How to achieve a secure point-of-sale design using Linux OS

How to achieve a secure point-of-sale design using Linux OS

As intelligence becomes more and more integrated into things that we interact with, a growing number of new opportunities are arising for secure transactions such as payment through our appliances, vehicles, and homes.

Linux Point of Sale (POS) Reader Solution

Devices that can accept payment demand stringent security and interoperability capabilities. NXP’s Linux Card Reader solution brings together a variety of technologies into one embedded system that is designed to meet these needs.

The Linux operating system is the most widely used OS for payment terminals. Due to the open source nature of this OS, it offers many benefits with regards to its extensive ecosystem support. However, some vulnerabilities still exist which must be mitigated for a secure design.

Payment Architectures

Payment terminal architectures can be categorized into three types:

The least complex payment devices support form factors such as secure pin pads, mobile point-of -sale (mPOS) devices that attach to a Smart Phone or a portable battery-powered point-of-sale device. These are commonly built on an MCU architecture, such as an Arm® Cortex-M CPU running at greater than 100MHz. The embedded memory for such devices varies based on the end device functionality, ranging from 256KB – 1M of embedded flash and up to 256KB of SRAM.

Figure 1 details the most complete representation of this MCU-based architecture with all device functionality supported.

Figure 1: MCU for payment

The human machine interface (HMI) functions include the pin pad, display, status LEDs and buzzer. There is connectivity via wired or wireless interfaces, system clocks and power, and the card reader interfaces. The card reader interfaces can include a magnetic stripe, contact cards and contactless cards, or smart phones using near field communications (NFC).

In some instances, the point-of-sale (POS) device may require high processing to run high-definition video and to display advertising – in this case, a split architecture can be deployed. This is essentially taking the MCU system architecture shown in Figure 1. and adding a high-end processor that would typically be found in a tablet or a smartphone as shown in Figure 2.

The applications processor will typically be running Android, which is built on top of the Linux OS.

Figure 2: Split Architecture Payment

The secure MCU in this architecture has the task of communicating with contact and contactless readers, as well as performing the bulk of the functionality to support the security of the end device. The high-end applications processor provides the multimedia functionality. For both of the previous architectures, the RTOS Card Reader solution provides the basis for a speedy design.

The third architecture addresses the most common POS form factors of table top and portable POS devices, based on applications processors running the Linux operating system. The functionality provided by this architecture can range, just as the microcontroller-based systems. These can support mPOS designs, and scale up to embedded systems that work with their own modems to complete payment transactions.

Arm Cortex-A® CPUs are needed to support the Linux operating system; they offer more expandability to the end user. This type of device allows merchant acquirer customizations and can work with payment network infrastructures that are already in place. Leveraging the Linux OS, this architecture provides a path to richer displays and more performance.

Addressing Security Standards

Due to the standards for securing consumer payment card transactions, not every embedded processor or configuration of Linux works in a payment device. Payment terminals must follow Payment Card Industry Pin Transaction Security standards (PCI PTS). With the PCI PTS guidelines, the embedded system is designed to meet the protection profile mandated for the end application of supporting payment.

The PCI PTS standard identifies the pin pad, card interfaces, and system integrity as functions that require the highest security protection. NXP’s Linux Card Reader solution implements a Trusted Execution Environment (TEE) which manages and protects sensitive user interfaces and their data.

NXP’s low energy i.MX6UL processor with Arm TrustZone® supports four processor states to logically isolate resources inside the system. There are user and privileged modes for the secure processor state and separate user/privileged modes for the normal processor state. These states are logically isolated from each other to reduce the attack surface for the Secure World services.

Software running in the Normal World does not have access to memory and protected peripherals in the Secure World. For the Linux Card Reader, all functions related to maintaining the security of the payment system are partitioned into the TEE as shown in the following diagram:

 

Figure 3: Trusted Execution for payment using Arm TrustZone

 

The TEE is made up of an application layer, which runs in Secure World-User Mode (top right of the diagram) and the TEE OS which is running in Secure World-Privileged Mode (bottom right of the diagram).  The components in the TEE OS are the peripheral drivers for the protected peripherals – these include components such as GPIO, LCD, and the Cryptographic Assurance and Acceleration Module (CAAM).  The TEE OS components are static as they are all loaded during boot time. Sitting above the TEE OS components are the trusted applications which are dynamically loaded as they are utilized. The trusted applications are logically isolated from one another as well as from Normal World.

For the payment use case, there are trusted applications for self-testing every 24 hours, taking in the user PIN and reading the payment cards. As we can see from the diagram, a TEE provides the framework for development of secure applications, but every device will require specific capabilities related to the services it provides.

To bolster security, the Linux Point-of-Sale Card Reader solution from NXP includes a security manager trusted application. The Inter-Security Domain Manager (ISDM) component learns the payment card transaction flows and protects against unintended operation. A decision tree based on a supervised learning phase during development is part of the trusted application which resides inside the TEE. This provides strong logical security protection necessary for supporting applications such as payment card readers.

The Linux Card Reader Solution brings together a secure and reliable system architecture along with certification reports to launch secure embedded designs. Additionally, there are components that ensure compliance to EMVCo standards. To learn more about this design, visit: www.nxp.com/sln-pos-lrdr.

 

Donnie Garcia
Donnie Garcia
Donnie Garcia began his semiconductor career as an applications engineer for 8- and 16-bit MCUs. He has helped define and design low-power MCUs for consumer and industrial applications and currently works as an applications and systems engineer for IoT and Security Solutions. Donnie has authored nearly 20 technical publications (webinars, whitepapers, articles, application notes, engineering bulletins). He spends his weekends enjoying the outdoors around Austin.

Comments are closed.

Buy now