In Depth

Security at the Point of Sale

Cash, cards, inventory and customer data intersect at the point of sale. Here's how to keep your defenses up to date.

By Michael Fitzgerald

November 03, 2008

CSO

Point of sale security keeps getting trickier.

When thieves stole the PIN pads at a cash register in one of his company's stores, Daniel Marcotte was amazed. Not that they'd done it—such thefts can happen once a week during the holiday season. But watching it on videotape later, "I couldn't tell they had it with them when they left" the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited.

A couple of hours later, the thieves were back. They'd doctored the PIN pads to let them get customer card data. They got them back onto the point-of-sale system quickly, too. But here's where La Senza's security precautions kicked in: Its PIN pads in effect have their own Media Access Control address, and once they're disconnected, that address is no longer available. So the thieves were foiled—this time.

The point of sale has always been a target for thieves. While they once went after the cash drawer, retailers often find themselves facing sophisticated networks of thieves intent on the criminal equivalent of volume discounts—reams of credit card data, entire shelves of goods to launder or, in the case of pharmaceuticals like Sudafed, drugs used for making methamphetamines. Retailers, then, operate under the constant threat of having their point of sale either hacked by cyberthieves (the Dave & Buster's wireless hack being another recent high-profile example) or spoofed by real ones.

Between them, these various thieves target all the major aspects of a modern point-of-sale system:

  • The cash register
  • The bar-code scanner
  • Wireless access
  • The in-store voice or IP network
  • The store inventory management system

Where once the big scourge was "till tappers"—people who grab the money and run—that's no longer a major headache for most retailers, says Keith Aubele, the former loss prevention executive at Wal-Mart and Home Depot, and now a loss-prevention consultant. Instead, they have to contend with sophisticated rings of thieves who've figured out that it's far more lucrative to systematically steal goods by spoofing the point-of-sale systems, especially self-checkout systems, which are "incredibly easy to bypass," says Aubele.

"You've got one supervisor for four to six registers, and you can easily distract that person and you take merchandise and scan some and hit the deactivator and walk out," he says.

A bigger problem still is under-ringing, or sweethearting, where crooked cashiers in cahoots with thieves simply don't scan all the items presented. Retail theft was almost $35 billion, according to the 2007 National Retail Security Survey, and Aubele estimates that between $8 billion and $10 billion of it comes from under-ringing.
