Every time a hacker breaches the POS systems of a large retailer, we get a stark reminder of the need for proper POS security protocols. You need to ensure that your business is doing all it can to keep your POS systems protected from malware attacks, lest you suffer a data breach that compromises the information of your customers and the wellbeing of your business. And this threat doesn’t discriminate; POS data breaches can hit businesses of any size.
Fraud and data breaches can come in many forms and from many sources, including your employees. That’s why it’s important to stay informed on the best ways to protect your POS systems.
In this article, you’ll find an overview of common malware threats, tips to secure your POS systems, and information regarding what happens when a breach occurs.
Malware Threats to POS Systems
One of the threats you’ll have to be wary of is malware. POS systems are often easily compromised by malware, including (among many others):
- Dexter was initially discovered by Seculert (formerly Radware) researchers in 2012. A parsing component retrieves credit card information from the infected device before sending the data to a command-and-control server.
- The successor to Dexter, vSkimmer malware, first appeared in 2013. Whenever the infected device is not connected to the Internet, the malware waits until a USB device with a specific volume name is connected before it copies stolen data onto it.
- The Backoff malware, also from 2013, scrapes memory for track data, monitors keystrokes, and connects to a command-and-control website to steal data and download new malware.
- Cisco researchers discovered the PoSeidon malware in 2015. It installs a keylogger and scans the memory of the POS device for sequences that match credit card data before uploading them to an exfiltration server.
- Researchers at Forcepoint recently detected UDPoS malware masquerading as a LogMeIn service pack. The malware uses DNS requests to transport stolen data to a command-and-control server.
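The last entry is worth a closer look from the defender's side: when stolen data leaves the store inside DNS queries, the only network evidence is an unusual pattern of lookups. The following detector, added here as an illustration and not part of the original article or of any vendor's tooling, reads a constructed resolver log (timestamp, client IP, query name; the format is an assumption) and flags any domain that receives several distinct, long, high-entropy leftmost labels, the shape that encoded exfiltration payloads tend to take. The thresholds and the "last two labels" approximation of a registered domain are assumptions; a production version would use the Public Suffix List and tune the thresholds against the store's own traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log for one POS terminal (hypothetical format:
# timestamp, client IP, queried name). The four 32-character hex labels under
# c2-example.net stand in for encoded payload chunks; the rest is ordinary traffic.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01 10.0.5.21 pos-updates.example-vendor.com
2024-03-01T09:00:02 10.0.5.21 time.windows.com
2024-03-01T09:00:05 10.0.5.21 4d3a1f9c7e2b8a6d5f0e1c2b3a4d5e6f.c2-example.net
2024-03-01T09:00:06 10.0.5.21 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.c2-example.net
2024-03-01T09:00:07 10.0.5.21 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.net
2024-03-01T09:00:08 10.0.5.21 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-example.net
2024-03-01T09:00:09 10.0.5.21 www.example-vendor.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking encodings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname = m.groups()
            yield ts, client, qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    # Assumption: last two labels approximate the registered domain.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def flag_dns_exfiltration(text: str, min_unique: int = 3,
                          min_label_len: int = 20, min_entropy: float = 3.0) -> dict:
    """Return {domain: count of distinct suspicious leftmost labels} for domains
    that exceed the thresholds. Thresholds are assumptions for this example."""
    per_domain = defaultdict(list)
    for _ts, _client, qname in parse_dns_log(text):
        per_domain[registered_domain(qname)].append(qname)

    flagged = {}
    for domain, names in per_domain.items():
        suspicious = set()
        for qn in names:
            leftmost = qn.split(".")[0]
            if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
                suspicious.add(leftmost)
        if len(suspicious) >= min_unique:
            flagged[domain] = len(suspicious)
    return flagged


if __name__ == "__main__":
    for domain, count in flag_dns_exfiltration(SAMPLE_DNS_LOG).items():
        print(f"possible DNS exfiltration: {domain} ({count} distinct encoded labels)")
```

The check is deliberately per-domain rather than per-query: a single long label is common (CDN hostnames, anti-spam lookups), but many distinct ones to one domain from a payment terminal that should only talk to a handful of vendors is what deserves a ticket.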
15 Security Tips to Protect Your POS Systems
From securing your terminals and networks and limiting their access to ensuring your business is compliant with the latest PCI security standards, the following list of tips covers a wide range of solutions centered around POS security:
- Check Your Terminals for Tampering
Inspect terminals for card skimmers, altered wiring, or other attached devices. Keep a list (or photos) of all your terminals with their serial numbers and compare it against the devices in place to ensure none have been swapped.
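The comparison described above is easy to automate once the baseline exists. The following audit routine is an added example, not code from the original article or from any POS vendor; the baseline inventory, the observed devices and their serial numbers are constructed, and the record layout is an assumption. It reports terminals that are missing, terminals whose serial number no longer matches the recorded one (a possible swap), devices that are not on the baseline at all, and devices that have moved.

```python
# Constructed baseline: what was recorded when the terminals were deployed.
BASELINE = {
    "T01": {"serial": "SN-A1001", "location": "front-register-1"},
    "T02": {"serial": "SN-A1002", "location": "front-register-2"},
    "T03": {"serial": "SN-A1003", "location": "customer-service"},
}

# Constructed observation from today's walk-through. T02's serial differs from
# the baseline, T03 is absent, and T04 was never recorded.
OBSERVED = [
    {"id": "T01", "serial": "SN-A1001", "location": "front-register-1"},
    {"id": "T02", "serial": "SN-Z9999", "location": "front-register-2"},
    {"id": "T04", "serial": "SN-A1004", "location": "back-office"},
]


def audit_terminals(baseline: dict, observed: list) -> list:
    """Compare observed devices against the baseline.

    Returns a list of (finding, terminal_id, detail) tuples, sorted so that
    the output is stable regardless of observation order."""
    findings = []
    seen = set()
    for dev in observed:
        seen.add(dev["id"])
        base = baseline.get(dev["id"])
        if base is None:
            findings.append(("unknown_device", dev["id"], f"serial {dev['serial']}"))
            continue
        if dev["serial"] != base["serial"]:
            findings.append(("serial_mismatch", dev["id"],
                             f"expected {base['serial']}, found {dev['serial']}"))
        if dev["location"] != base["location"]:
            findings.append(("moved", dev["id"],
                             f"expected {base['location']}, found {dev['location']}"))
    for tid in sorted(set(baseline) - seen):
        findings.append(("missing", tid, f"serial {baseline[tid]['serial']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, tid, detail in audit_terminals(BASELINE, OBSERVED):
        print(f"{finding:16} {tid}: {detail}")
```

A serial mismatch on a terminal that is still in its usual place is the case to treat most seriously, since it is exactly what a physically substituted, skimmer-equipped device looks like on paper.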
- Don’t Connect Your POS to Other Networks
It is not necessary for a hacker to be physically present in a retail store to steal vital business and client information. The most dangerous hackers can compromise systems remotely. Externally accessible systems are more vulnerable to hacking attacks. It’s possible for external systems to be infiltrated with malware that acts once the POS connects to the network. It is recommended to keep your operations internal and secure for critical tasks such as payment processing.
- Consider Using an iPad for Your POS
Several POS security breaches have been attributed to malware apps placed in the memory of the POS system. Hackers can install malware into POS systems and then steal data without the merchant or user realizing it. For the attack to work, however, another app must be active in the background (in addition to the point-of-sale app). This is why iOS has historically been less vulnerable to attacks. Since iOS can only run one program at a time, these attacks are uncommon on Apple devices.
One of the advantages of Windows is the ability to run many apps simultaneously. It is an advantage Microsoft does not wish to lose, and yet Apple-specific POS systems are rarely attacked. Remember when the iPad Pro was released? Many questioned whether Apple would provide genuine multitasking capabilities, allowing two apps to run at full speed simultaneously. Apple has yet to include this functionality in the latest iPad Pro, much to the consternation of everyone but those likely to run POS software on their devices.
- Use Strong Passwords and Update them Frequently
Simple passwords should not be used. Ideally, you will use a long string of numbers, letters (both upper- and lower-case), and symbols. Additionally, you should encourage your employees to update their passwords regularly.
- Limit the Access Level You Grant to the POS System
Managers need access to the backend of your POS system, so grant them only the rights their role requires, and give other users the minimum rights they need. You may also need to grant access to vendors. Keep a record of who has access and at what level, so that if a breach occurs you can identify where it originated.
- Use End-to-End Encryption
Even though most POS systems are equipped with 256-bit encryption, it’s a good idea to use a payment gateway that is end-to-end encrypted. This will ensure that data is encrypted from transaction to gateway.
- Make Your Employees Aware of Social Engineering and Phishing
Attackers often obtain employee or vendor credentials by e-mail, but they can also do so by telephone and in person. Ensure everyone who works for or with you knows how to recognize social engineering attempts. A legitimate customer service representative or IT employee will never ask for your account name and password. When in doubt, verify the request through a separate channel.
- Upgrade to EMV Readers
You should upgrade to EMV chip card readers if you still use swipe-style card readers. The newer EMV terminals with chip support offer greater protection against fraud than the traditional signature or swipe-based devices. As of March 2019, 75% of US merchants accept EMV in a bid to upgrade their platforms.
- Update Your POS Software Frequently
Updates are released for all types of software and components, and they include new features as well as fixes for vulnerabilities that hackers may exploit. Since new updates may make your data more secure, you should not delay installing them.
- Install Antivirus Software
It is possible to avoid malware on your POS equipment by using antivirus software. The program will scan your computer regularly and detect malicious files or software. Please contact your POS software account executive if you have questions about which software to use or how to install it.
- Hire Security Experts
CIOs will not have the same level of security expertise as security specialists. There is too much going on in the security world for the CIO to keep up with. A security specialist must, however, always keep up with everything.
If your firm is too small to hire a dedicated security specialist, you should hire someone with considerable experience in security who will know when to seek outside assistance.
- Keep Track of and Monitor Your POS Devices
Monitor the POS activities of your system. Ensure all sales and inventory numbers are correct, and the activity is not irregular. Additionally, if your team accepts payments from consumers using portable devices, ensure you collect them and lock them up at the end of the day. Stealing by employees is one problem, but you should also be prepared to respond to the loss or theft of any device at any time.
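Monitoring "irregular activity" is more useful when the rules are written down and run on every day's transaction export. The following checks are an added example, not code from the article or from any POS product: they run over a constructed CSV export (the column layout, store hours and thresholds are all assumptions) and raise an alert for transactions outside business hours, refunds or voids above a set amount, and cashiers whose refund-to-transaction ratio is unusually high.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed one-day transaction export (hypothetical column layout).
SAMPLE_TRANSACTIONS = """\
timestamp,terminal,cashier,type,amount
2024-03-01T09:15:00,T01,alice,sale,42.10
2024-03-01T10:02:00,T01,alice,sale,18.75
2024-03-01T11:30:00,T02,bob,sale,99.00
2024-03-01T11:35:00,T02,bob,refund,99.00
2024-03-01T12:10:00,T02,bob,refund,54.20
2024-03-01T12:12:00,T02,bob,refund,30.00
2024-03-01T13:00:00,T02,bob,sale,12.00
2024-03-01T23:40:00,T03,carol,sale,5.00
2024-03-02T03:05:00,T03,carol,refund,250.00
"""

REVERSALS = ("refund", "void")


def parse_transactions(text: str) -> list:
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "terminal": row["terminal"],
            "cashier": row["cashier"],
            "type": row["type"].strip().lower(),
            "amount": float(row["amount"]),
        })
    return rows


def find_irregular_activity(text: str, open_hour: int = 8, close_hour: int = 21,
                            refund_ratio: float = 0.5, min_txns: int = 3,
                            large_refund: float = 200.0) -> list:
    """Return a list of alert dicts. All thresholds are assumptions for the example."""
    alerts = []
    per_cashier = defaultdict(lambda: {"total": 0, "reversals": 0})

    for t in parse_transactions(text):
        # Rule 1: any activity while the store should be closed.
        if t["ts"].hour < open_hour or t["ts"].hour >= close_hour:
            alerts.append({"rule": "after_hours", "cashier": t["cashier"],
                           "terminal": t["terminal"], "ts": t["ts"].isoformat()})
        # Rule 2: a single refund or void above the large-amount threshold.
        if t["type"] in REVERSALS and t["amount"] >= large_refund:
            alerts.append({"rule": "large_refund", "cashier": t["cashier"],
                           "terminal": t["terminal"], "amount": t["amount"]})
        stats = per_cashier[t["cashier"]]
        stats["total"] += 1
        if t["type"] in REVERSALS:
            stats["reversals"] += 1

    # Rule 3: a cashier whose reversals dominate their activity (sweethearting,
    # refund-to-own-card schemes). Requires a minimum sample to avoid noise.
    for cashier, s in per_cashier.items():
        if s["total"] >= min_txns and s["reversals"] / s["total"] >= refund_ratio:
            alerts.append({"rule": "refund_ratio", "cashier": cashier,
                           "ratio": round(s["reversals"] / s["total"], 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_irregular_activity(SAMPLE_TRANSACTIONS):
        print(alert)
```

Each alert carries the cashier and terminal so that the follow-up can go straight to the camera footage and the access log for that register; the ratio rule is the one most worth tuning, because a returns desk legitimately has a high reversal share.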
- Secure Your Systems at the End of the Day
While it is exceedingly unlikely that your staff will use your POS devices for illegal purposes, there is still room for insider theft or even human error to cause major issues. Employees can steal devices with POS software installed, leave them at the office or in a store, or lose them. When devices are lost or stolen, anyone with access to the device and software can view and steal client records, especially if rule #5 is not followed.
Ensure that all your gadgets are locked down at the end of the workday to avoid being a victim of this type of theft. Account for all devices daily and store them in a secure location where only a few staff members have access.
- Divide Your Wi-Fi Network
The advantage of an external network for a physical store is that customers get free Wi-Fi, and you’re likely to collect useful data. Your network, however, must be segmented, because an attacker who gets onto the guest network must not be able to reach payment information. Restrict the guest network to internet access only, and use a separate internal network for payment processing.
- Ensure Your Company Follows PCI Compliance
PCI DSS, one of many compliance regulations affecting businesses in most industries, provides basic requirements for point-of-sale endpoint security, such as using a firewall, changing default passwords, protecting stored data, encrypting sensitive data transmission, using antivirus software, restricting physical access to payment card information, and more.
Additionally, remote access requires multi-factor authentication. When multiple factors are in place to ensure that only authorized individuals have access to relevant resources, it goes a long way toward safeguarding environments but only as one of many levels of security in-depth.
This highlights the most important point about PCI compliance: it is only a starting point; it does not guarantee security. Although the PCI SSC standards have been continually updated to keep up with changing threats, it is always the merchant’s responsibility to identify the risks in their environment and take appropriate security measures.
However, the PCI DSS can be a great place to start. It is often discovered after a post-breach investigation that the cause of large data breaches is a lack of adequate security procedures, which the PCI DSS addresses.
You should also ensure that all card routers, servers, card readers, networks, online shopping carts, and even paper files adhere to the Payment Card Industry Data Security Standard (PCI DSS). According to the PCI Security Standards Council, businesses should monitor and inventory IT assets and business processes to detect potential vulnerabilities. Furthermore, the Council recommends not storing cardholder data unless necessary and keeping in touch with banks and card brands to ensure no issues arise.
To ensure compliance with PCI regulations, you should hire qualified security assessors to audit your organization regularly. The Council provides a list of certified assessors if you are concerned about allowing third parties access to your systems.
What Are the Consequences of a Data Breach?
Data breaches can have catastrophic consequences if POS security is not properly addressed. A study by the Ponemon Institute and IBM found that data breaches affect almost all industries, but they are most costly to the healthcare sector, costing an average of $7.13 million. However, thanks to tighter security measures at POS systems, retail data breaches decreased from $3.9 million in 2015 to $2.01 million on average in 2016.
Hundreds of millions of customers’ personal information was exposed in the most serious retail data breaches. More than 110 million Target customers had their credit card information stolen in 2013. In 2014, attackers breached Home Depot’s servers and stole 56 million credit card details. Separately, retailer TJ Maxx suffered a cyberattack that cost the company $162 million over 18 months.
How Are POS Systems Breached?
Typically, businesses don’t disclose how they suffer a data breach, but in these major breaches, details emerged gradually as the store tried to preserve data and compensate customers. Some infamous examples include:
- TJ Maxx used outdated Wi-Fi security, allowing hackers to exploit a security gap. To gain access to unencrypted transaction data (for 18 months), they collected staff logins before creating their own.
- A hacker used vendor credentials to gain access to and inject malware into Home Depot’s network to steal the credit card information of 40 million consumers.
- An unauthorized user accessed Target’s POS system using vendor login information and used malware to steal credit card information.
The above examples involved massive companies, but that doesn’t mean that small companies are not also vulnerable. Symantec’s 2016 Internet Security Threat Report found that SMB cyber-attacks rose from 18% in 2011 to 43% by 2015. Furthermore, a ConnectWise 2020 survey found that 55% of SMBs have experienced cyberattacks that cost them on average $58,902. As a result, POS security has become increasingly important for small businesses.
Who Pays for the Fraud?
Financial institutions (banks and payment processors) are usually liable for the costs of unauthorized debit and credit card transactions. They can, however, sue a store for reimbursement for customer protection costs. For example, Home Depot had to settle with banks, and Target also paid a settlement.
What Are the Costs of Securing Your POS?
Built-in POS security features will provide the majority of your POS security. You can, however, take additional steps for enhanced security that align with the best practices and guidelines listed above.
- Firewall: Data flows on your company’s network can be protected by a physical firewall, also known as a router. Prices vary, but you should expect to pay between $100 and $300. Popular choices include SonicWall and Cisco.
- Antivirus Software: You should spend $200 or more per year on antivirus software for your business computers. Popular options include McAfee and Norton.
- EMV Readers: It may be expensive to purchase EMV chip readers if you have not upgraded yet. These readers typically cost between $500 and $1,000 each. Ensure that your merchant account provider has the most current payment technology.
- Security Cameras: POS devices and terminals can be protected against physical tampering with the help of security cameras. Business security options from SimpliSafe, Vivint, and ADT begin at $19.99 per month.
Who’s Responsible for POS Security?
A data breach is ultimately the responsibility of the merchant, as the data owner. Even if third-party vendor credentials are stolen, the retailer is still liable if a data breach occurs. To protect POS hardware and software, many POS companies recommend the following security measures:
POS security responsibilities of small business owners
- Keep terminals and other POS equipment physically secure. Ensure POS software is updated regularly.
- Maintain POS transactions and user information.
- Limit access to the backend of the POS system.
- Make the most of all security features provided by the POS company.
- Ensure the security of your company’s computer system by installing firewalls, end-to-end encryption, anti-malware, and other security measures.
Security responsibilities of POS systems and payment processors
- Provide the POS system with strong security tools and capabilities.
- Regularly patch known security vulnerabilities.
- Provide customers with round-the-clock customer service and fraud reporting mechanisms when severe threats or breaches occur.
The security of your POS systems will require a multilayered approach. To begin with, full compliance with PCI security standards is essential, as well as training your staff, so they are aware of some common fraud methods and social engineering techniques. As well as limiting access to your POS systems, you should secure all your units at the end of the day.
You will be better off partnering with a POS provider that offers robust security features, but at the end of the day, you will be responsible for staying protected. The only way to ensure that your business operations are secure is to get involved with your security needs.