Earlier this month, fast food chain Wendy's discovered malware on the point-of-sale (POS) systems at more than 1,000 of its franchised US restaurants. Hackers were able to access customer credit card information, including the cardholder's name, credit card number, expiration date, and verification code. Basically, everything a hacker would need to illegally use your card to make a purchase.
POS attacks aren't new. One of the biggest data breaches in US history, the Target hack, exposed more than 70 million customer records to hackers and cost the retailer's CEO and CIO their jobs. It was later reported that the breach could have been stopped early if Target had enabled the auto-eradication feature in its FireEye anti-malware system, which would have removed the malware the moment it was detected rather than only raising an alert.
The reality is that most POS attacks can be avoided. There are many threats to your POS systems but there are just as many ways to combat these attacks. In this article, I'll list six ways your company can safeguard against POS intrusions.
1. Use an iPad for POS

Most of the recent attacks, including the Wendy's and Target breaches, have been carried out by memory-scraping malware loaded onto the POS system. The malware runs as a second process alongside the POS application and reads card data out of that application's memory in the brief window between the swipe and encryption, without the cashier or the merchant realizing what happened. The important point to note here is that the attack depends on a second program running beside the POS app with access to its memory; without that, the attack can't occur. This is why iOS has traditionally seen fewer of these attacks. iOS runs one app in the foreground at a time and, more importantly, confines every app to its own sandbox, so a rogue app can't read the POS app's memory the way a Windows RAM scraper can.
"One of the advantages of Windows is having multiple apps running at once," said Chris Ciabarra, CTO and cofounder of Revel Systems. "Microsoft doesn't want that advantage to go away...but why do you think Windows crashes all the time? All those apps are running and using all your memory."
To be fair, Revel Systems sells POS systems specifically designed for the iPad, so it's in Ciabarra's interest to push Apple's hardware. However, there's a reason you rarely, if ever, hear of memory-scraping attacks on iPad-based POS systems. Remember when the iPad Pro was unveiled? Everyone wondered whether Apple would enable true desktop-style multitasking, with two apps running simultaneously at full capacity. Apple stayed conservative, and even where iOS lets two apps share the screen, each one remains confined to its own sandbox with no way to read the other's memory, which suits anyone running POS software on the device.
2. Use End-to-End Encryption

Companies such as Verifone offer point-to-point encryption (P2PE) solutions designed so that cardholder data is never exposed in your environment. The reader's secure hardware encrypts the card data at the moment of the swipe, dip or tap, and the data is decrypted only at the payment gateway or processor. Everything in between, including the POS terminal and the store network, handles nothing but ciphertext, so a memory scraper on the POS finds nothing usable. Two caveats: P2PE protects the data as it passes through your systems, not against a reader that has been physically tampered with or fitted with a skimmer, so check tamper seals and serial numbers; and insist on a solution that appears on the PCI Security Standards Council's list of validated P2PE solutions, since that validation is what lets you shrink your PCI DSS scope.
"You want a true point-to-point encrypted unit," said Ciabarra. "You want the data to go straight from the unit to the gateway. The credit card data won't even touch the POS unit."
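The following Python sketch is an added example for this article, not code from Wendy's, Target, Revel Systems or Verifone. It shows what a memory scraper actually looks for (the RAM-scraper technique behind the attacks in section 1) and what a reader-side P2PE design leaves for it (section 2). The reader, POS app, gateway and scraper are toy stand-ins; the card number is the public Visa test PAN 4111 1111 1111 1111; the cipher is an HMAC-SHA256 keystream standing in for the AES/DUKPT scheme a real P2PE reader runs inside tamper-resistant hardware; BDK, KSN and all function names are assumptions made for this sketch.

```python
"""Where RAM-scraping POS malware finds card data, and what P2PE leaves for it.

Added, constructed example for this article; it is not code from Wendy's, Target,
Revel Systems or Verifone. The card is the Visa test PAN 4111 1111 1111 1111, the
reader, POS app, gateway and scraper are toy stand-ins, and the cipher is an
HMAC-SHA256 keystream (a stand-in for the AES/DUKPT scheme a real P2PE reader
runs inside tamper-resistant hardware). BDK, KSN and all function names are
assumptions made for this sketch.
"""
import hashlib
import hmac
import re

# Memory-scraper heuristic: 13-19 digit runs not adjacent to other digits, then Luhn.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
TRACK2 = b";4111111111111111=2512101?"     # constructed track-2 data: PAN, expiry 25/12
KSN = b"FFFF9876543210E00001"              # constructed key serial number
BDK = b"constructed-base-derivation-key"   # in a real reader this never leaves the secure element


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check over ASCII digits; filters random digit runs from scraper hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_for_pans(memory: bytes) -> list:
    """What a RAM scraper does: sweep another process's memory for Luhn-valid PANs."""
    found = []
    for m in PAN_RE.finditer(memory):
        if luhn_ok(m.group(0)) and m.group(0) not in found:
            found.append(m.group(0))
    return [p.decode() for p in found]


def txn_key(ksn: bytes) -> bytes:
    """Per-transaction key derived from the BDK and KSN, in the spirit of DUKPT."""
    return hmac.new(BDK, ksn, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (toy: no authentication tag)."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        ks = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], ks))
    return bytes(out)


def reader_swipe_p2pe(track2: bytes, ksn: bytes) -> dict:
    """Runs inside the reader: encrypt at the swipe; the POS gets only what it needs."""
    pan = track2[1:track2.index(b"=")]
    masked = pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]   # PCI DSS: at most first six, last four
    return {"ksn": ksn, "blob": keystream_xor(txn_key(ksn), track2), "masked_pan": masked}


def pos_cleartext_path(track2: bytes, amount_cents: int) -> bytes:
    """Traditional design: the POS app parses the track and builds the auth request itself.
    Returns the bytes a scraper would see in the POS process's memory."""
    sep = track2.index(b"=")
    pan, exp = track2[1:sep], track2[sep + 1:sep + 5]
    auth = b"PAN=" + pan + b";EXP=" + exp + b";AMT=" + str(amount_cents).encode()
    return b"".join([track2, auth, b"MID=000123456789"])


def pos_p2pe_path(swipe: dict, amount_cents: int) -> bytes:
    """P2PE design: the POS relays an opaque blob; the cleartext PAN never enters its RAM."""
    auth = b"KSN=" + swipe["ksn"] + b";BLOB=" + swipe["blob"] + b";AMT=" + str(amount_cents).encode()
    receipt = b"CARD " + swipe["masked_pan"] + b" AMT " + str(amount_cents).encode()
    return b"".join([auth, receipt, b"MID=000123456789"])


def gateway_decrypt(swipe: dict) -> bytes:
    """At the processor: re-derive the per-transaction key and recover the track."""
    return keystream_xor(txn_key(swipe["ksn"]), swipe["blob"])


def demo() -> dict:
    """Run the scraper over both POS designs' memory and confirm the gateway still decrypts."""
    swipe = reader_swipe_p2pe(TRACK2, KSN)
    return {
        "scraped_cleartext": scrape_for_pans(pos_cleartext_path(TRACK2, 1999)),
        "scraped_p2pe": scrape_for_pans(pos_p2pe_path(swipe, 1999)),
        "gateway_recovers_track": gateway_decrypt(swipe) == TRACK2,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the scraper pulling the full PAN out of the cleartext design's memory and finding nothing in the P2PE design's memory, while the gateway still recovers the track. The masked PAN on the receipt is the only card-derived value the POS ever holds, which is also why eliminating stored cardholder data (section 5) is easy under this design.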
3. Install Antivirus on the POS System

This is a simple and obvious step for preventing POS attacks, and PCI DSS requires anti-malware software on systems commonly affected by malware. If you want to reduce the chance of harmful malware infiltrating your system, install endpoint protection software on the device and keep it updated.

These tools scan the software on your POS device and flag problematic files or apps that need to be removed immediately. The software alerts you to trouble areas and helps you begin the clean-up needed to stop the malware before it results in data theft. Because a POS terminal runs a small, fixed set of programs, consider pairing antivirus with application whitelisting, which blocks any executable not on an approved list instead of relying on signatures to recognize new malware. And as Target showed, an alert nobody acts on is worthless: make sure detections reach someone who will respond.
4. Lock Down Your Systems

Although it's highly unlikely that your employees will use your POS devices for nefarious purposes, there's still plenty of potential for inside jobs or even just human error to cause massive trouble. Employees can steal devices with POS software installed on them, accidentally leave a device in the office or on the shop floor, or simply lose it. If a device is lost or stolen, anyone who then accesses the device and the software (especially if you didn't follow rule #2 above and card data passes through the device in cleartext) will be able to view and steal customer records.

To ensure that your company doesn't fall victim to this kind of theft, lock down all of your devices at the end of the workday. Account for every device each day and secure them in a place to which only a select few employees have access. On the devices themselves, require a passcode, enable device encryption and remote wipe, and configure the POS software so it never stores card data locally.
5. Be PCI-Compliant from Top to Bottom

In addition to managing your POS systems, you'll want to comply with the Payment Card Industry Data Security Standard (PCI DSS) across all card readers, networks, routers, servers, online shopping carts, and even paper files. The PCI Security Standards Council suggests companies actively monitor and inventory their IT assets and business processes in order to find vulnerabilities. The Council also suggests eliminating stored cardholder data unless it is absolutely necessary, and keeping in contact with your acquiring bank and the card brands so that problems are caught early and any breach that has already happened is reported promptly.

You can hire Qualified Security Assessors (QSAs) to periodically review your business and determine whether or not you're following PCI standards. If you're concerned about giving a third party access to your systems, the Council publishes a list of certified assessors.

6. Hire Security Experts

"The CIO isn't going to know everything a security expert will know," said Ciabarra. "The CIO can't stay up-to-date on everything that's happening in security. But a security expert's sole responsibility is to stay up-to-date on everything."
If your company is too small to hire a dedicated security expert in addition to a technology executive, you'll at least want to hire someone with a deep security background who will know when it's time to reach out to a third party for help.