PCI Compliance For Point of Sale Systems
Making Sure Your Point Of Sale Equipment Is Secured
Credit card commercials show happy shoppers swiping their cards on a shopping spree and enjoying the convenience of a cashless society, but they never mention the very real danger of identity theft at the cash register.
Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at Point of Sale (POS) systems.
Locking it Down
Chauhan states that if these Point of Sale systems aren’t properly locked down, they can be vulnerable to attacks. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”
“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux,” Chauhan observes.
Chauhan adds that the same flexibility and faster development time that make these devices attractive are also the source of the new security risks facing POS equipment owners.
These Are Vulnerable Systems
Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm specializing in information security and compliance management solutions, agrees with Chauhan that many, but not all, POS systems are vulnerable to exploitation.
McCullen says a small dial-up swipe machine carries low risk, but devices that are computer-based and/or have Internet access are far more exposed; those two factors are the main drivers of risk.
McCullen also notes that if a POS system stores credit card track data it becomes a target for exploitation, and that swipe terminals can easily be compromised through physical tampering.
“Generally, hardware swipe terminals have a low exploit risk but a higher risk of tampering, and that tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.
Chauhan points out other vulnerabilities. Because today’s POS systems are essentially networked PCs, she says, they require constant patching. Embedded systems have also become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. This can cause the equipment to malfunction and may even cause it to fall out of compliance with PCI DSS (PCI Data Security Standard) requirements.
The Challenges With PCI DSS
Both Chauhan and McCullen agree that POS equipment faces unique challenges in achieving PCI DSS compliance.
“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be a very high overhead expense for a low-footprint POS system, she notes, and she argues that change control software can eliminate the need for it.
For example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thereby prevented unauthorized code from breaking unpatched systems. With this software in place, NEC Infrontia was able to remove the antivirus software that had been degrading the performance of its devices, according to Chauhan.
PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.
It is difficult for POS equipment providers to ensure that their systems remain PCI compliant after the equipment has been shipped through the dealer network and put into production.
According to Chauhan, StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, solved PCI DSS Requirement 6 patching challenges by embedding Solidcore change control in its systems.
StoreNext was able to cut the time it spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly. Chauhan also claims that the PCI auditing requirement can be met through change control software.
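The change control approach described for Requirement 5 and Requirement 6 rests on one idea: the shipped POS image is the approved state, and anything that differs from it after the device leaves the dealer network is an unauthorized change to be flagged (a commercial product would also block it from executing). The following is an added example written for this article, not Solidcore's software or NEC Infrontia's or StoreNext's code. It records a SHA-256 baseline of an install tree and later classifies every deviation as added, removed or modified. The install tree, file names and the scenario in demo() are all constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256: the approved image."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, root: Path) -> dict:
    """Classify every deviation of the live tree from the approved baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: an approved install, then three changes nobody authorized."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "posapp.exe").write_bytes(b"MZ approved POS binary (constructed)")
        (root / "pos.ini").write_text("[lane]\nid=3\nlog_track_data=0\n")
        (root / "readme.txt").write_text("approved image v1 (constructed)\n")
        baseline = build_baseline(root)   # taken before the device ships

        # Changes made in the field, none of which went through change control:
        (root / "pos.ini").write_text("[lane]\nid=3\nlog_track_data=1\n")   # config edit
        (root / "bin" / "helper.dll").write_bytes(b"unapproved file (constructed)")  # new code
        (root / "readme.txt").unlink()                                       # file removed
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself must be stored where the device cannot rewrite it (signed, or off-box), otherwise an attacker who can change the binaries can also change the manifest; that separation is what distinguishes real change control from a local checksum file.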
Other challenging areas, McCullen affirms, include data encryption and user-based access controls.
Questions?
For more information and advice on this topic you can quickly contact a Restaurant POS professional serving your area.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com with over 20 years experience in the restaurant point of sale industry.