Don't become a hacker's next victim. Follow these steps to safeguard your company against Point-of-Sale (POS) intrusions.

This week, Russian cybercriminals breached more than 330,000
point-of-sale (POS) systems manufactured by Oracle subsidiary Micros—one of the three largest POS hardware vendors in the world. The
breach has potentially exposed customer data at fast food chains, retail stores, and hotels around the world.
POS attacks aren't new. One of the biggest data breaches in US history, the Target hack,
exposed more than 70 million customer records to hackers, and cost the
retailer's CEO and CIO their jobs. At the time of the attack, it was
revealed that the attack could have been avoided if Target had
implemented the auto-eradication feature within its FireEye anti-malware system.
The reality is that most POS attacks can be avoided. There are many threats to your POS systems, but there are just as many ways to combat them. In this article, I'll list six ways your company can safeguard against POS intrusions.
1. Use an iPad for POS
Most of the recent attacks, including the Wendy's and Target attacks, have been the result of malware applications loaded into the POS system's memory. Hackers are able to secretly upload malware apps into the POS systems and then pilfer data, without the user or the merchant realizing what happened. The important point to note here is that a second app must be running (in addition to the POS app); otherwise the attack can't occur. This is why iOS has traditionally seen fewer attacks: because iOS is only able to fully run one app at a time, these types of attacks rarely occur on Apple-made devices.
"One of the advantages of Windows is having multiple apps running at once," said Chris Ciabarra, CTO and cofounder of Revel Systems.
"Microsoft doesn't want that advantage to go away...but why do you
think Windows crashes all the time? All those apps are running and using
all your memory."
To be fair, Revel Systems sells POS systems specifically designed for the iPad, so it's in Ciabarra's interest to push Apple's hardware. However, there's a reason you rarely, if ever, hear of POS attacks occurring on Apple-specific POS systems. Remember when the iPad Pro was unveiled? Everyone wondered if Apple would enable true multitasking functionality, which would allow two apps to run simultaneously at full capacity. Apple left this feature off the iPad Pro, much to the chagrin of everyone except those users who were likely to run POS software on their new devices.
2. Use End-to-End Encryption
Companies such as Verifone offer software that's designed to guarantee your customers' data is never exposed to hackers. These tools encrypt credit card information the second it's received on the POS device and once again when it's sent to the software's server. This means the card data never sits in the clear on the POS device itself, so malware installed there has nothing to read.
"You want a true point-to-point encrypted unit," said Ciabarra. "You
want the data to go straight from the unit to the gateway. The credit
card data won't even touch the POS unit."
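As an added illustration of sections 1 and 2 (this is example code written for this page, not code from the article, Revel Systems or Verifone), the Go program below contrasts a POS application that holds track data in the clear with one whose reader seals the data before the POS app ever sees it. It assumes a reader key shared only with the payment gateway, AES-256-GCM as the cipher (commercial P2PE readers use their own injected keys and key management, which is not modelled here), a constructed Track 2 string built around the public Visa test number 4111111111111111, and a small string standing in for the POS process heap. The findPlaintextPANs scan is the kind of check a defender can run over a memory dump or log file to confirm whether there is any PAN in the clear for a memory scraper to find.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample: Track 2 layout (PAN, separator, expiry YYMM, service
// code) built around the public Visa test number. Not real cardholder data.
const sampleTrack2 = ";4111111111111111=2512101?"

// luhnValid reports whether a digit string passes the Luhn checksum that
// every card PAN satisfies; it cuts false positives in the scan below.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// findPlaintextPANs scans a buffer (memory dump, log file) and returns every
// Luhn-valid card number present in the clear: if this scan finds nothing,
// a memory scraper on the same box has nothing to steal either.
func findPlaintextPANs(buf []byte) []string {
	var found []string
	for _, m := range panPattern.FindAllString(string(buf), -1) {
		if luhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

// encryptAtReader models a point-to-point encrypting reader: track data is
// sealed with AES-256-GCM under a key shared only with the gateway, and the
// POS application receives an opaque base64 blob (nonce || ciphertext || tag).
func encryptAtReader(readerKey []byte, track string) (string, error) {
	block, err := aes.NewCipher(readerKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(track), nil)), nil
}

// decryptAtGateway is the only place besides the reader that holds the key;
// a wrong key or a tampered blob fails the GCM tag check and returns an error.
func decryptAtGateway(gatewayKey []byte, blob string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(gatewayKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return "", errors.New("blob shorter than nonce")
	}
	track, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	return string(track), err
}

// posProcessMemory is a constructed stand-in for what a scraper reads out of
// the POS app's heap: receipt text plus whatever card payload it is relaying.
func posProcessMemory(cardPayload string) []byte {
	return []byte("ORDER 4821 ITEM BURGER 5.49 ITEM FRIES 2.99 TOTAL 8.48 CARD=" + cardPayload)
}

func main() {
	key := make([]byte, 32) // demo key; real readers carry injected per-device keys
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("plaintext flow, PANs in POS memory:", findPlaintextPANs(posProcessMemory(sampleTrack2)))
	blob, err := encryptAtReader(key, sampleTrack2)
	if err != nil {
		panic(err)
	}
	fmt.Println("P2PE flow, PANs in POS memory:", findPlaintextPANs(posProcessMemory(blob)))
	track, err := decryptAtGateway(key, blob)
	fmt.Println("gateway recovers track data:", err == nil && track == sampleTrack2)
}
```

The plaintext flow yields one hit on the POS heap; the P2PE flow yields none, while the gateway still recovers the original track data. Running findPlaintextPANs against a real memory dump or log set is a cheap way to verify a vendor's claim that card data never touches the POS unit.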
3. Install Antivirus on the POS System
This is a simple and obvious solution for preventing POS attacks. If you want to ensure harmful malware doesn't infiltrate your system, install endpoint protection software on your device. These tools will scan the software on your POS device and detect problematic files or apps that need to be immediately removed. The software will alert you to trouble areas and help you begin the cleansing process required to guarantee the malware doesn't result in data theft.
4. Lock Down Your Systems
Although it's highly unlikely that your employees will use your POS
devices for nefarious purposes, there's still plenty of potential for
inside jobs or even just human error to cause massive trouble. Employees
can steal devices with POS software installed on them, or accidentally
leave the device at the office or in a store, or lose the device. If
devices are lost or stolen, anyone who then accesses the device and the
software (especially if you didn't follow rule #2 above) will be able to
view and steal customer records.
To ensure that your company doesn't fall victim to this kind of theft, make sure to lock down all of your devices at the end of the workday. Account for all devices each day, and secure them in a place to which nobody but a select few employees has access.
5. Be PCI-Compliant from Top to Bottom
In addition to managing your POS systems, you'll want to comply with the Payment Card Industry Data Security Standard (PCI DSS) across all card readers, networks, routers, servers, online shopping carts, and even paper files. The PCI Security Standards Council suggests companies actively monitor and take inventory of IT assets and business processes in order to detect any vulnerability. The Council also suggests eliminating cardholder data unless absolutely necessary, and maintaining communication with banks and card brands to confirm that no issues are occurring or have already occurred.
You can hire qualified security assessors to periodically review your business to determine whether or not you're following PCI standards. If you're concerned about giving a third party access to your systems, the Council provides a list of certified assessors.
6. Hire Security Experts
"The CIO isn't going to know everything a security expert will know,"
said Ciabarra. "The CIO can't stay up-to-date on everything that's
happening in security. But a security expert's sole responsibility is to
stay up-to-date on everything."
If your company is too small to hire a dedicated security expert in
addition to a technology executive, you'll at least want to hire someone
with a deep security background who will know when it's time to reach
out to a third party for help.