Supplementary to Presentation on Kiosk Services ATM System Overview TrigMax Enterprise Solutions Mason Liu, Ph.D.


Page 1

Supplementary to Presentation on Kiosk Services
ATM System Overview
TrigMax Enterprise Solutions
Mason Liu, Ph.D.

Page 2

9/28/2006 TrigMax Enterprise Solutions

Case Study – Wall Mount ATM

Page 3

System Overview

Capacity
- Operate up to 1,000 ATM terminals in parallel

Software environment
- Linux
- Informix or Oracle database
- ISO 8583 financial data exchange protocol

Security
- DES (ANSI X3.92-1981) data encryption
- Public-key based ISO 7816 security infrastructure
- Message Authentication Code (MAC) deployment
- ISO 9564:1991 for personal PIN protection
- EMV certified

Network
- Multi-level TCP/IP networks with VLAN
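The slide names ISO 9564 for PIN protection and DES as the cipher, and the key slide later in the deck adds that the terminal encrypts the PIN for the bank to validate. As an added example (not code from the deck or from TrigMax), here is the ISO 9564-1 format 0 PIN block built and encrypted in Go with the single DES the slide specifies. The PAN, PIN and key are constructed test values. The host-side check is the point: because the PAN is XORed into the block, a block decrypted against the wrong PAN fails the padding check instead of yielding a plausible PIN.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// digits reports whether s is non-empty and consists of ASCII digits only.
func digits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// panField builds the format 0 PAN field: four zero digits, then the
// rightmost twelve digits of the PAN with the Luhn check digit removed.
func panField(pan string) ([]byte, error) {
	if !digits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// pinField builds the PIN field: control nibble 0, PIN length nibble,
// the PIN digits, then F nibbles to fill 16 nibbles.
func pinField(pin string) ([]byte, error) {
	if !digits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

// ClearPinBlock is the ISO 9564-1 format 0 block: PIN field XOR PAN field.
func ClearPinBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	af, err := panField(pan)
	if err != nil {
		return nil, err
	}
	blk := make([]byte, 8)
	for i := range blk {
		blk[i] = pf[i] ^ af[i]
	}
	return blk, nil
}

// EncryptPinBlock is the terminal side: one DES block under the PIN key.
func EncryptPinBlock(key []byte, pin, pan string) ([]byte, error) {
	blk, err := ClearPinBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, blk)
	return out, nil
}

// RecoverPin is the host side: decrypt, remove the PAN field and validate
// the layout. A PAN other than the one the terminal used corrupts the F
// padding, so the block is rejected instead of yielding a wrong PIN.
func RecoverPin(key, epb []byte, pan string) (string, error) {
	if len(epb) != 8 {
		return "", errors.New("encrypted PIN block must be 8 bytes")
	}
	c, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	blk := make([]byte, 8)
	c.Decrypt(blk, epb)
	for i := range blk {
		blk[i] ^= af[i]
	}
	h := hex.EncodeToString(blk) // 16 lowercase hex nibbles
	v, _ := strconv.ParseInt(h[1:2], 16, 0) // a hex nibble always parses
	n := int(v)
	if h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	if !digits(h[2:2+n]) || strings.Trim(h[2+n:], "f") != "" {
		return "", errors.New("PIN block padding check failed")
	}
	return h[2 : 2+n], nil
}

func main() {
	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed demo key
	epb, err := EncryptPinBlock(key, "1234", "4000001234567899")
	if err != nil {
		panic(err)
	}
	pin, err := RecoverPin(key, epb, "4000001234567899")
	fmt.Printf("EPB %x -> PIN %s, err %v\n", epb, pin, err)
	_, err = RecoverPin(key, epb, "4000009876543210")
	fmt.Println("same EPB against another PAN:", err)
}
```

Single DES (FIPS 46-3) was withdrawn by NIST in 2005, the year before this deck; current PIN-block deployments use TDES or AES (ISO 9564-1 format 4) and keep the PIN key inside the encrypting keypad or an HSM so the clear block never exists on a general-purpose CPU. The block layout and the PAN-binding check are unchanged by the cipher swap.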

Page 4

Architecture

Partitions:
- System Topology
- Network Structure
- Kiosk Terminal
- Edge Server
- Main Server
- Security

Page 5

Technology Overview > System Topology

(Topology diagram. Nodes shown: kiosk terminals, Kiosk Edge Server, Bank Main Server, 3rd Party Edge Server and 3rd Party Network, with a modem at each end of the dial-up path. Link types: LAN, ADSL, CDMA. Network segments: Kiosk Sub-net, Main Network, Virtual LAN.)

Page 6

Architecture > Network Structure

The network architecture defines the following components:
- Multi-layer network topology
  - Terminal-server connection scheme
  - TCP/IP client/server interaction
- Run-time environment
  - Web based secured HTTPS access
- Data distribution
  - Web based applications
  - SQL database

Page 7

Architecture > Kiosk Terminal

The following considerations are needed in designing the kiosk terminal:
- Hardware and peripheral modules
- Software and environment
- Human-machine interface
- Network interface

Page 8

Architecture > Kiosk Terminal > Hardware

- LCD and touch-screen display
- Secured metal keypad, YDT220
- CDMA2000-1X / GPRS, sync/async modem, LAN (RJ45), RS232
- Printer
- ISO 7812 standard 1-, 2- or 3-track card reader
- ISO 7816 IC card (APDU I/O)
- Network NIC
- Power

Page 9

Architecture > Kiosk Terminal > Parts List

| Module          | Item                 | Description                                   | Parts   | Remark                |
|-----------------|----------------------|-----------------------------------------------|---------|-----------------------|
| Main Controller | Microprocessor       | 32-bit ARM, 4 serial ports on board           |         |                       |
| Main Controller | Memory               | 128 MB                                        |         |                       |
| Main Controller | Motherboard          | Embedded system board                         |         |                       |
| Main Controller | Display I/F          | On board                                      |         |                       |
| Main Controller | Network I/F          | On board                                      |         |                       |
| Main Controller | Flash                | Compact Flash I/O                             |         |                       |
| Network I/F     | Ethernet             | RJ45                                          |         |                       |
| Network I/F     | Cellular wireless    | CDMA2000-1X or GPRS                           |         |                       |
| Input Devices   | Credit card reader   | Manual card reader                            | LKE750  | Standard              |
| Input Devices   | IC card / RFID       | Custom                                        |         | Optional              |
| Input Devices   | Keypad               | Metal keypad, 16 keys, 2x4 function keys      | YDT220  | PCB security optional |
| Output Devices  | Display              | 10.4 inch LCD, bullet-proof glass             |         |                       |
| Output Devices  | Sound                | Custom                                        |         |                       |
| Output Devices  | Printer              | Epson                                         | EUT532  | EUT532 + MB500        |
| Power           | Main power           | Regulator, filter, ATX                        | LW2145  | Standard              |

Page 10

Architecture > Kiosk Terminal > Software

Basic requirement: remote upgradeable. (Remote upgrade implies that the terminal must authenticate update images before installing them; the deck does not say how this is done.)

- Security drivers
  - EMV standard card driver
  - ISO 7816 IC card interface
  - ISO 8583 card-based transaction protocol
- Keypad driver, touch screen driver
- Printer driver
- Unified network driver for broadband, wireless and serial port connections
- Multimedia display drivers
  - Image and video (MPG, JPG, GIF, Flash)
  - Audio (MP3, AU)

Page 11

Architecture > Kiosk Terminal > Human-Machine Interface

- Support commercial applications
- Support multimedia A/V display
- Support image processing
- Value-added advertisement, online remote update
- User-friendly interactive interface

Page 12

Architecture > Kiosk Terminal > Network Interface

- Support a variety of TCP/IP based communication methods
  - Wireless: cellular
  - Wired: Ethernet, serial, DSL, modem
- Generic driver interface
- ISO 8583, Standard for Financial Transaction Card Originated Messages
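ISO 8583 is named on several slides but the deck does not show a message. The parser below is an added example in Go, not the kiosk's own code; the field table, the ASCII-hex bitmap encoding and the sample message are constructed. It shows the parsing discipline that matters for a network-facing terminal: every element length comes either from the table or from a length prefix bounded by the table, every read is checked against the remaining input, and a set bit with no definition aborts the parse because nothing after it can be delimited.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// fieldSpec describes one data element: a fixed length in characters, or a
// variable length carried in lenDigits prefix digits (2 = LLVAR, 3 = LLLVAR)
// that must not exceed max.
type fieldSpec struct {
	name      string
	fixed     int
	lenDigits int
	max       int
}

// Specs covers the elements a withdrawal request from the kiosk would carry
// (a subset of ISO 8583:1987; the selection is an assumption).
var Specs = map[int]fieldSpec{
	2:  {"Primary account number", 0, 2, 19},
	3:  {"Processing code", 6, 0, 6},
	4:  {"Amount, transaction", 12, 0, 12},
	11: {"System trace audit number", 6, 0, 6},
	41: {"Card acceptor terminal ID", 8, 0, 8},
	52: {"PIN data", 16, 0, 16},
}

type Message struct {
	MTI    string
	Fields map[int]string
}

// Parse reads an ASCII message: 4-digit MTI, 16-hex-digit primary bitmap, a
// secondary bitmap when bit 1 is set, then the elements in bit order.
func Parse(raw string) (*Message, error) {
	if len(raw) < 20 {
		return nil, errors.New("message shorter than MTI plus primary bitmap")
	}
	m := &Message{MTI: raw[:4], Fields: map[int]string{}}
	pos := 4
	bitmap, err := hex.DecodeString(raw[pos : pos+16])
	if err != nil {
		return nil, fmt.Errorf("primary bitmap: %w", err)
	}
	pos += 16
	if bitmap[0]&0x80 != 0 { // bit 1: a secondary bitmap follows
		if len(raw) < pos+16 {
			return nil, errors.New("secondary bitmap truncated")
		}
		sec, err := hex.DecodeString(raw[pos : pos+16])
		if err != nil {
			return nil, fmt.Errorf("secondary bitmap: %w", err)
		}
		bitmap = append(bitmap, sec...)
		pos += 16
	}
	for bit := 2; bit <= 8*len(bitmap); bit++ {
		if bitmap[(bit-1)/8]&(0x80>>uint((bit-1)%8)) == 0 {
			continue
		}
		spec, ok := Specs[bit]
		if !ok {
			return nil, fmt.Errorf("bit %d set but no field definition", bit)
		}
		n := spec.fixed
		if spec.lenDigits > 0 {
			if len(raw) < pos+spec.lenDigits {
				return nil, fmt.Errorf("field %d: length prefix truncated", bit)
			}
			n, err = strconv.Atoi(raw[pos : pos+spec.lenDigits])
			if err != nil || n < 0 || n > spec.max {
				return nil, fmt.Errorf("field %d: bad length %q", bit, raw[pos:pos+spec.lenDigits])
			}
			pos += spec.lenDigits
		}
		if len(raw) < pos+n {
			return nil, fmt.Errorf("field %d (%s): truncated", bit, spec.name)
		}
		m.Fields[bit] = raw[pos : pos+n]
		pos += n
	}
	if pos != len(raw) {
		return nil, fmt.Errorf("%d trailing bytes after last field", len(raw)-pos)
	}
	return m, nil
}

// Sample is a constructed 0200 financial request carrying fields 2, 3, 4,
// 11, 41 and 52; the bitmap 7020000000801000 encodes exactly those bits.
const Sample = "0200" + "7020000000801000" +
	"164000001234567899" + "010000" + "000000005000" + "000123" + "KIOSK001" + "A1B2C3D4E5F60718"

func main() {
	m, err := Parse(Sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("MTI", m.MTI)
	for bit, v := range m.Fields {
		fmt.Printf("DE%03d %-26s %q\n", bit, Specs[bit].name, v)
	}
	_, err = Parse(Sample[:len(Sample)-4])
	fmt.Println("truncated message:", err)
}
```

The PIN in field 52 travels only as the encrypted PIN block, so the parser treats it as opaque hex; decrypting it belongs in the HSM at the bank, never in the edge server that relays the message.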

Page 13

Architecture > Edge Server

Major functionalities
- Kiosk terminal management
- Transaction status tracking

Software environment
Network interface

Page 14

Architecture > Edge Server > Software Environment

Security measures
- Security key manager
- Dynamic key generation and distribution
- Security monitoring

Data transaction measures
- Transaction recording and dispatch
- Error handling, recovery
- Operation monitoring

Page 15

Architecture > Edge Server > Software Components

The software package consists of the following components:
- Kiosk (ATM side) interface module
- Main server (bank side) interface module
- Database (Oracle) management module
- Security management module

Page 16

Architecture > Security

- Support the public-key based ISO 7816 security infrastructure
- Support the EMV protocol
- Security measures: access control, identification, authentication, data integrity, data protection, channel monitoring, error concealment

Page 17

Architecture > Security > Keys

Main Key
- Held and distributed by the edge server; used to generate the Terminal Key, with the Terminal ID as the formation factor.

Terminal Key
- Encrypts ("scrambles") the Work Key for transport.
- Edge Server: generates the Work Key and encrypts it under the Terminal Key.
- Terminal: decrypts and retrieves the Work Key on reception.

Work Key
- Encrypts the transaction payload and generates the MAC for data integrity checking.
- Terminal and Edge Server: encrypt/decrypt the transaction payload.

Terminal ID
- Unique ID for each terminal; combined with the Main Key, it ties each transaction to the terminal that originated it.

Personal Key
- Used to determine the validity of the personal PIN.
- Terminal: collects the transaction data and the PIN, encrypts them with the Work Key, and delivers the payload to the Main Server through the Edge Server.
- Main Server (bank): validates and authorizes the transaction.

Abbreviations: PSAM, Payment Secure Application Module; MAC, Message Authentication Code.
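The key hierarchy on this slide, and the "dynamic key generation and distribution" listed for the Edge Server, as an added Go example that is not TrigMax code. The slides give the roles but not the algorithms, so the derivation rule (encrypt the zero-padded Terminal ID under the Main Key), the 16-byte Work Key (one DES key for payload encryption, one for the MAC) and the use of ECB for key transport are assumptions; the cipher is the single DES the overview slide specifies, and the key values are constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// ecb encrypts (or decrypts) each 8-byte block of in independently under key.
// ECB is acceptable only here, for moving random key material: a key block
// has no structure for the missing diffusion to expose.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%8 != 0 {
		return nil, errors.New("input must be a non-empty multiple of 8 bytes")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		if decrypt {
			c.Decrypt(out[i:i+8], in[i:i+8])
		} else {
			c.Encrypt(out[i:i+8], in[i:i+8])
		}
	}
	return out, nil
}

// DeriveTerminalKey turns the Main Key and Terminal ID into the Terminal Key.
// The slide only says the ID is the "formation factor"; encrypting the
// zero-padded ID under the Main Key is the assumed rule. The derived key is
// injected into the terminal at deployment; the Main Key never leaves the
// edge server.
func DeriveTerminalKey(mainKey []byte, terminalID string) ([]byte, error) {
	if terminalID == "" || len(terminalID) > 8 {
		return nil, errors.New("terminal ID must be 1 to 8 bytes")
	}
	blk := make([]byte, 8)
	copy(blk, terminalID)
	return ecb(mainKey, blk, false)
}

// NewWorkKey is the Edge Server step: two fresh random DES keys, one for
// payload encryption and one for the MAC, issued together as a 16-byte
// Work Key so that one key never serves both purposes.
func NewWorkKey() ([]byte, error) {
	wk := make([]byte, 16)
	_, err := rand.Read(wk)
	return wk, err
}

// WrapWorkKey (Edge Server) encrypts the Work Key under the Terminal Key and
// UnwrapWorkKey (Terminal) recovers it. Only the wrapped form crosses the
// network; the Terminal Key itself is never transmitted.
func WrapWorkKey(terminalKey, workKey []byte) ([]byte, error) {
	return ecb(terminalKey, workKey, false)
}

func UnwrapWorkKey(terminalKey, wrapped []byte) ([]byte, error) {
	return ecb(terminalKey, wrapped, true)
}

func main() {
	mainKey := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed
	tk, _ := DeriveTerminalKey(mainKey, "KIOSK001")                  // deployment time
	wk, _ := NewWorkKey()                                            // edge server, per session
	wrapped, _ := WrapWorkKey(tk, wk)                                // sent to the terminal
	got, _ := UnwrapWorkKey(tk, wrapped)                             // terminal side
	fmt.Printf("terminal key %x\nwrapped work key %x\nterminal recovered it: %v\n",
		tk, wrapped, bytes.Equal(wk, got))
	other, _ := DeriveTerminalKey(mainKey, "KIOSK002")
	wrong, _ := UnwrapWorkKey(other, wrapped)
	fmt.Printf("another terminal's key yields %x (match %v)\n", wrong, bytes.Equal(wk, wrong))
}
```

Two properties of this scheme deserve attention when reviewing such a design. The wrapped blob carries no authentication, so the terminal cannot tell whether it came from the edge server or from someone on the kiosk sub-net; the deck's public-key ISO 7816 infrastructure and PSAM are where that assurance has to come from. And every Terminal Key is a function of the single Main Key, so the Main Key's custody on the edge server bounds the security of the whole fleet; it belongs in an HSM, not in the Oracle database next to the transaction log.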

Page 18

Architecture > Security > Data Safety

Network safety
- Firewalls in routers
- Virtual sub-net (VLAN) partitions

Safety in data transfer
- Deployment of MAC for data integrity
- Encryption for data protection

Safety in data storage
- Identification (access, owner, transaction)
- Encryption
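"Safety in data transfer" on this slide and the Work Key's two jobs on the key slide (encrypt the payload, generate the MAC) are shown below as an added Go example, not TrigMax code. The construction is an assumption the deck does not spell out: the 16-byte Work Key is split into a DES encryption key and a DES MAC key, the payload is CBC-encrypted under a random IV with ISO 9797-1 padding method 2, and a CBC-MAC over the length-prefixed IV and ciphertext is appended and verified in constant time before anything is decrypted. The key and payload are constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// pad appends ISO 9797-1 padding method 2: one 0x80 byte, then zeros up to
// the 8-byte block boundary. It always adds at least one byte.
func pad(b []byte) []byte {
	b = append(append([]byte{}, b...), 0x80)
	for len(b)%8 != 0 {
		b = append(b, 0)
	}
	return b
}

// cbcMAC is ISO 9797-1 MAC algorithm 1 (plain DES CBC-MAC) over the 8-byte
// length of data followed by data. The length prefix is what makes plain
// CBC-MAC sound for messages of varying length; without it, two valid
// tagged messages can be spliced into a third.
func cbcMAC(key, data []byte) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	prefix := make([]byte, 8)
	binary.BigEndian.PutUint64(prefix, uint64(len(data)))
	msg := pad(append(prefix, data...))
	mac := make([]byte, 8)
	blk := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range blk {
			blk[j] = mac[j] ^ msg[i+j]
		}
		c.Encrypt(mac, blk)
	}
	return mac, nil
}

// Protect produces IV || ciphertext || MAC. Encryption uses the first half of
// the Work Key, the MAC the second half (encrypt-then-MAC).
func Protect(workKey, payload []byte) ([]byte, error) {
	if len(workKey) != 16 {
		return nil, errors.New("work key must be 16 bytes: encryption key || MAC key")
	}
	c, err := des.NewCipher(workKey[:8])
	if err != nil {
		return nil, err
	}
	pt := pad(payload)
	body := make([]byte, 8+len(pt))
	if _, err := rand.Read(body[:8]); err != nil { // fresh IV per message
		return nil, err
	}
	cipher.NewCBCEncrypter(c, body[:8]).CryptBlocks(body[8:], pt)
	mac, err := cbcMAC(workKey[8:], body)
	if err != nil {
		return nil, err
	}
	return append(body, mac...), nil
}

// Unprotect verifies the MAC first and only then decrypts and unpads, so a
// tampered message is dropped before any plaintext-dependent behaviour.
func Unprotect(workKey, msg []byte) ([]byte, error) {
	if len(workKey) != 16 {
		return nil, errors.New("work key must be 16 bytes")
	}
	if len(msg) < 24 || len(msg)%8 != 0 {
		return nil, errors.New("message too short or not block aligned")
	}
	body, tag := msg[:len(msg)-8], msg[len(msg)-8:]
	want, err := cbcMAC(workKey[8:], body)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(want, tag) != 1 {
		return nil, errors.New("MAC check failed; payload discarded without decrypting")
	}
	c, err := des.NewCipher(workKey[:8])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-8)
	cipher.NewCBCDecrypter(c, body[:8]).CryptBlocks(pt, body[8:])
	i := bytes.LastIndexByte(pt, 0x80)
	if i < 0 || len(bytes.TrimRight(pt[i+1:], "\x00")) != 0 {
		return nil, errors.New("bad padding")
	}
	return pt[:i], nil
}

func main() {
	wk := []byte("encKey01macKey02") // constructed 16-byte Work Key
	msg, err := Protect(wk, []byte("0200|4000001234567899|000000005000|KIOSK001"))
	if err != nil {
		panic(err)
	}
	out, err := Unprotect(wk, msg)
	fmt.Printf("%d bytes on the wire -> %q (err %v)\n", len(msg), out, err)
	msg[20] ^= 0x01 // flip one ciphertext bit in transit
	_, err = Unprotect(wk, msg)
	fmt.Println("after tampering:", err)
}
```

With DES the MAC is 64 bits and the key space is 56 bits; the structure above carries over unchanged to TDES or AES-CMAC (`crypto/des.NewTripleDESCipher` or `crypto/aes` with a 16-byte block), and that substitution is the minimum a reviewer would ask for today. Also note that sharing one Work Key between the two directions lets a message be reflected back to its sender; separate keys per direction, or a direction byte inside the MAC input, close that gap.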