Learn how to secure POS systems against compromises and data theft in Data Protection 101, our series on the fundamentals of information security.
A Definition of POS Security
POS security, or point-of-sale security, is the prevention of unauthorized access to electronic payment systems by individuals who are typically looking to steal customers’ personal details such as credit card information. POS security aims to create a safe environment for customers to complete their purchases and transactions, and it’s a must-have measure for fostering trust with today’s consumers.
How POS Security Compromises Work
It is important to acknowledge that all POS systems carry some level of security risk. Many attackers simply look for targets running vulnerable systems and launch automated attacks against their POS environments. According to the SANS Institute, “the basic POS breach phases include infiltration, propagation, exfiltration and aggregation.” In the first phase, an attacker gains access to the targeted systems, often by exploiting a system vulnerability or through social engineering techniques. Once inside, the attacker installs malware, which spreads until it can access the system’s memory and collect the desired data. From there the data is moved to another location within the target’s environment for aggregation and finally offloaded to an external location accessible to the attacker.
Examples of Data Breaches Involving POS Security Compromises
Many of the most high-profile data breaches of customer payment information involved POS security compromises. Here are just a few examples from recent years:
- Target: The retail giant fell victim to one of the largest and most publicized data breaches of all time in late 2013 after attackers infected its POS systems with the Trojan.POSRAM malware and stole PII and payment card information on as many as 70 million Target customers. Target ended up settling a class action suit from the breach for $39 million and incurring another $19.9 million in associated legal costs.
- Home Depot: In September 2014 news broke that yet another major retailer had been hit with POS malware and an ensuing breach of POS system data. Up to 56 million customers spanning 2,200 stores were impacted by the data breach, and Home Depot paid $19 million as settlement for a resulting class action suit.
- Wendy’s: One of the most recent examples of a data breach stemming from a POS security compromise came earlier this year when the fast food chain confirmed that 1,025 of its stores had been infected with POS malware, resulting in a data breach of an undisclosed number of records. Wendy’s is facing multiple class action suits related to the incident.
Best Practices for POS Security
Enterprises should take several measures to improve POS security, prevent POS malware infections, and avoid POS data breaches:
- Encrypt all POS data upon entry and decrypt it only when it reaches the payment processor.
- Implement application whitelisting, which allows only necessary applications to run on a POS system. Any apps that might normally add risk, like web browsers or email, are blocked, thus preventing malware infections through these channels.
- Keep POS software up-to-date by installing software updates, which often contain important security patches implemented as a result of newly discovered vulnerabilities. Patch management is critical for a secure system.
- Perform regular vulnerability testing to identify weaknesses. Implement procedures or protections that address any vulnerabilities detected.
- Monitor all activity in POS systems and data for any anomalous activity and indications of threats.
- Segment any networks utilized by POS systems.
- Always use complex, secure passwords and two-factor authentication.
- Run antivirus software continuously, periodically scanning systems for malicious files.
- Think about physical security for your POS system. Cybercriminals may attempt to attach card skimmers to a POS device to steal customer credit card numbers when customers scan their cards to make payments. Train employees to be on the lookout for these kinds of actions.
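The monitoring and segmentation items above can be checked against network flow records: once POS terminals are confined to their own segment with a short list of permitted destinations, any other connection maps onto one of the breach phases described earlier. The following is an added example, not code from the original article; the subnets, addresses, ports and flow records are all constructed for illustration.

```python
import ipaddress

# Assumed (constructed) segmentation policy: POS terminals sit in one subnet
# and may reach only the payment processor gateway and an internal patch server.
POS_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED = {("198.51.100.10", 443), ("10.30.0.5", 8530)}

# Constructed flow records: source, destination, destination port.
SAMPLE_FLOWS = """\
10.20.0.11,198.51.100.10,443
10.20.0.12,10.30.0.5,8530
10.20.0.13,10.20.0.14,445
10.20.0.13,10.40.1.7,21
10.40.1.7,203.0.113.50,21
10.50.2.9,203.0.113.80,443
"""

def classify(flows_text):
    """Return (phase, src, dst, port) for each flow that violates the policy."""
    flows = []
    for line in flows_text.strip().splitlines():
        src, dst, port = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))

    findings, staging = [], set()
    # Pass 1: anything a POS terminal sends outside the allowlist.
    for src, dst, port in flows:
        if src not in POS_NET or (str(dst), port) in ALLOWED:
            continue
        if dst in POS_NET:
            phase = "propagation"      # terminal-to-terminal spread
        elif dst in INTERNAL:
            phase = "aggregation"      # data staged on another internal host
            staging.add(dst)
        else:
            phase = "exfiltration"     # terminal talking straight to the outside
        findings.append((phase, str(src), str(dst), port))
    # Pass 2: a host that received POS data and then sends to an external address.
    for src, dst, port in flows:
        if src in staging and dst not in INTERNAL:
            findings.append(("exfiltration", str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_FLOWS):
        print(finding)
```

The second pass runs after all flows are read, so a staging host is flagged even if its outbound connection appears in the log before the POS terminal's connection to it.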
The Need for POS Security
POS security is challenging because of the sheer volume of both known and unknown threats that exist, coupled with the value that POS system data holds for cybercriminals. In addition, the number of threats facing POS systems continues to rise because new POS malware is being created or updated all the time. Despite these challenges, enterprises - especially those in retail, hospitality, food service, or others that rely heavily on POS systems - should prioritize POS security, as these systems handle sensitive customer data and a breach of customer payment information can be highly costly both literally and in terms of damage to your company’s reputation. By implementing measures to protect POS systems and transactions and training staff on POS security policies, businesses can drastically reduce their likelihood of experiencing a costly POS security incident.