In Depth

Security at the Point of Sale

Cash, cards, inventory and customer data intersect at the point of sale. Here's how to keep your defenses up to date.

By Michael Fitzgerald


Evans says it's also simple to put a data skimmer on credit card swipe readers without anyone noticing. In fact, he says that recently, "I was a victim of one of these."

In his case, he says he was fortunate that his credit card provider's algorithms were able to detect fraudulent usage when his credit card data was used, and the thief was nabbed.

Meanwhile, the PCI Security Standards Council certifies software for use with point-of-sale systems. But Tom Wabiszczewicz, a security consultant at NeoHapsis, one of the six Qualified Incident Response Assessors (QIRA) under PCI's Cardholder Information Security Program (CISP), says issues persist. Over the course of the year, he has run into situations where companies have secure servers but their Windows-based point-of-sale terminals sit directly on the Internet, effectively wide open to attack.

He's also seen companies that were storing Track 2 data unencrypted. Track 2 data can be used to recreate a credit card. In one case he saw, a U.S. retailer's Track 2 data was being sniffed and used to create fraudulent credit cards that were used days later in Tokyo.

He says some problems arise when companies upgrade to a PCI-compliant version of their software without getting rid of the old software, or while leaving older, unencrypted data in their databases. Wabiszczewicz says that "they're doing things correctly from that point on, but what about the leftover data from the database, or the previous version that didn't encrypt the credit card number or stored Track 2 data?"

Wabiszczewicz recommends that any such upgrade should include a complete reinstall of the entire system.

Despite these myriad issues, Wabiszczewicz says it is relatively straightforward to protect today's point-of-sale systems. "If you have a correct policy, you train employees, limit what they can do on the front end of the POS system and you're running PCI-compliant point-of-sale software, you are in very good shape," he says.

POINT OF SALE GRADE-A UPGRADES
Companies that are installing brand-new point-of-sale systems have a much better chance of being secure from the get-go.

That's the course followed by Original Pizza Pan, in North Ridgeville, Ohio. A 25-year-old operation, it went through a franchise boom in the last few years, and now has about 100 locations. It had never used a formal point-of-sale system in its stores, and in 2007 decided that it was time to get one. A secure system was one of its priorities, though it was about fourth on its priority list, behind things like ease of ordering, better customer service and building databases of customers, says Edward Rizk, the firm's development director.
