Insight

The POS Security Snafu

Point of sale (POS) payment systems are commonplace in retail establishments of all kinds. Customers have grown used to them, retailers endure them and hackers downright love them. That's because the Payment Card Industry (PCI) data security standard that all major credit card companies use to protect cardholder data isn't necessarily applied in POS devices or software. So, when a POS terminal reads credit card information, performs the transaction and receives the confirmation code, hackers have an easy bull's-eye to target.

PCI standards have recently been updated, but many retailers are still unknowingly using older POS devices and software that don't take advantage of the new standards. So hackers, who are persistent and exploitative by nature, are continuing their assault on a variety of POS systems. Besides stealing customer financial information, they've been known to change prices, lower the quantity on hand, steal customer lists and perform other damage. Here are the two key ways in which hackers exploit the lack of POS system standards:

  1. With physical access to a terminal. When a static RAM chip is used in the POS device, memory often doesn't clear. This leaves the cardholder data available for hackers to retrieve. Anyone with access to the device can print batch reports of all transactions and generate duplicate receipts using key combinations publicly available on vendor Web sites. Alternatively, removable flash drives used in a POS device can easily be lifted for nefarious purposes.

    Solution: Clear the memory regularly by using specific commands.
  2. Through the use of default values. Although user access to different terminal functions is typically protected with authentication codes, the codes are often set to easily available default values. When the same password is used across an entire store or region, a hacker can quickly enter the system, grab the desired information from thousands of cardholders and be gone before anyone knows a breach has occurred.

    Solution: Use unique codes and passwords instead of relying on default values. Never use the same password at multiple terminals.
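The second problem above is easy to check for once you have an inventory of which access code is configured on which terminal. The script below is an added example, not part of the original article or any vendor's tooling: it takes a constructed inventory of terminal records, flags codes that match a list of placeholder vendor defaults, and flags codes reused across more than one terminal (noting whether the reuse spans stores). The default list, terminal IDs, store names and codes are all invented for illustration; a retailer would substitute its own vendor's documented defaults and its real inventory. The findings deliberately report terminal IDs rather than the code values, so the audit output does not itself become a list of working credentials.

```python
"""Audit POS terminal access codes for vendor defaults and reuse across terminals.

Added example (not from the original article). All default values and
inventory records below are constructed placeholders for illustration.
"""
from collections import defaultdict

# Constructed stand-in for a vendor's documented default codes (not real values).
KNOWN_DEFAULTS = {"0000", "1234", "admin", "manager"}

# Constructed inventory: (terminal_id, store, role, access_code)
INVENTORY = [
    ("T-001", "store-12", "manager", "1234"),    # vendor default left in place
    ("T-002", "store-12", "manager", "Qx7!p"),   # same code on three terminals...
    ("T-003", "store-12", "manager", "Qx7!p"),
    ("T-004", "store-19", "manager", "Qx7!p"),   # ...in two different stores
    ("T-005", "store-19", "clerk", "0000"),      # vendor default left in place
    ("T-006", "store-19", "clerk", "zb3#L9"),    # unique, not a default
]


def find_default_codes(inventory, defaults=KNOWN_DEFAULTS):
    """Return the sorted terminal IDs whose access code equals a known default."""
    return sorted(term for term, _, _, code in inventory if code in defaults)


def find_shared_codes(inventory):
    """Return {code: [terminal IDs]} for every code configured on more than one terminal."""
    by_code = defaultdict(list)
    for term, _, _, code in inventory:
        by_code[code].append(term)
    return {code: sorted(terms) for code, terms in by_code.items() if len(terms) > 1}


def audit(inventory, defaults=KNOWN_DEFAULTS):
    """Produce sorted findings as (severity, terminal_id, message) tuples.

    Code values are intentionally not included in the findings, so the report
    can be circulated without leaking the credentials it is complaining about.
    """
    findings = []
    for term in find_default_codes(inventory, defaults):
        findings.append(("high", term, "access code matches a known vendor default"))
    for code, terms in find_shared_codes(inventory).items():
        stores = {store for _, store, _, c in inventory if c == code}
        scope = "across stores" if len(stores) > 1 else "within one store"
        for term in terms:
            findings.append(
                ("medium", term, f"access code shared by {len(terms)} terminals {scope}")
            )
    return sorted(findings)


if __name__ == "__main__":
    for severity, term, message in audit(INVENTORY):
        print(f"[{severity.upper():6}] {term}: {message}")
```

Run against a real inventory, the "high" findings are the terminals that anyone with the vendor's manual can open, and the "medium" findings are the ones where a single compromised code exposes every terminal in the group, which is exactly the regional-password scenario described above.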

Until the PCI data security standard is applied to all POS devices and software, it's up to retailers to protect themselves and their customers against hackers. Because it's not always an outside job when a POS system is breached, it's a good idea to use strong internal security methods to prevent losses as well.

Along with individual passwords and user IDs, consider using a biometric fingerprint reader. These require a finger scan from the employee whenever access to password-protected areas of the POS software is requested. Many POS companies are now incorporating biometrics into their retail POS software and hardware, and the price of such technology is falling rapidly.

Although there will be a slight learning curve to add biometrics into a POS system, many retailers are making the leap to protect themselves and their customers. In the meantime, check with your POS vendor to determine whether PCI standards apply to your POS devices and software.

The Connors Group provides IT staffing for the retail apparel industry. Contact Tricia Sentinella, Director of Retail Staffing at the Connors Group, at tricia@theconnorsgroup.com or 201-537-0007.

Proven Systems The Connors Group - Your Success is Who We Know