Keeping Point-Of-Sale Equipment Secure

In credit card commercials we see a line of dancing shoppers merrily swiping their cards from store to store, glorifying how convenient the card is to use. What the commercials never mention is the very real risk behind the cash register.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.

Locking it Down

“These point-of-sale systems can be vulnerable to exploitation if not properly locked down,” Chauhan says. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”

Chauhan has also observed that standardization has made these devices increasingly interconnected, and has allowed off-the-shelf software to run on commodity hardware under commercial or open operating systems such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux.

In her view, the security risk to POS equipment owners comes from exactly those gains: greater system flexibility and shorter development times.

Vulnerable Systems

Robert J. McCullen, CEO of Trustwave (www.trustwave.com), a security firm specializing in information security and compliance management solutions, agrees with Chauhan that many, but not all, POS systems are vulnerable to exploitation.

“A little dial-up swipe machine is a low-risk device,” McCullen says. “POS equipment more prone to exploitation is that which is computer-based and/or has Internet access; the risk lies in those two prime factors.”

If a POS system stores credit card track data, it can be exploited, and even simple swipe terminals can be compromised through physical tampering, according to McCullen.
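The stored track data McCullen refers to is straightforward to hunt for on a suspect terminal, because magnetic-stripe tracks have a fixed layout (ISO/IEC 7813: Track 1 starts with %B and uses ^ separators, Track 2 starts with ; and uses =, and both end with ?). The Python scanner below is an added example, not code from the article or from Trustwave. It searches a byte blob (a log, a swap file, a memory dump) for both track formats, confirms each candidate PAN with the Luhn check to cut false positives, and reports only masked PANs so the report itself does not become cardholder data. The log excerpt it scans is constructed for the example and uses the well-known 4111... and 5500... test card numbers, not real cards.

```python
import re

# Constructed sample of what a forensic scan of a POS log or swap file might see.
# The PANs are widely used test numbers, not real cards.
SAMPLE = (
    b"2009-03-02 14:11:07 txn ok amt=45.12 ref=00042\n"
    b"raw=;4111111111111111=12051011234567890?\n"           # Track 2, Luhn-valid
    b"raw=%B5500000000000004^DOE/JOHN^1205101123456789?\n"  # Track 1, Luhn-valid
    b"order_id=;1234567890123456=1205101?\n"                # looks like Track 2, fails Luhn
    b"masked=;411111******1111=1205?\n"                     # already masked, not a hit
)

# Track 2: ;PAN=YYMM[service code][discretionary]?    Track 1: %B PAN ^ NAME ^ YYMM ... ?
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})?(\d*)\?")
TRACK1_RE = re.compile(rb"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})?([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Scan a byte blob for Track 1 / Track 2 data; return masked hits sorted by offset."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(2).decode(), "name": None})
    for m in TRACK1_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(3).decode(),
                         "name": m.group(2).decode(errors="replace")})
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(f"offset {hit['offset']:>6}  track {hit['track']}  PAN {hit['pan']}  exp {hit['expiry']}")
```

Run against the sample, it reports two hits (the Track 2 and Track 1 records) and ignores both the Luhn-invalid lookalike and the already-masked value. Any hit on a production terminal means full track data is being retained, which PCI DSS Requirement 3 forbids after authorization regardless of how the rest of the system is locked down.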

“Generally, hardware swipe terminals have a low exploit risk but a higher risk of tampering, and that tampering allows hackers to read the cards, whether through a Bluetooth device used later to retrieve the card data or through other means of recovering the information,” McCullen explains.

Turning to other vulnerabilities, Chauhan notes that because today's POS systems resemble networked PCs, they require constant patching. She adds that embedded systems have also become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. Such changes often cause malfunctions and can leave the equipment no longer meeting PCI DSS (Payment Card Industry Data Security Standard) requirements.

PCI Data Security Standard Challenges

Chauhan and McCullen both agreed that Point of Sale equipment is faced with unique challenges when it comes to complying with the PCI DSS.

PCI DSS Requirement 5 states that regularly updated antivirus software must be used, Chauhan points out. Antivirus software can impose very high overhead on a low-footprint POS system, she notes; change control software, she argues, can eliminate the need for it. Whether a substitute control satisfies the requirement is ultimately the assessor's call: PCI DSS treats such substitutions as compensating controls that have to be documented and justified rather than simply adopted.

Chauhan cites NEC Infrontia as an example: it installed change control software on its POS offerings, where it prevented unauthorized code from compromising unpatched systems. That in turn allowed NEC Infrontia to remove the antivirus software that had been degrading the performance of its devices.
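Both the hand-off problem Chauhan describes (an image changing on its way through the distribution channel) and the NEC Infrontia deployment come down to one mechanism: a fixed allowlist of what is supposed to be on the device, and a refusal to trust anything that is not on it. The Python below is an added illustration of that mechanism, not Solidcore's or NEC Infrontia's code. It hashes a constructed "golden image" into a manifest at the vendor, checks a constructed in-field copy against it, and reports modified, removed and unexpected files; is_allowed_to_run shows the same manifest used as an execution allowlist. The file names, file contents and the snapshot_directory helper are all assumptions made for the example.

```python
import hashlib
import json
import os


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map {relative_path: bytes} to {relative_path: sha256 hex}: the allowlist for a golden image."""
    return {path: hash_bytes(content) for path, content in sorted(files.items())}


def snapshot_directory(root: str) -> dict:
    """Read a real on-disk tree into {relative_path: bytes} (assumed helper for a shipped image)."""
    files = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


def verify(manifest: dict, files: dict) -> dict:
    """Compare the current files with the manifest. A file not in the manifest is
    'unexpected' (not allowlisted); a changed hash is 'modified'; a missing file is 'removed'."""
    current = build_manifest(files)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "removed": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_allowed_to_run(manifest: dict, path: str, content: bytes) -> bool:
    """Execution-time allowlist decision: only a known path with a known hash may run."""
    return manifest.get(path) == hash_bytes(content)


# Constructed golden image as it leaves the vendor (contents are placeholders).
GOLDEN = {
    "bin/pos.exe": b"POS application build 4.2.1",
    "bin/payment.dll": b"payment module 4.2.1",
    "etc/pos.conf": b"store_id=0001\nlog_track_data=0\n",
}
GOLDEN_MANIFEST = build_manifest(GOLDEN)

# Constructed state after the dealer hand-off: payment module swapped, config changed to
# log track data, and an unvetted remote-access tool dropped in.
IN_FIELD = {
    "bin/pos.exe": b"POS application build 4.2.1",
    "bin/payment.dll": b"payment module 4.2.1 with debug hook",
    "etc/pos.conf": b"store_id=0001\nlog_track_data=1\n",
    "bin/remote_support.exe": b"unvetted remote-access tool",
}

if __name__ == "__main__":
    print(json.dumps(verify(GOLDEN_MANIFEST, IN_FIELD), indent=2))
    for path, content in IN_FIELD.items():
        verdict = "allow" if is_allowed_to_run(GOLDEN_MANIFEST, path, content) else "BLOCK"
        print(f"{verdict:5} {path}")
```

Two caveats a practitioner would add. A product doing this for real enforces the allowlist at execution time in the kernel, whereas a hash manifest checked on a schedule only detects drift after the fact, which is the difference between a file integrity monitor and change control. And the manifest itself has to be protected (signed, or held off the device); an unsigned manifest sitting next to the files it describes is only as trustworthy as the box it sits on.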

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

It is a real challenge for POS equipment providers to ensure that their systems remain PCI compliant after they have shipped to the dealer network and been put into production at the retail location.

StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, has addressed its patching challenges under PCI DSS Requirement 6 by embedding Solidcore change control in its systems.

By reducing its patch frequency from monthly to quarterly, StoreNext cut the time it spent on test and patch distribution cycles. The PCI audit requirements can be met through change control software, Chauhan claims.

Other thorny areas include data encryption and user-based access controls, McCullen adds.


Do You Have Any Questions?

If you would like to know more about this topic or have a question in mind, ask for advice from our Restaurant POS professional serving your area.

The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com with over 20 years experience in the restaurant point of sale industry.
