Cybercriminals and payment card data are like dogs and bacon: they just can’t get enough. And with Point of Sale (POS) devices now handling most of the payment card transactions around the world for retailers, restaurants, hotels and grocers, these systems are in the cross-hairs. Compromised POS systems were the source of major data breaches at Target, Neiman Marcus, Subway and many others, and there are no signs the security risks are slowing down.
Taking the following five steps can mitigate your risk of a compromised POS, while still enabling the powerful business benefits of these systems.
1. Assess and update your security profile.
POS security breaches typically start with a breach of the corporate network. The first step in protecting POS devices is to ensure baseline security practices are being followed. Are your users creating strong passwords? Are they changing them regularly? Are your network connections protected by a firewall? Is your network traffic filtered for malware? Are your employees’ personal (BYOD) devices screened before they connect to your network? While these read like standard operating procedures, buttoning them down will substantially reduce your risks. A 2015 industry report found nearly 30% of data breaches are attributable to weak passwords. These measures are particularly important for POS devices. During installation, POS vendors often use system default passwords for simplicity but fail to change them later, and those default passwords can be easily obtained online by criminals.
2. Ensure your vendors are following your security standards.
Your security is only as good as the weakest link - and that may be your outside vendors who have access to your network. Are they adhering to your security standards? How do you know? Target’s record-breaking data breach came through the stolen credentials of a Target refrigeration vendor - resulting in 110 million compromised customer records, lost business, class action lawsuits, government investigations, and the resignation of the CEO.
3. Install POS-specific security.
Today’s POS devices are mission critical, sophisticated business devices. You would not buy a new Tesla motorcar and use an outdated brake system or skip the airbag. Likewise, every POS implementation should have a robust, modern security solution. It should leverage the power of the cloud, continuously update in real time to keep pace with dynamic POS-specific malware, and guard against today’s multi-layered threats. It should not shut down the POS - and shut down sales - through too many “false positives” or limit the POS’s functionality - and its value to your operations - by handcuffing its use.
4. Regularly update POS software applications.
POS systems are function-specific computers and, like any desktop or notebook PC, they are vulnerable to attack when software updates and patches are not downloaded and installed. Application vendors spend considerable time fixing bugs and issuing critical security patches. Make sure that good work makes it onto your POS devices as soon as possible.
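Steps 1 and 4 both come down to things you can check against a device inventory: are vendor default credentials still in place, are passwords being rotated, and is each device on the vendor's current application release. The following audit script is an added example, not code from the original article or from any POS vendor. The vendor names, default credentials, patch identifiers, the 90-day rotation policy and the inventory records are all constructed placeholders; the salted SHA-256 stands in for whatever hash format your credential store actually uses, so the audit recomputes the store's own format rather than handling plaintext passwords.

```python
"""Audit a POS device inventory for the baseline gaps the article lists:
unchanged vendor defaults, stale passwords and missing application patches."""
from __future__ import annotations

import hashlib
import hmac
from datetime import date, timedelta

# Everything below is constructed for this example. Vendor names, default
# credentials and patch identifiers are placeholders, not real product values;
# a real audit would load the defaults from the vendor's own documentation.
VENDOR_DEFAULTS = {
    "ExampleVendorA": ["admin", "Passw0rd"],
    "ExampleVendorB": ["123456"],
}
CURRENT_PATCH = {"ExampleVendorA": "2015.09", "ExampleVendorB": "4.2.1"}
MAX_PASSWORD_AGE = timedelta(days=90)   # hypothetical rotation policy
AUDIT_DATE = date(2015, 11, 1)          # constructed "today" for the sample run


def credential_hash(salt: str, password: str) -> str:
    """Salted SHA-256 as a stand-in for the inventory's stored hash format.
    A production credential store would use a real password KDF; the audit
    only needs to recompute whatever format the store uses."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def uses_default_credential(device: dict) -> bool:
    """True if the device's stored hash matches any vendor-documented default."""
    for default in VENDOR_DEFAULTS.get(device["vendor"], []):
        candidate = credential_hash(device["salt"], default)
        # constant-time comparison, so the audit itself leaks nothing via timing
        if hmac.compare_digest(candidate, device["credential_hash"]):
            return True
    return False


def audit_device(device: dict, today: date) -> list[str]:
    """Return the list of findings for one device (empty list = compliant)."""
    findings = []
    if uses_default_credential(device):
        findings.append("default vendor credential still in use")
    if today - device["password_changed"] > MAX_PASSWORD_AGE:
        findings.append("password older than 90 days")
    expected = CURRENT_PATCH[device["vendor"]]
    if device["patch_level"] != expected:
        findings.append(f"patch level {device['patch_level']} behind {expected}")
    return findings


def audit_inventory(devices: list[dict], today: date) -> dict[str, list[str]]:
    """Findings keyed by device id, listing only devices that have gaps."""
    result = {}
    for device in devices:
        findings = audit_device(device, today)
        if findings:
            result[device["id"]] = findings
    return result


# Constructed inventory: one device never left the vendor default and is
# unpatched, one is fully compliant, one only has a stale password.
SAMPLE_INVENTORY = [
    {"id": "POS-001", "vendor": "ExampleVendorA", "salt": "s1",
     "credential_hash": credential_hash("s1", "admin"),
     "password_changed": date(2015, 1, 10), "patch_level": "2015.06"},
    {"id": "POS-002", "vendor": "ExampleVendorA", "salt": "s2",
     "credential_hash": credential_hash("s2", "long-unique-passphrase-7"),
     "password_changed": date(2015, 10, 1), "patch_level": "2015.09"},
    {"id": "POS-003", "vendor": "ExampleVendorB", "salt": "s3",
     "credential_hash": credential_hash("s3", "another-unique-passphrase"),
     "password_changed": date(2015, 5, 1), "patch_level": "4.2.1"},
]


def run_sample_audit() -> dict[str, list[str]]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for dev_id, findings in run_sample_audit().items():
        print(dev_id, "->", "; ".join(findings))
```

Run as-is, the script reports POS-001 for all three gaps and POS-003 for the stale password only. The useful design point is that the default-credential check never needs the plaintext of any device password: it hashes the vendor's published defaults in the store's own format and compares, so the audit can run from a read-only inventory export.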
5. Train and re-train.
Even the best laid plans still rely on people to execute them. Despite all the publicity about the risks of infected emails and websites, over 23% of recipients open phishing emails, and 11% click on phishing attachments. Nearly 70% of attacks involve inadvertent download of a malicious file from an infected website. Employees need to be kept informed of risks, trained in proper security precautions, and retrained regularly to ensure the messages stick. Regular emails to your team and online training can make this a much more streamlined and effective process.
Taking these five steps will ensure your organization realizes the benefits of its POS investment to maximize sales and productivity, while still maintaining control over POS security and reducing the very real business, legal, and regulatory risks of a data breach.