Introduction

False facts are highly injurious to the progress of science, for they often long endure; but false views, if supported by some evidence, do little harm, as everyone takes a salutary pleasure in providing their falseness; and when this is done, one path towards error is closed and the road to truth is often at the same time opened.

—Charles Darwin

Nearly five million point-of-sale (POS) terminals process about 1,500 credit and debit card transactions every second in the United States alone.¹,²,³ Most of these systems, regardless of their formal compliance with industry security standards, potentially expose millions of credit card records—including those being processed in memory, transmitted between internal servers, sent for authorization or settlement, and accumulated on hard drives. This sensitive data is often weakly protected or not protected at all. It is just a matter of time before someone comes along and takes it away. Valuable cardholder information can be stolen from many places in a merchant's POS system, such as unprotected memory, unencrypted network transmission, poorly encrypted disk storage, card reader interface, or compromised pinpad device.

There are more than one billion active credit and debit card accounts in the United States.⁴ It is not surprising that such cards have become an attractive target for hackers. In 2011, payment card information was involved in 48% of security breaches—more than any other data type.⁵ In 2012, POS terminals and ...