How Can I Face The Challenging Part In PCI Compliance
Point-of-Sale Equipment: Securing Your POS
While TV credit card commercials show how merrily shoppers can go about buying things with their credit cards and how convenient life in a cashless society can be, they do not care to discuss the risk of identity theft that comes with using credit cards.
Monica Chauhan, director for embedded solutions at Solidcore, a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at Point of Sale (POS) systems.
Lock It Down
Chauhan says that if POS systems are not properly locked down, they can be vulnerable to exploitation. In past decades, these embedded devices consisted of specialized hardware running proprietary software, but in recent years Unified Point of Sale (UPoS) has shifted the standards in the retail industry.
“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux,” Chauhan observes.
According to Chauhan, greater system flexibility and quicker development time have created security risks for POS equipment owners.
Vulnerable Systems
Robert J. McCullen, CEO of Trustwave (www.trustwave.com), a security firm focusing on information security and compliance management solutions, agreed with Chauhan that many, but not all, POS systems are vulnerable to exploitation.
According to McCullen, a small dial-up swipe machine carries little risk, but devices that are computer-based and/or have Internet access (the peril lies in those two factors) are more prone to attack.
McCullen also said that if a POS system stores credit card track data, it can be exploited, and that swipe terminals can easily be compromised by tampering.
In general, as McCullen explained, hardware swipe terminals face only a low risk of software exploitation but a higher risk of physical tampering; tampering allows attackers to read the cards, whether through a Bluetooth device collected later to retrieve the card data or through other means of obtaining the data they need.
Chauhan points out other vulnerabilities. She claims that because today’s POS systems are similar to networked PCs, they require constant patching. Chauhan says embedded systems have also become susceptible to attack through unauthorized and inappropriate changes made as they are handed off to others in the distribution channel. This often results in malfunctions and can cause the equipment to no longer meet PCI DSS (PCI Data Security Standard) requirements.
The Challenges With PCI DSS
Both Chauhan and McCullen agreed that POS equipment faces unique challenges in PCI DSS compliance.
“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be a very high overhead expense on a low-footprint POS system, she notes; however, change control software can eliminate the need for antivirus software.
As an example, NEC Infrontia installed change control software on its POS offerings, where it prevented unauthorized code from breaking unpatched systems. With this software, NEC Infrontia was able to remove the antivirus software that was impacting the performance of its devices, according to Chauhan.
PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.
It is difficult for POS equipment providers to ensure that their systems remain PCI compliant after the equipment is shipped through the dealer network and put into production.
StoreNext (www.storenext.com), one of the large suppliers of technology and POS systems for independent grocers and small retail stores, has solved its patching difficulties with PCI DSS Requirement 6 by embedding Solidcore change control in its systems.
In addition, StoreNext reduced the time it spent on monthly test and patch distribution cycles by moving to a quarterly patch frequency. The PCI auditing requirement can also be met through change control software, Chauhan claimed.
Other thorny areas, McCullen states, include data encryption and user-based access controls.
Do You Have Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com, with over 20 years’ experience in the restaurant point of sale industry.