Point of sale, point of weakness

Jan. 5, 2016
With public, industry and government scrutiny at an all-time high, here are five practices that can secure POS systems

Retailers and hospitality enterprises have a weak point unique to their business – the point of sale (POS) device. Despite significant investment in top-notch security systems and personnel, it’s still too easy for cyber criminals to access corporate networks. POS devices handle most of the payment card transactions around the world for retailers, restaurants, hotels, grocers, and gas stations. Because these systems are highly interconnected and accessed by numerous employees and other devices, they remain a highly lucrative target for organized cybercrime.  

Compromised POS systems were the source of recent, major data breaches at Target, Hilton Worldwide, Trump Hotels, Neiman Marcus, Subway and many others. Experts speculate these systems are targeted because they are often outdated and unpatched. Third-party vendors using default and shared passwords, poor enforcement of corporate password policies, and phishing attacks are to blame for providing bad actors with initial access points.

Once inside a retailer’s corporate network, lax internal controls and configuration errors mean cyber criminals often have unfettered access to every cash register, allowing them to remotely install POS-specific malware that collects customer credit card information and transmits it (often overseas) straight to black market crime rings. The recently published Krebs report on the Target breach investigation is at once alarming and enlightening: an assessment by Verizon consultants found multiple weaknesses, including misconfigured servers, widespread use of weak and default passwords, and valid network credentials stored on several servers.

It’s past time for businesses to examine and enhance POS security capabilities. Taking the following five steps can mitigate your risk of a compromised POS, while preserving the powerful business benefits of these systems.

1. Take a Hard Look at Your Baseline Security Practices and Act on Critical Gaps

POS security breaches typically start with a breach of the corporate network.  The first step in protecting POS devices is to ensure baseline security practices are being followed.  Are your users creating strong passwords? Are they changing them regularly? Are your network connections protected by a firewall? Is your network traffic filtered for malware?  Are your employees’ BYODs screened before coming onto your network? 

While these read like standard operating procedures, buttoning them down will substantially reduce your risks.  A 2015 industry report found nearly 30 percent of data breaches are attributable to weak passwords.  These SOPs are particularly important for POS devices.  During installation, POS vendors often use system default passwords for simplicity but fail to change them later. It’s a simple matter for hackers to find these passwords online. Make sure you are looking at all the systems in your enterprise; experts claim the Hilton breach (and similar breaches at other hotel chains) was achieved not by exploiting the main reservations systems but through peripheral POS systems in hotel gift shops, restaurants, and coffee kiosks.

2. Enforce Your Security Standards with Outside Vendors

Your security is only as good as the weakest link – and that may be your outside vendors who have access to your network. Are they adhering to your security standards?  How do you know? Target’s record-breaking data breach came through a the hacked credentials of a Target refrigeration vendor -- resulting in 110 million compromised customer records, lost business, class action lawsuits, government investigations, and the resignation of the CEO.

3. Implement all POS-Specific Security Measures

Today’s POS devices are mission critical, sophisticated business devices.   You would not buy a new Tesla motorcar and use an outdated brake system or skip the airbag.  Likewise, every POS implementation should have a robust, modern security solution.  It should leverage the power of the cloud, continuously update in real time to keep pace with dynamic POS-specific malware, and guard against today’s multi-layered threats.  It should not shut down the POS – and shut down sales -- through too many “false positives” or limit the POS’s functionality – and its value to your operations -- by handcuffing its use. 

4. Develop Patch Protocol: Update POS Applications Regularly

POS systems are function-specific computers and, like any desktop or notebook PC, they are vulnerable to attacks when software updates and patches are not downloaded and installed. Application vendors spend considerable time bug-fixing and addressing critical security fixes.  Make sure that good work makes it onto your POS devices as soon as possible.    

5. Raise Awareness: Continuous Training Strengthens Front Line Defenses

Even the best laid plans still rely on people to execute them.  Despite all the publicity about the risks of infected emails and websites, over 23 percent of recipients open phishing emails, and 11 percent click on phishing attachments. Nearly 70 percent of attacks involve inadvertent download of a malicious file from an infected website. Employees need to be kept informed of risks, trained in proper security precautions, and retrained regularly to ensure the messages stick.  Regular emails to your team and online training can make this a much more streamlined and effective process.   

Taking these five steps will ensure your organization realizes the benefits of its POS investment to maximize sales and productivity, while still maintaining control over POS security. As we enter 2016, the very real business, legal and regulatory risks of a data breach can no longer be ignored. Public, industry and government scrutiny is at an all-time high, and the liability for breaches is increasingly shifting onto retailers. The financial costs, lawsuits, federal investigations, customer dissatisfaction and brand damage that follow a breach can be disastrous for your business, your employees, and your customers. Securing your POS systems is a critical first step in strengthening your entire organization from the inside out.

About the Author: James Socas is executive chairman of iSheriff, Inc., and a cloud security company with more than 3,000 business customers including leading healthcare providers: North Ohio Heart Center, Scotland Memorial Hospital, Bay Area Medical Center, Archcare, and Carteret General Hospital. Socas serves as a general partner of Updata Partners, a growth equity investment firm, based in Washington D.C.