PCI Compliance For Point of Sale Systems
Making Sure Your Point Of Sale Equipment Is Secured
Credit card commercials show us happy shoppers swiping their cards on a shopping spree and enjoying the convenience of a cashless society, but they do not care to discuss the dangers of identity theft when shopping with credit cards.
Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.
Locking it Down
These Point of Sale systems are vulnerable to exploitation if not properly locked down. For decades these embedded devices consisted of specialized hardware running proprietary software, but more recently Unified Point of Sale (UPoS) has shifted the standards in the retail industry.
Chauhan has also observed that this standardization has enabled devices to become increasingly interconnected, allowing the use of off-the-shelf software on commoditized hardware running commercial or open operating systems such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux.
According to Chauhan, greater system flexibility and quicker development time have created security risks for POS equipment owners.
Some Systems Are Vulnerable
Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm focusing on information security and compliance management solutions, agrees with Chauhan that many POS systems are susceptible to attack.
According to McCullen, a dial-up swipe machine is a low-risk device; the devices more prone to exploitation are those that are computer-based and/or have Internet access, and the risk lies in those two prime factors.
According to McCullen, if a POS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through tampering.
In general, as McCullen explained, hardware swipe terminals carry only a low risk of software exploits but a higher risk of tampering; tampering allows hackers to read the cards, whether through a Bluetooth device used later to retrieve the card data or through other means of obtaining the data they need.
Chauhan pointed out other vulnerabilities: because today's POS systems are similar to networked PCs, constant patching is required. She added that embedded systems have also become susceptible to attack through unauthorized and inappropriate changes as they are handed off to others in the distribution channel. This often results in malfunctions and can cause the equipment to no longer meet PCI DSS (PCI Data Security Standard) requirements.
PCI Data Security Standard Challenges
Chauhan and McCullen both agree that POS equipment faces unique challenges when it comes to complying with the PCI DSS.
PCI DSS Requirement 5 states that regularly updated antivirus software must be used, Chauhan notes. Antivirus software can be a very high overhead expense for a low-footprint POS system, she adds; however, change control software can eliminate the need for antivirus software.
As an example, NEC Infrontia installed change control software on its POS offerings, which prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, Chauhan notes.
PCI DSS Requirement 6, develop and maintain secure systems and applications, also presents unique challenges, Chauhan notes.
It is very challenging for POS equipment providers to ensure their systems remain PCI compliant after they are shipped to the dealer network and put into production at the retail location.
Through embedding Solidcore change control in its systems, StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, has solved its PCI DSS Requirement 6 patching problems.
“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.
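The change control idea behind the Requirement 5 and Requirement 6 discussions above (a device runs only the code it was approved to run, and the only way code changes is through a recorded, authorized patch) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Solidcore's or any vendor's product code. It assumes a POS file tree built in a temporary directory with constructed file names and contents, and a placeholder change-ticket id; it shows an integrity baseline, an audit that flags unauthorized additions and modifications of the kind that creep in through the distribution channel, an execution gate that refuses unknown or altered code without needing a malware signature, and an authorized patch that updates the baseline and the audit trail in one step.

```python
"""Minimal change-control (allow-list / integrity baseline) model for a POS host.
Added illustration for this article; not any vendor's product code."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every file under root as {relative path: sha256}.
    This is the approved-code inventory the device ships with."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(root: Path, baseline: dict) -> dict:
    """Report every deviation from the baseline: files that appeared,
    disappeared, or changed since the last approved state."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current.keys() & baseline.keys() if current[p] != baseline[p]
        ),
    }


def is_allowed(root: Path, rel: str, baseline: dict) -> bool:
    """Execution gate: a file may run only if it is in the baseline and its
    hash still matches. Unknown or altered code is refused whether or not a
    malware signature for it exists, which is what lets change control stand
    in for signature-based antivirus on a fixed-function device."""
    path = root / rel
    return path.is_file() and rel in baseline and sha256_file(path) == baseline[rel]


def apply_authorized_patch(root: Path, baseline: dict, rel: str,
                           content: bytes, change_ticket: str, log: list) -> None:
    """The only sanctioned way to change code: write the new file and update
    the baseline in the same step, recording the authorizing ticket so the
    audit trail PCI DSS asks for can be produced later."""
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)
    baseline[rel] = sha256_file(path)
    log.append({"ticket": change_ticket, "file": rel, "sha256": baseline[rel]})


def demo() -> dict:
    """Run the model against a constructed POS file tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos_app").write_bytes(b"pos application v1 (constructed)")
        (root / "bin" / "printer_driver").write_bytes(b"printer driver v1 (constructed)")
        baseline = build_baseline(root)
        change_log = []

        # Two unauthorized changes of the kind that happen in the distribution
        # channel: a stray binary is dropped in, and a driver is swapped out.
        (root / "bin" / "unapproved_binary").write_bytes(b"not on the baseline")
        (root / "bin" / "printer_driver").write_bytes(b"printer driver, altered")
        findings = audit(root, baseline)
        gate = {
            "pos_app": is_allowed(root, "bin/pos_app", baseline),
            "printer_driver": is_allowed(root, "bin/printer_driver", baseline),
            "unapproved_binary": is_allowed(root, "bin/unapproved_binary", baseline),
        }

        # A sanctioned quarterly patch goes through the change-control path and
        # therefore does not show up as a deviation afterwards.
        apply_authorized_patch(root, baseline, "bin/pos_app",
                               b"pos application v2 (constructed)",
                               "CHG-0001 (placeholder ticket id)", change_log)
        after_patch = audit(root, baseline)

        return {"findings": findings, "gate": gate,
                "after_patch": after_patch, "change_log": change_log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the audit findings (the dropped binary as added, the swapped driver as modified), the gate decisions (only the untouched application is allowed to run), and the change log entry for the authorized patch; the patched application does not appear as a deviation because the baseline was updated through the sanctioned path. A real product would enforce the gate in the kernel or loader rather than on request, but the bookkeeping is the same.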
Other difficult areas include data encryption and user-based access controls, McCullen states.
Want To Ask A Point of Sale (POS) Expert?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com, with over 20 years of experience in the restaurant point of sale industry.