All problems are finally scientific problems.
—George Bernard Shaw
Wherever there is information that needs to be protected, there is a need for cryptography. Not just cryptography in the abstract, but its proper application. In the case of POS applications, sensitive cardholder data is present and must be hidden from prying eyes during the entire payment-processing cycle. Remarkable books have already been written about cryptography.1 The goal of this chapter is not another explanation of the underlying math or algorithm implementations, but cryptography as applied to payment application security, through specific methods and implementations. In order to understand what protection mechanisms are available, whether they are appropriate in particular situations, and how to implement them correctly, we still need a bit of theory.
Modern payment applications already use cryptography in many cases; however, it is not always used in the most secure way. Many developers are already familiar with the principle of using well-known encryption algorithm implementations rather than trying to create new, unproven, “in-house” code. The problem is that cryptography is not limited to an algorithm implementation library, which is only the tip of the iceberg. There is the whole issue of key management, which surrounds any type of encryption and requires appropriate attention when designing the payment application. ...