5 Ways to Improve Your Point-of-Sale Security

Posted on December 26, 2012 in Credit Card Processing

Many business owners think that meeting the basic requirements of the Payment Card Industry Data Security Standard (PCI DSS) protocols will keep their point-of-sale systems from being hacked. But here’s the truth: hacking into retailer POS systems is a recurring problem worldwide, even for retailers who meet PCI DSS standards.


In just the last couple of years, several high-profile cases have received media coverage:

  • In late 2011, a scheme was discovered that involved hackers from Romania stealing credit card data from hundreds of POS systems, including those from 150 Subway franchises. More than 146,000 cards were compromised, and losses have been estimated at up to $10 million.
  • In September 2012, hackers got into POS systems in 63 Barnes & Noble stores in nine states. The company removed POS card readers from all its stores while the incident was investigated.
  • In December 2012, an Israeli security firm found a strain of malware infecting hundreds of POS systems in 40 countries. By injecting malware into a system’s iexplore.exe file on Windows servers, the malware hijacked data that could be used for cloning credit cards.

Countless other cases of POS “hacking” come from insiders: your employees. Keeping on top of POS security is essential for every business. Here are 5 ways to improve your POS security.

1. Know Your Enemy

Awareness is the first step toward POS security. Key methods for hacking a POS system include:

  • Targeting systems with no firewall between the internet and terminal services or Windows RDP
  • Gaining remote access to “back of house” servers through remote-control tools such as PCAnywhere
  • Finding systems that still use the default vendor-supplied credentials for the OS and remote-access applications

Systems are frequently hacked by criminals who are employed seasonally or temporarily, particularly in restaurants and bars. Dave Marcus, security research director at McAfee Labs, said in an interview with Ars Technica, “This is the crime of the future. Robbing a retailer won’t involve holding up a cash register at gunpoint, but rather root[ing] them from across the planet, and steal[ing] digitally.”

2. Assess Your Risks

PCI DSS Requirement 12.1.2 requires organizations to develop formal processes for identifying threats and vulnerabilities that reduce the security of cardholder data. A customized risk assessment helps a business determine which specific controls are best suited to protecting the cardholder data it handles. Not only should an organization have a formal risk assessment methodology suited to its particular vulnerabilities, it should treat risk assessment as an ongoing process so that emerging threats can be addressed through preventive measures. Risk assessments are important, but they are not a substitute for implementing all applicable PCI DSS requirements.

3. PA-DSS Validate Applications

PA-DSS stands for Payment Application Data Security Standard. Using a PA-DSS validated payment application helps merchants protect customer data by improving security controls and supporting PCI DSS compliance, and it makes maintenance and updates more secure. When properly installed and maintained, a PA-DSS validated application gives retailers a long-term solution to POS security issues. But if the application isn’t installed, configured, and maintained correctly, validation won’t provide much (if any) benefit.

4. Consider Training Under the Qualified Integrators and Resellers Program

The PCI Council now has a Qualified Integrators and Resellers (QIR) program for improving POS security. Eligible professionals in qualifying organizations can receive training on the secure installation of PA-DSS validated applications to strengthen PCI DSS compliance. QIR training educates retail professionals on the guiding principles and procedures for securely installing and maintaining payment applications so that they stay PCI DSS compliant.

5. No Default Passwords

Nobel Prize-winning physicist Richard Feynman learned how to crack safes while working on the Manhattan Project in the 1940s. Like any good scientist, he tried the simplest method first: entering the factory combinations that came written with the safes, on the gamble that nobody had bothered to change them. In several instances, he was right. A surprising number of POS systems still use their factory passwords because retailers never change them, and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Cracking a POS system often comes down to the retailer being lax about setting and rotating passwords.
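One way to turn the two rules above (no factory passwords, regular rotation) into a routine check is to audit an export of POS and back-office accounts. The following is an added example, not code from the original post; it assumes a constructed account inventory stored as salted SHA-256 hashes, a constructed list of known default passwords, and an assumed 90-day rotation policy.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample of factory/default passwords a defender would check for
# (illustrative only; real lists come from the vendor's own documentation).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "pos", "support"}
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy
AUDIT_DATE = date(2012, 12, 26)         # the date the audit is run


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256, assumed to be the inventory's stored hash format."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def uses_default_password(account: dict) -> bool:
    """True if the stored hash matches any known default under this salt."""
    return any(hash_password(p, account["salt"]) == account["hash"]
               for p in KNOWN_DEFAULT_PASSWORDS)


def audit(accounts: list, today: date) -> list:
    """Return (host, user, finding) triples for every account that fails a rule."""
    findings = []
    for acct in accounts:
        if uses_default_password(acct):
            findings.append((acct["host"], acct["user"], "DEFAULT_PASSWORD"))
        if today - acct["last_changed"] > MAX_PASSWORD_AGE:
            findings.append((acct["host"], acct["user"], "STALE_PASSWORD"))
    return findings


# Constructed inventory, shaped like an export from a POS management console.
INVENTORY = [
    {"host": "till-01", "user": "admin", "salt": "a1",
     "hash": hash_password("password", "a1"), "last_changed": date(2012, 12, 1)},
    {"host": "boh-srv", "user": "pos", "salt": "b2",
     "hash": hash_password("Kf8#qz!2Lp", "b2"), "last_changed": date(2012, 1, 10)},
    {"host": "till-02", "user": "manager", "salt": "c3",
     "hash": hash_password("Wv3$nr9Tq@", "c3"), "last_changed": date(2012, 11, 15)},
]

if __name__ == "__main__":
    for host, user, finding in audit(INVENTORY, AUDIT_DATE):
        print(f"{host}\t{user}\t{finding}")
```

Run against the constructed inventory, the audit flags the admin account on till-01 for still using a factory password and the pos account on boh-srv for a password older than the rotation window.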

Whether you’re implementing your first POS system, or are upgrading with a new one, cardholder security should be a top priority and should be an ongoing — rather than a one-time — concern.

Photo Credit: Gilbarco Veeder-Root

