The simple cash registers of the past have been almost completely overtaken by Point of Sale (POS) systems in the majority of retail environments today. The current generation of POS systems are linked to payment processing, business inventory as well as customer relationship management (CRM) functions. With their increased role in handling all kinds of financial transactions, POS systems have become easy and tempting targets for the criminal class.
Retail organizations processing card transactions are required to meet the security requirements established by the Payment Card Industry Data Security Standard (PCI DSS) to protect card data at the point of sale. Merchants' obligations extend far beyond compliance regulations: they are responsible for securing customer data. In the event of a data breach, merchants can be held accountable, fined heavily and ordered to compensate victims; they risk losing customers, weakening their brand and quite possibly running their business into the ground.
What, if anything, can small and medium businesses do to limit the exposure of POS systems to malware? Here are five things you must know about POS malware, together with the appropriate measures to secure data and take the edge off a full-blown infection.
Avoid POS terminals on multi-purpose devices:
POS terminals in the early years looked similar to home PCs with a few additional hardware devices such as barcode readers, scanners, etc. These devices ran a specific OS and were priced just like home computers, which made them very accessible to small businesses. Today, a POS terminal can be installed on a smart device without any external hardware, a convenience that has many small businesses rushing to adopt it. The trouble is that smart devices are also extremely vulnerable to threats and malware attacks. A dedicated POS terminal has a better chance of keeping data secure than a mobile POS.
Implement Point to Point Encryption (P2PE):
Point to Point Encryption (P2PE) allows payments to be accepted on a device that encrypts card data on the device itself, such as a card swipe terminal, for transmission to a third party for processing. With P2PE, the card data never resides on the POS device in usable form and therefore cannot be stolen from it. This shifts much of the responsibility for protecting customer data to the third-party processor. However, merchants remain bound by the PCI DSS compliance requirements, since they still handle the actual card payments and maintain the P2PE devices.
Secure the network:
The network is the medium through which data theft and security breaches happen. It is therefore critical to secure the network before securing individual devices. Deploying intrusion detection systems on the network allows unauthorized access to be identified. Whitelisting the applications installed on the POS prevents installation of unauthorized applications, thereby reducing exposure to attacks. Periodic changes of passwords and security questions also help protect against unauthorized physical access.
Adapt to new payment solutions:
POS terminals must be flexible in adapting to new payment techniques such as EMV standards-based payment cards and Near Field Communication (NFC). EMV is a set of specifications that covers several methods for authentication, risk management and transaction authorization, enabling secure transactions at POS terminals and ATMs. Near Field Communication is a technology similar to Bluetooth that establishes a radio connection between two electronic devices in close proximity to each other; it is what enables contactless payments via mobile devices.
Understand the security solution:
Even though POS terminals are protected by security software, there is still a chance that a security breach will happen. One of the prime reasons for this is a basic misunderstanding of the available security solutions. There are various security solutions on the market, each serving a specific purpose. For example, "malware detection software" is not the same as "malware removal software": detection software only detects the malware and does not remove it. Choosing the right solution therefore becomes an important factor in securing data.
As criminals become ever more sophisticated and efficient in their attacks, it becomes our responsibility to continuously review, monitor, adapt and secure card data beyond what is prescribed by PCI DSS.