How to Stop Physical Tampering of Mobile POS Systems

August 14, 2018

Dany Nativel By: Dany Nativel
Sr. Business Manager, Embedded Security, Maxim Integrated


It sounded like a scene from a movie: hackers gained access to a database filled with personal information about a casino’s high-roller patrons…from the casino’s lobby aquarium. The cybercriminals found their way in via the aquarium’s smart thermometer.

This scenario actually happened. Unfortunately, for businesses and consumers alike, there are many more examples like this, demonstrating how smart things aren’t, well, very smart. More of our electronic products are getting connected, which means that more of our sensitive information could be vulnerable to cyberattacks. At the same time, these devices are also becoming increasingly compact, leaving less board space for all of the desired functions.

What can designers do to safeguard their small, smart, connected products?

First and foremost, they should consider the security requirements of their end application. Let’s take mobile point-of-sale (mPOS) terminals as an example. mPOS systems should process financial transactions between the customer and the business without any unwarranted intervention in between. The devices should be safeguarded from hacking, skimming, spoofing, and similar attacks. There are guidelines in place from the global Payment Card Industry (PCI) Security Standards Council. The council, through its PIN Transaction Security (PTS) standard, PCI-PTS, requires vendors to adopt robust security controls for their payment systems and to validate their documentation of policies and procedures related to device management.

Mobile payment terminalThe MAX32558 secure microcontroller can protect mobile payment terminals from physical tampering.

How can designers meet their application’s security requirements?

Secure microcontrollers provide a robust means for designers to implement security without having to be cryptography experts. As you’re evaluating secure microcontrollers, look for features such as:

  • Secure key storage, as private keys are essential for the secure authentication process, ensuring validity of clients and servers before any data is exchanged
  • Secure bootloader, which helps prohibit unauthorized system reprogramming or reconfiguration while also allowing seamless and secure over-the-air (OTA) firmware upgrades
  • Cryptographic engines, which run security algorithms for authentication, encryption, and decryption
  • Active tamper detection, which detects tamper attempts in real time and erases the secret key

Tiny Secure Micro Stops Tamper Attempts in Their Tracks

Given the limited real estate on mPOS systems as well as many other internet of things (IoT) devices, designers often struggle to fit an additional microcontroller onto an already crowded PCB. Some opt to use smartcard-based secure ICs, which provide the tiny form factor needed. The options available, though, sometimes force the use of non-standard serial links. What’s more, smartcard-based secure ICs on the market do not detect physical tampering. Secrets are stored inside these chips, and the devices are designed such that it is hard to gain access to the key. But there is no active tamper detection.  

Maxim recently unveiled a new secure microcontroller that integrates secure key storage with active tamper detection, secure boot/bootloader, and cryptographic engines in a 4.3mm x 4.3mm wafer-level package (WLP). The MAX32558 is a DeepCover® Arm® Cortex®-M3 flash-based secure microcontroller for application areas such as computing, consumer, industrial, and IoT. Compared to a typical secure authenticator, the IC provides 30x more GPIO in the same footprint and it is also 50% smaller than the closest competitor’s device. The MAX32558 is designed to address PCI-PTS security requirements, provides a number of analog interfaces (magnetic stripe reader, secure keypad controller, pre-certified Europay, Mastercard and Visa (EMV)-L1 stack for smartcard interface), and supports multiple communication channels (USB, SPI, UART, I2C).

As a longstanding developer of security technologies, we also provide expertise to help streamline the certification process for our customers. Some of our customers have achieved PCI-PTS certification on a new design based on our secure microcontroller within 6 months compared to the 12 to 18 months that this process can typically take. MAX32558-KIT is an evaluation kit that provides a way for you to assess the capabilities of the MAX32558.