In Depth

Security at the Point of Sale

Cash, cards, inventory and customer data intersect at the point of sale. Here's how to keep your defenses up to date.

By Michael Fitzgerald

Page 5

Rizk says that he picked a vendor, DiamondTouch, that develops systems specifically for pizza stores. But it was a big plus that it offered managed security services and also gave them the option to integrate a surveillance camera with the point-of-sale system. Such systems time-stamp the video every time the cash register drawer opens, allowing store owners to monitor whether money is staying where it belongs.

The systems don't use wireless at all; DiamondTouch encourages franchisees to change their passwords on a monthly basis and makes sure they're encrypting their data. The franchisees are not expected to send data on operations or customers back to the central office, Rizk says.

Even so, the system isn't ironclad. Original Pizza Pan wants its store owners to save their data on a separate computer as a backup. Rizk says, "I recommend to my franchises that they download their database to a computer that does not have Internet access." But whether they really listen to him, he doesn't know. "That's their business," he says.

Rizk is in the enviable position of being able to start from scratch. Most established retailers don't have that luxury, says RSR's Kilcourse. Worse, a large retailer probably has the ultimate distributed computing environment, which makes it a huge headache to upgrade.

"If you have 3,000 stores with 10 to 12 point-of-sale systems apiece, you have a management problem of very large proportion," Kilcourse says. "How do you safely upgrade so many systems? And if you're going to do it, how do you afford the cost?"

He says that it's almost financially impossible for a large retailer to go through a major replacement of point-of-sale systems. In fact, he says he's heard a retail CIO say his point-of-sale system was "old enough to drink."

The downturn means that retailers will likely hang on to technology even longer. The threat of fines for not complying with PCI is spurring companies to upgrade. But it's hard for retailers to cost-justify many types of technology upgrades.

For instance, chip-and-PIN technology for credit cards, prevalent in Europe, is more secure than using classic magnetic-stripe cards. TJX Vice Chairman Donald Campbell told The Boston Globe in late August that he'd like to see retailers, banks and card issuers pool their resources and upgrade all cards and readers to the chip-and-PIN system. The cost: about $2 per credit card and as much as $500 per reader, multiplied by 12 million readers. Campbell told the Globe that it would probably cost TJX $20 million to upgrade to chip-and-PIN readers. (TJX did not respond to a request for comment for this article.)
