Your point-of-sale system is undoubtedly one of the most important pieces of hardware your business owns. But. criminals can use your POS and/or online payment gateways to steal sensitive information about your customers and your business. So what are the best practices to keep your POS safe?
Before we get there, let’s look at what was once one of the most common ways that criminals attacked a POS system: skimming.
What is Card Skimming?
Skimming is when scammers illegally install devices inside credit card readers to pull information from the magnetic strip. In most cases, consumers cannot see or recognize that an additional device has been placed inside the card reader.
Skimming can only work at an unsupervised POS. Common targets for skimmers include gas station pumps and ATMs. These unmanned, unsupervised locations can become easy venues for skimmers to install their card readers, even if security cameras are nearby.
There are several ways criminals can skim for information. They place a thin overlay on top of the keypad to capture PINs. An overlay inside the insertion slot can capture data on the magnetic strip. They may even use tiny cameras placed near the keypad to record your finger movements.
What Do Skimmers Do With Card Data?
Often the skimmers will wait nearby, collecting data that is transmitted to them from the skimming device. They may go to the skimmer to collect card information, but the remote way of collecting information is safer—for them, of course.
Once they have card data, they can use it to manufacture fake cards. They can use the card info online. Or they could see the card info on the dark web (and it’s not called dark because of the decor). FICO estimates that in 2022 alone, 161,000 cards were compromised by skimmers, costing businesses and consumers one billion dollars in losses.
Card skimming works best with cards that have magnetic strips. These strips store static information like the card number, expiration date, security code, and pin. Because the data is static, there is nothing that can stop it from being captured and used.
Chip and Contactless Payments Are the Best Solutions
That’s why our first tip to prevent POS fraud is to encourage contactless payments or at least EMV chips. Because magnetic strips are such a liability, Mastercard will begin phasing them out of existence in 2024. By 2033, no Mastercard cards will have them. Other companies like Visa, Amex, and Discover are following suit.
The latest cards will rely on EMV chip technology or contactless RFID technology. Both of these technologies use encryption to translate payment information into randomized strings of code. The codes must be unscrambled or decrypted using specific keys that are only in the possession of the card networks.
Moreover, every single transaction generates a different code, making skimming worthless. Skimming only works with static information that can be replicated and used again. If payment information changes every time, it’s useless to criminals.
The RFID technology that animates contactless payments uses radio wave communication to connect the plastic card to the POS. Information is only exchanged within a few inches of the terminal, which also effectively eliminates outsider attempts to access the information.
Then there are mobile phone payments. Customers can store credit card information in digital wallets. At the point of sale, accessing this card information can trigger an NFC chip (near-field communication) inside of the phone to send and receive radio waves. Much like contactless cards, the phone itself becomes a piece of hardware for tendering payment.
POS Best Practice Tip #1: Use The Most Up-to-date POS Hardware
NFC, RFID, and EMV technology are the near future of the payment card industry. These technologies do a significantly better job of protecting cardholder data than traditional magnetic strip cards. That’s why our first POS systems best practices tip is to use the most up-to-date POS devices—ones that facilitate contactless payments.
Until the magnetic strips disappear, you can encourage your customers to use contactless payments with signage. Put clear signage in large letters near the register, letting them know they can use mobile wallets and contactless cards to pay. Some additional fringe benefits include much shorter transaction times than swipes and chip insertions.
One final word about this topic: make sure your payment processor can lease or loan their hardware to you. Alternatively, if they sell it to you outright, make sure they can buy it back or exchange it as the hardware changes. You do not want to be left with antiquated POS hardware that doesn’t work with the latest, safest payment technology.
POS Best Practice Tip #2: Do Not Leave Your POS Unattended
This one seems like a no-brainer, but you’d be surprised how often employees walk away from an active terminal. They may need to use the restroom. A customer may have a question. They might see their crush outside the store, in the mall.
Whatever the reason may be, an unattended POS terminal is susceptible to someone who will attempt to gain access. Unattended POS systems are not just a threat in retail settings. They can also be problematic in restaurants.
Restaurants have long been notorious for presenting a risk of credit card fraud because the actual card is taken away from the diner for several minutes. Moreover, when the floor is busy, servers might come and go from the terminal without logging on and off.
Exposed POS terminals are not just susceptible to outsiders. They are susceptible to insiders as well…that is, fellow employees. Locking POS terminals when they are unattended can also prevent employee theft. Let’s take a look at some common forms of employee theft.
Common Forms of Employee POS Theft, Fraud, and Manipulation
Void Manipulation
Sometimes an employee will manipulate voids. This means they void a legitimate purchase on the register. But in practice, they give the product or service to the customer and pocket the refund themselves.
