POS Security-Beyond PCI DSS
Many business owners think that meeting the basic requirements of the Payment Card Industry Data Security Standard (PCI DSS) protocols will keep their point-of-sale systems from being hacked. But here’s the truth: hacking into retailer POS systems is a recurring problem worldwide, even for retailers who meet PCI DSS standards.
In just the last couple of years, several high-profile cases have received media coverage:
- In late 2011, a scheme was discovered that involved hackers from Romania stealing credit card data from hundreds of POS systems, including those from 150 Subway franchises. More than 146,000 cards were compromised, and losses have been estimated at up to $10 million.
- In September 2012, hackers got into POS systems in 63 Barnes & Noble stores in nine states. The company removed POS card readers from all its stores while the incident was investigated.
- In December 2012, an Israeli security firm found a strain of malware infecting hundreds of POS systems in 40 countries. By injecting malware into a system’s iexplore.exe file on Windows servers, the malware hijacked data that could be used for cloning credit cards.
Countless other cases of POS “hacking” come from insiders: your employees. Keeping on top of POS security is essential for every business. Here are 5 ways to improve your POS security.
1. Know Your Enemy
Awareness is the first step toward POS security. Key methods for hacking a POS system include:
- Targeting systems that lack firewall protection between hackers and terminal or Windows RDP services
- Gaining remote system access using tools like PCAnywhere on “back of house” servers
- Finding systems using default vendor-supplied credentials for OS and remote applications
Systems are frequently hacked by criminals who are employed seasonally or temporarily, particularly in restaurants and bars. Dave Marcus, security research director at McAfee Labs, said in an interview with Ars Technica, “This is the crime of the future. Robbing a retailer won’t involve holding up a cash register at gunpoint, but rather root[ing] them from across the planet, and steal[ing] digitally.”
2. Assess Your Risks
PCI DSS Requirements version 12.1.2 requires organizations to develop formal processes for identifying vulnerabilities that reduce security of cardholder data. A customized risk assessment can help businesses determine which specific controls are best suited for protecting cardholder data for their business. Not only should organizations have a formal risk assessment methodology suited for its particular vulnerabilities, it should treat risk assessment as an ongoing process so that information about emerging threats can be addressed through preventive measures. Risk assessments are important, but they are not a substitute for implementing all applicable PCI DSS requirements.
3. No Default Passwords
Nobel Prize-winning physicist Richard Feynman learned how to crack safes while working on the Manhattan Project in the 1940s. Like any good scientist, he tried out the simplest methods first: checking safes with the written original factory combinations on the gamble that nobody bothered to change them. And, in several instances, he was right. A surprising number of POS systems use the factory passwords because retailers don’t bother to change them, and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Often, cracking a POS system relies on the retailer being lazy about password implementation and changes.
Whether you’re implementing your first POS system, or are upgrading with a new one, cardholder security should be a top priority and should be an ongoing — rather than a one-time — concern.
Article by Resource Nation