Point-of-sale security is a necessity when it comes to businesses protecting their customers. POS systems are essential in the world of retail. However, the data transmitted and stored on POS systems is sensitive.
Because of this, it is a merchant’s responsibility to ensure that their POS infrastructure is secure. Merchants can achieve point-of-sale security and consumer trust when they adopt the policies outlined in our POS implementation checklist.
What is a Point-of-Sale (POS) System?
A POS system is today’s digital cash register. It facilitates transactions at any location where a sale is occurring. This can be in a physical store, in the field, or online.
POS systems not only accept payment, but they also offer additional features that create seamless business functions, including reporting, customer relationship management, staff management, inventory management, menu programs, payroll, and more.
What Makes Up a POS System?
A physical POS system contains both hardware and software. The hardware includes a touchscreen computer device or tablet, a barcode scanner, a card reader, a receipt printer, and a cash drawer if the merchant accepts cash.
The software includes the base system capabilities used for point-of-sale transactions. The software can also include transaction reporting and management systems. Almost all POS systems today have integration capabilities designed for combination use with additional software and hardware systems.
Types of POS Systems
With merchant business models being diverse, there are multiple POS systems designed to complement each type of business. Below are the most common types of POS systems:
- POS apps
- Online POS
- Mobile POS
- Terminal POS
- Tablet/Touch-Screen POS
- Cloud-based POS
- Open-source POS
- Multichannel POS
- Self-service kiosk
A merchant may be stationary, traveling, mobile, or online. They may need a POS system that is inexpensive, portable, customizable, or connects to multiple locations. So, depending on the type of business, the budget, and the needs, each POS system will benefit different merchants in different ways.
How Are POS Systems Breached?
A 2020 survey concluded that 55% of small businesses have experienced cyberattacks, costing them around $59,000. With this in mind, big or small, businesses need to take POS security seriously.
Cyber Attacks on Online POS Systems
The growth of the eCommerce industry presents new virtual threats to consumer data. Cybercriminals exploit vulnerabilities in online systems to steal sensitive information. These criminals may install web skimmers into merchants’ virtual terminals: malicious code that gathers card data every time a customer makes a credit card purchase.
Malware Threats to POS Systems
In addition to cyber attacks on virtual terminals, malware is one of the greatest threats merchants face when point-of-sale security is compromised. Malware is an umbrella term that includes all malicious software programs, such as spyware, ransomware, worms, and adware. Once installed by an attacker, this malicious software easily compromises a POS system, retrieving credit card information and sending the data to a command-and-control server that the attacker controls.
What Consequences Come From a Data Breach?
Compromised point-of-sale security can have catastrophic consequences. A recent study by IBM and the Ponemon Institute discovered that data breaches have affected almost every industry.
However, the hardest hit belongs to the healthcare sector, with an average of $7.13 million in losses. The retail industry follows closely behind in damages.
Once a criminal has access to credit card information, your customers’ sensitive data and finances are at risk, as are your business and the relationships you’ve built.
Fortunately, tighter POS security measures have decreased data breach costs by a few million dollars every year.
How to Secure Your Merchant POS System
It is important to secure your POS system from both internal and external attacks. Though we focused on cyber and malware attacks earlier, take note that internal theft can account for a majority of all retail theft. This includes employees targeting the POS system.
16 Best Practices to Protect Your POS Systems
Regardless of the size of your business, whether a global retailer or a small eCommerce business, you ought to make sure you’ve done everything you can to keep your system, hardware, users, and network secure.
Below are 16 steps to consider in your loss prevention management. These tips cover a wide range of solutions so you can keep point-of-sale security in check.
1. Physically Secure Your POS Devices
Theft and human error can put your POS devices at risk. One of the first steps you need to take is to secure your POS devices physically.
POS devices are easily portable and can easily be stolen, left behind, or lost.
When these devices are not secured, anyone can gain access to the device and its installed software. Access to this information means card records and customer information are at risk.
To physically secure your POS devices, consider the following:
- Mount your POS system and its PIN pads to the store’s countertop.
- Store all hardware and external devices in a secure area at the end of each work day. Only a few select employees should have access to this location.
- When your terminals are not in use, store them out of reach or under the check-out counter. But remember to keep them plugged in for easy access when customers are ready for checkout.
2. Invest in a Security Company
This could mean either hiring a security specialist or a security guard to monitor the premises. In addition, they can monitor security cameras should you also choose to install them.
Position security cameras toward the POS devices and the entrance to the storefront. However, avoid aiming a camera directly at the PIN pad, as this would itself compromise your customers’ security. Video surveillance will still deter criminal activity.
3. Inspect POS Hardware for Tampering
Once your devices are physically secure, you will still need to do a physical point-of-sale inspection for any tampering with devices.
You can check for tampering in a few ways. First, be sure to have security seals on kiosks such as those at outdoor gas station terminals. If a seal looks broken, the machine has most likely been tampered with.
Next, your POS inspection should include looking for skimmers. Criminals install skimmers on a card reader to steal credit card information as a transaction takes place.
Additionally, make a list of your terminal serial numbers. When inspecting devices, make sure the serial numbers all match what you have on your list. If the numbers do not align, chances are a terminal has been swapped for a different card reader not tied to your merchant account.
What To Do If You Notice Device Tampering
Evidence of tampering could include:
- A missing terminal
- A broken security seal
- New cables
- A different serial number
- A loose screw
- A broken screen
- An attached unfamiliar device
- The device is in a different location than where it was last left
If you notice anything that seems off about your devices, do not use the equipment. Be sure to notify management immediately if a terminal looks different or is missing.
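The serial-number list and the tampering checklist above can be turned into a routine reconciliation. The following Python script is an added example, not code from the original article or from any POS vendor: the inventory, seal numbers and inspection results are constructed for illustration, and the finding codes are our own naming.

```python
"""Reconcile a POS terminal inspection against the store's asset inventory.

Added example; the inventory and the inspection records below are
constructed for illustration, not taken from any real store or product.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Terminal:
    location: str   # where the device was deployed, e.g. "lane-1"
    serial: str     # serial number recorded at deployment
    seal_id: str    # tamper-evident seal number applied at deployment


@dataclass(frozen=True)
class Observation:
    location: str
    serial: Optional[str]    # None when no terminal is present at the location
    seal_id: Optional[str]   # None when the seal is missing or unreadable
    seal_intact: bool
    extra_device: bool       # an unfamiliar attachment: overlay, dongle, new cable


# Constructed inventory: the terminals the store believes are deployed.
INVENTORY = [
    Terminal("lane-1", "SN-1001", "SEAL-A1"),
    Terminal("lane-2", "SN-1002", "SEAL-A2"),
    Terminal("pump-3", "SN-1003", "SEAL-A3"),
    Terminal("pump-4", "SN-1004", "SEAL-A4"),
]

# Constructed results of one walk-through inspection.
INSPECTION = [
    Observation("lane-1", "SN-1001", "SEAL-A1", True, False),      # clean
    Observation("lane-2", "SN-2099", "SEAL-A2", True, False),      # serial does not match
    Observation("pump-3", None, None, False, False),               # terminal gone
    Observation("pump-4", "SN-1004", "SEAL-A4", False, True),      # seal broken, device attached
    Observation("back-office", "SN-1003", "SEAL-A3", True, False), # pump-3's unit found elsewhere
]


def reconcile(inventory, inspection):
    """Return (location, code, detail) findings; an empty list means all clear."""
    expected = {t.location: t for t in inventory}
    home_of = {t.serial: t.location for t in inventory}
    findings = []
    visited = set()
    for obs in inspection:
        visited.add(obs.location)
        terminal = expected.get(obs.location)
        if terminal is None:
            # A device where none should be: one of ours that moved, or a stranger.
            if obs.serial in home_of:
                findings.append((obs.location, "MOVED",
                                 f"{obs.serial} belongs at {home_of[obs.serial]}"))
            else:
                findings.append((obs.location, "UNKNOWN_DEVICE",
                                 f"serial {obs.serial} not in inventory"))
            continue
        if obs.serial is None:
            findings.append((obs.location, "MISSING", f"expected {terminal.serial}"))
            continue
        if obs.serial != terminal.serial:
            findings.append((obs.location, "SERIAL_MISMATCH",
                             f"expected {terminal.serial}, found {obs.serial}"))
        if not obs.seal_intact or obs.seal_id != terminal.seal_id:
            findings.append((obs.location, "SEAL",
                             f"expected intact {terminal.seal_id}, found {obs.seal_id}"))
        if obs.extra_device:
            findings.append((obs.location, "ATTACHMENT", "unfamiliar device attached"))
    # A location nobody looked at is itself a finding: the checklist is incomplete.
    for location in sorted(expected.keys() - visited):
        findings.append((location, "NOT_INSPECTED", "no observation recorded"))
    return findings


def locations_to_quarantine(findings):
    """Locations whose terminal must not be used until management has checked it."""
    return sorted({loc for loc, _, _ in findings})


if __name__ == "__main__":
    results = reconcile(INVENTORY, INSPECTION)
    for finding in results:
        print(" | ".join(finding))
    print("do not use:", locations_to_quarantine(results))
```

Any finding at all takes the terminal out of service until management has looked at it, which matches the "do not use the equipment" rule above; the MOVED and NOT_INSPECTED codes exist because a device turning up in the wrong place, or a lane that was skipped, is as much a signal as a broken seal.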
4. Monitor POS Device Activity
The next way to check the security of your customers’ information is to manage reports and the activity on your POS systems. Making sure all sales numbers and transaction activity look correct is one of the simplest ways to ensure your customers’ sensitive information is secure.
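Reviewing reports by eye does not scale past a handful of lanes, so a few simple rules run over the daily transaction export catch the patterns worth a second look. The script below is an added example, not the article's or any POS product's code: the CSV layout (timestamp, terminal, employee, type, amount), the log lines and the thresholds are all constructed assumptions that a real store would tune to its own export format and volume.

```python
"""Flag suspicious POS activity in one day's transaction log.

Added example; the log lines are constructed and the field layout
(timestamp, terminal, employee, type, amount) is an assumed export
format, not any vendor's real schema.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed export of one day's transactions.
SAMPLE_LOG = """\
timestamp,terminal,employee,type,amount
2024-03-04T09:15:00,lane-1,alice,SALE,42.10
2024-03-04T09:20:00,lane-1,alice,NO_SALE,0.00
2024-03-04T10:02:00,lane-1,alice,NO_SALE,0.00
2024-03-04T10:40:00,lane-1,alice,NO_SALE,0.00
2024-03-04T12:05:00,lane-2,bob,REFUND,60.00
2024-03-04T12:06:00,lane-2,bob,REFUND,75.50
2024-03-04T12:09:00,lane-2,bob,REFUND,80.00
2024-03-04T14:30:00,lane-2,bob,SALE,30.00
2024-03-04T23:40:00,lane-1,alice,SALE,500.00
"""


def parse_log(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["timestamp"]),
            "terminal": row["terminal"],
            "employee": row["employee"],
            "type": row["type"],
            "amount": float(row["amount"]),
        })
    return rows


def find_anomalies(rows, open_hour=8, close_hour=20, refund_limit=3, no_sale_limit=3):
    """Return (code, subject, detail) alerts.

    Rules (thresholds are assumptions, tune them per store):
    - AFTER_HOURS: any transaction outside opening hours
    - REFUND_SPIKE: an employee issuing refund_limit or more refunds in the day
    - NO_SALE_SPIKE: an employee opening the drawer without a sale
      no_sale_limit or more times
    """
    alerts = []
    refunds = Counter()
    no_sales = Counter()
    for r in rows:
        if not (open_hour <= r["time"].hour < close_hour):
            alerts.append(("AFTER_HOURS", r["terminal"],
                           f"{r['type']} {r['amount']:.2f} by {r['employee']} "
                           f"at {r['time'].isoformat()}"))
        if r["type"] == "REFUND":
            refunds[r["employee"]] += 1
        elif r["type"] == "NO_SALE":
            no_sales[r["employee"]] += 1
    for employee, n in refunds.items():
        if n >= refund_limit:
            alerts.append(("REFUND_SPIKE", employee, f"{n} refunds in one day"))
    for employee, n in no_sales.items():
        if n >= no_sale_limit:
            alerts.append(("NO_SALE_SPIKE", employee, f"{n} drawer opens without a sale"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(" | ".join(alert))
```

The three rules map to the internal-theft and malware concerns the article raises: after-hours activity on a lane that should be idle, a refund run by one employee, and repeated no-sale drawer opens are all things a manager would want flagged in the daily report rather than discovered at audit time.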
5. Keep Your POS Software Up-to-Date
Software is constantly upgraded. When new updates are made available for your payment software be sure to install them right away. Some updated features can include security upgrades that can help keep customer card data secure.
If your system has the option to update automatically, we recommend setting it up to do so. This will ensure you never miss an opportunity to stay as updated and secure as possible, leaving no room for error and less chance for a hacker to intervene in your system.
6. Use Advanced Password Protection
The first thing you should do when setting up your point-of-sale equipment is to change the default passwords. Criminals can easily obtain default passwords. You will want to change your device password to a strong and unique set of alphanumeric characters, including special characters and a mix of upper and lower case letters.
Next, be sure to update your passwords frequently. Additionally, if you have the option to use two-factor authentication, this will add an additional level of security to your business.
Lastly, when an employee is no longer with the company, be sure to remove their access and delete their user credentials from the system.
7. Educate Your Employees on Criminal Activity Schemes
It is important to be sure your staff is well-trained on how to avoid becoming a victim of phishing attempts. Inform staff that they should never provide their credentials to anyone via email or phone. More generally, they should never give them to anyone who is not authorized or known to be a direct supervisor or a member of your company’s IT department.
8. Implement Application Whitelists
The next way to reduce phishing attempts and unwarranted point-of-sale security risks would be to only allow business-related applications to function on your POS system. This means all other web-based platforms would be blocked, including email and web browsers.
9. Use EMV and Contactless Card Readers
As of Spring 2019, 75% of United States merchants are now accepting EMV payments. If you are still using manual entry or magstripe readers, it is time for an upgrade. EMV and contactless technology offer cardholders a higher level of security through encrypted data transfers.
10. Protect Cardholder PINs
One of the most obvious ways to make sure your customers feel safe at your place of business is to make sure your check-out experience is secure. Some ways to do this include:
- Giving cardholders room to enter their PIN on the terminal without other customers and employees being able to see.
- Do not face security cameras toward the PIN pad of your terminal. Recording a customer entering their PIN severely undermines the perceived security of your point-of-sale.
- Allow customers to hold the PIN pad while they enter their PIN. Never allow an employee to enter a PIN for the customer.
11. Install Antivirus Software
Because POS systems are a type of computer, they are vulnerable to the same threats that PCs and Macs are. Installing point-of-sale security measures such as firewalls, end-to-end encryption, and anti-malware software will protect your system from attacks.
Antivirus software scans computers and can detect any malicious software or files on your system that should not be there. From there, it can assist in deleting such files before they corrupt your system.
12. Divide Your POS Wi-Fi From Other Networks
Hackers do not need to be physically present to steal sensitive information, and many credit card fraud attempts happen remotely. Thus it is necessary to make sure your internet connection is secure. It is a huge bonus to your customers to offer free Wi-Fi, but make sure you separate that network from the one your payment system runs on.
13. Limit POS System Access Levels
An essential point-of-sale requirement is to have complete control over POS user access. Having access levels based on roles allows specific users and groups of users to do their jobs without compromising the security of the system, closing any gaps for potential malicious activity. Granting users only the minimum access they need will help ensure security measures are properly in place.
Additionally, knowing your staff well and doing background checks is always a good idea. Criminal activity could just as easily occur within the business as it could from outside.
Moreover, businesses typically work with vendors and technicians. When this happens, you want to be sure you have point-of-sale security measures in place.
Vendors and point-of-sale technicians may require access to your POS system and network to complete their work. Managing their access with login procedures such as requiring their name, photo ID, and company information, as well as requiring a staff member to be present during service, can help minimize any malicious activity.
14. Protect Multi-platform POS Systems
In today’s retail world, consumers are choosing to shop in ways that are most convenient to them, whether in person or online. Because merchants want to be able to offer a variety of convenient shopping experiences, eCommerce and mobile terminals are a great way to expand point-of-sale solutions.
However, with multiple devices and platforms, it is important to be sure all your platforms have the proper tools and operating systems to securely run transactions from anywhere.
15. Employ End-to-End Encryption
Securing data makes it more difficult for cybercriminals to gain access to important payment information. Because of this, it is important to encrypt your customers’ data. Not only is it important, but it is also encouraged by the California Consumer Privacy Act and other states’ legislation.
Let’s take a look at some types of encryption:
Data-at-rest is payment information that is not currently in transfer from POS to the payment network. Though it is not active, it is still vulnerable to attack. Encrypted data-at-rest is currently inactive and sitting in a secure vault.
Data-in-transit is information that is actively in transfer from the merchant’s POS to the payment gateway, to the network, to the issuing bank, to the card brands, and back. Securing this information from start to finish is otherwise known as end-to-end encryption.
The second the cardholder provides their payment information, their card number and personal data are scrambled and coded. This encryption can only be decoded by the intended receiver who will have a built-in virtual key for the transaction.
A 256-bit encryption key means that a cybercriminal would have to try up to 2^256 combinations to break into an encrypted message by brute force. This would be practically impossible. Encryption keys also come in 128- and 192-bit sizes.
Advanced Encryption Standard (AES)
AES is a block cipher algorithm that offers both speed and point-of-sale security for data protection online. The National Institute of Standards and Technology designed AES with the goal of preventing brute-force (trial and error) attacks on government information.
16. Become PCI Compliant
The Payment Card Industry Data Security Standard or PCI DSS manages compliance regulations for merchants who accept any form of card payment. The major card brands designed these standards and The Payment Card Industry Security Standards Council (PCI SSC) administers them.
POS compliance security regulations include many items we discussed above including:
- enabling a firewall
- changing default passwords
- protecting stored payment data
- encrypting sensitive payment data transmission
- installing antivirus software
- restricting physical access to payment card information
PCI compliance is a great starting point to establish secure payments. However, security is not guaranteed. Yes, PCI standards are continuously updated to cope with evolving threats, but it is ultimately the merchant’s responsibility to identify risks and take all appropriate security measures. All card readers, routers, servers, networks, and online shopping carts, should adhere to the PCI DSS.
Though it is not illegal if your protocols do not meet the PCI requirements, the card brands do enforce PCI non-compliance fees.
Point-of-sale security can be challenging due to the sheer number of threats out there, both known and unknown. Cybercriminal attacks continuously evolve as technology and malware advance.
Prioritizing POS security is key. Because POS systems contain sensitive consumer information, any breach of data can be costly to a merchant.
Implementing protective measures such as PCI compliance, staff education, device management, and POS access limitations can help reduce the likelihood of criminal activity on your consumer information and POS devices.
Partnering with a payment processing provider that offers PCI compliance assistance and robust security features like ECS will result in better benefits for your business. But keep in mind that at the end of the day, the merchant is responsible for protecting their POS devices and customer information.