In late 2013, the huge retailer Target announced that some 70 million customer records had been compromised, including credit and debit card data. The attack on Target used malware installed on POS systems to siphon data into the hands of malicious hackers. Both the CEO and the CIO were forced to resign over the data breach, and Target is still reeling from the breach’s damage to their reputation.
How Can POS Data Be Stolen?
To tamper with equipment, a criminal has to actually be at the POS system. While it’s unlikely, employees do commit credit card theft sometimes — in 2011, a collection of the wait staff at high-end restaurants in New York City were caught after stealing around $1 million via credit cards.
People other than employees may also attempt to steal credit card data through your POS system. Social engineering is a prevalent tactic used by criminals to gain access to POS systems and other terminals. The criminal might pose as part of the staff, or attempt to persuade an employee to let them use an otherwise restricted terminal. Other times, they may simply leave malicious software in conspicuous places in the hopes that an employee will unwittingly use it.
How Criminals Physically Steal Credit Card Data
Once a thief has gained physical access to a POS system, they can go to work. A common technique used is called skimming — the thief will install some extra hardware on the POS system that reads card data, or they will simply swipe the card through a device that reads and stores the information.
Another popular technique is using hidden cameras to record customers entering PIN numbers. If the PIN number is matched with the credit card information from a skimmer or another method, the thief has all they need to sell or use the card.
Physical methods of obtaining credit card data will never be as lucrative as digital methods, however. Criminals know this, and they use some very sophisticated and coordinated approaches to stealing customer data through POS systems.
Cybersecurity for Your POS System
The attack on Target used malware, malicious software, that siphoned credit card data from the POS system in a series of stages. Malware attacks can be as complex as the Target occurrence, or they can be more straightforward. Either way, the damage to the customer and the business is clear.
The most direct way attackers use malware is by reading card data during payment processing. Card data is encrypted at all times, except during payment processing. Malware can be designed to save card data read during payment processing to the POS itself. The data is retrieved later when the transfer won’t be noticed.
Point-of-Sale Security Best Practices
You can take steps to protect your businesses POS system right now. Most data breaches are preventable by security best practices. The Target data breach, the largest of its kind, could have been prevented by the activation of a feature on the already present antivirus software. Take a look at these point-of-sale best practices:
Use Only PCI Compliant Devices
The PCI Security Standards Council regulates the Payment Card Industry (PCI) Security Standards and provides training and education, product certification programs, and other tools that help implement the security standards.
American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. all abide by the regulations set by the PCI Security Standards Council. Having PCI compliant devices means you can be sure they are up to standards for security.
Monitor Physical Devices
Criminals will go to great lengths to get your customers credit card information. Placing hidden cameras is an easy way for someone to get PIN numbers. Also, by tampering with physical devices, a thief can obtain records of every credit card scanned by those devices.
Keep an eye out for extra wiring, or labels that don’t seem to belong — torn or curling edges, mismatched brands, non-related stickers. Missing or loose screws is another indication that a device might have been tampered with.
Don’t Connect Your POS to External Networks
Hackers don’t have to be at your retail location to install software onto your POS systems. Systems connected to external networks are vulnerable to attacks from malicious hackers. Instead, process payments through a corporate network to be more secure.
Devices that are PCI compliant are more secure, but that’s only part of securing your customer’s information. The PCI Security Standard Council also makes regulations on online shopping carts, network devices, and networks themselves.
Other Steps to Have a Secure POS System
The PCI Security Council also recommends that you delete cardholder data unless it’s necessary for some reason. Regular check-ups with your payment processor are also suggested by the Security Council.
POS software typically allows for different permission levels based on the user. It’s good to have an admin role to access all facets of the POS system, a manager role who can handle most things, and a general user or clerk role who can take payments but not much else.
If you’re having trouble keeping up on security, don’t be afraid to hire a security expert. Even a one over on your POS security can save you a ton of time and money in the future.Sign Up