“PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches…”
It merely means minimum standards have been achieved. As cybercriminals become more sophisticated, staying ahead of threats is a daily challenge. The card number is only a small part of what a hacker wants. The more data a hacker gets, the more complete a profile of an individual they obtain, making the data they steal that much more valuable.
Merchants need to take several measures to be compliant and prevent their POS systems from being compromised.
1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks
There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe. While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers have yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.
2. Ensure that Both POS and OS Software Is Up-to-Date
Because cybersecurity is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.
3. Always Change Default Manufacturers’ Passwords
Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system. Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password. Changing default passwords is required as part of an organization’s compliance with PCI-DSS standards. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.
4. Isolate the POS System from Other Networks
Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system. The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
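As an added example (not part of the original article), the following nftables ruleset for a store gateway enforces the isolation described above: guest Wi-Fi reaches only the Internet, the POS VLAN reaches only the payment processor, and the corporate LAN reaches POS only from a single administrative host. The VLAN interface names, the processor addresses and the jump-host address are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the original article. Interface names,
# processor addresses and the management host are constructed placeholders.
flush ruleset

define POS_IF    = "vlan10"                       # POS terminals and POS server
define CORP_IF   = "vlan20"                       # corporate/office LAN
define GUEST_IF  = "vlan30"                       # free customer Wi-Fi
define WAN_IF    = "eth0"                         # uplink to the Internet
define PROCESSOR = { 203.0.113.10, 203.0.113.11 } # placeholder payment gateway IPs
define MGMT_HOST = 10.20.0.5                      # placeholder admin jump host (MFA enforced)

table inet pos_segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Guest Wi-Fi may only reach the Internet, never the POS or corporate segments.
        iifname $GUEST_IF oifname $WAN_IF accept

        # POS may only talk to the payment processor over TLS, plus DNS and NTP upstream.
        iifname $POS_IF oifname $WAN_IF ip daddr $PROCESSOR tcp dport 443 accept
        iifname $POS_IF oifname $WAN_IF udp dport { 53, 123 } accept

        # Corporate LAN reaches the Internet freely, but reaches POS only from
        # the admin jump host and only over SSH.
        iifname $CORP_IF oifname $WAN_IF accept
        iifname $CORP_IF oifname $POS_IF ip saddr $MGMT_HOST tcp dport 22 accept

        # Everything else between segments is logged and dropped, so attempted
        # cross-segment access shows up in monitoring.
        log prefix "pos-seg-drop: " counter drop
    }
}
```

Load it with `nft -f` on the gateway and review the `pos-seg-drop:` log entries; any traffic from guest Wi-Fi or the corporate LAN toward the POS VLAN that is not from the jump host is a finding worth investigating.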
5. Always Purchase POS Systems from Reputable Dealers
Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.