Connect with us

Hi, what are you looking for?



Data Security at the Point of Sale: Back to the Basics

With Point of Sale Security, Simple Preventative Solutions are Often Taken for Granted and Get Lost in all of the Rhetoric

With Point of Sale Security, Simple Preventative Solutions are Often Taken for Granted and Get Lost in all of the Rhetoric

What comes to mind first when talking about data security at the Point of Sale (POS) in the retail industry? I can guarantee that thoughts immediately gravitate towards hackers sitting in basements, connected to the Internet, probing for security vulnerabilities where sophisticated programs (malware) can be inserted into internal networks to purge and copy cardholder’s data. To plug potential data security holes, merchants are building and implementing technical control systems to monitor data traffic, tokenizing and encrypting data, to increasing their IT security solutions. But often times, simple preventative solutions are taken for granted and get lost in all of the rhetoric.

POS Data SecurityFirst Line of Defense: Employees

Let’s examine protecting cash at the cash register as one example. Securing cash is a process that uses a blend of physical and technical controls to monitor accounts for every dollar. Cameras, locks, and most of all employees, are used to insure that this tangible resource stays protected, but once the cash drawer is removed from the cash register, many merchants feel their job is done. But what about POS terminals? Usually, they are taken for granted and left unattended or unsupervised for extended periods of time when customer traffic is slow, especially during the early store opening or late evening hours. This complacency has resulted in a number of terminal tampering attacks. And here’s why.

POS Terminal Tampering Attacks

In a terminal tampering attack, the terminal is stolen (i.e. physically removed) from the front end of the checkout counter when the thief has the opportunity to unplug and take the terminal. Common terminal theft is likely to occur in areas that are typically unattended that the consumer may have access to. Prime targets for this crime: areas that are only used at certain times of the day or an area that may have only a single store employee (e.g. a cashier) who can be easily distracted. Though there is no information in the POS terminal that can be extracted, the terminal itself becomes the primary target. A stolen POS terminal is illegally modified by organized crime members to add a skimming device and then returned to service, normally at another location or by a merchant that is using the same POS equipment. On average, a card skimmer costs about $300, and the equipment to make a counterfeit credit card costs about $5,000 to $10,000.

Consider the following examples of skimming attacks. In one attack, the POS terminal appeared to be working correctly, but would generate an error after the skimming was completed to give the appearance that there was an error with the cardholder’s card or a connecting cable. Another attack resulted in the terminal looking as if having a software failure and simply requiring a download. In both cases, the unsuspecting merchant’s support staff repaired the POS terminal and returned it to service not realizing that it was not their device which had been stolen and then secretly replaced with the modified unit.

All merchants should take time to educate their current and newly hired employees on the potential for a physical theft of a POS device for skimming attack purposes.

Advertisement. Scroll to continue reading.

Common Sense and Mitigation Strategies

In both examples, a combination of physical and tech-based controls would have alerted the merchant’s staff to an issue. Today POS terminal vendors and suppliers offer terminal stands with a locking mechanisms that requires a key to unlock the physical stand to gain access to the mounting mechanism and adjacent cabling. Adding a lock to a stand is often over looked, yet can be a very effective measure towards preventing a physical theft of the device. In addition to locking the terminal, the merchant’s staff should use their common sense and be aware of some basic steps to maintain a secure store environment during all store operation hours, especially around cash registers and POS devices. All major payment card brands and the Payment Card Industry Security Standards Council (PCI SSC) regularly publish best practices on skimming prevention and tips for merchants on how to secure their store environment.

Consider these simple steps that can help reduce risk of a skimming attack:

• Maintain a detailed list of type and serial number of your cash register and POS equipment.

• Physically check the POS terminals to see if the stickers have been altered or tampered with. The serial number on the sticker should match the serial number displayed in the terminal. Also, check for any missing parts, screws, or unusual wirings.

• Do visual inspection of the terminal for any obvious signs of tampering and be alert if the equipment looks different or is behaving differently. If so, remove it from service.

• Make sure that only authorized store employees are removing/replacing POS devices within your payments network.

Locks and tech controls can only do so much. Though most merchants would like to outsource their security to a third party security vendor, it’s the employees who use the POS equipment day in and day out who are your first line of defense against skimming attacks. A frequent Back to the Basics: Security 101 training will help to ensure that store employees know what specific actions/steps to take if a POS device is stolen or has obvious signs of device-tampering. Trust your employees to use their common sense, maintain their vigilance, and be on the lookout for something that is not right. They will keep your store safe for customers!

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...