If this is done with cash, the difference will be noticeable at the end of the day when the tills are reconciled. But if the refund is sent to a card, it can be harder to notice.
Discount Abuse
In discount abuse, employees use their employee discount for friends, family, and sweethearts—hence the nickname “sweetheart deals.” Some companies like regional midwest grocer Hyvee have been known to cancel employee discount programs when they discover that employees are abusing them.
Food Theft
Food theft is another similar practice to discount abuse. In food theft, employees will do something like take a whole meal and ring up a snack instead. This type of theft can also occur in retail settings and is very hard to track down if the POS is not integrated with some type of resource or inventory management software.
Sales Processing
This type of theft is also called sales processing. It can occur when a merchant charges someone for a less expensive item but gives them a more expensive one instead—such as charging them for a Natural Ice and pouring them a craft beer (sorry Natty Ice Bros, it’s just not on that level).
False Processing
In false processing, an employee won’t even bother running a transaction through the POS. This is a potential problem in cash-heavy businesses like food trucks or bars. The employee will “ring up” a purchase, take the cash, and pocket it. One way to deal with this type of problem is to mandate that every single transaction MUST go through the POS, even cash.
POS Best Practice Tip #3: Monitor Activity and Use Integrations
The solution to many of these POS security problems is to not only avoid leaving the POS unattended but to monitor the POS activity with surveillance. You can use cameras trained on the actual terminal itself, but there is also software that can track activity within the program, allowing you to watch what employees have done on the screen.
Integrations can also help prevent some of these problems, as mentioned. When your POS is integrated with inventory software, you will know that bartenders are charging for cans of Natural Ice and pouring glasses of Fin du Monde instead. When your POS is integrated with your accounting or inventory software, you will see that they are giving sweetheart deals out under your nose.
POS Best Practice Tip #4: Create Policies and Procedures
How you respond to these patterns is at your discretion. For some employers, this would be a warning. For others, it might be an immediate termination. Creating an employee handbook of expected behaviors may not discourage unscrupulous employees from falling into old patterns.
However, it will cover your bases and allow you to terminate the employee for gross violations of company policy. Part of this employee handbook will spell out procedures for using the POS.
For instance, you can specify that employees must log out of the POS or lock it when they step away. Even if that particular employee wouldn’t do any of the above mentioned things, they can prevent another, less scrupulous employee from doing them.
POS Best Practice Tip #5: Watch for These Suspicious Patterns
Now that we spelled out some of the common crimes committed by employees at the point of sale, let’s look at some patterns you should be on the lookout for.
Refunds
Check all refunds. Check them in person if possible. If not possible, use video surveillance to check them later. See if a customer is actually there, that they have a receipt, and that they’re offering a credit card or taking cash back.
This can seem cumbersome, but it closes the door to refund-related fraud. And if you are getting too many refunds to monitor, you might need to be asking some questions about your business outside of payment processing.
Discounts and Freebies
Monitor discounts and freebies. In restaurant settings, servers might offer free appetizers or discounts to large tables to milk a bigger tip. You may allow your employees some discretion to issue discounts, or even to offer free things to customers or diners. But you should monitor this carefully to make sure these privileges are not being abused.
Voids and No-Sales
Watch for voids. Sometimes voids will happen, for instance, when a customer genuinely walks away and leaves an item behind. But if voids are happening frequently, and especially if they are not corroborated by video evidence, something is up. And it’s not 7up.
In a similar vein, you should watch for no sales. No sales provide an opportunity for an employee to open the register and take cash or add cash (perhaps to cover up a previous theft). Check your video footage and see if they are actually making change for a customer. You might even consider having a no-change policy without a transaction.
In some cash-heavy businesses, this type of policy—we cannot open the register without a sale—can help avoid crime. This is especially true when accompanied by signage stating your cashiers do not carry more than $100 in cash at any given time.
Transaction Sizes, Gaps, and Times
Monitor the size of transactions. Transaction sizes vary throughout the day. If you are seeing smaller transaction sizes during a time when they should be larger, this is a sign that discounts are being abused. An employee might also be ringing up a more expensive transaction, collecting a smaller payment, and pocketing the difference.
Long transactions are another red flag, especially if your business is not a bar. While open tabs are more common in this setting, a retail transaction should not take more than 5 minutes. If you are opening lots of long transactions, something shady might be going on during this time.
Yet another smoking gun is transaction gaps. This refers to a gap between the number of transactions you would expect in a given time frame, and the number that occurs.
For instance, if you expect to have 100 transactions during Happy Hour, but only see 50, you should review video footage of the bar or restaurant. True, it could be that business is slow. But it could also be that some theft is occurring at the point of sale.
