A new report from McAfee outlines the growing risks in the sales and commerce industry, due in part to the mix of legacy and newer Point of Sale (POS) systems, in addition to secondary market hardware. Overall, McAfee’s point is that businesses need to focus on more than just PCI DSS compliance.
McAfee’s report points out that 38% of the systems used in the retail sector today are running DOS or a legacy version of Windows. POS systems that are updated too infrequently create vast windows of opportunities for criminals to find and exploit vulnerabilities, McAfee explained. So once a new vulnerability is located, businesses using the same types of systems are easily identified and attacked.
One would expect that systems vital to a retail operation would be updated and maintained, but IHL North American research shows that hardware updates, if they’re done at all, only occur every 10 years or so. Even then, many retailers often upgrade by purchasing off the secondary market, which puts them in the position of owning slightly used, newer outdated hardware.
“The industry is very fragmented with a large base of smaller merchants utilizing secondary market or used point of sale systems,” said Kim Singletary, director of retail solutions marketing at McAfee.
“Merchants who do not have a broader security and privacy focus are leaving themselves vulnerable to susceptible systems and processes. If security, compliance and privacy adherence were more transparent to consumers, then retailers could look at these things as business differentiators rather than obligations.”
Naturally, McAfee has a horse in the race here, as their suggestions are all focused on something that they, or their parent company Intel, can offer. Yet, other firms have tackled the secure POS for a while now, including Diebold, Citrix, even Oracle.
Still, McAfee’s suggestions; such as application whitelisting, POS integrity control and hardware-enhanced security, along with centralized management, are worth investigating. At the same time, it’s worth researching the best solution available for your organization, because smaller mom and pop retail operations cannot afford all that McAfee and Intel have to offer.
“Retailers have worked hard not to store cardholder data, however, they still maintain a great deal of specific proprietary customer data on their networks that are a potential treasure trove for criminals and identity thieves,” said Greg Buzek, founder and president of IHL Consulting Group.
A full copy of McAfee’s report is available here.
Related Reading: New Malware Targeting POS Systems, ATMs Hits Major US Banks
Related Reading: vSkimmer Targets Payment Card Terminals Connected to Windows
Related Reading: Dexter Malware Targets POS Systems in Time for Holiday Rush