Friday, April 6, 2012

Encrypted vs. Clear Text Mag Readers

EasyMag card reader

The discussion about the prevalent use of clear text mag card readers for credit cards came up recently with one of our customers.

We talked about how their Mac could be used as a credit card skimmer by unscrupulous employees or a trojan key-logger that would record every keystroke entered into the Mac.

If you are still using them with your credit card processing application, you need to seriously consider upgrading to a processor which uses a secure solution.

Let us show you why.

Using a clear text card reader like the EasyMag card reader attached to your Mac via a USB cable, it is very easy to skim a credit card.  The information could then be sent to anyone, anywhere via an email or web browser.  It uses the keyboard interface to your Mac to pass the card information.  It is as though you typed the information in.  The computer or MacPOS does not know the difference.

If you have one of these types of readers and have not discovered the serious security issue, follow the steps below :

• Start to compose an email, doesn't matter in what app you use

• Swipe a card in the reader

This is an example of what appears in your email

%B4003000123456781^TEST/MPS^15121010000000000?
;4003000123456781=15125025432198712345?

That is the full credit card track data in clear text [ non-encrypted format and not a real credit card ]

YIKES...

This is exactly what you don't want to see, let alone store and handle this sensitive information. Doing so significantly increases your risk of non-compliance with the credit card industry PCI-DSS regulations.

Below is what you see in the email or any text input field in any application when you swipe a credit card using an encrypted reader such as the MAGTEK - Products - Secure Card Reader Authenticators







That's right, there is nothing there. This is because the readers do not enter anything into the email program or any text field via a keyboard interface.

Behind the scenes, the encrypted readers use Triple DES technology, and using a direct USB interface to MacPOS, it sends the card information in a very secure manner.  The card information cannot be skimmed.

However this information is NOT captured by any application with a text input field because it is not a keyboard device.

If somehow, the communication between the mag card reader and the merchant processor was intercepted, the hacker would see the data in the format below.

AP88NRCDmlflKlFBvCt5ioXGaRssp3d5c4rZTDRGYRoPmQSEQkQARIgDRAB |00|2101002010003aEb281295652963294c4PVKd5e00j203793129550896793lH 

It would take a super computer a very long time to decipher the above information in blue.


A 5 yr old could interpret the clear text information in red.

For the reasons stated above, MacPOS v2012 will no longer support the AuthPayX First Data Client application because it employs the use of insecure clear text readers.  It's way too easy to breach the lack of encryption and risk litigation that would occur from such an occurrence.

You decide the risk you want to take with your customer's credit card data and your business' reputation!