How Can I Face The Challenging Part In PCI Compliance

Sept. 8, 2009 - PRLog -- Securing Your Point Of Sale Equipment

In credit card commercials, although they show us a couple of happy shoppers swiping their credit cards as they go on a shopping spree and enjoying the convenience of a cashless society, they don't care to discuss the risk of identify theft when using credit cards.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.

Locking it Down

These POS systems are vulnerable to attacks if not properly locked down. In the past decades, these embedded devices consisted of specialized hardware running proprietary software, but in recent times, where Unified Point of Sale (UPoS) shifted the retail industry standards.

Chauhan observed that the standardization has enabled devices to become increasingly interconnected , allowing the use of off-the-rack software on commoditized hardware running commercial or open operating systems (OS) such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), as well as Linux.

According to Chauhan, greater system flexibility and quicker development time has created security risks for POS equipment owners.

These Are Vulnerable Systems

The CEO of Trustwave (www.trustwave.com), Robert J. McCullen, a security firm focusing on the security of information and compliance management solutions, agreed to Chauhan that many but not all POS systems are vulnerable to exploitation.

According to McCullen, dial-up swipe machines is a low-risk device, what's more vulnerable are devices that are computer-based and/or have Internet access; risk lies in those two prime factors.

One other thing, McCullen said that if a POS system stores credit card track data, exploitation can occur, and the swipe terminals can easily be exploited through tampering.

In general, as McCullen explained, there is a low risk of exploit with hardware swipe terminals, rather a higher risk of tampering, but along with tampering is the opportunity for hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts in retrieving the data they need.

As Chauhan further points out other vulnerabilities, she claims that because today our POS systems are similar to networked PCs, they need constant patching. Chauhan also included that embedded systems have also become susceptible to attack through changes that are unauthorized and inappropriate as they are handed off to others in the distribution channel. Results of this can cause malfunctions to the equipment and may even loose their PCI DSS (PCI Data Security Standard) requirements.

PCI DSS Challenges

Chauhan and McCullen both agreed that POS equipment is faced with unique challenges when it comes to complying with the PCI DSS.

PCI DSS requirement 5 states that a regularly updated antivirust software must be used, according to Chauhan. An ativirus software can be a very high overhead expense for a low POS system, she notes; by contrast, change control software can eliminate the need for antivirus software.

For example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thus prevented unauthorized code from breaking unpatched systems. With this software, NEC Infrontia was able to remove the antivirus software that was affecting the performance of their devices, according to Chauhan.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

It will be challenging for POS equipment providers in ensuring that their systems supplies the PCI compliance after they are shipped put into production through the dealer network.

One of the large suppliers of technology and POS systems for independent grocers and small chains, StoreNext (www.storenext.com), have solved their patching challenges with PCI DSS Requirement 6 though embedded Solidcore change control in its systems.

In addition, the amount of time spent was reduced by StoreNext on monthly test and patch distribution cycles by reducing its patch frequency to quarterly. Chauhan also claims that the PCI auditing requirement can be met through change control software.

Other challenging areas, as McCullen affirmed, include data encryption and user-based access controls.

---------------------------------------

Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.

---------------------------------------

# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!