Page 198 - CISSO_Prep_ Guide
payment devices. For most devices, the data is encrypted over the wireless link and then decrypted at the wireless gateway before being re-encrypted for transmission over the internet to the bank. If a person taps into the wireless access point, they can capture the payment card data at the moment it is unencrypted.
Network Layer Encryption
Encryption at the network layer is done using IPsec (Internet Protocol Security). IPsec has two modes of operation that can be used: Authentication Header (AH) and Encapsulating Security Payload (ESP). Each mode has a different function.
Authentication Header is used to do what its name says -
authenticate the IP header information. In the IP header are
several fields, including the source and destination addresses,
and a checksum that is used for integrity.
IPsec is designed to ensure the integrity and authentication of two parties that are communicating over the internet, a connectionless communications process. How can we know whom we are talking to (preventing masquerading, man-in-the-middle, or spoofing) and know that our communications have not been altered en route? This is what AH can do for us.
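The following is an added worked example, not code from the prep guide. It builds a constructed IPv4 header, computes the ordinary (unkeyed) header checksum the text mentions, and then computes an AH-style keyed integrity check value (ICV) over the header fields that do not change in transit plus the payload. The key, addresses and payload are made up for the demonstration, the ICV is simplified (a real AH ICV also covers the AH header's SPI and sequence number), and HMAC-SHA-256 truncated to 128 bits is the assumed algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct

# --- Constructed sample IPv4 header (RFC 791 layout, no options) ---------
def build_ipv4_header(src: str, dst: str, ttl: int = 64, tos: int = 0,
                      ident: int = 0x1234, total_length: int = 60,
                      proto: int = 51) -> bytes:          # 51 = AH
    ver_ihl = (4 << 4) | 5        # IPv4, header length 5 x 32-bit words
    flags_frag = 0x4000           # DF set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_length, ident,
                         flags_frag, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return set_checksum(header)

# --- The unkeyed header checksum the text mentions -----------------------
def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, carries folded, complemented."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def set_checksum(header: bytes) -> bytes:
    buf = bytearray(header)
    buf[10:12] = b"\x00\x00"                       # checksum field zeroed
    buf[10:12] = struct.pack("!H", ipv4_checksum(bytes(buf)))
    return bytes(buf)

def checksum_ok(header: bytes) -> bool:
    # A header with a correct checksum sums to zero.
    return ipv4_checksum(header) == 0

# --- AH-style keyed integrity check value (ICV) --------------------------
# Fields that legitimately change hop by hop (mutable) are zeroed before the
# MAC is computed: TOS, flags/fragment offset, TTL, header checksum.
MUTABLE_RANGES = ((1, 2), (6, 8), (8, 9), (10, 12))

def zero_mutable_fields(header: bytes) -> bytes:
    buf = bytearray(header)
    for start, end in MUTABLE_RANGES:
        buf[start:end] = bytes(end - start)
    return bytes(buf)

def compute_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    # Assumed algorithm: HMAC-SHA-256 truncated to 128 bits (RFC 4868 style).
    msg = zero_mutable_fields(header) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def icv_ok(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_icv(key, header, payload), icv)

def demo() -> dict:
    key = b"constructed-demo-key"          # in IPsec the key comes from the SA
    header = build_ipv4_header("192.0.2.10", "198.51.100.20")
    payload = b"constructed upper-layer data"
    icv = compute_icv(key, header, payload)

    # A router decrements TTL and recomputes the checksum: a legitimate change.
    hop = bytearray(header)
    hop[8] -= 1
    hop = set_checksum(bytes(hop))

    # A copy with the source address rewritten and the checksum recomputed.
    spoof = bytearray(header)
    spoof[12:16] = ipaddress.IPv4Address("203.0.113.99").packed
    spoof = set_checksum(bytes(spoof))

    return {
        "original_icv": icv_ok(key, header, payload, icv),
        "after_hop_icv": icv_ok(key, hop, payload, icv),
        "spoofed_checksum": checksum_ok(spoof),   # unkeyed checksum still passes
        "spoofed_icv": icv_ok(key, spoof, payload, icv),
        "altered_payload_icv": icv_ok(key, header, payload + b"!", icv),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is the one the text is driving at: the header checksum only detects accidental corruption, because whoever changes the packet can simply recompute it, whereas the keyed ICV fails for a rewritten source address or altered payload while still verifying after a router has decremented the TTL.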
The first step in establishing an IPsec tunnel is using IKE (Internet Key Exchange) to exchange an SA (security association) via Oakley and ISAKMP (Internet Security Association and Key Management Protocol). Oakley is an implementation of the Diffie-Hellman key agreement protocol and sets up the encryption keys to be used. The SA is used in IPsec to validate