The chip card (EMV) era has arrived with the promise that card data in retail environments will be better protected. Cardholders get much greater security at the point of sale because the chip makes their card far harder to clone. But while it is now much more difficult for thieves to capture usable card data at the point of swipe, attackers are still breaking into POS systems and data is still being lost, almost daily.
Fast-food chain Wendy’s is facing a class-action lawsuit over a recent breach of its existing point-of-sale (POS) system. The Wendy’s breach follows numerous other large retail data breaches in recent years, including those at Michaels, eBay, Neiman Marcus, Target, and the largest of them all, Home Depot (56 million cards). Retailers have been shaken by these events: a recent study found that 100% of retailers cite cybersecurity as one of their top business concerns, up from only 55% in 2011, according to BDO, an advisory firm that has worked with consumer businesses for over 100 years.
Retail customer data breaches can cost a company millions of dollars in class action settlements, expose it to penalties for Payment Card Industry Data Security Standard (PCI DSS) violations, and irreparably harm its reputation. PCI compliance, however, is no guarantee that a retailer’s infrastructure is immune to breaches. It means only that a minimum baseline of controls was in place at the time of the assessment.
Following are five steps merchants in any industry can take to prevent their POS systems from being compromised:
1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks
POS data is most commonly stolen in one of two ways: by compromising the POS system itself, typically through stolen or default remote-access credentials followed by malware that scrapes card data from the terminal’s memory, or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. A skimmer, which takes only seconds to install, copies the track data from the card’s magnetic stripe; PINs are not stored on the stripe, so a skimmer is usually paired with a PIN-pad overlay or a hidden camera to capture them.
While chip cards greatly reduce the value of skimmed data (a cloned magnetic stripe cannot be used at a terminal that reads the chip), 42% of retailers have yet to update their payment terminals to accept chip cards, and some retailers with EMV-enabled terminals still cannot accept chip cards because their POS software cannot yet handle them. Skimmers remain a live threat wherever the magnetic stripe is still read, so such terminals must not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to inspect self-checkout terminals for them.
2. Ensure that Both POS and OS Software Is Up-to-Date
Because cybersecurity is a constant “Spy vs. Spy” battle in which vendors patch vulnerabilities while attackers find new ways in, POS software vendors release frequent updates to address the latest threats. For maximum protection these updates should be installed as soon as they are released, after a quick check on a non-production terminal, not on a monthly or quarterly schedule. The same applies to the operating system: retailers and restaurants running Microsoft Windows on their terminals should install patches as soon as they are available, and should not keep running versions the vendor no longer supports, since those receive no patches at all.
3. Always Change Default Manufacturers’ Passwords
Retailers and restaurants should change the manufacturer’s default password as soon as a new piece of hardware is connected to their POS system. Default passwords are published in vendor manuals and online, and are therefore widely known to attackers; in fact, the first thing an attacker will try is to log in to the device with its default credentials.
Changing vendor defaults is required for PCI DSS compliance (Requirement 2 covers vendor-supplied defaults, including passwords and unnecessary default accounts). Likewise, passwords for POS software, remote-access tools, and administrator accounts should be changed at installation and rotated regularly afterwards, and each site should have its own credentials rather than one password shared across every location, so that a single leaked password cannot open every store.
4. Isolate the POS System from Other Networks
Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never share that network, since anyone on the guest Wi-Fi could otherwise reach it. Likewise, if an organization’s POS system is not separated from its corporate network, an attacker who compromises the corporate network will be able to move on to the POS system. The fix is to segment the POS network from both the guest and corporate networks, with firewall rules that allow the POS segment to talk only to the payment processor and the few systems it genuinely needs, and to require multifactor authentication for any administrative or remote access into the POS segment. MFA on that access path complements segmentation; it is not a substitute for it.
The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
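As an added illustration of step 4 (this is example code written for this page, not code from the original article or from any vendor), here is a small Python policy checker that evaluates a firewall rule set under first-match semantics against the flows a segmented POS network should and should not permit. All subnets, addresses, rule sets and flows are constructed assumptions: 10.10.0.0/24 is the corporate LAN, 10.20.0.0/24 the guest Wi-Fi, 10.30.0.0/24 the POS segment, 203.0.113.10 the payment processor, and 10.10.0.5 an MFA-protected jump host used for POS administration. The “flat” rule set stands for the common case where everything sits on one LAN with no filtering; the “segmented” rule set is the corrected configuration.

```python
"""Check a firewall rule set against the flows a segmented POS network should allow.

Added example; every address, rule and flow below is constructed for
illustration and does not come from the article or any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones (assumptions, not from the article).
CORP = "10.10.0.0/24"          # back-office workstations
GUEST = "10.20.0.0/24"         # customer Wi-Fi
POS = "10.30.0.0/24"           # registers, kiosks, payment terminals
PROCESSOR = "203.0.113.10/32"  # payment processor gateway (TEST-NET address)
JUMP = "10.10.0.5/32"          # MFA-protected jump host for POS administration


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: Optional[int]    # None matches any destination port


def first_match(rules, src_ip, dst_ip, dport, default="deny"):
    """Return the action of the first rule matching the flow; default-deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return default


# (description, src_ip, dst_ip, dport, action the policy requires)
REQUIRED_FLOWS = [
    ("guest Wi-Fi -> POS SMB",         "10.20.0.50", "10.30.0.7",    445,  "deny"),
    ("guest Wi-Fi -> POS RDP",         "10.20.0.50", "10.30.0.7",    3389, "deny"),
    ("corp workstation -> POS RDP",    "10.10.0.77", "10.30.0.7",    3389, "deny"),
    ("POS -> arbitrary internet host", "10.30.0.7",  "198.51.100.9", 443,  "deny"),
    ("POS -> payment processor",       "10.30.0.7",  "203.0.113.10", 443,  "allow"),
    ("MFA jump host -> POS SSH",       "10.10.0.5",  "10.30.0.7",    22,   "allow"),
    ("guest Wi-Fi -> internet",        "10.20.0.50", "198.51.100.9", 443,  "allow"),
]


def audit(rules):
    """Return a list describing each required flow the rule set gets wrong."""
    violations = []
    for desc, src, dst, dport, want in REQUIRED_FLOWS:
        got = first_match(rules, src, dst, dport)
        if got != want:
            violations.append(f"{desc}: expected {want}, got {got}")
    return violations


# Weak configuration: guest Wi-Fi, office and registers on one flat LAN.
FLAT_NETWORK = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]

# Corrected configuration: the POS segment may reach only the processor,
# and nothing reaches the POS segment except the jump host (where MFA is enforced).
SEGMENTED = [
    Rule("allow", POS,   PROCESSOR,   443),
    Rule("deny",  POS,   "0.0.0.0/0", None),
    Rule("deny",  GUEST, POS,         None),
    Rule("allow", JUMP,  POS,         22),
    Rule("deny",  CORP,  POS,         None),
    Rule("allow", GUEST, "0.0.0.0/0", None),
    Rule("allow", CORP,  "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        found = audit(rules)
        print(f"{name}: {len(found)} violation(s)")
        for line in found:
            print("  " + line)
```

The flat rule set fails four of the seven required flows (guest and corporate hosts can reach the registers, and the registers can send data anywhere on the internet), while the segmented rule set passes all of them. A check like this only verifies the intended policy on paper; PCI DSS also requires that segmentation be verified by testing, so the same flows should be attempted from a real device on the guest Wi-Fi and on the corporate LAN once the rules are deployed.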
5. Always Purchase POS Systems from Reputable Dealers
Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As fast-food restaurants automate ordering for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems, but a POS system bought from a dealer who turns out to be fraudulent, or whose hardware was tampered with before delivery, is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.
POS system security requires expertise in both information security and PCI DSS compliance, the latter of which is mandatory for any organization that processes, stores, or transmits cardholder data. Retailers and restaurants that do not have sufficient in-house IT staff to handle data security and PCI DSS compliance should partner with an MSSP to ensure that their POS systems are both safe and compliant. MSSPs are flexible and can tailor their solutions to fit each company’s needs, from remote monitoring to on-site security staff, either in conjunction with existing staff or on their own.
Automation has lowered labor costs and improved efficiency and the customer experience in the retail industry, and will do the same in the restaurant industry, but the security of POS technology should not be disregarded. As POS data breaches continue to multiply, and especially as large fast-food chains plan to install brand-new ordering kiosks at a rapid pace, retailers and restaurants need to take proactive steps to protect their customers’ card data, and to protect themselves from lawsuits, government penalties, and reputation damage.