Over the years, the point-of-sale (POS) environment has evolved from traditional cash registers and dial-up modems to more flexible, always-on multipurpose systems. These systems bring greater technical complexity to retail storefronts.
Merchants now use high-speed connections with POS terminals that commonly link to a central server, providing the corporate office with insight into customer purchases and their spending habits. Operating on high-speed connectivity at all times also brings a new level of efficiency to the payments industry, including handling system maintenance and troubleshooting remotely.
Being able to remotely access your POS system from anywhere is appealing and convenient. It may save you, your IT staff or your service providers (vendors, integrators, resellers) a visit to your office or store.
But the advantages offered by remote management software exposed to the internet may also pose significant risk to the security of your customers' payment card information. Attackers, too, can gain access to these remote access tools - often by cracking weak passwords - to bypass security measures and move laterally across your network. According to the 2016 Trustwave Global Security Report, insecure remote access software and policies, at 13 percent, contributed the largest share of compromises Trustwave investigated in 2015 - and nearly all POS breaches in the year prior.
Security of cardholder data is critical for merchants, but remote access solutions pose an increased risk if they are not used in a manner consistent with the Payment Card Industry Data Security Standard (PCI DSS). Here are some tips to help you stay in compliance and keep your POS systems safeguarded against cyberattacks.
What You Should Do
- If remote connectivity is required, enable it only during the time needed for work/updates - and ensure the latest versions of the remote management tools and applications are being used.
- Use effective network segmentation, including firewalls - and separate Wi-Fi and security cameras from your POS environment.
- Work with your service providers to ensure that your POS environment is configured securely and in compliance with PCI DSS.
- Consider security testing, risk assessments and two-factor authentication (in concert with unique credentials, preferably passphrases) to identify weaknesses and ensure stronger access controls.
What You Should Not Do
- Do not use your POS for surfing the internet and checking email. (Remember, it is for card transactions and reporting only).
- Do not share credentials for logging into a remote solution or any part of the POS.
- Do not use your remote access to get to your security cameras.
- Do not leave remote access enabled after work is completed. (This leaves an open window for hackers to access your POS).
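The two lists above come down to a handful of checks on the firewall that fronts the POS segment: remote management must never be open to the whole internet, every remote-access rule must carry an end time and be torn down when it passes, and the Wi-Fi and camera networks must not be able to reach the POS segment at all. The script below is an added example, not Sterling Payment Technologies' or Trustwave's tooling; it audits a constructed, vendor-neutral rule set for those conditions and builds time-boxed rules for the maintenance window. The addressing plan, the rule shape, and the list of remote management ports are assumptions for the example.

```python
"""Audit POS firewall rules for remote-access exposure, missing or expired
maintenance windows, and segmentation violations (added example, constructed data)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: well-known ports of common remote management tools. Extend this
# with whatever your vendor or integrator actually uses.
REMOTE_MGMT_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 5938: "teamviewer"}

# Constructed addressing plan: the POS segment plus the two networks the post
# says must be kept separate from it.
POS_SUBNET = ipaddress.ip_network("10.10.20.0/24")
ISOLATED_SUBNETS = {
    "wifi": ipaddress.ip_network("10.10.50.0/24"),
    "cameras": ipaddress.ip_network("10.10.60.0/24"),
}

# Constructed rules in a vendor-neutral shape. "expires" is the end of the
# maintenance window recorded when remote access was opened (ISO 8601, UTC).
SAMPLE_RULES = [
    {"id": "R1", "src": "0.0.0.0/0", "dst": "10.10.20.0/24", "port": 3389,
     "enabled": True, "expires": None},                       # RDP open to the world, forever
    {"id": "R2", "src": "203.0.113.10/32", "dst": "10.10.20.5/32", "port": 5900,
     "enabled": True, "expires": "2016-06-01T18:00:00+00:00"},  # vendor VNC, window has passed
    {"id": "R3", "src": "10.10.50.0/24", "dst": "10.10.20.0/24", "port": 443,
     "enabled": True, "expires": None},                       # guest Wi-Fi can reach POS
    {"id": "R4", "src": "10.10.60.0/24", "dst": "10.10.20.0/24", "port": 22,
     "enabled": False, "expires": None},                      # disabled, ignored
    {"id": "R5", "src": "10.10.20.0/24", "dst": "0.0.0.0/0", "port": 443,
     "enabled": True, "expires": None},                       # outbound, not in scope
]

# Constructed "current time" so the audit is reproducible offline.
SAMPLE_NOW = datetime(2016, 6, 2, tzinfo=timezone.utc)

FINDING_TEXT = {
    "EXPOSED": "remote management reachable from any source address",
    "NO_EXPIRY": "remote access rule has no maintenance-window end time",
    "EXPIRED": "remote access rule is still enabled after its window ended",
    "SEGMENTATION": "Wi-Fi or camera network can reach the POS segment",
}


def time_boxed_rule(rule_id, src, dst, port, hours, now):
    """Build an allow rule whose expiry is the end of an explicit window (now + hours)."""
    return {"id": rule_id, "src": src, "dst": dst, "port": port, "enabled": True,
            "expires": (now + timedelta(hours=hours)).isoformat()}


def audit_rules(rules, now=None):
    """Return (rule_id, code) findings for enabled rules inbound to the POS segment."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.subnet_of(POS_SUBNET):
            continue  # only traffic destined for the POS segment matters here

        # Remote management tools: restrict the source and bound the window.
        if rule["port"] in REMOTE_MGMT_PORTS:
            if src.prefixlen == 0:
                findings.append((rule["id"], "EXPOSED"))
            if rule["expires"] is None:
                findings.append((rule["id"], "NO_EXPIRY"))
            elif datetime.fromisoformat(rule["expires"]) < now:
                findings.append((rule["id"], "EXPIRED"))

        # Segmentation: sources wholly inside an isolated network must be blocked.
        if any(src.subnet_of(net) for net in ISOLATED_SUBNETS.values()):
            findings.append((rule["id"], "SEGMENTATION"))
    return findings


if __name__ == "__main__":
    for rule_id, code in audit_rules(SAMPLE_RULES, SAMPLE_NOW):
        print(f"{rule_id}: {code} - {FINDING_TEXT[code]}")
```

Run against the sample set, the audit flags R1 twice (internet-exposed and open-ended), R2 as expired, and R3 as a segmentation violation, while the disabled R4 and the outbound R5 produce nothing. Creating the vendor's access with `time_boxed_rule` instead of a bare allow rule gives the nightly audit an end time to enforce, which is what turns "do not leave remote access enabled" from a reminder into a check.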
For best practices in fraud protection, view Sterling Payment Technologies' tips on card-present and card-not-present transaction fraud here.
This guest post was written by Sterling Payment Technologies, a Tampa, Fla.-based payment processor.