Retail TCP/IP Security

TCP/IP, SSL, TLS. We all know the acronyms involved in our ATM’s communication methodology, but are we using them to the greatest extent possible to provide maximum protection? We’re all aware of the black box attacks that have been in the news and we want to take a moment and explain how to ensure you’re maximizing the communication protection elements already built into your Hyosung ATM’s software.

Certificate Validation

Certificate Validation allows for a higher level of security by only allowing TLS communications with servers using certificates issued by a trusted Certificate Authority (CA) in the TLS encryption process. These certificates add a greater level of security due to the fact that they are issued and managed by the CA, and the public certificate is used to verify the authenticity of the host processor. Put another way, when the ATM has certificate validation enabled, it is considerably harder for a bad guy to impersonate a legitimate transaction host. In the case of a hacked or replaced wireless router, this methodology maintains the transmission encryption, protecting your cash from an unauthorized dispense. There’s an option under TCP/IP Type titled “SSL/TLS CERT. EN/DISABLE” (as seen in the image above). If you do not have this option enabled, then you are not using all the security features available to you. Unless you’ve previously loaded the appropriate certificate for your processor, you will need to download your processors certificate onto your ATM. This can be done remotely using MoniView or at the ATM via a USB drive. Directions for downloading the certificates and enabling the feature can be found by clicking here. Keep in mind that, if you are running value add transactions that communicate with a host other than your primary ATM host such as Planet Payment, you may need to load more than one certificate. In an effort to help promote greater ATM security we will be changing the default settings in our software, enabling the certificate validation process as the default. If you choose not to use certificate validation, it can still be disabled, however we strongly recommend that you enable this feature. Additionally, we will preload the ATM with the certificates used by the common U.S. processors and value add transaction providers in an effort to save you time in the field. We hope this guide has helped you better understand IP security and we wish you many more safe transactions to come!