Multiple Refunds
Multiple refunds to the same credit card are suspicious. Some shoppers are constantly indecisive and change their minds. This sometimes happens with lifestyle purchases such as dieting programs.
But in most settings, you should not see multiple refunds issued to the same card number. This probably means that fraud is involved.
Exception Based Reporting
In conclusion, there are several patterns you should be on the lookout for. But there is no way you can watch surveillance footage all day, even if you have lots of popcorn and snack foods.
It also becomes impossible as your business expands to several registers or several different physical locations. So that said, what are the practical POS best practices to avoid employee theft?
What you need is payment processing software that can analyze trends and issue a fraud report. This type of software is called exception-based reporting, and it’s one of the latest trends in loss prevention. It will look for all the patterns mentioned above, calling general patterns and even specific transactions to your attention.
POS Best Practice Tip #6: Stay PCI Compliant
Visa, Mastercard, and other card networks have banded together to create Payment Card Industry Data Security Standards or PCI DSS. These are 12 best practices that businesses must adhere to in terms of collecting and storing payment information. Businesses are required to fill out an annual audit to make sure they are adhering to the rules.
In fact, best practices to keep your POS safe are pretty much all outlined in the PCI DSS. Some of them, however, are not cost-effective for SMBs (small and midsize businesses). A PCI audit, for instance, can start at $15,000.
For most small and midsize business owners, handling customer data in accordance with the PCI DSS is best achieved by outsourcing it to their payment processor. However, there are still some things the business will have to do, which we will outline as we continue to discuss practices to protect your POS system.
POS Best Practice Tip #7: Secure Your Wifi, Software, and Hardware
Some POS systems can operate outside of wireless networks. However, most businesses find it impossible to operate without wifi. An important POS practice for credit card privacy is to secure your internet connection—your hardware, networks, and access to cloud-based services.
Many pieces of hardware come with default passwords. This is a no-go for network security. You will also want to avoid using the same password for all connected devices and all software programs that you use.
You need to also avoid having all employees use the same password. Giving each employee a different password can help trace the source of fraud or theft when it occurs. You can keep a master sheet of passwords in a physically secure location.
Speaking of which, you should avoid displaying passwords, even wifi passwords, in public locations. And you should definitely have a separate network for your customers to use.
You will want to have layers of security and access. There is no reason why all employees should have access to the most sensitive information. One way to prevent unwanted access to the inner sanctums of your network is to have two-factor authentication.
With 2FA, you cannot access certain data points unless a code is texted to your phone, or a physical token (like a card) is inserted into a reader.
Wifi Is the Back Door To Sensitive Data
It’s important to protect your wifi network because it can become a back door for criminals to access your POS and other connected pieces of hardware and software. Cybercriminals are notorious for using side avenues of attack.
For instance, the infamous 2013 Target data breach did not occur by criminals attacking Target directly. They sent a phishing email to a third-party HVAC contractor who had access to Target’s internal systems.
Their entry point had absolutely nothing to do with customer credit card numbers, but once they were in, they made their way there and extracted card data.
POS Best Practice Tip #8: Train Your Employees
This brings us to our final point: train your employees on how to keep the POS system safe, and how to avoid cybercrime in general. Small businesses have the highest rate of Trojan Horse emails, at 1 in 32. Do your employees know what a suspicious email looks like? Strange email addresses, strange syntax, and poor formatting are a few red flags.
Criminals are getting increasingly adept at using phishing emails to install malware or ransomware. But you can train your employees to recognize fraud and create policies about what to do in response. For example, you can have a policy that all emails requesting a refund be forwarded to you or a manager.
Make sure you have policies and procedures in place for accessing the POS and other sensitive systems. Access to these devices should be logged. This can be done with a sign-in sheet, or it can be done digitally—for instance, if each employee has a unique ID and password to access the POS or the system in question. Reasons for refunds and other out-of-the-ordinary transactions should be documented as well
In a related vein, it’s a good idea to create a policy for suspicious transactions or transactions for certain items. This can eliminate some chargebacks from actual fraud. For instance, if you are suspicious of a certain customer, you can request an ID to verify the card they are carrying is actually theirs.
POS Best Practices: A Wrap-Up
The point of sale is a vital artery for your business. This is the point at which goods and services are converted into cash flow. But it’s also the place where theft and fraud can occur. However, with some POS best practices, you can reduce the likelihood of this theft and fraud from occurring.
Your partner in this prevention is your payment processor. They are the ones who can provide exception-based reporting, firewalls, login procedures, integrations, and other solutions that both secure and streamline your business.
They can also take the burden of PCI compliance off your shoulders. If you have questions about how to keep your POS secure, give us a call or contact us below to get in touch.
