In Depth

Security at the Point of Sale

Cash, cards, inventory and customer data intersect at the point of sale. Here's how to keep your defenses up to date.

By Michael Fitzgerald

It is perhaps a small wonder that the biggest known data theft to date occurred at a retailer, TJ Maxx, or that high-profile data attacks have happened at Hannaford's, Lowe's, Stop & Shop and other retailers.

In the last few years, a series of improvements in processes and technologies has strengthened point-of-sale cybersecurity. Some of these improvements come thanks to the efforts of card issuers like American Express, MasterCard and Visa, which created the Payment Card Industry Data Security Standard, PCI for short.

Among them:

  • compensating controls to manage data flow into and out of the various point-of-sale technologies (PCI includes provisions for such controls for different sorts of retailers);
  • encryption protocols for transmitting data between different parts of point-of-sale systems, such as the bar-code scanner and the credit card swiper (VeriFone's VeriShield is a popular example);
  • better data storage practices, like changing software commands to avoid storing certain types of data;
  • for data that is stored, using encryption systems;
  • wireless credit card readers like the Exadigm XD2000, which include built-in security and reduce potential credit card fraud by making sure the credit card never leaves its owner's hands.

WAITER, THERE'S A HACKER IN MY SOUP

But it's a gigantic challenge to get new technology out to the millions of points of sale, which range from the big box retailers to the fitness club to the restaurants to the corner gas station. Each kind of retailer presents its own problems.

Avivah Litan, a Gartner analyst, notes that gas stations have a PCI exemption until 2010, in part because credit card readers tend to be integrated into gas pumps, so upgrading the card reader means upgrading the pump, a very pricey proposition. In the meantime, pumps at the gas station feed to a server, which might feed to a regional server and then on to one at a headquarters operation, each a potential point of weakness.

Many retailers have flocked to wireless technology, which can create more flexible floor layouts and, for restaurants, can draw customers. But the white-hat hacker Simple Nomad says he was asked by a friend who managed a Bennigan's to check out whether a wireless hub in the restaurant allowed him to gain access to the point-of-sale terminal. He was able to do so. In another restaurant with a wireless hub, he found he could alter orders at the point of sale.

Wireless networks can become insecure even after a retailer thinks it's taken all the right steps to secure them, says Peter Evans, vice president of marketing at IBM Internet Security Systems. Evans says wireless access points are often set to default to insecure settings. So after a power outage or a reset, the security settings would default to off, and the retailers might not know for months that their information was vulnerable to hackers.
