
Published on November 30th, 2019


7 Steps to Securing Your Point-of-Sale System



The recent Macy's data breach, in which hackers were able to steal customers' personal and payment information, is a reminder that online and retail shopping can be risky. Consider how the Target store hack in 2014 was one of the biggest point-of-sale (POS) system data breaches in United States history, one that exposed more than 70 million customer records to hackers and cost the retailer's CEO and CIO their jobs. It was later revealed that the attack could have been avoided if Target had just implemented the auto-eradication feature within its FireEye anti-malware system.

With this season's Black Friday fast approaching, organizations should get serious about protecting their POS systems. Fortunately, the reality is that most POS attacks can be avoided. Yes, there are many threats to POS systems, but there are now just as many ways to combat these threats. No matter which method you use, be sure your company has a virtual private network (VPN) in place to safeguard data that's traveling back and forth on your company's network. Read on for the six ways your company can safeguard against POS intrusions.

1. Use an iPad for POS

Most of the aforementioned attacks have been the result of malware applications loaded into the POS system's memory. Hackers are able to secretly upload malware apps into the POS systems and then pilfer data, without the user or the merchant realizing what happened. The important point to note here is that a second app must be running (in addition to the POS app), otherwise the attack can't occur. This is why iOS has traditionally facilitated fewer attacks. Because iOS is only able to fully run one app at a time, these types of attacks rarely occur on Apple-made devices.

"One of the advantages of Windows is having multiple apps running at once," said Chris Ciabarra, co-founder of POS platform Revel Systems. "Microsoft doesn't want that advantage to go away...but why do you think Windows crashes all the time? All those apps are running and using all your memory."

To be fair, Revel Systems sells POS systems specifically designed for the iPad, so it's in Ciabarra's interest to push Apple's hardware. However, there's a reason you rarely, if ever, hear of POS attacks occurring on Apple-specific POS systems. Remember when the iPad Pro was unveiled? Everyone wondered if Apple would enable true multitasking functionality, which would allow two apps to simultaneously run at full capacity. Even in its newest iteration, Apple has still left this feature off of the latest iPad Pro, much to the chagrin of everyone except those users who are likely to run POS software on their devices.

2. Use End-to-End Encryption

Companies such as Verifone offer software that's designed to guarantee your customers' data is never exposed to hackers. These tools encrypt credit card information the second it's received on the POS device and once again when it's sent to the software's server. This means that the data is never vulnerable, regardless of where hackers might be installing malware.

"You want a true point-to-point encrypted unit," said Ciabarra. "You want the data to go straight from the unit to the gateway. The credit card data won't even touch the POS unit."

3. Install Antivirus on the POS System

This is a simple and obvious solution for preventing POS attacks. If you want to ensure harmful malware doesn't infiltrate your system, install endpoint protection software on your device.





These tools will scan the software on your POS device and detect problematic files or apps that need to be immediately removed. The software will alert you to trouble areas and help you begin the cleansing process required to guarantee the malware doesn't result in data theft.

4. Lock Down Your Systems

Although it's highly unlikely that your employees will use your POS devices for nefarious purposes, there's still plenty of potential for inside jobs or even just human error to cause massive trouble. Employees can steal devices with POS software installed on them, or accidentally leave the device at the office or in a store, or lose the device. If devices are lost or stolen, anyone who then accesses the device and the software (especially if you didn't follow rule #2 above) will be able to view and steal customer records.

To ensure that your company doesn't fall victim to this kind of theft, make sure to lock down all of your devices at the end of the workday. Account for all devices each day, and secure them in a place to which nobody but a select few employees has access.

5. Avoid Connecting your POS to External Networks

The most dangerous hackers can compromise systems remotely and don't need to be in a retail location in order to siphon away valuable business and client information. Systems that connect to external networks are more susceptible to attacks from hackers, some of whom may have infiltrated external systems with software that lies dormant until they connect with a POS. Consider keeping things internal and secure: use a corporate network to handle critical tasks like payment processing.

6. Be PCI-Compliant from Top to Bottom

In addition to managing your POS systems, you'll want to comply with the Payment Card Industry Data Security Standard (PCI DSS) across all card readers, networks, routers, servers, online shopping carts, and even paper files. The PCI Security Standards Council suggests companies actively monitor and take inventory of IT assets and business processes in order to detect any vulnerability. The Council also suggests eliminating cardholder data unless absolutely necessary, and maintaining communication with banks and card brands to ensure no issues occur or have already occurred.

You can hire qualified security assessors to periodically review your business to determine whether or not you're following PCI standards. If you're concerned about giving a third party access to your systems, then the Council provides a list of certified assessors.

7. Hire Security Experts

"The CIO isn't going to know everything a security expert will know," said Ciabarra. "The CIO can't stay up to date on everything that's happening in security. But a security expert's sole responsibility is to stay up to date on everything."

If your company is too small to hire a dedicated security expert in addition to a technology executive, then you'll at least want to hire someone with a deep security background who will know when it's time to reach out to a third party for help.
