Keep Your Point-Of-Sale Equipment Secure
While credit card commercials show lines of dancing shoppers merrily using their credit cards and praise the convenience of a cashless society, they don’t stress the very real danger of identity theft at the cash register.
Monica Chauhan, director of embedded solutions at Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS systems.
Lock It Down
Chauhan states that if these Point of Sale systems are not properly locked down, they can be susceptible to attacks. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”
“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux,” Chauhan observes.
According to Chauhan, greater system flexibility and quicker development time have created security risks for POS equipment owners.
These Are Vulnerable Systems
Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm that specializes in information security and compliance management solutions, agreed with Chauhan that many POS systems are vulnerable to attack.
McCullen says a small dial-up swipe machine carries a low risk, but devices that are computer-based and/or have Internet access (the two prime risk factors) are more prone to attack.
McCullen also said that if a POS system stores credit card track data, exploitation can occur, and that swipe terminals can easily be compromised by tampering.
In general, as McCullen explained, hardware swipe terminals carry a low exploit risk but a higher risk of tampering, and with tampering comes the opportunity for attackers to read the cards, whether through a Bluetooth device used later to collect the card data or through other means of retrieving the information.
Chauhan points out further vulnerabilities: because today’s POS systems are similar to networked PCs, constant patching is required. Embedded systems have also become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. This can cause the equipment to malfunction and may even cause it to fall out of compliance with the PCI DSS (PCI Data Security Standard) requirements.
PCI Data Security Standard Challenges
Chauhan and McCullen both agreed that Point of Sale equipment is faced with unique challenges when complying with the PCI DSS.
“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be a very high overhead expense for a low-footprint POS system, she notes; however, change control software can eliminate the need for antivirus software.
As an example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thus prevented unauthorized code from breaking unpatched systems. According to Chauhan, this allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices.
PCI DSS Requirement 6, develop and maintain secure systems and applications, also presents unique challenges, Chauhan notes.
It is very challenging for POS equipment providers to ensure their systems remain PCI compliant after they are shipped to the dealer network and put into production at the retail location.
StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, has solved its patching challenges with PCI DSS Requirement 6 by embedding Solidcore change control in its systems.
“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.
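As an added example (not Solidcore’s product or code), the following Python sketch shows the allowlist idea behind the change control approach described in the Requirement 5 and Requirement 6 passages above: a baseline of approved file digests is taken before the device ships, and anything modified, added or missing afterwards is reported as an unauthorized change rather than being trusted by default. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record relative path -> digest for every file under root (the approved image)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def check_image(root: str, baseline: dict) -> dict:
    """Compare the live image with the baseline; anything not approved is flagged."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "unauthorized": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: an approved image, then a swapped binary and a dropped file."""
    root = tempfile.mkdtemp(prefix="pos_image_")
    with open(os.path.join(root, "pos_app.exe"), "wb") as f:
        f.write(b"approved POS application build 1.0")
    with open(os.path.join(root, "config.ini"), "wb") as f:
        f.write(b"[terminal]\nlane=3\n")
    baseline = build_baseline(root)  # taken before the device ships
    # Changes made after shipping: a replaced binary and an unknown DLL.
    with open(os.path.join(root, "pos_app.exe"), "wb") as f:
        f.write(b"tampered build")
    with open(os.path.join(root, "helper.dll"), "wb") as f:
        f.write(b"unknown code dropped on the device")
    return check_image(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A real change control agent enforces this at execution time (blocking the unlisted or altered binary) rather than only reporting after the fact, but the allowlist comparison is the same.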
Other difficult areas, as McCullen states, include data encryption and user-based access controls.
Any Questions?
If you would like to know more about this topic or have a question in mind, you may ask for advice from our Restaurant POS professional serving your area.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com with over 20 years’ experience in the restaurant point of sale industry.