POS 101: Security
Criminal behavior is constantly changing in response to the methods designed to prevent it. Given technological advances, successfully robbing a bank is much more difficult than it used to be. And this holds true for any form of theft that requires the offender to be physically present.
The advent and proliferation of the internet, however, has presented new electronic security challenges for merchants. Crimes involving breaches in point of sale security are an unavoidable aspect of the modern retail and restaurant industries. Combine lucrative pay-offs with a low chance of being caught, and it is unlikely that data breaches will stop anytime soon. But, there are ways to best protect your business from POS security failure. This article describes common POS data attacks and what you can do about them.
Payment Card Industry Data Security Standard (PCI DSS)
First, I’ll begin by discussing the standard known as PCI DSS (or often just PCI). PCI DSS is the standard of protection used by Visa, Mastercard, American Express, Discover, and JCB. In order to be PCI compliant, the following twelve requirements must be met:
- The installation and maintenance of a firewall
- Non-use of vendor-supplied defaults for system passwords and other security parameters
- Protection of stored cardholder data
- Encrypted transmission of cardholder data across open, public networks
- The use of regularly updated anti-virus software on all systems commonly affected by malware
- Development and maintenance of secure systems and applications
- Restriction of access to cardholder data
- Assignment of a unique ID to each person with computer access
- Restriction of physical access to cardholder data
- Appropriate management of all access to network resources and cardholder data
- Regular tests of security systems and processes
- Maintenance of a policy that addresses information security
Where Vulnerabilities Lie
Even when a system is PCI compliant (meaning all twelve requirements have been met) data can still be vulnerable to attacks. The data in your point of sale system is essentially vulnerable on three fronts: data in memory, data in transit, and data at rest.
Data in memory refers to data that is brought into the POS system through a point of interaction (POI) device, such as a PIN pad.
Criminals can also attack data while it is traveling, or in transit, between the networks that process card data.
Lastly, criminals can attack data that is stored within your POS system, in other words data at rest. This does not include data held in primary storage such as system memory or cache.
How To Best Address These Vulnerabilities
Data that is in memory is very difficult to secure if an attacker has already gained access to your POS system. The best way to secure data that is in your system’s memory is to encrypt it for as long as possible while it is in your system. Point to point encryption (P2PE) is the recommended solution here. P2PE requires that data is immediately encrypted once entered and only decrypted once within a secure data zone of the payment processor.
Data in transit is also vulnerable when it is not encrypted. Common solutions for securing data in transit are Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IPsec.
The best solution for securing data at rest may be the simplest answer of them all: don't store it. If you do need to store data within your POS system, P2PE is the best choice for securing it. Direct symmetric encryption is also an option, though P2PE is preferable.
Methods Of Attack
Attackers attempt to steal data from your POS system using various methods that I have described below. Note that while I have listed common attack methods, this list is not exhaustive in scope.
- Skimming. Skimming occurs when a would-be thief replaces your POS system's POI components with their own. This requires the attacker to physically swap your POI for their own.
- Supply chain integrity. When software is purchased by a company for use as a POS, vulnerabilities can exist within that software, and attackers can then exploit them.
- Memory scraping. Memory scraping is a highly effective attack technique. The attacker uses malware that inserts itself into the POS system, collects data, and then exfiltrates that data. Common malware families used by attackers include Alina, Dexter, vSkimmer, FYSNA, Decebel, and Black POS.
- Forcing offline authorization. If an attacker is able to force a POS system offline, payment card information then has to be authorized locally. When payment card information is authorized locally, it is more vulnerable to theft and an attacker can more easily steal it.
- Sniffing. Sniffing involves capturing network traffic and analyzing it for payment card data.
- Crimeware kit usage. Amateur attackers typically purchase illegal crimeware kits, which are designed to allow easy access to a system's data.
What You Can Do To Ensure You Are Protected
While PCI compliance adds a certain level of protection, there is more you can do to secure your POS system from data attacks. Recent data breaches have been successfully executed against many large corporations that were PCI compliant, demonstrating the need for additional layers of protection. The following is a list, recommended by the SANS Institute, of further defense measures you can take:
- Strong password use that does not involve vendor default passwords
- Ingress and Egress firewalls
- Restrict POS system access to the internet
- Strict network segmentation (limit access of entire network as much as possible)
- Two factor authentication
- True hardware P2P encryption for all sensitive data
- Application whitelisting (restricts the application software that can be used to only the software approved by you)
- File integrity monitoring
- Actively monitor the environment using automated tools and anti-malware software
- Ensure cardholder data is deleted (even if encrypted)
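File integrity monitoring, listed above, is the control that catches a memory scraper or other implant being dropped onto the POS host, or its configuration being altered. The following is an added example, not the article's or SANS's code: it builds a baseline of SHA-256 hashes for every file under a directory, compares a later snapshot against it, and reports added, removed and modified files. The `demo()` scenario constructs a throwaway directory standing in for a POS installation, so the whole thing runs offline; the directory layout, file names and function names are assumptions.

```python
"""Minimal file integrity monitor for a POS install directory.

Added example for the article above, not code from the article or SANS.
Baseline = {relative path: sha256}. Store the baseline off the POS host
(or at least read-only), otherwise an intruder who owns the box can
rewrite it along with the files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map POSIX-style relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake POS directory, then simulate a
    dropped file, a tampered config and a deleted log, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ fake POS binary (constructed)")
        (root / "config.ini").write_text("encrypt=true\n")
        (root / "logs").mkdir()
        (root / "logs" / "sales.log").write_text("2024-01-15 sale lane03\n")

        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")   # normally kept off-host

        # Simulated tampering after the baseline was taken.
        (root / "bin" / "unknown.dll").write_bytes(b"unexpected new file")
        (root / "config.ini").write_text("encrypt=false\n")
        (root / "logs" / "sales.log").unlink()

        current = build_baseline(root)
        current.pop("baseline.json", None)   # the baseline file is not itself monitored
        return compare(load_baseline(root / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production you would run `build_baseline` once on a known-good install, keep the JSON somewhere the POS host cannot write to, and schedule the comparison; any entry under "added" or "modified" inside the application or system directories is a candidate alert, and a change to a file like `config.ini` that turns encryption off deserves immediate attention. Hashing every file on each run is simple but slow on large trees; a real agent would track mtimes or use filesystem change notifications and hash only what changed.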
Conclusion
The standard in data security is PCI compliance. However, being PCI compliant may not be adequate as attackers adapt and evolve. POS systems are inherently vulnerable, and as long as they remain vulnerable there will be individuals who seek to exploit them. The suggested additional defense measures make it much more difficult for attackers to steal your customers' data. However, it is also important to evaluate your POS system's weaknesses based on its own unique vulnerabilities. Addressing your own weak points and ensuring that you have taken advantage of every available protection is the best way to secure your data from attack.