POS Systems: The Challenges In PCI Compliance

If you are checking whether your restaurant is ready for PCI compliance, this advice covers some of the most challenging parts of complying with the PCI DSS standards.
 
Sept. 8, 2009 - PRLog -- Point-of-Sale Equipment: Securing Your POS

While TV credit card commercials show how merrily shoppers can go around buying things with their credit cards and delight in how convenient it is to have one, they tend to leave out the very real threat of identity theft at the cash register.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at Point of Sale (POS) systems.

Lock Down Your POS

These POS systems, if not properly locked down, can be vulnerable to attacks. In past decades, these embedded devices consisted of specialized hardware running proprietary software, but in recent times Unified Point of Sale (UPoS) has shifted the standards in the retail industry.

Chauhan has also observed that standardization has enabled devices to become increasingly interconnected, allowing the use of off-the-shelf software on commoditized hardware running commercial or open operating systems (OS) such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux.

According to Chauhan, greater system flexibility and quicker development time have created security risks for POS equipment owners.

Some of The Systems Are Vulnerable

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm specializing in information security and compliance management solutions, agrees with Chauhan that many, but not all, POS systems are vulnerable to attacks.

“A little dial-up swipe machine is a low-risk device,” McCullen says. “POS equipment more prone to vulnerable exploitation are those that are computer-based and/or have Internet access; the risk lies in those two prime factors.”

If a POS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through tampering, according to McCullen.

In general, McCullen explained, hardware swipe terminals carry a low risk of exploitation but a higher risk of tampering, and tampering easily allows hackers to read the cards, whether through a Bluetooth device used later to retrieve the card data or through other means of getting the data they need.

Chauhan points out other vulnerabilities. She claims that because today’s POS systems are similar to networked PCs, they require constant patching. Chauhan also said that embedded systems have become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. This often results in malfunctions and can cause the equipment to no longer meet the PCI DSS (PCI Data Security Standard) requirements.

PCI DSS Challenges

Both Chauhan and McCullen agreed that Point of Sale equipment faces unique challenges in PCI DSS compliance.

PCI DSS Requirement 5 states that regularly updated antivirus software must be used, according to Chauhan. Antivirus software can be an overhead expense for a low-footprint POS system, she notes; in spite of that, you can eliminate the need for antivirus with the aid of change control software.

For example, NEC Infrontia installed change control software on its POS offerings that prevented unauthorized code from breaking unpatched systems. It allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, according to Chauhan.

Under PCI DSS Requirement 6, developing and maintaining secure systems and applications is a must. It also presents unique challenges, Chauhan notes.

It will be difficult for POS equipment providers to ensure that their systems still meet PCI compliance after the equipment is shipped through the dealer network and put into production.

According to Chauhan, StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, solved PCI DSS Requirement 6 patching challenges by embedding Solidcore change control in its systems.

“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.

Other challenging areas, as McCullen specified, include user-based access controls and data encryption.

-------------------------------------------------------------

Want To Ask A Point of Sale (POS) Expert?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years of experience in the restaurant point of sale industry.

-------------------------------------------------------------

# # #
