14 |
US20200294370A1 (en) | 2020-09-17 |
US11393300B2 (en) | 2022-07-19 |
US9704355B2 (en) | 2017-07-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11393300B2 (en) | Secure point of sale terminal and associated methods | |
US20230281612A1 (en) | Virtual pos terminal method and apparatus | |
US20210365938A1 (en) | Authentication system and method for server-based payments | |
US11379831B2 (en) | Establishment of a secure session between a card reader and a mobile device | |
JP6665217B2 (en) | Establish a secure session between the card reader and mobile device | |
US8605044B2 (en) | Trusted display based on display device emulation | |
US10438187B2 (en) | Establishment of a secure session between a card reader and a mobile device | |
CN110249586B (en) | Method for securely storing sensitive data on a smart card and smart card | |
US20160189135A1 (en) | Virtual chip card payment | |
WO2016069775A1 (en) | Secure extensible point of sale platform | |
US20110178903A1 (en) | Personal identification number changing system and method | |
US20120095919A1 (en) | Systems and methods for authenticating aspects of an online transaction using a secure peripheral device having a message display and/or user input | |
AU2019204157A1 (en) | Method, system and device for e-commerce payment intelligent access control | |
JP5776023B1 (en) | Information processing apparatus and information processing method | |
US20170039557A1 (en) | Virtual point of sale | |
JP5736549B1 (en) | Information processing apparatus and information processing method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CLOVER NETWORK, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BEATTY, JOHN DANIEL;MISHRA, ABHINAYAK;REEL/FRAME:042985/0543 Effective date: 20151007 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
|
AS | Assignment |
Owner name: CLOVER NETWORK, LLC, CALIFORNIA Free format text: CHANGE OF NAME;ASSIGNOR:CLOVER NETWORK, INC.;REEL/FRAME:057747/0462 Effective date: 20210831 |