PCI Compliance For Point of Sale Systems
December 11th, 2009 | by admin | Making Sure Your Point Of Sale Equipment Is Secured
While credit card commercials show lines of dancing shoppers joyfully using their credit cards and praise the convenience you get in a cashless society, they don’t include the very real risk behind the cash register.
Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at point-of-sale systems.
Lock It Down
“These point-of-sale systems can be vulnerable to exploitation if not properly locked down,” Chauhan says. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”
Chauhan observed that this standardization has let devices become increasingly interconnected, with off-the-shelf software running on commodity hardware under commercial or open operating systems such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service) and Linux.
Chauhan adds that the same flexibility and shorter development cycles that make these platforms attractive are also what expose POS equipment owners to greater security risk: a general-purpose operating system brings a general-purpose attack surface with it.
There Could Be Vulnerable Systems
Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a firm focused on information security and compliance management, agrees with Chauhan that many, though not all, POS systems are vulnerable to exploitation.
According to McCullen, stand-alone dial-up swipe machines carry a low risk; the devices that deserve attention are those that are computer-based and/or have Internet access, because those two factors are what give an attacker a way in.
McCullen adds that a POS system that stores credit card track data is a target in itself, and that even a plain swipe terminal can be compromised through physical tampering.
“Generally, hardware swipe terminals have a low exploit risk but rather a higher risk of tampering, and thus the tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.
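The stored track data McCullen warns about is straightforward to check for on a POS host, because track 1 and track 2 have fixed shapes. The scanner below is an added example, not code from the article, from Trustwave or from any vendor named here. It looks for both formats in a byte buffer, confirms the embedded PAN with a Luhn check to cut false positives, and reports only a masked PAN so the scan itself does not spread card data. The log lines it scans are constructed test data, and `scan_file` is a hypothetical helper for running it over files on disk.

```python
"""Scan POS logs, temp files or exports for stored magnetic-stripe track data.

Added example; not from the original article or from any vendor it names.
PCI DSS forbids storing full track data after authorization, so any track 1
or track 2 string found at rest on a POS host is a finding wherever it sits.
"""
import re

# Track 2: optional ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1: optional '%' start sentinel, format code 'B', PAN, '^' name '^',
# YYMM expiry, 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK1 = re.compile(rb"%?B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?\n]*\??")

# Constructed sample log; the card numbers are the usual publicly known test PANs.
SAMPLE = b"\n".join([
    b"2009-12-11 09:14:02 sale terminal=03 amount=42.17 auth=OK",
    b"2009-12-11 09:14:02 debug raw=%B4111111111111111^DOE/JOHN^2512101000000000000?",
    b"2009-12-11 09:15:40 debug raw=;5555555555554444=2603201000000000?",
    b"2009-12-11 09:16:01 order id=1234567890123=2009 not a card",
])


def luhn_ok(pan):
    """Luhn mod-10 check; filters out digit runs that merely have the right shape."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, which PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(data):
    """Return a list of (track, masked_pan, expiry_yymm) findings in the buffer."""
    findings = []
    for m in TRACK1.finditer(data):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(("track1", mask(pan), m.group(3).decode()))
    for m in TRACK2.finditer(data):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(("track2", mask(pan), m.group(2).decode()))
    return findings


def scan_file(path):
    """Hypothetical helper: scan one file on disk (log, temp file, database export)."""
    with open(path, "rb") as f:
        return find_track_data(f.read())


if __name__ == "__main__":
    for track, pan, expiry in find_track_data(SAMPLE):
        print(f"{track}: PAN {pan} exp {expiry}")
```

The fourth sample line shows why the service-code digits and the Luhn check matter: an order number followed by `=2009` has the rough shape of track 2 but is rejected, while the two real track strings are reported with their PANs masked.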
Turning to other vulnerabilities, Chauhan says that because today's POS systems resemble networked PCs, they need constant patching. Embedded systems have also become susceptible to inappropriate and unauthorized changes as they are handed from one party to the next in the distribution channel; such changes often cause malfunctions and can leave the equipment no longer meeting PCI DSS (Payment Card Industry Data Security Standard) requirements.
PCI DSS Challenges
Chauhan and McCullen agree that POS equipment faces unique PCI DSS compliance challenges.
Chauhan points to PCI DSS Requirement 5, which says antivirus software must be used and kept up to date. Antivirus can be a heavy overhead for a low-footprint POS system, she notes, and she argues that change control software can eliminate the need for it. Whether a change-control or whitelisting product may stand in for antivirus is a compensating-control question, and it is the assessor, not the vendor, who decides it.
As an example, Chauhan says NEC Infrontia installed change control software on its POS offerings and thereby kept unauthorized code from breaking unpatched systems. With that software in place, NEC Infrontia was able to remove the antivirus software that had been degrading the performance of its devices, according to Chauhan.
PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.
“It is difficult for POS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and get put into production at the retail location,” Chauhan observes.
StoreNext (www.storenext.com), one of the larger suppliers of technology and POS systems for independent grocers and small retail stores, has addressed its Requirement 6 patching challenges by embedding Solidcore change control in its systems.
StoreNext cut the time it spends on test and patch distribution cycles by moving from a monthly to a quarterly patch cadence. Chauhan also claims that the PCI DSS audit-trail requirements can be met through change control software. One caveat: Requirement 6.1 still expects critical security patches to be installed within a month of release, so a quarterly cadence can cover only non-critical updates unless the assessor accepts the change-control layer as a compensating control.
Other difficult areas include data encryption and user-based access controls, McCullen states.
Any Questions?
If you would like to know more about this topic or have a question in mind, you may ask for advice from our Restaurant POS professional serving your area.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com with over 20 years experience in the restaurant point of sale industry.