
Data Security at the Point of Sale: Back to the Basics

With Point of Sale Security, Simple Preventative Solutions are Often Taken for Granted and Get Lost in all of the Rhetoric

What comes to mind first when talking about data security at the Point of Sale (POS) in the retail industry? I can guarantee that thoughts immediately gravitate towards hackers sitting in basements, connected to the Internet, probing for security vulnerabilities so that sophisticated programs (malware) can be inserted into internal networks to extract and copy cardholders' data. To plug potential data security holes, merchants are building and implementing technical control systems to monitor data traffic, tokenizing and encrypting data, and expanding their IT security solutions. But oftentimes, simple preventative solutions are taken for granted and get lost in all of the rhetoric.

First Line of Defense: Employees

Let's examine protecting cash at the cash register as one example. Securing cash is a process that uses a blend of physical and technical controls to account for every dollar. Cameras, locks, and most of all employees are used to ensure that this tangible resource stays protected, but once the cash drawer is removed from the cash register, many merchants feel their job is done. But what about POS terminals? Usually, they are taken for granted and left unattended or unsupervised for extended periods of time when customer traffic is slow, especially during the early store opening or late evening hours. This complacency has resulted in a number of terminal tampering attacks. And here's why.

POS Terminal Tampering Attacks

In a terminal tampering attack, the terminal is stolen (i.e. physically removed) from the front end of the checkout counter when the thief has the opportunity to unplug and take the terminal. Terminal theft is most likely to occur in areas that are typically unattended and that consumers have access to. Prime targets for this crime are areas that are only used at certain times of the day, or an area staffed by a single store employee (e.g. a cashier) who can be easily distracted. Though there is no information in the POS terminal that can be extracted, the terminal itself becomes the primary target. A stolen POS terminal is illegally modified by organized crime members to add a skimming device and then returned to service, normally at another location or at a merchant that is using the same POS equipment. On average, a card skimmer costs about $300, and the equipment to make a counterfeit credit card costs about $5,000 to $10,000.

Consider the following examples of skimming attacks. In one attack, the POS terminal appeared to be working correctly, but would generate an error after the skimming was completed to give the appearance that there was a problem with the cardholder's card or a connecting cable. In another attack, the terminal looked as if it had suffered a software failure and simply required a download. In both cases, the unsuspecting merchant's support staff repaired the POS terminal and returned it to service, not realizing that it was not their device: the original had been stolen and secretly replaced with the modified unit.

All merchants should take time to educate their current and newly hired employees on the potential for a physical theft of a POS device for skimming attack purposes.

Common Sense and Mitigation Strategies

In both examples, a combination of physical and tech-based controls would have alerted the merchant's staff to an issue. Today POS terminal vendors and suppliers offer terminal stands with a locking mechanism that requires a key to unlock the physical stand and gain access to the mounting mechanism and adjacent cabling. Adding a lock to a stand is often overlooked, yet it can be a very effective measure towards preventing a physical theft of the device. In addition to locking the terminal, the merchant's staff should use their common sense and be aware of some basic steps to maintain a secure store environment during all store operation hours, especially around cash registers and POS devices. All major payment card brands and the Payment Card Industry Security Standards Council (PCI SSC) regularly publish best practices on skimming prevention and tips for merchants on how to secure their store environment.

Consider these simple steps that can help reduce risk of a skimming attack:

• Maintain a detailed list of type and serial number of your cash register and POS equipment.

• Physically check the POS terminals to see if the stickers have been altered or tampered with. The serial number on the sticker should match the serial number displayed by the terminal. Also, check for any missing parts, screws, or unusual wiring.

• Do a visual inspection of the terminal for any obvious signs of tampering and be alert if the equipment looks different or is behaving differently. If so, remove it from service.

• Make sure that only authorized store employees are removing/replacing POS devices within your payments network.
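The first three steps above amount to a reconciliation: the recorded list of type and serial number is compared against what an employee actually sees on the floor, and any terminal whose serial, sticker, model or condition does not match is pulled. The script below is an added example of that check, not code from the article or from any terminal vendor. The asset list, the inspection readings and the record layout (store, lane, model, serial) are constructed for illustration; real inventories will carry different fields.

```python
"""Reconcile a store's POS terminal inventory against a floor inspection.

Added example, not from the original article. The asset list and the
inspection readings are constructed sample data, and the record layout
(store, lane, model, serial) is an assumption, not any vendor's format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """One entry from the merchant's detailed list of POS equipment."""
    store: str
    lane: str
    model: str
    serial: str


@dataclass(frozen=True)
class Inspection:
    """What a store employee observed at one lane during a walk-through."""
    store: str
    lane: str
    model: str
    sticker_serial: Optional[str]   # serial printed on the sticker; None if missing/unreadable
    displayed_serial: str           # serial the terminal reports on its own screen
    notes: str = ""                 # anomaly notes, e.g. missing screws, extra cable


# Constructed sample data: four terminals recorded for store S01.
INVENTORY = [
    Asset("S01", "L1", "ModelA", "SN-1001"),
    Asset("S01", "L2", "ModelA", "SN-1002"),
    Asset("S01", "L3", "ModelA", "SN-1003"),
    Asset("S01", "L4", "ModelA", "SN-1004"),
]

# Constructed inspection readings from the same store on one morning.
INSPECTIONS = [
    Inspection("S01", "L1", "ModelA", "SN-1001", "SN-1001"),             # clean
    Inspection("S01", "L2", "ModelA", "SN-1002", "SN-9999"),             # sticker copied onto a different unit
    Inspection("S01", "L3", "ModelA", None, "SN-1003", notes="extra cable at base"),
    # L4 was not found at all during the walk-through.
    Inspection("S01", "L5", "ModelA", "SN-1005", "SN-1005"),             # lane with no inventory record
]

Finding = Tuple[str, str, str, str]   # (store, lane, code, detail)


def reconcile(inventory: List[Asset], inspections: List[Inspection]) -> List[Finding]:
    """Compare inspection readings with the asset list and return findings.

    Codes: UNEXPECTED_LANE (no inventory record), STICKER_MISSING, STICKER_MISMATCH
    (sticker vs. displayed serial), SERIAL_MISMATCH (displayed vs. recorded serial),
    MODEL_MISMATCH, PHYSICAL_ANOMALY (employee notes), MISSING_DEVICE (not seen).
    """
    by_lane = {(a.store, a.lane): a for a in inventory}
    known_serials = {a.serial for a in inventory}
    seen = set()
    findings: List[Finding] = []

    for insp in inspections:
        key = (insp.store, insp.lane)
        seen.add(key)
        expected = by_lane.get(key)
        if expected is None:
            findings.append((*key, "UNEXPECTED_LANE", f"{insp.model} {insp.displayed_serial} not in inventory"))
            continue
        if insp.sticker_serial is None:
            findings.append((*key, "STICKER_MISSING", "serial sticker absent or unreadable"))
        elif insp.sticker_serial != insp.displayed_serial:
            findings.append((*key, "STICKER_MISMATCH", f"sticker {insp.sticker_serial} vs display {insp.displayed_serial}"))
        if insp.displayed_serial != expected.serial:
            # A serial that belongs to another recorded lane suggests units were shuffled;
            # one never recorded suggests a foreign unit was put into service.
            origin = "another recorded unit" if insp.displayed_serial in known_serials else "a unit never recorded"
            findings.append((*key, "SERIAL_MISMATCH", f"expected {expected.serial}, found {insp.displayed_serial} ({origin})"))
        if insp.model != expected.model:
            findings.append((*key, "MODEL_MISMATCH", f"expected {expected.model}, found {insp.model}"))
        if insp.notes:
            findings.append((*key, "PHYSICAL_ANOMALY", insp.notes))

    # Anything recorded but not seen is a candidate theft, not a tampering finding.
    for key, asset in by_lane.items():
        if key not in seen:
            findings.append((*key, "MISSING_DEVICE", f"{asset.model} {asset.serial} not seen"))
    return findings


def lanes_to_pull(findings: List[Finding]) -> List[str]:
    """Lanes whose terminal should be removed from service pending review."""
    pull_codes = {"UNEXPECTED_LANE", "STICKER_MISMATCH", "STICKER_MISSING",
                  "SERIAL_MISMATCH", "MODEL_MISMATCH", "PHYSICAL_ANOMALY"}
    return sorted({f"{store}/{lane}" for store, lane, code, _ in findings if code in pull_codes})


if __name__ == "__main__":
    results = reconcile(INVENTORY, INSPECTIONS)
    for store, lane, code, detail in results:
        print(f"{store} {lane} {code}: {detail}")
    print("remove from service:", ", ".join(lanes_to_pull(results)))
```

On the constructed data the check flags lane L2 twice (the sticker no longer matches what the terminal displays, and neither matches the recorded serial), lane L3 for a missing sticker and the employee's wiring note, lane L5 as a terminal nobody recorded, and lane L4 as a recorded device that was not seen. The point of separating MISSING_DEVICE from the pull list is that a missing terminal calls for a theft report, while the other codes call for taking the unit out of service before another card is swiped on it.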

Locks and tech controls can only do so much. Though most merchants would like to outsource their security to a third-party security vendor, it's the employees who use the POS equipment day in and day out who are your first line of defense against skimming attacks. Frequent "Back to the Basics: Security 101" training will help to ensure that store employees know what specific actions to take if a POS device is stolen or shows obvious signs of tampering. Trust your employees to use their common sense, maintain their vigilance, and be on the lookout for something that is not right. They will keep your store safe for customers!

Christopher Justice is President of Ingenico North America and is responsible for driving the development of the company's strategy in the US and Canada. He is a graduate of the University of Tennessee and has held several executive positions in the electronic payment industry. Prior to being President and CEO of Merchant Link, Chris was Senior Vice President of First Data, where he led the National Accounts group for various banking relationships including CitiBank and SunTrust. Before joining First Data, he served as VP of National Accounts for Concord EFS, an electronic payments processor and a recent First Data acquisition.