PCI Compliance Challenges (Point of Sale System)

For some, PCI compliance seems easy to pass, but for others there are issues that need to be fixed in order to comply with the standards set by the credit card industry. So here are some of the challenging parts of PCI compliance.
 
Sept. 8, 2009 - PRLog -- Point of Sale (POS) Equipment: Securing Your POS

While credit card commercials show lines of dancing shoppers happily swiping their credit cards and extolling how convenient they are to use, they do not care to discuss the peril of identity theft when using credit cards.

Monica Chauhan, director for embedded solutions at Solidcore, a leading provider of real-time change control software, cites Gartner Group statistics showing that 4 out of five data breaches occur at Point of Sale (POS) systems.

Lock It Down

These Point of Sale systems are susceptible to attacks if not properly locked down. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”

Chauhan observed that this standardization has enabled devices to become increasingly interconnected, allowing the use of off-the-shelf software on commoditized hardware running commercial or open operating systems such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux.

According to her, the greater system flexibility and quicker development time of this equipment came with increased security risks for POS equipment owners.

Vulnerable Systems

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm that specializes in information security and compliance management solutions, agrees with Chauhan that there are many POS systems that are susceptible to attacks.

According to McCullen, dial-up swipe machines carry low risk; the devices more prone to attack are those that are computer-based and/or have Internet access, and the peril lies in those two prime factors.

If a POS system stores credit card track data, exploitation can occur, and swipe terminals can be tampered with, according to McCullen.

In general, as McCullen explained, hardware swipe terminals face only low-risk exploits but a higher risk of tampering; tampering allows hackers to read the cards, whether through a Bluetooth device used later to retrieve the card data or through other means of retrieving the information.

Chauhan pointed out other vulnerabilities: because today's POS systems are similar to networked PCs, constant patching is required. She added that embedded systems have also become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. These changes often result in malfunctions and can cause the equipment to no longer meet the PCI DSS (PCI Data Security Standard) requirements.

PCI DSS Challenges

Both Chauhan and McCullen agreed that Point of Sale equipment faces unique challenges in complying with the PCI DSS.

Chauhan says that PCI DSS Requirement 5 states that antivirus software must be used and updated regularly. Antivirus software can be a very high overhead expense on a low-footprint POS system, she notes; by contrast, change control software can eliminate the need for antivirus.

For example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thus prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was affecting the performance of its devices, Chauhan notes.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

It will be tough for POS equipment providers to ensure that their systems remain PCI compliant after the equipment is shipped through the dealer network and put into production.

StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small retail stores, has solved its patching challenges with PCI DSS Requirement 6 by embedding Solidcore change control in its systems.

In addition, StoreNext reduced the time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly. The PCI auditing requirement can be met through change control software, Chauhan claimed.

Other challenging areas include data encryption and user-based access controls, McCullen states.

---------------------------------------------------------

Want To Ask A Point of Sale (POS) Expert?
For more information and advice on this topic, you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.

---------------------------------------------------------
