January 2, 2023
Point-of-sale security is a necessity when it comes to businesses protecting their customers. POS systems are essential in the world of retail. However, the data transmitted and stored on POS systems is sensitive.
The wealth of personal financial information is highly attractive to cybercriminals. Cybercrime, POS data breaches, and fraud can affect both large and small businesses.
Because of this, it is a merchant’s responsibility to ensure that their POS infrastructure is secure. Merchants can achieve point-of-sale security and consumer trust when they adopt the policies outlined in our POS implementation checklist.
A POS system is today’s digital cash register. It facilitates transactions at any location where a sale is occurring. This can be in a physical store, in the field, or online.
POS systems not only accept payment, but they also offer additional features that create seamless business functions, including reporting, customer relationship management, staff management, inventory management, menu programs, payroll, and more.
A physical POS system contains both hardware and software. The hardware includes a touchscreen computer device or tablet, a barcode scanner, a card reader, a receipt printer, and a cash drawer if the merchant accepts cash.
The software includes the base system capabilities used for point-of-sale transactions. The software can also include transaction reporting and management systems. Almost all POS systems today have integration capabilities designed for combination use with additional software and hardware systems.
With merchant business models being diverse, there are multiple POS systems designed to complement each type of business. Below are the most common types of POS systems:
A merchant may be stationary, traveling, mobile, or online. They may need a POS system that is inexpensive, portable, customizable, or connects to multiple locations. So, depending on the type of business, the budget, and the needs, each POS system will benefit different merchants in different ways.
The growth of the eCommerce industry presents new virtual threats to consumer data. Cybercriminals exploit vulnerabilities in online systems to steal sensitive information. These criminals may install web skimmers into merchants’ virtual terminals: malicious code that gathers card data every time a customer makes a credit card purchase.
Compromised point-of-sale security can have catastrophic consequences. A recent study by IBM and the Ponemon Institute discovered that data breaches have affected almost every industry.
However, the hardest hit is the healthcare sector, with an average of $7.13 million in losses. The retail industry follows closely behind in damages.
Once a criminal has access to credit card information, your customers’ sensitive data and finances are at risk, as are your business and the relationships you’ve built.
Fortunately, tighter POS security measures have decreased data breach costs by a few million dollars every year.
Regardless of the size of your business, whether a global retailer or a small eCommerce business, you ought to make sure you’ve done everything you can to keep your system, hardware, users, and network secure.
Below are 16 steps to consider in your loss prevention management. These tips cover a wide range of solutions so you can keep point-of-sale security in check.
Theft and human error can put your POS devices at risk. One of the first steps you need to take is to secure your POS devices physically.
POS devices are portable and can easily be stolen, left behind, or lost.
When these devices are not secured, anyone can gain access to the device and its installed software. Access to this information means card records and customer information are at risk.
To physically secure your POS devices, consider:
Mount your POS system and its PIN pads to the store’s countertop.
Store all hardware and external devices in a secure area at the end of each work day. Only a few select employees should have access to this location.
When your terminals are not in use, store them out of reach or under the check-out counter. But remember to keep them plugged in for easy access when customers are ready for checkout.
This could mean hiring either a security specialist or a security guard to monitor the premises. In addition, they can monitor security cameras should you also choose to install them.
Position security cameras toward the POS devices and the entrance to the storefront. However, avoid aiming the camera directly at the PIN pad, as footage of PIN entry would itself compromise your customers’ security. Video surveillance will, however, deter criminal activity.
Once your devices are physically secure, you will still need to do a physical point-of-sale inspection for any tampering with devices.
You can check for tampering in a few ways. First, be sure to have security seals on kiosks such as those at outdoor gas station terminals. If a seal looks broken, the machine has most likely been tampered with.
Next, your POS inspection should include looking for skimmers. Criminals install skimmers on a card reader to steal credit card information as a transaction takes place.
Additionally, make a list of your terminal serial numbers. When inspecting devices, make sure the serial numbers all match what you have on your list. If a number does not align, chances are that terminal has been swapped for a different card reader not tied to your merchant account.
Having the inspection logged with a certification of inspection like this one will keep all parties accountable and maintain cardholder security.
Evidence of tampering could include:
If you notice anything that seems off about your devices, do not use the equipment. Be sure to notify management immediately if a terminal looks different or is missing.
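The serial-number and seal checks above lend themselves to a simple reconciliation routine. The following is an added example, not code from ECS or from the original post; the register of approved terminals and the inspection log in main are constructed sample data, and the finding categories (UNKNOWN, MOVED, SEAL, MISSING) are this example's own labels.

```go
package main

import "fmt"

// Terminal is an entry in the merchant's register of approved devices;
// Observation is a line of the physical inspection log. Both data sets
// used in main are constructed samples, not real inventory.
type Terminal struct{ Serial, Location string }
type Observation struct {
	Serial, Location string
	SealIntact       bool
}

// Reconcile compares an inspection log against the approved register and
// returns one finding per discrepancy: a serial not in the register (possible
// swapped reader), a device at the wrong lane, a broken tamper seal, or a
// registered device not seen at all (possible theft). Empty means all clear.
func Reconcile(register []Terminal, obs []Observation) []string {
	expected := make(map[string]string, len(register)) // serial -> location
	for _, t := range register {
		expected[t.Serial] = t.Location
	}
	seen := make(map[string]bool)
	var findings []string
	for _, o := range obs {
		seen[o.Serial] = true
		if loc, known := expected[o.Serial]; !known {
			findings = append(findings, fmt.Sprintf("UNKNOWN serial %s at %s: not in register, possible swapped reader", o.Serial, o.Location))
		} else if loc != o.Location {
			findings = append(findings, fmt.Sprintf("MOVED serial %s: registered at %s, found at %s", o.Serial, loc, o.Location))
		}
		if !o.SealIntact {
			findings = append(findings, fmt.Sprintf("SEAL broken on %s at %s: do not use, notify management", o.Serial, o.Location))
		}
	}
	for _, t := range register { // register order keeps output deterministic
		if !seen[t.Serial] {
			findings = append(findings, fmt.Sprintf("MISSING serial %s: registered at %s but not inspected", t.Serial, t.Location))
		}
	}
	return findings
}

func main() {
	register := []Terminal{{"T-1001", "lane1"}, {"T-1002", "lane2"}, {"T-1003", "lane3"}}
	obs := []Observation{{"T-1001", "lane1", true}, {"T-9999", "lane2", true}, {"T-1003", "lane3", false}}
	for _, f := range Reconcile(register, obs) {
		fmt.Println(f)
	}
}
```

Any non-empty result is the cue to take the affected device out of service and notify management, exactly as the inspection step above says.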
Software is constantly upgraded. When new updates are made available for your payment software be sure to install them right away. Some updated features can include security upgrades that can help keep customer card data secure.
If your system has the option to update automatically, we recommend setting it up to do so. This will ensure you never miss an opportunity to stay as updated and secure as possible, leaving no room for error and less chance for a hacker to intervene in your system.
The first thing you should do when setting up your point-of-sale equipment is to change default passwords. Default passwords are widely published and easily guessed by criminals. You will want to change your device password to a strong and unique set of alphanumeric characters, including special characters and a mix of upper and lower case.
Next, be sure to update your passwords frequently. Additionally, if you have the option to use two-factor authentication, this will add an additional level of security to your business.
Lastly, when an employee is no longer with the company, be sure to remove their access and delete their user credentials from the system.
It is important to be sure your staff is well-trained on how to avoid becoming a victim of phishing attempts. Inform staff that they should never provide their credentials to anyone via email or phone. Likewise, they should never give them to anyone who is not authorized or known to be a direct supervisor or in your company’s IT department.
The next way to reduce phishing attempts and unwarranted point-of-sale security risks would be to only allow business-related applications to function on your POS system. This means all other web-based platforms would be blocked, including email and web browsers.
As of Spring 2019, 75% of United States merchants are now accepting EMV payments. If you are still using manual entry or magstripe readers, it is time for an upgrade. EMV and contactless technology offer cardholders a higher level of security with encrypted data transfers.
One of the most obvious ways to make sure your customers feel safe at your place of business is to make sure your check-out experience is secure. Some ways to do this include:
Because POS systems are a type of computer, they are vulnerable to the same threats that PCs and Macs are. Installing point-of-sale security measures such as firewalls, end-to-end encryption, and anti-malware software will protect your system from attacks.
Antivirus software scans computers and can detect any malicious software or files on your system that should not be there. From there, it can assist in deleting such files before they corrupt your system.
Because hackers do not need to be physically present to steal sensitive information, many credit card fraud attempts are carried out remotely by cybercriminals. Thus it is necessary to make sure your internet connection is secure. It is a huge bonus to your customers to offer free Wi-Fi, but make sure you separate that network from the one your payment system runs on.
An essential point-of-sale requirement is to have complete control over POS user access. Having access levels based on roles allows specific users and groups of users to successfully do their job without compromising the security of the system, closing any gaps for potential malicious activity. Granting users only the minimum access they need will help ensure security measures are properly in place.
Additionally, knowing your staff well and doing background checks is always a good idea. Criminal activity could just as easily occur within the business as it could from outside.
Moreover, businesses typically do work with vendors and technicians. When they do, you want to be sure you have point-of-sale security measures in place.
Vendors and point-of-sale technicians may require access to your POS system and network to complete their work. Managing their access with login procedures such as requiring their name, photo ID, and company information, as well as requiring a staff member to be present during service, can help minimize any malicious activity.
In today’s retail world, consumers are choosing to shop in ways that are most convenient to them, whether that be in person or online. Because merchants want to be able to offer a variety of convenient shopping experiences, eCommerce and mobile terminals are a great way to expand point-of-sale solutions.
However, with multiple devices and platforms, it is important to be sure all your platforms have the proper tools and operating systems to securely run transactions from anywhere.
Securing data makes it more difficult for cybercriminals to gain access to important payment information. Because of this, it is important to encrypt your customers’ data. Not only is it important, but it is also encouraged by the California Consumer Privacy Act and other states’ legislatures.
Let’s take a look at some types of encryption:
Data-in-transit is information that is actively in transfer from the merchant’s POS to the payment gateway, to the network, to the issuing bank, to the card brands, and back. Securing this information from start to finish is otherwise known as end-to-end encryption.
The second the cardholder provides their payment information, their card number and personal data are scrambled and coded. This encryption can only be decoded by the intended receiver, which holds the decryption key for the transaction.
AES is a type of block cipher algorithm that offers speed and point-of-sale security for data protection online. The National Institute of Standards and Technology (NIST) adopted AES as a standard with the goal of resisting brute-force (trial-and-error) attacks on government information.
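To make the end-to-end picture concrete, here is an added example (not ECS code and not from the original post) in which the terminal seals the card data with AES in GCM mode under a key it shares only with the processor, so every hop in between forwards an opaque blob. DemoKey, the transaction id binding, and the sample card data are this example's own constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DemoKey stands in for the AES-256 key the terminal shares only with the processor.
// Constructed for this example; real keys come from key injection, never a fixed string.
func DemoKey() []byte {
	k := sha256.Sum256([]byte("constructed demo key, not a real terminal key"))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealCardData runs on the terminal the moment the card is read. It returns
// nonce||ciphertext||tag and binds the transaction id as authenticated data.
func SealCardData(key []byte, cardData, txnID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per transaction
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, []byte(cardData), []byte(txnID)), nil
}

// OpenCardData runs at the processor: only the key holder recovers the card
// data, and a modified blob, wrong key or wrong transaction id is rejected.
func OpenCardData(key, blob []byte, txnID string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() { return "", errors.New("ciphertext too short") }
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(txnID))
	return string(pt), err
}

func main() {
	blob, _ := SealCardData(DemoKey(), "4111111111111111|12/27", "txn-0001") // constructed sample card data
	card, err := OpenCardData(DemoKey(), blob, "txn-0001")
	fmt.Println(len(blob), "opaque bytes in transit; processor recovers:", card, err)
}
```

Anything that tampers with the blob or the transaction id in transit, or tries to read it with any key other than the processor's, gets an authentication error rather than card data.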
The Payment Card Industry Data Security Standard (PCI DSS) manages compliance regulations for merchants who accept any form of card payment. The major card brands designed these standards and the Payment Card Industry Security Standards Council (PCI SSC) administers them.
POS compliance security regulations include many items we discussed above including:
PCI compliance is a great starting point to establish secure payments. However, security is not guaranteed. Yes, PCI standards are continuously updated to cope with evolving threats, but it is ultimately the merchant’s responsibility to identify risks and take all appropriate security measures. All card readers, routers, servers, networks, and online shopping carts should adhere to the PCI DSS.
Though it is not illegal if your protocols do not meet the PCI requirements, the card brands do enforce PCI non-compliance fees.
Point-of-sale security can be challenging due to the magnitude of how many threats are out there, known and unknown. Cybercriminal attacks are continuously upgrading as technology and malware advance.
Prioritizing POS security is key. Because POS systems contain sensitive consumer information, any breach of data can be costly to a merchant.
Implementing protective measures such as PCI compliance, staff education, device management, and POS access limitations can help reduce the likelihood of criminal activity on your consumer information and POS devices.
Partnering with a payment processing provider that offers PCI compliance assistance and robust security features like ECS will result in better benefits for your business. But keep in mind that at the end of the day, the merchant is responsible for protecting their POS devices and customer information.
To contact sales, click HERE. And to learn more about ECS Payment Processing visit Security.
Financial Writer
MA, University of Oregon.
In my free time I am a guest lecturer at the local community college, teaching art history, architecture, world mythology, and literature.
ECS Payments is committed to providing quality merchant services.
Our aim is to be a “One Stop Shop” for all payment and product needs.