Improving Point of Sale Security

By Savannah Rainey

As long as humans have used money to pay for goods and services, other humans have found ways to take that money illegally. The difference today is that thieves no longer have to enter a bank wearing a mask and brandishing a gun to steal money: now they can do so from the comfort and safety of their own home using only a computer. While credit cards make paying for things much quicker, easier, and just generally more convenient for consumers, when not handled properly they also make it easier for hackers to empty out bank accounts.

To help combat this, the Payment Card Industry (PCI) Security Standards Council released version 3.0 of its PCI Data Security Standard (PCI DSS) in 2014, which aims to improve the security measures already being followed to protect consumers.

The specifications set out by the PCI DSS can be technical and confusing, but they basically boil down to three steps: Assess, Remediate, and Report.

Assess: “The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored by your business,” states the PCI DSS. This can be done through self-assessment questionnaires for small businesses and merchants, and by enlisting the help of a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) for larger companies. These trained personnel are hired to ensure that a company is in compliance with the PCI DSS and to test security software for vulnerabilities.

Remediate: “The process of fixing vulnerabilities — including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data.” This includes fixing unsafe processes and testing again to make sure that the remediation was successful.

Report: All businesses are required to report regularly to the PCI to ensure compliance.

Along these same lines, BizTech Magazine also suggests six strategies for heightened point of sale (POS) security:

1. Accurately scope payment card networks. By identifying all of the systems that interact with card data, you can reduce what resources fall within the scope of the PCI standard and better understand the flow of data within the network.

2. Close commonly overlooked security gaps. Many POS terminals and ATMs are still running Windows XP despite the fact that Microsoft has not offered security updates or technical support for that operating system since April 2014. Not upgrading systems is great business for hackers, as it makes sensitive credit card information even more vulnerable.

3. Redouble efforts to block threats beyond the POS environment. Training staff members to avoid sketchy emails that could contain viruses and keeping anti-virus and other security measures up-to-date can prevent hackers from successfully stealing information.

4. Assume you’ve been hacked no matter how well you defend your environment. When a breach does happen, you need a way to quickly detect the attack and limit the hacker to only a small section of the network while preventing them from exporting data.

5. Don’t wait for an annual audit of security systems. Frequent testing will help keep systems more secure.

6. Secure physical devices. Transaction devices such as card readers are vulnerable to attack and need to be closely monitored.

The Switch to Chip-based Credit Cards

Chip-based credit cards could be the answer to some of these problems. While these cards became the standard more than a decade ago in European countries, it took the 2013 breach of Target's payment system (a breach that exposed the credit card information of tens of millions of consumers) to convince American industries to begin making the switch.

Chip-based cards are more secure because they are nearly impossible to copy, but using them requires businesses to install upgraded payment terminals. For many small businesses, the cost of the new hardware is burdensome — though perhaps not as burdensome as a data breach could be, since liability for fraudulent transactions will shift from credit card companies to retailers on Oct. 1.