Retailers of all sizes, from small shops to large chains, are continually raising questions on the subject of Point of Sale (POS) security. If you are a business owner yourself, you may find yourself wondering:
- How can I protect myself against stolen card details?
- What is cloud based POS and how does it help me?
- What is PCI Compliance and how can I better understand it?
In recent times a great deal has been reported about POS, and not a lot of it has been positive. Malware attacks on the big US chains Walmart, Target and Home Depot have had a significant detrimental effect, especially on customer behaviour. The Hacker News recently reported astonishing figures in the wake of Target’s data breach, stating that “12% of loyal shoppers no longer shop at that retailer”, a further “36% shop at the retailer less frequently”, and of the people who remained loyal, 79% are “more likely to use cash instead of credit cards”. This does not bode well given the widely held belief that people tend to spend more on card than on cash. So how can this be avoided, and what options are open to you for a safe and secure POS system? We called on 4 industry experts to gauge their opinions: Vaughn Clair, a Retail Technology Expert and CTO at Black Label Solutions; Matt Fleeks, a Point of Sale Technology Specialist at mattfleeks.com; Tom Doepker, Brand Director at Morphick Inc; and Stuart Coetzee, President at TISSL Inc.
Are you PCI Compliant?
Doepker, whose company Morphick deals with network security, says the question they hear most from customers when suspicious malware is detected on a POS system is “how can this happen?”. This can often be traced back to a lack of knowledge of, or negligence towards, ‘PCI Compliance’, a set of rules that every business, big or small, that accepts credit or debit card payments needs to adhere to. PCI Compliance, in short, is the process of identifying which cardholder data you are responsible for, actively preventing that data from being exposed, and lastly completing and submitting compliance reports to the bank and card businesses that you operate with. However, as The Hacker News commented, carrying out these procedures and passing the subsequent audit is the equivalent of “passing your driving test and instantly becoming a safe driver”. In other words, you are not entirely safe until you fully educate yourself and all your employees. A good resource for doing this is Kevin Mitnick’s Security Awareness Training, which involves live demos, case studies and a test. The question remains, though: is this enough? Is protection secondary to compliance? Doepker states that there is a lot you can do with a POS machine in order to stay compliant, but reinforces the argument that “Compliance driven security doesn’t really help”. How big a problem is this? A report from USA Today suggested that 43% of US companies experienced a data breach of some sort in 2014. So what is the solution to this, in regards to POS?
Cloud Based vs Traditional POS
“My view is that cloud based POS systems are going to be inherently more secure than legacy Client Server (in store) POS systems” is the view of Vaughn Clair, but how do the two systems differ? Clair continues: “Cloud based systems usually hold the majority of data centrally in one place, which is usually better protected and more secure, usually in a secure data centre - with one set of servers that need to be updated with security patches and firewalls”. This is a crucial point: as Clair notes, a client server system (traditional POS) is by nature a distributed system, which “offers many more points of presence for malware attacks”, and that can make unauthorised access particularly difficult to control. The problems do not end there. Stuart Coetzee explains that traditional POS is susceptible to “incidental infection”, which can be triggered by simply “plugging phones into a terminal to charge”. The process of updating the software, which Clair mentioned earlier, is another dividing factor of note. Matt Fleeks explains that cloud based POS benefits from the fact that “Software updates are usually included and automatically implemented at no additional charge”, whereas the process is manual for a traditional system. Clair describes that manual work as “not a simple task”, because “antivirus systems and firewalls need to be kept up to date across all of these distributed systems”. Upgrading and maintaining a traditional POS system can therefore be both a laborious and costly exercise. Beyond updates, Fleeks explains there are limitations and additional costs when it comes to “remote training, technical support, and database backup”, and in most cases “a technician is usually physically needed to perform these tasks.” Carrying out these tasks manually or requesting outside help certainly eats into the time you should be spending on improving your business.
Furthermore, modern cloud based POS systems are designed so that no sensitive credit card data is stored, as they are fully PCI-DSS compliant. What this means, as Tracey Wallace recently pointed out for HubSpot, is that “the heavy lifting has been taken care of by the experts working on the backend of your technology”.
Home Depot & Target’s failures
The nature of traditional POS systems, which distribute information across the system, is ultimately what led to the attack on Target that cost it financially and severely dented its reputation. As Clair explains, “Distributed Client Server systems also usually have communication software installed to move files around (product & price updates and sales transactions) - this is usually a point of weakness that can be exploited by malware”. A similar incident hit Home Depot, where a breach affected more than 56 million cards over a 5 month period. The ‘Mozart’ malware attack affected all of its 2,200 stores. This led to Ottawa resident Steven Lozanski filing a $500 million lawsuit against the Canadian Home Depot and its parent company after claiming that more than $10,000 of fraudulent charges were made on his card. Customers’ personal information became accessible because, as Doepker explains, the “POS machines need to talk to backend databases”, and that traffic was intercepted. More recently there was the case of LucyPOS, malware that was found on an underground Russian forum. To help keep yourself from being exposed, you should immediately block any suspicious domain name that ends in .onion. Coetzee warns that unless you “steadfastly follow PCI compliance standards, you are making yourself far more vulnerable to both direct database breaches” such as these. This further reinforces the benefits of cloud based POS: not only does it help with maintenance, training and cost, but in cases like this, where new malware is being discovered, you can put these matters in the hands of the experts. As Doepker, a POS security expert, concludes: “While it's glaringly obvious to us, a ‘mom and pop shop’ would not know what that is, or if they should block it”.
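As an added example (my own code, not from the article), here is a defender-side triage of constructed DNS query logs from the tills that flags any .onion lookup, as the text advises, and goes one step further by also flagging lookups outside an allowlist of expected backend hosts, since a till should only need to talk to its payment gateway and back office; the log format, IP addresses and host names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed DNS query log format for this example: "<timestamp> <client-ip> <queried-name>".
DNS_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# Constructed allowlist of hosts the tills are expected to resolve (payment gateway, back office).
EXPECTED_HOSTS = {"gateway.example-psp.test", "backoffice.example-store.test"}

def parse_dns_line(line):
    """Return (timestamp, client_ip, qname) or None if the line does not match the format."""
    m = DNS_LINE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    return ts, client, qname.rstrip(".").lower()  # normalise trailing dot and case

def is_onion(qname):
    """True for Tor hidden-service names, which a till has no business resolving."""
    return qname == "onion" or qname.endswith(".onion")

def triage_dns_log(lines):
    """Group suspicious lookups by terminal IP.

    Each finding is (reason, qname): 'onion' for a Tor name, 'unexpected' for
    any other host outside the allowlist. Malformed lines are skipped, not fatal.
    """
    findings = defaultdict(list)
    for line in lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        _ts, client, qname = parsed
        if is_onion(qname):
            findings[client].append(("onion", qname))
        elif qname not in EXPECTED_HOSTS:
            findings[client].append(("unexpected", qname))
    return dict(findings)

# Constructed sample lines; the .onion name is a made-up placeholder, not a real address.
SAMPLE_DNS_LOG = [
    "2015-03-01T10:00:01Z 10.1.20.13 gateway.example-psp.test.",
    "2015-03-01T10:00:05Z 10.1.20.14 backoffice.example-store.test",
    "2015-03-01T10:02:40Z 10.1.20.13 example-hidden-service.onion",
    "2015-03-01T10:03:11Z 10.1.20.15 updates.example-vendor.test",
    "garbage line that does not parse",
]
```

On the sample data, till 10.1.20.13 is reported for the .onion lookup and 10.1.20.15 for an unlisted vendor host, while 10.1.20.14, which only resolved the back office, produces no finding.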