How Secure is Your POS?: Tips from McAfee
A database hack is a huge public relations nightmare for business owners, and for good reason. Customer confidence is based on security as much as it is on service and product quality. Once security is breached, the reputation of the company is compromised and the damage can last months, if not years.
Consumers form most of their opinions about the integrity of a business through social media these days. Angie’s List, customer comments on businesses’ websites, neighborhood community ratings, “likes” and “dislikes” on Facebook, TripAdvisor: all have replaced the traditional call to the local Better Business Bureau. Consumers diligently research the services or products they need, and the businesses that can best meet those needs, through these channels. What they cannot determine this way is how secure a business is and how well it will protect their financial and personal information.
Most consumers will blithely hand over a credit card to be swiped at a point of sale (POS) terminal, so it is crucial for business owners to assess the risk a breach would pose to their reputation, consumer confidence and, bottom line, sales.
A recent white paper from McAfee provides important information for retailers about consumer information security. Its topics include the history of consumer security guidelines, the evolution of POS from an electronic cash register into an integrated business management system, and the future of retail security.
Starting with history, the report notes that the Payment Card Industry (PCI) Security Standards Council was formed in 2006 to maintain the PCI Data Security Standard (PCI DSS), whose goal is to give consumers additional protection by establishing minimum levels of security for storing, processing and transmitting cardholder data. In the ensuing years the standard has evolved slowly, and there remains ample opportunity for exploitation of consumer financial and personal information, including email addresses and phone numbers.
As the report notes, the potential for risk continues to climb as credit card usage grows. McAfee’s researchers state that “worldwide there was an increase of $14.56 billion USD in credit card charges—12.1 percent—since 2011,” and many transactions are now allowed only by credit card, not cash (headphones and cocktails on airplanes, for example). According to the 2011 US Census projection, the total number of credit cards in the US is 1,278 million, or about 10 credit cards per person.
With the arrival of POS systems in retail and hospitality establishments, we are seeing integrated systems designed for single and multi-site operators alike, capable of everything from inventory reporting and employee tracking to loyalty programs, order processing and payment. Someone able to hack into a database of consumer information could also wreak havoc on the operation of the business itself.
One would expect the platforms, devices and applications behind these systems to be upgraded regularly, but McAfee’s research suggests otherwise, stating, “The range of systems in use today is astonishing: 38 percent of them still run DOS or a legacy Microsoft Windows operating system, according to the 2012 IHL North American Retail POS Terminal Market Study. In an ideal scenario for ease of management and security, you would expect homogeneous systems with centralized management across a single retailer, but this is rare. You would also expect that systems that are so integral to the retail business would be updated more frequently, but upgrades may occur only every 10 years in some segments such as department stores. …Because of the age of these systems, vulnerabilities abound. POS transaction applications may not encrypt data in memory, have debug configurations, or have defaults that can put items in clear text. A simple configuration change can turn into a vector for exploits. Remote management and access control can be particularly vulnerable.”
The report cites the breach of Dave & Buster’s 11-location system, in which thieves obtained the usernames and passwords used for POS terminal maintenance, and observes: “The actual number of breaches or records compromised is never disclosed. The public never knows about security issues or breaches unless the story is interesting enough to hit the media.”
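The “data in memory” and “clear text” points above are exactly what POS memory-scraping malware feeds on, and the first check a practitioner makes on a suspect terminal is whether a dump of the transaction application’s memory contains unencrypted magnetic-stripe data. The following script is an added example written for this page, not code from McAfee or from the original article: it scans a byte buffer for ISO/IEC 7813 Track 1 and Track 2 records and bare card numbers, discards hits that fail the Luhn checksum, and reports each finding with the PAN masked. The buffer `SAMPLE_DUMP`, the function names and the use of the well-known test card numbers 4111111111111111 and 5555555555554444 are all assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed sample of what a memory dump of a POS transaction application
# might contain if it keeps swipe data in clear text (not a real capture).
SAMPLE_DUMP = (
    b"\x00\x00POSAPP v3.1 debug=1\x00"
    b";4111111111111111=25121010000012345678?\x00\x00"     # Track 2 record
    b"%B5555555555554444^DOE/JOHN^2512101000000000?\x00"   # Track 1 record
    b"order=1234 total=19.99 card=4111111111111111\x00"    # PAN in a log line
    b"serial=1234567890123456\x00"                          # 16 digits, not a PAN
)

# ISO/IEC 7813 track layouts and a bare primary account number (PAN).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes) -> List[Dict]:
    """Locate clear-text track data and PANs in a memory buffer.

    Returns a list of findings ordered by offset; each carries the record kind
    ('track1', 'track2' or 'pan'), its byte offset and the masked PAN.
    """
    findings: List[Dict] = []
    covered: List[tuple] = []   # byte spans already attributed to a track match

    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue        # looks like a track but the PAN is not valid
            covered.append(m.span())
            findings.append({"kind": kind, "offset": m.start(), "pan": mask_pan(pan)})

    # Bare PANs: skip digit runs that fail Luhn (serial numbers, timestamps)
    # and runs that sit inside a track record already reported above.
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        if any(start <= m.start() < end for start, end in covered):
            continue
        findings.append({"kind": "pan", "offset": m.start(), "pan": mask_pan(pan)})

    findings.sort(key=lambda f: f["offset"])
    return findings


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_DUMP):
        print(f"{f['kind']:6s} at offset {f['offset']:5d}: {f['pan']}")
```

On the sample buffer the scan reports one Track 2 record, one Track 1 record and one bare PAN, and ignores the 16-digit serial number because it fails the Luhn check. To use it against a real terminal, feed it the contents of a process memory dump (or a full-memory image) in place of `SAMPLE_DUMP`; any hit is evidence that the application holds card data unencrypted in RAM, which is the condition PCI DSS requires you to eliminate and the condition memory scrapers exploit.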
Ironically, when merchants fail to comply with the standard, the fines they are assessed often take the form of higher transaction rates that are passed on to the consumer. Some states, including Washington and Nevada, are incorporating PCI compliance into law as part of consumer protection programs.
McAfee, not surprisingly, has developed several proprietary technologies that it recommends retailers explore; readers of Point of Sale News can find those on the McAfee site. But, as the white paper acknowledges, self-reporting and self-compliance are not enough to protect privacy and cardholder data, and in many instances merchants find it easier and less expensive to deal with the repercussions of a data breach after it happens than to invest proactively “just in case.” Only if a breach is widespread and hits the media does the public become aware of it. Otherwise, the only indication that consumer information may have been compromised is a new credit or debit card reissued by the bank, with no explanation of the reason.
The report recommends that consumers take a more proactive approach, researching a retailer’s security and privacy posture and learning how the company protects their information. Given the trusting nature of most people and the sheer convenience of credit cards, this seems a little Pollyanna-ish. At the same time, retail and hospitality owners have an obligation to say more about the measures they take to protect their customers, and their businesses, from cyber-thieves, and to publicly assure their clientele that they have invested in security.
Read the entire report here.