Data breaches are hitting the retail and hospitality industries in droves. Here are just three of various examples: Late last year, hackers stole credit and debit card information for 40 million customers of Target Stores. In 2014, the Neiman Marcus department store chain experienced a breach of its POS system database that involved theft of credit card information associated with 350,000 individuals and fraudulent use of more than 9,000 of these numbers. This past fall, cyber- criminals reportedly used malware to compromise credit card information for approximately 56 million consumers who shop in Home Depot’s 2,000 U.S. and Canadian stores. With so many of these incidents making the news, it’s important to better defend your POS system from attacks. Here’s how.
1. Secure your network. This starts with installing and maintaining a strong firewall, as prescribed by the Payment Card Industry Data Security Standard (PCI DSS). A firewall is essential “armor” for guarding against unauthorized access to or from any private network, thus staving off outside attacks on your POS system. It works by screening out network traffic from hackers, as well as from viruses, worms, and various types of malware specifically designed to compromise a POS system.
Additional network protection can be achieved by segmenting POS devices into their own private network. Limit entrances and exits to required systems and ports, and then monitor the traffic for anomalies.
2. Keep software updated. POS software updates often include important security patches. Failing to install these patches renders your POS system vulnerable to malware and other attacks that could put your data at risk.
Additionally, ensuring that you download and install updates as soon as possible after you’ve received them yields POS networks and hardware a far greater level of protection than does doing this on a more sporadic basis. So, too, does changing passwords on a regular basis.
3. Use a strong password, and change it often. POS system installers are prone to using default passwords upon initial setup of online payment processing for merchants and not changing the passwords to something more secure. Using the default password makes life easy for the installers, but these passwords are fairly easy for criminals to obtain. Using complex, computer-generated passwords and unique account names are highly recommended. It’s also advisable to change passwords on a regular basis.
4. Conduct regular scans. Regularly scanning your systems, including your POS system, is the most effective means of determining whether they have been compromised. For a fairly low annual fee, you can engage a security vendor to remotely scan all of your external systems access points and assess whether any are vulnerable to intrusion. Check references before hiring such a company.
5. Implement more secure payment methods. While merchants that operate outside the U.S. are less likely to become victims of data breaches, those that have not fallen prey to hackers at all have probably embraced the EMV (Europay/MasterCard/Visa) or “chip-and-PIN” smartcard standard. EMV combines PIN usage with a cryptographic component, increasing the security of card-based transactions. Chip-and-PIN has not proven to be infallible, but it does produce some barriers to fraudulent card usage. This approach does not necessarily stop the theft of payment card data, but it reduces hackers’ incentive to breach the POS database because the collected data is not as accessible as it would otherwise be.
With perpetrators developing new hacking schemes every day, retailers and restaurant operators must be ever more vigilant when it comes to protecting their POS system. The above five tips are an excellent framework for doing so.
