How to deal with the challenging part of PCI Compliance
Wednesday, October 21st, 2009
Making Sure Your Point Of Sale Equipment Is Secured
While credit card commercials show lines of dancing shoppers merrily swiping their credit cards and praise how convenient they are to use, they don’t care to discuss the peril of identity theft when using credit cards.
Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.
Lock Down Your POS
These Point of Sale systems, if not properly locked down, can be susceptible to attacks. In past decades, these embedded devices consisted of specialized hardware running proprietary software, but more recently the Unified Point of Sale (UPoS) standard has shifted the retail industry’s standards.
Chauhan has also observed that this standardization has enabled devices to become increasingly interconnected, allowing the use of off-the-shelf software on commoditized hardware running commercial or open operating systems (OS) like Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), as well as Linux.
Chauhan also said that the security risks for POS equipment owners come from the greater system flexibility and shorter development time of this equipment.
Vulnerable Systems
Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm that focuses on information security and compliance management solutions, agreed with Chauhan that many, but not all, POS systems are vulnerable to exploitation.
According to McCullen, a small dial-up swipe machine carries low risk, but devices that are computer-based and/or have Internet access are more vulnerable; the risk lies in those two prime factors.
If a POS system stores credit card track data, it will be exploited, and swipe terminals can be tampered with, according to McCullen.
In general, as McCullen explained, hardware swipe terminals have a low risk of software exploitation but a higher risk of physical tampering; a tampered terminal lets hackers read the cards, whether through a Bluetooth device used later to collect the card data or through other efforts to get the information they want.
Chauhan points out other vulnerabilities. She claims that because today’s POS systems are similar to networked PCs, they require constant patching. Chauhan also said that embedded systems have become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. Such changes often result in malfunctions and/or leave the equipment no longer meeting PCI DSS (PCI Data Security Standard) requirements.
PCI DSS Challenges
Both Chauhan and McCullen agreed that POS equipment faces unique challenges in PCI DSS compliance.
Chauhan says that PCI DSS Requirement 5 states that antivirus software must be used and regularly updated. Antivirus software can impose very high overhead on a low-end POS system, she notes; on the other hand, change control software can eliminate the need for antivirus.
As an example, NEC Infrontia installed change control software on its POS offerings, which prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was degrading the performance of its devices, Chauhan notes.
PCI DSS Requirement 6, develop and maintain secure systems and applications, also presents unique challenges, Chauhan notes.
It is very challenging for POS equipment providers to ensure their systems remain PCI compliant after they are shipped to the dealer network and put into production at the retail location.
By embedding Solidcore change control in its systems, StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, has solved its PCI DSS Requirement 6 patching difficulties.
By reducing its patch frequency to quarterly, StoreNext was able to cut the time it spent on monthly test and patch distribution cycles. Chauhan also claims that the PCI auditing requirement can be met through change control software.
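The change control approach described above (and the "unauthorized and inappropriate changes" Chauhan warns about in the distribution channel) rests on one mechanism: a known-good baseline of the files on the device, against which every later state is compared. The script below is an added illustration written for this article; it is not Solidcore's product nor code from NEC Infrontia or StoreNext, and the file names and contents are constructed. It builds a SHA-256 baseline of a directory, then reports modified, added and removed files, which is the detection half of change control (a real agent would also block the change and tie it to an approved change record, so that a scheduled quarterly patch is not flagged as drift).

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical baseline check for a POS application directory.
# Not Solidcore's product; illustrates the idea of detecting unauthorized
# changes by comparing file hashes against a known-good baseline.


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash.

    In a real deployment this baseline is produced on the known-good image
    before the device ships, and stored where the POS itself cannot alter it.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def check_drift(root: Path, baseline: dict) -> dict:
    """Compare the current file set against the baseline.

    Anything in 'modified' or 'added' is an unauthorized change unless it
    matches an approved change record (for example, a scheduled patch).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(
            f for f in baseline if f in current and current[f] != baseline[f]
        ),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Run the check against a constructed POS directory in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for a POS install.
        (root / "pos_app.exe").write_bytes(b"known-good build 1.0")
        (root / "config.ini").write_text("store_id=0001\n")
        baseline = build_baseline(root)

        # Simulate what a change-control agent must catch after hand-off:
        # a modified binary and an unexpected new library dropped beside it.
        (root / "pos_app.exe").write_bytes(b"altered build")
        (root / "extra.dll").write_bytes(b"unexpected file")

        return check_drift(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the script reports pos_app.exe as modified and extra.dll as added while config.ini is silent, which is exactly the signal an auditor wants for Requirement 6: every change to the production image is either in the approved change log or is an incident.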
Other challenging areas include data encryption and user-based access controls, McCullen states.
Do You Have Any Questions?
If you would like to know more about this topic or have a question in mind, you may ask for advice from our Restaurant Point of Sale professional serving your area.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com, with over 20 years’ experience in the restaurant point of sale industry.