PCI Compliance for POS Systems: Dealing With The Difficult Part

Here are a few pieces of advice that can help you deal with PCI DSS compliance. This set of standards is meant to give cardholders more protection against information theft and to protect the reputation and image of vendors and restaurateurs.
 
Sept. 8, 2009 - PRLog -- POS System Equipment: Securing Your POS

While credit card commercials show how merrily shoppers can go around buying things with their credit cards and glorify how convenient life in a cashless society is, they do not care to discuss the peril of identity theft that comes with using credit cards.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.

> Lock It Down

“These point-of-sale systems can be vulnerable to exploitation if not properly locked down,” Chauhan says. In past decades these embedded devices consisted of specialized hardware running proprietary software, but in recent times Unified Point of Sale (UPoS) has shifted the retail industry's standards.

“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux,” Chauhan observes.

Chauhan also said that the security risks for POS equipment owners come from the greater system flexibility and quicker development time of this equipment.

> Some Systems Are Vulnerable

Robert J. McCullen, CEO of Trustwave (www.trustwave.com), a security firm that focuses on information security and compliance management solutions, agrees with Chauhan that many, but not all, POS systems are vulnerable to exploitation.

According to McCullen, a small dial-up swipe machine is low risk, but devices that are computer-based and/or have Internet access are more vulnerable; those two factors are where the threat lies.

According to McCullen, if a POS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through tampering.

In general, as McCullen explained, hardware swipe terminals carry a low risk of software exploits but a higher risk of tampering, and tampering gives attackers the opportunity to read cards, whether through a Bluetooth device used later to retrieve the card data or through other means of getting the data they need.

Discussing other vulnerabilities, Chauhan notes that because today's POS systems are similar to networked PCs, they need constant patching. She adds that embedded systems have also become susceptible to attack through inappropriate and unauthorized changes as they are handed off to others in the distribution channel. Such changes often cause the equipment to malfunction and/or to no longer meet PCI DSS (PCI Data Security Standard) requirements.

> The Challenges With PCI DSS

Chauhan and McCullen both agreed that POS equipment faces unique challenges with PCI DSS compliance.

Chauhan says that PCI DSS Requirement 5 states that antivirus software must be used and updated regularly. Antivirus software can be an overhead expense for a low-end POS system, she notes; however, the need for antivirus software can be eliminated with change control software.

For example, NEC Infrontia installed change control software on its POS offerings, which prevented unauthorized code from breaking unpatched systems. This software allowed NEC Infrontia to remove the antivirus software that was affecting the performance of its devices, according to Chauhan.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

It is very challenging for POS equipment providers to ensure their systems remain PCI compliant after they are shipped to the dealer network and put into production at the retail location.

StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small chains, has solved its patching challenges under PCI DSS Requirement 6 by embedding Solidcore change control in its systems.

In addition, StoreNext reduced the time spent on monthly test and patch distribution cycles by cutting its patch frequency to quarterly. Chauhan also claims that the PCI auditing requirement can be met through change control software.
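To make the change control idea behind Requirements 5 and 6 concrete, here is an added example in Python (not Solidcore's, NEC Infrontia's or StoreNext's code): a baseline of SHA-256 file hashes is recorded when a POS software image is approved, and an audit later reports every file added, modified or removed since then. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Allowlist-style change control check for a POS software image (added
example, not vendor code). A baseline of SHA-256 hashes is taken when the
image is approved; anything added, modified or removed since is reported."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash of every regular file under root, keyed by its POSIX relative path."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now with the approved baseline."""
    current = build_baseline(root)
    return {
        "unauthorized": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current
                           if k in baseline and current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: approve an image, then change it without approval."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"approved POS binary v1")
        (root / "bin" / "printer.dll").write_bytes(b"approved driver")
        baseline = build_baseline(root)  # taken when the image was approved
        (root / "bin" / "pos.exe").write_bytes(b"changed after approval")
        (root / "bin" / "unapproved.dll").write_bytes(b"not in the approved image")
        (root / "bin" / "printer.dll").unlink()
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The three lists the audit returns are the evidence an auditor would ask for: anything outside the approved baseline is flagged without relying on signature updates.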

Other difficult areas include data encryption and user-based access controls, McCullen states.

-----------------------------------------------

Do You Have Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.

-----------------------------------------------

# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!