Point of Sale Security Precautions Every Business Owner Should Take
Have you ever stopped to wonder how those who came before us imagined the future world? While it’s fun to view creative predictions from the past (I’m talking to you, Back to the Future II), it really is amazing to realize just how advanced the age of technology we live in is. Many of these modern luxuries have improved our lives and contributed to the advancement of the human race. The invention of computers, the world wide web, tablets, and smartphones (to name just a few) helped revolutionize the business world, and more specifically, the Point of Sale (POS) world. That said, every rose has its thorn. This is especially true when it comes to the technology advancements that have benefited the POS world in the last 20 years or so. While cutting-edge software systems and devices have provided extreme convenience, too many business owners seem to forget that these advancements come with a price.
Let me ask all of you merchants out there a question: Assuming you currently employ a POS system, when was the last time you ran any sort of security checkup or update? If you’ve been keeping up with the news in recent years (don’t worry, this isn’t about to get political), then you know that the Point of Sale (POS) industry has taken quite a few big blows from the hackers and cyber attackers of the world. Cybersecurity should be at the forefront of every business owner’s mind when considering their future or current POS system.
When you partner your business with a third-party POS system, you are exposing the data of your company, and by extension the data of your customers, to someone else’s security standards. Before you partner with another company, you should understand their security protocols so that you can factor them into your own precautions. (Yes, in addition to the protection offered by your POS vendor, it is paramount for you to have your own security plan in place. No one has your best interest at heart more than you do.)
Why Should I Care About My POS System’s Security?
As I hope I’ve just made abundantly clear, one of the most important features of your POS system is its security. In fact, Verizon released a data breach investigations report in 2014 stating: “75 percent of data security incidents in the food services industry happen at the Point of Sale [system].” Yikes! The retail side of the industry isn’t faring any better. A recent data security report from Thales revealed: “More than 80% of retailers consider themselves vulnerable to data threats, and 37% said they are ‘very’ or ‘extremely’ vulnerable.”
As I mentioned earlier, we’ve seen prominent businesses in the news over the last several years for major hacks. For those who may have missed these headlines, let’s take a quick stroll down memory lane, shall we? One of the worst POS data breaches the world has seen came to light in 2007, when retail chain TJX (parent of T.J. Maxx) disclosed that attackers had been inside its systems since 2005 after exploiting the outdated WEP encryption on its store wireless networks. Hackers accessed the company’s POS systems and stole the credit and debit card information of at least 45.7 million people, with transaction records going back to 2003. You read correctly. That’s at least 45.7 million people. And who could forget 2013, the year Target’s POS system was infiltrated by hackers who first stole the network credentials of Target’s HVAC contractor and then pivoted from the vendor-facing systems into the internal network that reached the registers. That mistake exposed roughly 41 million customer payment card accounts. In May 2017, Target agreed to pay $18.5 million to settle claims made by 47 states and the District of Columbia. Maybe arts and crafts retailer Michaels’ 2014 POS data breach rings a bell? Ah, memories!
It can be easy to think these hacks only affect large, soulless corporations, but that is a major misconception. It is estimated that roughly 43 percent of cyber attacks are directed at small businesses. Even more alarming? Within six months of a data breach, 60 percent of these same small businesses go out of business. Those numbers aren’t leaving me with any warm fuzzy feelings.
As you can clearly see, even simple mistakes can have huge consequences. The backlash from these attacks is swift and can have major lasting effects. Here are just a few examples of what you may face after your system is breached:
- The reputation of your business takes a hard hit.
- Consumer confidence/trust is impacted and as a result, your revenue is affected.
- You remain liable even if the breach came through a third-party POS system.
- If hackers are able to access proprietary information, it can cost you your competitive advantage.
- You could face regulatory fines under data-protection laws, and fines passed down from the card brands through your acquiring bank if you were not PCI DSS compliant at the time of the breach.
- You will also face a lot of unexpected expenses (legal fees, software updates, customer reimbursement, and damage control, for example).
As many experts in the industry say, the full costs and effects these major data breaches have on companies are hard to quantify, but the damage is lasting.
Security Features To Look For In A POS System
Finding the right POS system to fit the needs of your particular operation is an overwhelming task. This is where searching for the best security system can actually help you narrow down your choices. You need to weed out undesirable options by first evaluating who offers the most comprehensive security measures. As I mentioned before, when you choose to pair yourself with a third-party vendor, you are allowing another company’s security protocols to affect your business. The Ponemon Institute has found that “65% of companies that reported sharing customer data with a partner also reported a subsequent breach through that partner.” I’m not a gambler, but I don’t like those odds. This does not mean that every third-party vendor is destined to be your demise. However, it is in your best interest to do some research before you sign any dotted lines.
- Is there a regular update and patch cycle, and how do updates reach your terminals?
- Does the POS vendor focus on PCI DSS compliance, and can it show you current documentation of that compliance?
- Does the POS vendor respond quickly to security threats and patch them? Does it appear that they have done so in the past?
- Does the vendor supply, or is its software compatible with, “semi-integrated” terminals, where card data travels directly from the payment terminal to the processor and never passes through the POS software itself?
- Does the vendor encrypt card data in transit and at rest? Is its own website served over HTTPS? (That is only a first sanity check, not proof of anything, but a vendor that cannot get its own site right is not a good sign.)
- If it is a locally installed system, is the software installed and maintained by professionals, and are vendor default passwords changed at installation?
Just because your third-party POS system has a security system doesn’t mean you are no longer responsible for the safety of your consumer data. According to Your Liability in Third Party Data Breaches:
While such third party data processing service providers have an obligation to keep your data safe, this does not relieve your firm of your data security responsibilities. You have to make sure your data is stored, processed and transmitted securely, even when in the hands of others.
Create A Security Routine And Stick To It
POS systems are the lifeblood of the retail and foodservice industry, and I don’t see that changing anytime in the near or distant future. Once you understand that these integral pieces of technology are highly profitable targets for hackers (who seem to view security updates as challenges), you will realize that cybersecurity is a constantly changing issue. It will never go away. Setting up your security system, crossing your fingers, and walking away simply isn’t going to cut it.
You need to start thinking of your security system as an organic object that needs to be tended to regularly. Don’t worry, you don’t need to be a neurotic helicopter parent, but it is important to set up a consistent routine to ensure that your security system is up to date and prepared for an attack at all times.
Chuck Rubin, the chief executive of Michaels arts and crafts stores, puts it quite nicely:
In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance.
So what can you do? Start by sitting down and setting up a security plan. Once again, Guagenti has some great advice:
- Check and run PCI scans quarterly. Some vendors offer internal scan tools that you can also run.
- Have your IT personnel check your router and firewall configuration quarterly.
- Verify that your devices are updated, and turn on auto-update when possible. If you must turn off auto-update, ensure you check for updates manually once per month, or when news of security patches surface. Have your IT personnel justify why auto-updates are turned off if they must be disabled.
- If your locally-installed system has a management interface, don’t open it up to the outside world. Period. Only open up ports that are required for your system to operate, and set up IP restrictions. If you have to access your locally-installed system remotely, work on setting up a secure VPN. Also, note that a VPN should only operate within a network that does not handle credit card data.
- Have a process. While not all business owners have to have a process as thorough as say, a payment processor, having a written down process for security makes sure that someone or a group of people are always tasked with security.
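To make the “only open required ports, restrict by IP, never expose the management interface” items concrete, here is an added example that is not code from the original article, from Guagenti, or from any POS vendor. It parses the output of `ss -ltn` on a Linux POS server, flags every listener that other hosts could reach and that is not on an explicit allowlist, and generates default-deny iptables rules so the allowed ports (above all the management interface) answer only to the networks that need them. The allowlist, the VLAN ranges, the port numbers and the `ss` output are all assumptions constructed for this example.

```python
"""Listening-port audit for a locally installed POS host (added example)."""
import ipaddress
import re

# Assumed policy for a hypothetical POS server: each allowed TCP port maps to
# the source networks that may reach it. Anything not listed is a finding.
ALLOWED_PORTS = {
    22:   ["10.10.99.0/24"],   # SSH, IT management VLAN only (assumed range)
    8443: ["10.10.99.0/24"],   # POS management web interface, management VLAN only
    9000: ["10.10.20.0/24"],   # hypothetical register-to-server port, register VLAN only
    5432: ["127.0.0.1/32"],    # database, must never be reachable off the host
}

# Constructed `ss -ltn` output. 5900 (VNC) and 3389 (RDP) are the kind of
# remote-access services that get left open "just for the vendor".
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8443         0.0.0.0:*
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:9000         0.0.0.0:*
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*
LISTEN  0       128     [::]:3389            [::]:*
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_listeners(ss_output):
    """Return (port, bind_address) tuples from `ss -ltn` text; IPv6 brackets are stripped."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group(1).rpartition(":")
        listeners.append((int(port), addr.strip("[]")))
    return listeners


def is_local_only(bind_address):
    """True when the socket is bound to loopback and cannot be reached remotely."""
    if bind_address == "*":
        return False
    return ipaddress.ip_address(bind_address).is_loopback


def _loopback_only(cidrs):
    return all(ipaddress.ip_network(c).is_loopback for c in cidrs)


def audit(listeners, allowed=ALLOWED_PORTS):
    """Classify every listener.

    "violations": reachable from the network but not allowed (or allowed only
                  from loopback yet bound to all interfaces);
    "restrict":   allowed ports bound to all interfaces, which therefore rely
                  on the host firewall to limit who can reach them;
    "local":      loopback-only listeners, reachable from the host itself only.
    """
    result = {"violations": [], "restrict": [], "local": []}
    for port, addr in listeners:
        if is_local_only(addr):
            result["local"].append(port)
        elif port not in allowed or _loopback_only(allowed[port]):
            result["violations"].append(port)
        else:
            result["restrict"].append(port)
    return result


def firewall_rules(allowed=ALLOWED_PORTS, management_port=8443):
    """Generate default-deny iptables rules that enforce the allowlist.

    Loopback-only entries get no INPUT rule beyond the generic loopback accept,
    so a service that is later rebound to 0.0.0.0 still stays unreachable.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(allowed):
        for cidr in allowed[port]:
            if ipaddress.ip_network(cidr).is_loopback:
                continue
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
    # Log anything that reaches the management port from elsewhere before the
    # DROP policy discards it, so the attempt shows up in the quarterly review.
    rules.append(f"iptables -A INPUT -p tcp --dport {management_port} -j LOG --log-prefix 'POS-MGMT-DENY: '")
    return rules


if __name__ == "__main__":
    findings = audit(parse_listeners(SAMPLE_SS_OUTPUT))
    for port in findings["violations"]:
        print(f"FINDING: port {port} listens on all interfaces and is not on the allowlist")
    for port in findings["restrict"]:
        print(f"CHECK: port {port} is allowed, but only from its listed source networks")
    print("\n".join(firewall_rules()))
```

On a real host, feed the script the live output of `ss -ltn` instead of the sample, and treat every “FINDING” as something to shut down or justify in writing. Apply the generated rules from the console rather than over SSH (the `DROP` policy is set first and will cut off a remote session until the accept for port 22 is in place), persist them with `iptables-save`, and re-run the audit as part of the quarterly router and firewall check described above.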
Some points of my own to add:
- Be your own advocate! Don’t blindly trust that a third-party provider has your back. You wouldn’t just hop into a car with the first stranger who offered you something shiny. Even our mothers taught us better than that!
- Know who is handling your data. Familiarize yourself with the third-parties involved in handling your business information and examine their security standards.
- Make sure you understand the regulations and laws in your country regarding what you are liable for in the event of an attack.
- Hire a security company to perform audits on third-party vendors.
- Strongly consider taking out Cyber Liability Insurance. While this won’t protect you from every aspect of a breach, you won’t be left high and dry on your own in the event of an attack.
It’s pretty typical in our culture for us to hit the “Remind Me Later” button when updates pop up on our devices. While procrastinating on these updates in our personal lives may not result in a catastrophic data breach, doing so in the business world is wholly irresponsible. Verizon’s 2017 Data Breach Investigations Report opens with this statement: “If you haven’t suffered a data breach you’ve either been incredibly well prepared, or very, very lucky.”
No one is in control of whether their company is chosen for an attack. It is, however, in everyone’s best interest to make themselves an undesirable target by having a strong defense system and preparing themselves for the worst. I sincerely hope this article has given you a reason to re-evaluate your current POS security methods and to ask yourself: Just how “incredibly well prepared” am I?