Point of Sale (POS) Systems: PCI Compliance Challenges

Sept. 8, 2009 - PRLog -- Making Sure Your Point Of Sale Equipment Is Secured

While credit card commercials show lines of dancing shoppers joyfully swiping their credit cards and extolling the convenience you get in a cashless society, they tend to forget to point out the very real danger of identify theft at the cash register.

Solidcore's director for embedded solutions, Monica Chauhan, a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS systems.

Locking it Down

“These point-of-sale systems can be vulnerable to exploitation if not properly locked down,” Chauhan says. In the past decades, these embedded devices consisted of specialized hardware running proprietary software, but in recent times, where Unified Point of Sale (UPoS) shifted the retail industry standards.

Chauhan observed that the standardization has enabled devices to become increasingly interconnected , allowing the use of off-the-rack software on commoditized hardware running commercial or open OS like Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), as well as Linux.

Chauhan also said, the security risks for POS equipment owners was accompanied by greater system flexibility and quicker development time of these equipments.

Some of These Systems Are Vulnerable

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm specializing in information security and compliance management solutions, agrees with Chauhan that many but not all POS systems are vulnerable to exploitation.

According to McCullen, dial-up swipe machines is a low-risk device, what's more prone to attacks are those computer-based and/or have Internet access devices; the threat lies in those two prime factors.

One other thing, McCullen said that if a POS system stores credit card track data, exploitation can occur, and the swipe terminals can be exploited by tampering.

In general, as McCullen explained, there is a low risk of exploit with hardware swipe terminals, instead a higher risk of tampering, but with tampering allows hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts in retrieving the data they need.

As Chauhan discuss other vulnerabilities, she says that because today our POS systems are similar to networked PCs, it requires constant patching. She included that embedded systems have also become vulnerable to unauthorized and inappropriate changes as they are handed off to others in the distribution channel. With these, it often results to malfunctions and can cause the equipment to no longer meet the PCI DSS (PCI Data Security Standard) requirements.

PCI DSS (PCI Data Security Standard) Challenges

Both Chauhan and McCullen agreed that POS equipment faces some unique challenges when complying with the PCI DSS.

PCI DSS requirement 5 states that a regularly updated antivirust software must be used, according to Chauhan. Antivirus software can be very high overhead for a low-footprint POS system, she even notes; inspite of that, the need for an antivirus software can be eliminated with a change control software.

As an example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thus prevented unauthorized code from breaking unpatched systems. It allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, Chauhan notes.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

“It is difficult for POS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and get put into production at the retail location,” Chauhan observes.

Though embedding Solidcore change control in its systems, StoreNext (www.storenext.com) - a large supplier of technology and POS systems for independent grocers and small retail stores - have solved their PCI DSS Requirement 6 patching challenges.

“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.

Other thorny areas, as McCullen specified, include user-based access controls and data encryption.

-------------------------------------------------------------

Want To Ask A Point of Sale (POS) Expert?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.

-------------------------------------------------------------

# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!