In spite of heavy investments in security technology and top-notch security personnel, retailers and hospitality firms have an Achilles Heel unique to their business–the point of sale (POS) device. With POS devices handling most of the payment card transactions around the world for retailers, restaurants, hotels and grocers, these systems are squarely in the cross-hairs of today’s cybercriminals.
Compromised POS devices were the source of recent, major data breaches at Target, Neiman Marcus, Subway and many others, and there are no signs that the security risks are slowing down.
Given today’s growing security threat landscape, it’s a critical time for businesses to examine and enhance POS security capabilities. Taking the following five steps can mitigate your risk of a compromised POS, while still enabling the powerful business benefits of these systems.
1. Assess and Update Your Security Profile
POS security breaches typically start with a breach of the corporate network. The first step in protecting POS devices is to ensure baseline security practices are being followed. Are your users creating strong passwords? Are they changing them regularly? Are your network connections protected by a firewall? Is your network traffic filtered for malware? Are your employees’ personal (BYOD) devices screened before coming onto your network?
While these read like standard operating procedures (SOP), buttoning them down will substantially reduce your risks. A 2015 industry report found nearly 30 percent of data breaches are attributable to weak passwords. These SOPs are particularly important for a POS device. During installation, POS vendors often use system default passwords for simplicity but fail to change them later. And the default passwords can be easily obtained online by criminals.
2. Ensure Your Vendors Are Following Your Security Standards
Your security is only as good as the weakest link–and that may be your outside vendors who have access to your network. Are they adhering to your security standards? How do you know? Target’s record-breaking data breach came through the hacked credentials of a Target refrigeration vendor–resulting in 110 million compromised customer records, lost business, class action lawsuits, government investigations, and the resignation of the CEO.
3. Install POS-Specific Security
Today’s POS devices are mission-critical, sophisticated business devices. You would not buy a new Tesla motorcar and use an outdated brake system or skip the airbag. Likewise, every POS implementation should have a robust, modern security solution. It should leverage the power of the cloud, continuously update in real time to keep pace with dynamic POS-specific malware, and guard against today’s multi-layered threats. It should not shut down the POS–and shut down sales–through too many “false positives” or limit the POS’s functionality–and its value to your operations–by handcuffing its use.
4. Regularly Update POS Software Applications
POS systems are function-specific computers and, like any desktop or notebook PC, they are vulnerable to attacks when software updates and patches are not downloaded and installed. Application vendors spend considerable time fixing bugs and addressing critical security issues. Make sure that good work makes it onto your POS devices as soon as possible.
5. Train and Re-Train
Even the best laid plans still rely on people to execute them. Despite all the publicity about the risks of infected emails and websites, over 23 percent of recipients open phishing emails, and 11 percent click on phishing attachments. Nearly 70 percent of attacks involve inadvertent download of a malicious file from an infected website. Employees need to be kept informed of risks, trained in proper security precautions, and retrained regularly to ensure the messages stick. Regular emails to your team and online training can make this a much more streamlined and effective process.
Taking these five steps will ensure your organization realizes the benefits of its POS investment to maximize sales and productivity, while still maintaining control over POS security and reducing the very real business, legal and regulatory risks of a data breach.
- Tackling point of sale (POS) device security in 5 simple steps - October 28, 2015