Protecting Data in POS Environments
POS security, or point-of-sale security, is the prevention of unauthorized access to electronic payment systems by individuals who are typically looking to steal customers’ personal details such as credit card information. POS security aims to create a safe environment for customers to complete their purchases and transactions, and it’s a must-have measure for fostering trust with today’s consumers.
How POS Security Compromises Work
It is important to acknowledge that all POS systems carry some level of security risk. Many attackers simply look for targets running vulnerable systems and launch automated attacks against their POS environments. According to the SANS Institute, “the basic POS breach phases include infiltration, propagation, exfiltration and aggregation.” In the first phase, an attacker gains access to the targeted systems, often by exploiting a system vulnerability or through social engineering techniques. Once inside, the attacker installs malware, which spreads until it can access the system’s memory and collect the desired data. From there, the data is moved to another location within the target’s environment for aggregation and finally offloaded to an external location accessible to the attacker.
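The aggregation and offload steps described above leave a recognizable pattern in network flow records: several POS terminals send data to one internal host that is not a payment endpoint, and that host then talks to an external address. The following is an added example, not part of the original article, showing one way a defender could check for that pattern. The subnets, the allowlist, the threshold and every flow record are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions for illustration only; replace with your own network layout.
POS_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed POS terminal subnet
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal address space
ALLOWED_POS_DESTS = {"10.1.1.10"}                # assumed payment gateway

# Constructed flow records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.20.0.11", "10.1.1.10", 443, 5200),       # normal payment traffic
    ("10.20.0.12", "10.1.1.10", 443, 4800),
    ("10.20.0.11", "10.30.5.7", 445, 91000),      # terminals -> same internal host
    ("10.20.0.12", "10.30.5.7", 445, 88000),
    ("10.20.0.13", "10.30.5.7", 445, 93000),
    ("10.30.5.7", "203.0.113.50", 21, 260000),    # that host -> external address
    ("10.30.9.9", "198.51.100.4", 443, 12000),    # unrelated outbound traffic
    ("10.20.0.14", "10.30.8.8", 8080, 700),       # single terminal, below threshold
]

def find_aggregation_hosts(flows, min_terminals=3):
    """Internal, non-POS, non-allowlisted hosts receiving from many POS terminals."""
    sources = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (s in POS_NET and d in INTERNAL and d not in POS_NET
                and dst not in ALLOWED_POS_DESTS):
            sources[dst].add(src)
    return {h: sorted(t) for h, t in sources.items() if len(t) >= min_terminals}

def find_exfil_candidates(flows, min_terminals=3):
    """Aggregation hosts that also send traffic outside the internal range."""
    agg = find_aggregation_hosts(flows, min_terminals)
    findings = []
    for src, dst, port, nbytes in flows:
        if src in agg and ipaddress.ip_address(dst) not in INTERNAL:
            findings.append({"host": src, "external": dst, "port": port,
                             "bytes": nbytes, "terminals": agg[src]})
    return findings

if __name__ == "__main__":
    for finding in find_exfil_candidates(FLOWS):
        print(finding)
```

A hit is a lead for investigation rather than proof of compromise, since backup or management servers can show the same shape until they are added to the allowlist.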
Examples of Data Breaches Involving POS Security Compromises
Many of the most high-profile data breaches of customer payment information involved POS security compromises. Here are just a few examples from recent years:
Target:
The retail giant fell victim to one of the largest and most publicized data breaches of all time in late 2013 after attackers infected its POS systems with the Trojan.POSRAM malware and stole PII and payment card information on as many as 70 million Target customers. Target ended up settling a class action suit from the breach for $39 million and incurring another $19.9 million in associated legal costs.
Home Depot:
In September 2014 news broke that yet another major retailer had been hit with POS malware and an ensuing breach of POS system data. Up to 56 million customers spanning 2,200 stores were impacted by the data breach, and Home Depot paid $19 million as settlement for a resulting class action suit.
Wendy’s:
One of the most recent examples of a data breach stemming from a POS security compromise came earlier this year when the fast food chain confirmed that 1,025 of its stores had been infected with POS malware, resulting in a data breach of an undisclosed number of records. Wendy’s is facing multiple class action suits related to the incident.
Best Practices for POS Security
Enterprises should take several measures to improve POS security, prevent POS malware infections, and avoid POS data breaches:
The Need for POS Security
POS security is challenging because of the sheer volume of both known and unknown threats that exist, coupled with the value that POS system data holds for cybercriminals. In addition, the number of threats facing POS systems continues to rise because new POS malware is being created or updated all the time. Despite these challenges, enterprises - especially those in retail, hospitality, food service, or others that rely heavily on POS systems - should prioritize POS security, as these systems handle sensitive customer data and a breach of customer payment information can be highly costly both literally and in terms of damage to your company’s reputation. By implementing measures to protect POS systems and transactions and training staff on POS security policies, businesses can drastically reduce their likelihood of experiencing a costly POS security incident.