WRITTEN BY: Kyle Pugliese, Director of Payment Technologies and Security, Appetize Technologies Inc.
In our previous Payments Blog Series, Kyle Pugliese, Director of Payment Technologies and Security, dove into the ever-changing landscape of payment security, trending payment methods, and purpose-built hardware overtaking consumer devices. Today, Kyle shares insights into how to securely implement your Point of Sale system.
Here’s a quick look at our ten tips:
The first step to integrating a secure Point of Sale system starts with abiding by the Payment Card Industry Data Security Standard (PCI DSS). Although PCI outlines guidelines relating to payments, its practices also protect the system from other angles where data breaches could occur, like emails, names, phone numbers, and stored value cards. Even when using a PCI Validated P2PE offering, which reduces your scope as a merchant, following the PCI guidelines will protect your system. Just one guideline, network segregation, can go a long way to ensure performance isn’t degraded by non-POS traffic, malicious or not.
This sounds simple, but is commonly overlooked at an operational level. Don’t leave hardware in a place where a customer or someone with malicious intent could have easy access to it. Avoid leaving cash drawer keys within sight of the POS, always turn POS terminals away from guests so that the screens aren’t visible, and keep them in fixed locations and mounted when possible. Protecting sight of terminals may sound like overkill, but it would be easy for a patron to see manager keys, manually entered credit cards, and other data which needs to remain secured. As mobile POS, or mPOS, becomes more pervasive, there is an overlap between consumer devices and industry devices. This makes a POS more attractive to steal, since the thief can use it for personal means; it’s no longer just an industrial device. Having terminals mounted securely will ensure that they are not easily stolen.
When operators leave terminals unattended and logged in, this provides an easy opportunity for anyone to gain access to the system. This type of breach is most commonly seen at bar terminals or cashier stations. In this logged-in state, anyone can walk up to the terminal and perform functions without requiring any authentication. Would you leave your phone unlocked and sitting somewhere that is easily accessible by unknown parties? A similar mentality should be in place for POS sessions. Even worse, if Tip 2 isn’t followed along with Tip 3, then a user may also know the manager’s password and be able to refund transactions or add discounts without the operator’s knowledge.
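The two controls this tip calls for, an idle-timeout lock on unattended sessions and a role check on refunds and discounts, are straightforward to model. The following is an added example written for this post, not Appetize code; the `Terminal` and `Session` classes, the 60-second timeout, the `"cashier"`/`"manager"` role names and the same-user `unlock` check are all assumptions chosen for illustration (a real unlock would verify a PIN or password against stored credentials).

```python
"""Idle-timeout session lock plus role-gated privileged actions for a POS terminal.

Added example, not code from the original post. The clock is injectable so the
idle period can be simulated without sleeping.
"""
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 60          # assumed value; set per venue policy
PRIVILEGED_ACTIONS = {"refund", "discount"}   # actions the post reserves for managers


@dataclass
class Session:
    user: str
    role: str                      # assumed roles: "cashier" or "manager"
    last_activity: float
    locked: bool = False


class Terminal:
    def __init__(self, clock=time.monotonic):
        self._clock = clock        # monotonic seconds; replaceable for tests
        self.session = None

    def login(self, user: str, role: str) -> None:
        self.session = Session(user=user, role=role, last_activity=self._clock())

    def _check_idle(self) -> None:
        """Lock the session if it has been idle longer than the timeout."""
        s = self.session
        if s is not None and not s.locked and self._clock() - s.last_activity >= IDLE_TIMEOUT_SECONDS:
            s.locked = True

    def unlock(self, user: str) -> bool:
        """Re-authentication stand-in: only the session's own user may resume it."""
        self._check_idle()
        s = self.session
        if s is None or user != s.user:
            return False
        s.locked = False
        s.last_activity = self._clock()
        return True

    def perform(self, action: str) -> str:
        """Return 'ok', 'no_session', 'locked' or 'forbidden'."""
        self._check_idle()
        s = self.session
        if s is None:
            return "no_session"
        if s.locked:
            return "locked"            # unattended terminal: nothing works until re-auth
        if action in PRIVILEGED_ACTIONS and s.role != "manager":
            return "forbidden"         # cashier cannot refund or discount on their own
        s.last_activity = self._clock()
        return "ok"


def demo() -> list:
    """Cashier rings a sale, tries a refund, walks away, then someone else walks up."""
    now = [0.0]                        # simulated clock
    term = Terminal(clock=lambda: now[0])
    term.login("alice", "cashier")
    results = [term.perform("sale")]               # ok
    results.append(term.perform("refund"))         # forbidden: not a manager
    now[0] += IDLE_TIMEOUT_SECONDS + 1             # terminal left unattended
    results.append(term.perform("sale"))           # locked
    results.append(term.unlock("mallory"))         # False: wrong user
    results.append(term.unlock("alice"))           # True
    results.append(term.perform("sale"))           # ok again
    return results


if __name__ == "__main__":
    print(demo())
```

The key design point is that the idle check runs inside every operation rather than on a background timer, so a locked session can never slip through because the timer was late, and a privileged action fails closed on role rather than on whether the user happens to know a shared password.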
We live in a world where anyone with a phone or computer can be technically adept, so it’s only fitting that using encryption has become standard practice. Although Appetize uses TLS for all payment traffic, not all Point of Sale systems do. Some use proprietary encryption for credit cards which is susceptible to breaches and decryption. Using P2PE, or Point-to-Point Encryption, and EMV when available from your POS provider will ensure that payment data is much better protected. P2PE is an industry-standard type of encryption, and it greatly reduces the threat that stolen payment data would be in a format that could be decrypted or used maliciously.
As a POS provider, we are constantly scanning and testing our system for vulnerabilities. The same should be done for operational teams and customers installing POS. Think in terms of someone wanting to exploit the system and actively figure out ways to better protect against them. Are passwords guessable? Are proper authentication procedures in place? Is my hardware somewhere that an attacker could install a malicious application on it? These are all questions that should be reviewed to ensure holes are not left in the implementation of a POS.
Again, regardless of your PCI scope you should always protect your network, as other sensitive information is transmitted on it. Following basic security principles, the goal is to protect the Confidentiality, Integrity, and Availability of data (CIA). Confidentiality relates to keeping data secure and not available to unauthorized parties. Integrity ensures that data is not manipulated in transit; network security can greatly protect this as well, since data cannot be tampered with when it is transmitted correctly. This could be data coming from the POS, or updates going to the POS that may have malicious intent. Lastly, the availability of a system can be compromised. For a POS, this means the ability to process transactions.
POS security training should be given to all staff as a part of on-boarding and on an annual basis. Even though it may be high level, let staff know that the risks should be taken seriously. It’s more about the buy-in and understanding that security is a concern and staff will be held responsible. This is very similar to the signs that say “smile, you’re on camera.” Although there may not even be a camera present, they deter potential thieves and make security a visible concern and reality.
Regardless of your level within the organization, don’t trust anyone. Employees will try to steal; this is nothing new. It’s why controls exist around things that require manager permissions and why roles exist within a system. However, there are always exploits that will be found. Employees use the system more than anyone, and it is likely they will find unique “workarounds” that put money into their pocket rather than into the cash register. Don’t trust anyone with your credentials either, even during a busy rush when you trust the employee and think they may need them.
This rule commonly goes overlooked. Exploits will be found on systems, not just on the POS itself. Software is constantly evolving, and generally the attackers are ahead of the software manufacturer, including the operating system vendor. Zero-day exploits are the cause of many large breaches and by definition are exploited before the software manufacturer even knew they existed. Patching systems is a great way to ensure that any known exploits for your system are plugged and no longer available. As a POS provider, we are constantly patching and updating systems. It’s always important to ensure that your POS provider is ready for the latest updates. Generally security patches do no harm, but larger operating system updates may need to first be validated and then rolled out to customers.
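Tip 6 warns about updates going to the POS that may have malicious intent, and this tip asks you to apply patches quickly. The two fit together only if the terminal checks that an update really came from the provider before installing it. The following is an added example, not Appetize code, of the check a terminal can run: it authenticates a manifest, verifies the package hash the manifest vouches for, and refuses version rollbacks. The manifest layout, the version numbers and the shared `PROVIDER_KEY` are constructed for this illustration; the HMAC stands in for the public-key signature a real provider would use, so that the example runs with only the standard library.

```python
"""Verify a POS software update before applying it.

Added example, not code from the original post. Order matters: the manifest
signature is checked first, so the hash it carries is trusted only after the
manifest itself has been authenticated.
"""
import hashlib
import hmac
import json

# Assumption: a secret provisioned by the POS provider. A production system
# would use a public-key signature so the terminal holds no signing secret.
PROVIDER_KEY = b"constructed-demo-key"


def _manifest_bytes(version: int, sha256_hex: str) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes
    return json.dumps({"version": version, "sha256": sha256_hex}, sort_keys=True).encode()


def sign_manifest(payload: bytes, version: int, key: bytes = PROVIDER_KEY) -> dict:
    """Provider side: produce the manifest that accompanies an update package."""
    digest = hashlib.sha256(payload).hexdigest()
    sig = hmac.new(key, _manifest_bytes(version, digest), "sha256").hexdigest()
    return {"version": version, "sha256": digest, "sig": sig}


def verify_update(payload: bytes, manifest: dict, installed_version: int,
                  key: bytes = PROVIDER_KEY) -> tuple:
    """Terminal side: return (ok, reason) for a downloaded package and manifest."""
    expected = hmac.new(key, _manifest_bytes(manifest["version"], manifest["sha256"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "bad_signature"      # manifest not from the provider
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "hash_mismatch"      # package altered after signing
    if manifest["version"] <= installed_version:
        return False, "downgrade"          # a signed but older build is still rejected
    return True, "ok"


def demo() -> list:
    """Run the verifier over a good update and three rejected cases."""
    package = b"pos-app build 21 (constructed bytes)"
    manifest = sign_manifest(package, version=21)
    results = [verify_update(package, manifest, installed_version=20)[1]]          # ok
    results.append(verify_update(package + b"\x00", manifest, 20)[1])             # hash_mismatch
    unknown = sign_manifest(b"other build", version=22, key=b"unknown-key")
    results.append(verify_update(b"other build", unknown, 20)[1])                  # bad_signature
    older = sign_manifest(package, version=19)
    results.append(verify_update(package, older, 20)[1])                           # downgrade
    return results


if __name__ == "__main__":
    print(demo())
```

The downgrade check is the piece most often forgotten: an update that is authentic but older than what is installed would re-open the very holes the patch closed, so the terminal should record the installed version and refuse to go backwards.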
The cloud exists for a reason. It’s scalable, flexible, and keeps vulnerable hardware off site. It can be upgraded seamlessly, and new components can be introduced without the customer having to do anything. All of the patch management, security, and updates become a core responsibility of the POS provider, and the on-site staff only have to worry about the operational components and systems used day to day, not the underlying infrastructure. To that end, it is imperative that a POS provider with a great track record and strong security policies is selected.
Kyle Pugliese is the Director of Payment Technologies and Security at Appetize. He received his undergraduate degree from Pennsylvania State University with a Bachelor of Science, Hotel, Restaurant and Institutional Management. He went on to receive his Master of Science in Cybersecurity from The University of Maryland University College. Kyle is a motivated individual who enjoys a challenge. He applies principles of pragmatic marketing to his solutions to ensure effective problem solving. In his spare time Kyle is an avid photographer and can be followed here: https://www.flickr.com/photos/kylepugliese/