Point Of Sale Security
Recent news tells us that retail and hospitality organizations are under attack by cyber criminals. In fact, nearly half of the US companies and 30% of UK companies on the Top 250 Global Powers of Retailing have experienced a publicized breach. Why? These organizations have what cyber criminals want: credit card numbers. Because these businesses interact heavily with consumers, they collect massive amounts of credit card data.
Point Of Sale = Point Of Entry: POS Security & Cybercrime
Cyber criminals have found a new way in: the POS terminal. POS terminals have long been considered "dumb devices," and only 30% are protected by endpoint anti-malware. We've examined this issue and many others in this new white paper. This paper will help you understand the unique security challenges of POS devices and how iSheriff handles those challenges, including the startling size of this risk and why POS devices are the entry point, the three primary security vulnerabilities unique to POS devices, and which malware affects POS devices the most.
It's a real problem. Payment information is central to what a retailer does and increasingly sales are made with debit and credit cards instead of cash. The very numbers that enable retailers to operate must be protected at all costs. Yet this is the same information that cyber criminals desire. Consider these recent and well-reported case studies:
- Home Depot
  - While few details have emerged about the Home Depot breach, it's clear the attack hit the stores’ registers
  - The hack put as many as 56 million cards at risk
  - The home-improvement chain expects to pay about $62 million this year to recover from the incursion, including costs for call-center staffing and legal expenses
- Target
  - Target revealed that the company’s point-of-sale (POS) systems were infected with malware
  - Approximately 40 million credit and debit card accounts impacted by the breach; an additional 70 million names, email addresses, mailing addresses and phone numbers have also been stolen
POS systems are actually computers with peripherals like card readers and keypads attached to them. Many of these systems run a version of Windows Embedded as the OS as well as special cash register software. Hence, they can be both protected and hacked in the same manner as all other computers. However, protection on these devices is lacking.
Overview Of PCI Requirements
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.
Goals | PCI DSS Requirements |
Build and Maintain a Secure Network and Systems | |
Protect Cardholder Data | |
Maintain a Vulnerability Management Program | |
Implement Strong Access Control Measures | |
Regularly Monitor and Test Networks | |
Maintain an Information Security Policy | |
Organizations that are held to a PCI standard must satisfy these requirements and perform self-assessments to ensure continued compliance.