PCI Compliance: Facing The Challenging Parts

November 25, 2009 by Megan  
Filed under Shopping

Making Sure Your Point Of Sale Equipment Is Secured

Credit card commercials show a line of dancing shoppers merrily swiping their cards from store to store and exalting how convenient they are to use; what the commercials leave out is the very real threat of identity theft at the cash register.

Monica Chauhan, director of embedded solutions at Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at point-of-sale (POS) systems.

Locking it Down

“These point-of-sale systems can be vulnerable to exploitation if not properly locked down,” Chauhan says. For decades these embedded devices consisted of specialized hardware running proprietary software, but more recently the Unified Point of Sale (UPoS) standard has shifted that picture in the retail industry.

Chauhan observes that standardization has let these devices become increasingly interconnected, allowing the use of off-the-shelf software on commodity hardware running commercial or open operating systems such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux.

Chauhan adds that the security risks for POS equipment owners come from the same things that made the shift attractive: greater system flexibility and shorter development times for this equipment.

Vulnerable Systems

Robert J. McCullen, CEO of Trustwave (www.trustwave.com), a security firm focused on information security and compliance management, agrees with Chauhan that many, though not all, POS systems are vulnerable to exploitation.

According to McCullen, a small dial-up swipe machine is a low-risk device, but devices that are computer-based and/or have Internet access (those two factors are where the danger lies) are far more susceptible to attack.

If a POS system stores credit card track data, exploitation becomes possible, and swipe terminals can be compromised through physical tampering, according to McCullen.

“Generally, hardware swipe terminals have a low exploit risk but rather a higher risk of tampering, and the tampering allows hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.
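McCullen's first point, stored track data, is the one a practitioner can actually go and check for. Full magnetic-stripe track data is sensitive authentication data that PCI DSS Requirement 3.2 forbids storing after authorization, so finding it on a terminal's disk is both a breach risk and a compliance failure. The scanner below is an added example written for this article, not code from Trustwave, Solidcore or any POS vendor: it looks for Track 1 and Track 2 patterns in text, confirms the PAN with a Luhn check to weed out random digit runs, and reports only a masked PAN so the scan itself does not spread card data. The log lines it runs over are constructed for the example (the PANs are well-known test numbers, not real cards).

```python
import re
from typing import Dict, List

# Constructed sample of a POS application's debug log (made up for this
# example; not from any real terminal). A careless debug statement has
# written raw magnetic-stripe data to disk.
SAMPLE_LOG = """\
2009-11-25 10:03:11 tx=0001 amount=19.99 status=approved
2009-11-25 10:03:12 debug raw=;4111111111111111=12121010000000000000?
2009-11-25 10:04:02 tx=0002 amount=5.25 status=approved
2009-11-25 10:04:03 debug raw=%B5555555555554444^DOE/JANE^1212101000000000?
2009-11-25 10:05:40 debug raw=;4111111111111112=1212101?
2009-11-25 10:06:00 order=9876543210123456 shipped
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[Dict[str, object]]:
    """Scan text line by line for Track 1/Track 2 data carrying a Luhn-valid PAN."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                if not luhn_ok(pan):
                    continue            # looks like track data but the PAN is not one
                hits.append({
                    "line": lineno,
                    "track": track,
                    "pan": mask_pan(pan),   # never write the full PAN back out
                    "expiry": m.group("exp"),
                    "service_code": m.group("svc"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(hit)
```

On the constructed log the scanner flags lines 2 and 4 and skips line 5, whose PAN fails the Luhn check. In practice you would point `find_track_data` at log files, crash dumps, swap and temporary directories on the terminal, since those are where track data tends to leak even when the application never stores it on purpose.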

Chauhan points out other vulnerabilities. Because today’s POS systems resemble networked PCs, she says, they require constant patching. Embedded systems have also become susceptible to unauthorized and inappropriate changes as they are handed off from one party to the next in the distribution channel; the result can be malfunctioning equipment and even loss of compliance with PCI DSS (PCI Data Security Standard) requirements.

PCI DSS (PCI Data Security Standard) Challenges

Chauhan and McCullen both agree that POS equipment faces unique challenges in complying with the PCI DSS.

“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be an overhead expense for a low-footprint POS system, she notes; by contrast, change control software can eliminate the need for antivirus.

For example, NEC Infrontia installed change control software on its POS offerings that kept unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove antivirus software that had been hurting the performance of its devices, according to Chauhan.

PCI DSS Requirement 6, which mandates developing and maintaining secure systems and applications, presents challenges of its own, as Chauhan notes.

“It is difficult for POS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and get put into production at the retail location,” Chauhan observes.

According to Chauhan, StoreNext (www.storenext.com), a large supplier of technology and POS systems to independent grocers and small chains, solved its PCI DSS Requirement 6 patching challenges by embedding Solidcore change control in its systems.

“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.
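The idea running through the last few paragraphs, from the unauthorized changes in the dealer channel to the Requirement 5 and 6 arguments, is that a POS image should only ever contain the code the vendor put there. Commercial change control products such as the one described here enforce that at execution time inside the operating system; the added example below is a much simpler stand-in written for this article, not Solidcore's or any vendor's code. It builds a SHA-256 manifest of a POS image at the factory, then re-hashes the unit later and classifies every file as added, removed or modified, so that a dealer's "helpful" remote-access tool or a silently altered binary shows up before the unit goes live. The directory layout, file names and the drift it simulates are all constructed for the example. Two caveats a practitioner would add: a check like this only detects, it does not block, and replacing antivirus with it is a compensating control that the PCI assessor has to accept and document, not something the standard grants automatically.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 every file under root, keyed by its path relative to root."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every deviation from the baseline; anything not in it is unauthorized."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a toy POS image, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed image contents (hypothetical file names, not a real product).
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"original POS application")
        (root / "bin" / "printer.dll").write_bytes(b"receipt printer driver")
        (root / "config.ini").write_text("[store]\nid=0042\n")

        # Manifest produced at the factory, before the unit enters the dealer channel.
        # In a real deployment this JSON would be signed and kept off the device.
        baseline_json = json.dumps(hash_tree(root), indent=2, sort_keys=True)

        # Constructed drift during distribution: an unexpected remote-access tool
        # appears, the application binary changes, and a config file goes missing.
        (root / "bin" / "remote_admin.exe").write_bytes(b"not part of the image")
        (root / "bin" / "pos.exe").write_bytes(b"original POS application, patched")
        (root / "config.ini").unlink()

        # Verification at the retail site: compare the shipped manifest to reality.
        return diff_manifests(json.loads(baseline_json), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running it prints one added, one removed and one modified path. The same `diff_manifests` comparison is what an auditor wants to see for the change-tracking side of PCI DSS: a signed baseline, a current manifest, and a record of who approved each difference.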

Other thorny areas, McCullen adds, include data encryption and user-based access controls.


Do You Have Any Questions?

If you would like to know more about this topic or have a question in mind, you may ask for advice from our Restaurant POS professional serving your area.

The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com with over 20 years experience in the restaurant point of sale industry.
