Is Your POS System Secure?
Watch out, merchants: Dubbed “PoSeidon” by Cisco Security Solutions, this malware is a new type of trojan that specifically targets POS (point of sale) systems, nabbing the credit card information of your unsuspecting customers.
Cisco stated in a March 2015 report that POS malware attacks are on the rise, affecting businesses both large and small. An example of a recent high-profile POS credit card data breach is the BlackPOS malware strain, which exposed more than 40 freaking million Target customers’ debit and credit card information in 2013.
Concerned? You should be, as you could ultimately be held liable for the theft of your customers’ data should your POS system become infected. Read on to learn how to protect your business from the PoSeidon virus, and how to minimize your risk of POS system data breach in general.
The PoSeidon Point-of-Sale Virus
During card-present payment processing, sensitive credit card information is available in plain text in the memory of the POS system. Like most point-of-sale trojans, PoSeidon uses a technique known as “memory scraping,” scanning the RAM of infected POS terminals to find these unencrypted strings that match credit card information.
Once this information is retrieved, it is sold to nefarious cybercriminals who might, say, encode it into a magnetic stripe and use it with a new card.
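One defensive counterpart to memory scraping is checking your own terminal's crash dumps or debug logs for cleartext card numbers, which should never be there if encryption at the reader is working. The following is an added Python example, not code from the original article; the sample dump is constructed, and hits are reported masked to the last four digits.

```python
import re

# Constructed sample of what a crash dump or debug log from a POS process might
# contain: track-2 style data and loose PANs mixed with ordinary text, plus long
# digit runs (an order id, a session id) that look like cards but fail Luhn.
SAMPLE_DUMP = (
    b"ReceiptPrinter: TM-T88 ready\x00"
    b";4111111111111111=25121010000000000000?\x00"
    b"order_id=1234567890123456 customer=Jane Doe\x00"
    b"5500000000000004 09/26\x00"
    b"session=9876543210987654321\x00"
)

# 13 to 19 digit runs not touching other digits; the 20-digit discretionary
# field after '=' in the track is therefore not treated as a candidate.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits, the most PCI DSS allows a report to show."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_cleartext_pans(blob: bytes) -> list:
    """Return masked PANs found in blob; any hit means card data sat unencrypted."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = m.group(1).decode("ascii")
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_DUMP):
        print("cleartext PAN found:", pan)
```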
Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, told SCMagazine.com that PoSeidon stands out from other similar POS malware in that it can update itself.
Additionally, says Williams, “It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common PoS malware, which logs and stores for future exfiltration from another system.”
OK, so don’t you worry — you don’t really need to understand everything that guy just said. The takeaway here is that PoSeidon is more sophisticated than previous POS malware programs. Though PoSeidon isn’t the be-all, end-all of POS malware, this lucrative type of crime is not going away, either. After PoSeidon, the next, smarter incarnation of POS bug will surely appear to take its place.
PCI Security Standards
Fortunately, there are some things you can do to protect your POS system from data breaches, and one of these involves something called PCI compliance. Being PCI-compliant doesn’t make you impervious to attacks like PoSeidon, but it helps.
PCI DSS stands for Payment Card Industry Data Security Standard. These are standards set by the PCI Security Standards Council, and merchants are required to follow them in order to remain compliant.
You’ll have to look up exactly what you need to do to remain PCI compliant depending on your specific type of business (for example, it is much easier to be PCI compliant as a small e-commerce site than as a brick-and-mortar store), but essentially, the standards require you to do all you can to protect the cardholder data you process. One thing every merchant can do is use PCI-compliant terminal equipment.
Check out our blog post on PCI compliance to find the online resources you need to make sure your business is compliant with PCI standards.
How Cloud-Based POS Software Can Help
Another important action merchants can take to secure their customers’ data against security breaches — probably the most important thing — is to use cloud-based POS software.
With cloud-based POS software, the card data and customer data are removed from your hands entirely — this sensitive data is stored encrypted in the cloud, rather than in your POS system. This makes a data breach much more difficult, and virtually impossible using a PoSeidon-type virus.
Cloud-based POS software also allows the system to stay up-to-date more easily, which further helps protect you from new malware and other issues. And it has a bunch of other benefits, such as allowing the business owner to log in to the cloud POS system remotely.
For a good overview of cloud-based POS software, check out our very readable article on the subject.
How Will Chip Cards Impact Data Security?
EMV chip or “chip card” technology adds yet another layer of data security. Also called “smart cards,” these are credit/debit cards that store the cardholder’s data on a microprocessor chip rather than a magnetic stripe.
Not too many US merchants accept chip cards at present, but this is likely to change, as a new law regarding chip card fraud liability goes into effect in October 2015.
So what do chip cards have to do with data security? Welp, they have dynamic (changing) card information instead of a single string of numbers, which makes replicating them much more difficult. While they won’t prevent data theft, they will make it so that the stolen data itself cannot easily be used to make counterfeit cards and fraudulent transactions.
So, you don’t necessarily need to update your terminals to accept chip cards right this second, but EMV chip transactions are inherently safer than transactions with non-chip credit or debit cards (at least, when it comes to card-present transactions). As the technology becomes more popular, it will be in your best interest as a merchant to accept chip card payments and thereby reduce your fraud liability risk.
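To show why a stolen magnetic stripe is reusable while data scraped from a chip transaction is not, here is an added toy model in Python; it is not from the original article and is not the real EMV protocol. The card key, track data and HMAC-based cryptogram are constructed stand-ins for the issuer-held key and per-transaction cryptogram that real chip cards use.

```python
import hashlib
import hmac
import secrets

# Constructed toy model: a chip card holds a key that the terminal and the POS
# memory never see, and signs each transaction's fresh unpredictable number
# together with its own transaction counter (ATC). Not the EMV specification.
CARD_KEY = b"demo-issuer-card-key"          # constructed secret, card <-> issuer only
STATIC_TRACK = "4111111111111111=2512101"   # constructed magstripe-style track data


def magstripe_authorize(track: str, known_tracks: set) -> bool:
    """Magstripe model: the static track is all the issuer can check, so a copy passes."""
    return track in known_tracks


def _message(amount: int, unpredictable_number: bytes, atc: int) -> bytes:
    return b"%d|%s|%d" % (amount, unpredictable_number, atc)


class ChipCard:
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def cryptogram(self, amount: int, unpredictable_number: bytes) -> tuple:
        self.atc += 1
        tag = hmac.new(self.key, _message(amount, unpredictable_number, self.atc), hashlib.sha256)
        return self.atc, tag.digest()


class Issuer:
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorize(self, amount: int, unpredictable_number: bytes, atc: int, crypto: bytes) -> bool:
        expected = hmac.new(self.key, _message(amount, unpredictable_number, atc), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, crypto):
            return False                     # not produced by the genuine card
        if atc <= self.last_atc:
            return False                     # counter did not advance: a replay
        self.last_atc = atc
        return True


def demo() -> tuple:
    stolen_copy_works = magstripe_authorize(STATIC_TRACK, {STATIC_TRACK})
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    un = secrets.token_bytes(4)              # terminal picks a fresh nonce per transaction
    atc, crypto = card.cryptogram(1999, un)
    genuine_ok = issuer.authorize(1999, un, atc, crypto)
    replay_ok = issuer.authorize(1999, un, atc, crypto)              # scraped and replayed
    forged_ok = issuer.authorize(1999, secrets.token_bytes(4), atc + 1, crypto)  # no key
    return stolen_copy_works, genuine_ok, replay_ok, forged_ok
```

Running demo() returns (True, True, False, False): the copied stripe authorizes, the genuine chip transaction authorizes, and the scraped cryptogram fails both when replayed and when reused under a new nonce.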
Conclusion
The PoSeidon virus demonstrates the importance of data security for all businesses, online and off. As the technology used by data thieves continues to advance, so too must merchants’ POS systems. Brick-and-mortar businesses often think that they are not at risk for data breaches, but Target, Home Depot, Kmart, and other big and small retailers have learned the hard way just how vulnerable they are.
When it comes to protecting your business from data breaches, having an up-to-date POS system is important. Using a cloud-based system, maintaining PCI compliance, and preparing to accept chip cards when the time comes can help to mitigate this risk.