How You and Your Customers Benefit From Good POS Security

in Technology by Nick Shaw


Whether you’re trading online or in a physical store, your retail business relies on a point-of-sale (POS) system for efficient payment processing and capturing valuable customer information. This data helps you give customers a better experience, but you must protect it at all costs.

That’s why it’s vital to put POS security measures in place, to reduce the risk of cybercriminals accessing your system and stealing your customers’ credit card details or personal information.

Can POS be hacked? Are POS transactions safe? This post will answer these questions and more, and provide tips on how to protect your customers’ data and your business.

What is POS security?

POS security refers to any protocols and safety measures surrounding your point-of-sale system, or any action that you take to prevent a data breach. This might include digital solutions such as encryption, antivirus software, and firewalls, plus physical measures such as checking POS terminals for anomalies and locking them in a secure place when not in use.

The aim is to prevent unauthorized access to the system by hackers who want to steal (and/or sell) customers’ personal and financial details. POS security helps you create a safer environment for customers to make purchases from your business.

Why is POS security so important?

Cybercriminals understand how much retail businesses depend on their POS systems and seek to exploit that reliance. There’s a huge volume of known and unknown threats, with new POS malware being written all the time. For multichannel retailers the exposure is larger still, because every additional channel is another system that handles card data and another way in.

The number one issue is that customer information could be used for fraud or identity theft. You need to be able to reassure shoppers that you’ve done everything possible to prevent a breach, or you’ll lose their trust. 81% of consumers would stop engaging with a brand online following a data breach.

Image Sourced from Kaspersky

Failing to protect customer data isn’t only a problem for your reputation. IBM’s 2022 Cost of a Data Breach report put the global average cost of a breach at $4.35 million ($9.44 million in the US). You could also face legal action from customers whose information was compromised.

If the breach means your POS system goes down, you’ll lose out on sales. And it’s not just the terminal that’s affected. POS software is integrated with your other business systems, such as inventory management and accounting, and every one of those integrations is a path an attacker can follow once they have a foothold on the POS.


What are the risks for POS systems?

No matter how advanced your POS system is, there will always be some level of risk. Cybercriminals can potentially access millions of credit card details just by compromising one application. They’re always looking out for potential weaknesses, such as an employee opening a malicious attachment or clicking a phishing link on a machine that shares a network with the terminals.

A malware attack is when an attacker gets into your system and installs POS malware, malicious software built specifically to steal card details. The classic technique is memory scraping: the malware reads the POS application’s memory, where card numbers and track data sit unencrypted for a moment during each transaction, pattern-matches anything that looks like a card number, and quietly collects it. Prilex, a family Kaspersky has tracked for years, goes further and tampers with the transaction itself. The harvested data is eventually exfiltrated to a server the attacker controls. You will probably not notice any of this happening, although it sometimes causes a system outage.

Another type of attack targets POS hardware: a small card reader or overlay, known as a skimmer, is fitted to a physical POS terminal or a self-serve payment kiosk. It captures card data from every swipe and either stores it for the criminal to collect later or transmits it to them wirelessly.

In addition, employees could accidentally lose devices containing POS software, allowing anyone that picks up the device to view or steal data.

Examples of POS data breaches

Target famously suffered a POS security breach in 2013, when details of 40 million credit and debit cards were stolen by memory-scraping malware installed on its terminals. This cost the retailer more than $200 million, including the cost of a lawsuit. In 2016, 1,025 Wendy’s restaurants were found to be infected with POS malware, and the firm ended up paying $50 million to settle legal claims from those affected.

Image Sourced from BleepingComputer

How can I secure my POS system?

The consequences of a data breach are clearly far-reaching. But the good news is that businesses of all sizes can take practical steps to defend themselves against cyberattacks. Here are some best practices you can follow.

Risk assessment

The first step is to consider all the potential ways an attacker could gain access. Inventory every system where cardholder or customer data is stored, processed or transmitted (terminals, back-office servers, the e-commerce site, and the integrations with your accounting and inventory software), and evaluate the security measures already in place at each. This should highlight any gaps and show how prepared you are for an attack. Write a contingency plan now for if the worst happens: who you call, how you isolate affected terminals, and how you keep trading in the meantime.

Password security

This is a habit you and your employees should maintain for all systems and apps. Use long, unique passwords (a password manager makes this practical), and change the default password on any new POS software or equipment before it goes live; lists of vendor defaults are public, and they are the first thing an attacker tries. Rotate a password immediately if you suspect it has been exposed, and note that PCI DSS sets its own minimums for accounts that can reach cardholder data, including 90-day rotation where a password is the only authentication factor. Turn on two-factor authentication wherever the vendor supports it, especially for remote access, and set user permissions so that a cashier login cannot change configuration or install software.

End-to-end encryption

This technology limits your exposure by keeping card data unreadable while it travels from the card reader to the payment processor. The payment industry’s term is point-to-point encryption (P2PE): the card number is encrypted inside the reader at the moment of swipe, dip or tap, and is decrypted only at the processor. Neither the POS application nor your store network ever holds a plaintext card number, so memory-scraping malware on the POS finds only ciphertext, and the scope of your PCI DSS obligations shrinks accordingly.
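The two paragraphs above, on memory scraping and on end-to-end encryption, are two sides of one fact: a RAM scraper only works if card data ever sits in the POS process in the clear. The following Python is an added example, not code from the original article or from any POS vendor. It implements the search a scraper (or a forensic analyst checking a memory dump) performs, namely regex matching for track 2 data and bare card numbers followed by a Luhn check, and runs it over two constructed memory snapshots: one from a POS that handles plaintext card data and one from a POS fitted with a P2PE reader, where the terminal only ever sees a key serial number and ciphertext. The buffer contents, field names and the two public test card numbers are assumptions made for the example.

```python
import re

# Track 2 data as a magstripe reader emits it: ;PAN=YYMMSSSdiscretionary?
# (PAN 12-19 digits, '=' separator, 4-digit expiry YYMM, 3-digit service code).
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})[^?]*\?")
# Bare 13-19 digit runs, the other thing a scraper hunts for.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every real card number passes; scrapers use it to drop false hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> list[dict]:
    """Find card data in a memory buffer the way a RAM scraper does (or the way a
    forensic tool checks whether card data ever sits in the POS process unencrypted)."""
    hits, seen = [], set()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"pan": pan, "expiry": m.group(2).decode(),
                         "service_code": m.group(3).decode(), "source": "track2"})
            seen.add(pan)
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan not in seen and luhn_ok(pan):
            hits.append({"pan": pan, "source": "bare_pan"})
            seen.add(pan)
    return hits


def mask(pan: str) -> str:
    """First six and last four only, the most a receipt or log should ever show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed snapshot of a POS process that handles plaintext card data.
# 4111111111111111 and 5555555555554444 are public test numbers, not real cards.
PLAINTEXT_POS_MEMORY = (
    b"POSApp v3.2 txn_id=000184 amount=4299 "
    b";4111111111111111=25121010000000000000? "   # track 2 straight from the swipe
    b"lookup=ORD-5555555555554444 "               # a PAN left behind in a string variable
    b"decoy=4111111111111112 "                    # fails Luhn: not a card number
)

# Constructed snapshot of the same POS with a P2PE reader: the terminal only ever
# sees a key serial number (KSN) and ciphertext, so there is nothing to scrape.
P2PE_POS_MEMORY = (
    b"POSApp v3.2 txn_id=000185 amount=1999 "
    b"KSN=FFFF9876543210E00003 "
    b"DATA=9a3f0c7e2b81d4f6e0a1c9b3d7e5f2a4c6e8 "
)

if __name__ == "__main__":
    for name, mem in (("plaintext POS", PLAINTEXT_POS_MEMORY), ("P2PE POS", P2PE_POS_MEMORY)):
        found = scan_buffer(mem)
        print(f"{name}: {len(found)} card record(s)")
        for h in found:
            print("  ", mask(h["pan"]), h["source"])
```

Run against a real process dump, the same scan tells you whether your POS integration is leaking plaintext card numbers into logs or string fields (the `lookup=` case above), which is exactly what P2PE is supposed to make impossible.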

Software updates

Even if your POS software is relatively new, install any updates your vendor issues, and do so promptly. Security vulnerabilities are found all the time, and updates often contain the patches that close them; an unpatched terminal is an easy target. You could also consider POS terminals that accept EMV chip and contactless payments: each such transaction is authorised with a one-time cryptogram, so data captured from it cannot be replayed the way a copied magnetic stripe can.

Anti-virus software

Antivirus software, anti-malware programs, and firewalls all help you to prevent POS attacks. They can detect known malware and viruses, as well as potentially unsafe apps, files, or user activity, and will alert you when there is a potential issue. Keep them running continuously with signatures up to date, but don’t rely on them alone: POS malware is often custom-built and tested against mainstream antivirus before it is deployed, which is why application whitelisting and network controls matter too.

Image Sourced from Fortinet

Whitelisting

Whitelisting (also called application allowlisting) means that only the specific applications you have approved can run on the POS system; anything else is blocked. That keeps out email clients and web browsers, which are the usual way malware arrives, and it also blocks a malware binary an attacker manages to drop, because it isn’t on the list. So, if you want to send an automated follow-up email after a POS sale, do it from a separate system.
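Commercial POS allowlisting products enforce the rule above by comparing each executable against a manifest of cryptographic hashes taken from a known-clean image. The Python below is an added example of that mechanism, not code from the article or from any product: it builds a SHA-256 manifest of a (constructed) install directory, then detects a dropped binary and a trojaned driver, and shows the per-file allow/deny decision. The directory layout, file names and file contents are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every file under root: run once on the clean 'golden image' to make the allowlist."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def is_allowed(path: Path, root: Path, manifest: dict[str, str]) -> bool:
    """Enforcement decision: run only if the file is listed AND its hash still matches."""
    rel = path.relative_to(root).as_posix()
    return rel in manifest and sha256_file(path) == manifest[rel]


def check_against_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Audit view: what is on disk now versus what the allowlist says should be there."""
    current = build_manifest(root)
    return {
        "unknown": sorted(set(current) - set(manifest)),      # dropped files: blocked
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "missing": sorted(set(manifest) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: clean install, then an intrusion that drops a binary and patches a driver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"POS application binary (constructed)")
        (root / "bin" / "pinpad.dll").write_bytes(b"PIN pad driver (constructed)")
        manifest = build_manifest(root)            # taken while the image is known-clean

        # Later: the attacker drops a new executable and injects a hook into the driver.
        (root / "bin" / "dropper.exe").write_bytes(b"not on the allowlist (constructed)")
        (root / "bin" / "pinpad.dll").write_bytes(b"PIN pad driver + injected hook (constructed)")

        report = check_against_manifest(root, manifest)
        report["decisions"] = {
            rel: is_allowed(root / rel, root, manifest)
            for rel in ("bin/pos.exe", "bin/pinpad.dll", "bin/dropper.exe")
        }
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the modified driver is denied even though its name is on the list: allowlisting by path alone would have let the trojaned file run, which is why real products key on the hash (or a vendor signature) rather than the file name.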

Criminals can also reach a POS system remotely, usually through something on the same network that talks to the outside world: a back-office PC, guest Wi-Fi, or a vendor’s remote-support connection (the Target attackers got in with credentials stolen from an HVAC contractor). Put the terminals on their own segmented network, allow them to connect only to the payment processor and your update server, and require two-factor authentication for any remote access.

Employee security

All employees should receive security training, so that they follow best practice on passwords and know what a card skimmer looks like. Most POS attacks come from outside, but staff with legitimate access can abuse it, so it’s also important to watch for suspicious colleague behavior. If an external POS technician turns up, verify their identity and the visit with the vendor before letting them near a terminal; posing as an engineer is a common way to get hands on a device.

Keep track of every company-owned device so that you know straight away if one is missing. Employees should shut down the devices at the end of each working day, and lock them in secure locations with restricted access. If you have security cameras in store, make sure they have a view of POS terminals (but obviously not close enough to see a customer’s PIN).

Regulatory compliance

Make sure you comply with any regulatory requirements, such as those regarding data privacy and protection. The Payment Card Industry Data Security Standard (PCI DSS) is a contractual standard rather than a law, but it applies to any organization that stores, processes or transmits cardholder data for the major card brands. It covers card readers, online shopping carts, networks, routers, servers, and paper files.

The PCI DSS is administered by the PCI Security Standards Council, which advises organizations to eliminate stored cardholder data wherever possible (data you don’t hold cannot be stolen from you) and to work with their acquiring bank and the card brands to detect and reduce fraud. Non-compliance can lead to fines passed down by the card brands through your acquiring bank, higher transaction fees, or, after a breach, losing the ability to accept cards at all.

Image Sourced from Altamira

Monitoring and testing

If you bought the software from a reputable vendor, it will already have been through rigorous automated and manual testing. But new vulnerabilities are discovered in old code all the time and configurations drift, so conduct regular vulnerability scans and penetration tests to find weaknesses before an attacker does (PCI DSS itself requires quarterly scans and an annual penetration test), and monitor logs for anomalous activity, such as a terminal talking to an address you don’t recognise. Monitor any third-party services you use too: a compromised integration partner is a route into your system.
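The segmentation advice above (terminals may only talk to the payment processor and the update server) and the monitoring advice in this section combine into one simple, high-value detection: any connection from the POS network to anywhere else is an alert. The following Python is an added example, not code from the article or from any firewall vendor. It parses a handful of constructed firewall log lines, ignores hosts outside the POS subnet, flags every POS connection whose destination and port are not on the egress allowlist, and totals the bytes each terminal sent to unapproved destinations, which is the figure an incident responder wants first when malware is exfiltrating card data. The subnet, allowlist, log format and addresses are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Assumed addressing: the POS terminals live in one dedicated VLAN and may only
# ever talk to the payment processor's gateway and an internal update server.
POS_SUBNET = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_EGRESS = [
    (ipaddress.ip_network("198.51.100.0/24"), 443),   # payment processor gateway (assumed)
    (ipaddress.ip_network("10.20.1.5/32"), 443),      # internal patch/update server (assumed)
]

# Assumed key=value firewall log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed log lines, not real traffic. 203.0.113.45 plays the attacker's drop server.
SAMPLE_FIREWALL_LOG = """\
2023-09-15T02:13:44Z src=10.20.5.17 dst=198.51.100.20 dport=443 bytes=2048
2023-09-15T02:14:02Z src=10.20.5.17 dst=10.20.1.5 dport=443 bytes=51200
2023-09-15T02:14:30Z src=10.20.5.23 dst=203.0.113.45 dport=443 bytes=3145728
2023-09-15T02:15:01Z src=10.20.5.23 dst=203.0.113.45 dport=8443 bytes=1200
2023-09-15T02:15:40Z src=10.20.9.4 dst=203.0.113.45 dport=443 bytes=900
2023-09-15T02:16:12Z src=10.20.5.17 dst=198.51.100.20 dport=80 bytes=400
"""


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def is_allowed(dst: str, dport: int) -> bool:
    """Destination AND port must match an allowlist entry; right host on the wrong port still fails."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport == port for net, port in ALLOWED_EGRESS)


def find_suspicious(lines) -> list[dict]:
    """Every connection from a POS host to a non-allowlisted destination is an alert."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in POS_SUBNET:
            continue                                  # malformed, or not a POS terminal
        if not is_allowed(rec["dst"], rec["dport"]):
            rec["reason"] = "POS host egress to non-allowlisted destination"
            alerts.append(rec)
    return alerts


def bytes_per_host(alerts) -> dict[str, int]:
    """Volume sent to unapproved destinations, per terminal: a rough exfiltration gauge."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["src"]] += a["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_FIREWALL_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} {a['bytes']} bytes  {a['reason']}")
    print("bytes to unapproved destinations:", bytes_per_host(found))
```

The back-office host on line five is deliberately ignored: the rule is only this simple because the terminals are segmented, so the same logic applied to a flat network would drown in noise. The three-megabyte transfer from 10.20.5.23 is the line a human should look at first.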

Backup your data

The steps described above will help you to protect your business and customers, but they can’t guarantee that you’ll never be hacked. It’s vital that you back up all your data regularly, so that it’s not lost forever in the event of an attack.

If you have an on-premises computer system, you’ll have to do this yourself. Cloud-based systems usually back up automatically, but confirm with the vendor what is backed up and how quickly it can be restored, and keep at least one copy offline so that an attacker who encrypts or wipes your POS cannot take the backup with it. Test a restore before you need one.

Final thoughts

POS systems help you run your retail business more efficiently, but they also represent a significant security risk. Don’t treat POS security as an afterthought, or assume that your system is too modern to be compromised. A cyberattack can happen to anyone.

Implementing robust POS security means you’re doing everything possible to protect customer data and payment card details. It also protects you against financial losses, including legal action, if you do experience an attack. Constant vigilance and the right software make that less likely.

About the Author

Nick Shaw

Nick Shaw has been Chief Revenue Officer (CRO) of Brightpearl, the number one retail-focused digital operations platform which encompasses sales and multichannel inventory management software, accounting, logistics, CRM and more, since July 2019 and is responsible for EMEA Sales, Global Marketing and Alliances. Before joining Brightpearl, Nick was GM and Vice President of the EMEA Consumer business at Symantec and was responsible for a $500m revenue business.

