Why Encryption in a Secure Hardware Device is Important

"Security is only as strong as the weakest link"

Many eCommerce payment solutions claim to provide secure encryption of credit card and payment information through such popular encryption protocols as Secure Sockets Layer (SSL).

Encryption of payment authentication information or login access control information (e.g. User ID and password) is very important. However, information entered into a standard keyboard is not actually encrypted until it reaches the microprocessor in your PC. Therefore, for a period of time your entered authentication information (e.g. credit card numbers, User IDs, passwords) is in your PC and not encrypted.

This may be the weak link in the security chain, providing a window of opportunity for hacker programs and viruses to capture and record the keystrokes as the information is being typed into the keyboard. There are hacker programs widely available such as "Back Orifice" and "Caligula" and other Trojan Horse-type mutations that can collect keystroke information as it is being typed.

It does not matter if the user is typing a password, User ID, credit card number, expiration date, bank account number, PIN or other important and personal information. The hacker program can capture this information and send it to the hacker over the Internet for future use, posting or replay.

It does not matter how the confidential authentication information is encrypted in software residing on your PC, since by the time the data is encrypted by that software it may already have been intercepted by an intelligent virus.

For an eCommerce payment solution to provide true "end-to-end" payment security, it would have to provide encryption right down to the keystrokes at the user's keyboard. Encrypting information only once it has reached the computer is not an "end-to-end" security solution.

Innovonics Provides the Secure Front End Solution for eCommerce

Innovonics' patented PC Pay® device provides secure encryption of credit card and PIN information at the source. The card and PIN information is encrypted within the PC Pay® device using standard DES encryption and then sent up to the PC, where SSL or another encryption protocol could provide an additional layer of protection. The mag-stripe data can even be encrypted with triple-DES encryption. The PC Pay device supports three encryption key management schemes including dynamic key management to change the encryption key for each transaction.

Because the customer's credit card and PIN information never appears "in the clear", the PC Pay device removes the threat that hacker programs and viruses can potentially present. The device can also be used for secure login to websites using the encryption PIN pad and/or smart card to prevent a virus from capturing a user's ID and password typed on a PC keyboard.
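As an added illustration (not Innovonics' code and not the PC Pay protocol), the Python sketch below models the design described above: an external PIN pad seals card and PIN data under a key that changes for each transaction, so the PC relays only ciphertext and a recorded message cannot be reused. The class names, the counter-based key derivation, and the HMAC-SHA256 keystream standing in for DES are all assumptions.

```python
import hashlib
import hmac

def _prf(key: bytes, label: bytes, n: int = 32) -> bytes:
    """HMAC-SHA256 in counter mode. Assumption: stands in for the device's DES."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PinPad:
    """Hypothetical model of the external device; the base key never leaves it."""
    def __init__(self, base_key: bytes):
        self._base_key, self._counter = base_key, 0

    def seal(self, secret: bytes):
        self._counter += 1                       # new key for every transaction
        ctr = self._counter.to_bytes(8, "big")
        txn_key = _prf(self._base_key, b"txn" + ctr)
        ct = _xor(secret, _prf(txn_key, b"enc", len(secret)))
        tag = hmac.new(_prf(txn_key, b"mac"), ctr + ct, hashlib.sha256).digest()
        return ctr, ct, tag                      # all the PC ever handles

class PaymentHost:
    """Hypothetical back end sharing the base key with the device."""
    def __init__(self, base_key: bytes):
        self._base_key, self._last = base_key, 0

    def open(self, msg) -> bytes:
        ctr, ct, tag = msg
        txn_key = _prf(self._base_key, b"txn" + ctr)
        good = hmac.new(_prf(txn_key, b"mac"), ctr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("message altered in transit")
        if int.from_bytes(ctr, "big") <= self._last:
            raise ValueError("replayed transaction")
        self._last = int.from_bytes(ctr, "big")
        return _xor(ct, _prf(txn_key, b"enc", len(ct)))

if __name__ == "__main__":
    key = bytes(range(16))                       # constructed demo key
    pad, host = PinPad(key), PaymentHost(key)
    msg = pad.seal(b"4111111111111111|1234")     # constructed test card and PIN
    print("PC sees:", msg[1].hex(), "| host recovers:", host.open(msg))
    try:
        host.open(msg)                           # captured copy sent a second time
    except ValueError as err:
        print("second use rejected:", err)
```

Software on the PC that records everything passing through it obtains only the counter, ciphertext and tag; sending that recording again fails the counter check at the host.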

The PC Pay device also provides for secure PIN entry to unlock and access a PIN protected smart card, removing the need to enter the PIN into an unsecure keyboard. The PC Pay device provides for direct communication between the PIN pad and a smart card, so the PIN never needs to be sent up to the computer.
