As data security continues to evolve, so does criminal behavior. Hackers are looking for different vulnerabilities in systems in order to attack them where they’re weakest.
In light of the many ransomware cyberattacks in recent years (such as the worldwide WannaCry attack), we’ve put together this quick guide on how to safeguard your point of sale system from any potential data thieves.
Let’s first make sure you’re PCI compliant.
What is PCI Compliance?
PCI compliance stands for Payment Card Industry compliance. It is the standard set of protection requirements used by major card brands like Visa, MasterCard, American Express, and Discover. There are twelve requirements to become PCI compliant:
- The installation and maintenance of a firewall.
- Non-use of vendor-supplied defaults for system passwords and other security parameters.
- Protection of stored cardholder data.
- Encrypted transmission of cardholder data across open and public networks.
- The use of regularly updated anti-virus software on all systems commonly affected by malware.
- Development and maintenance of secure systems and applications.
- Restriction of access to cardholder data.
- Assignment of a unique ID to each person with computer access.
- Restriction of physical access to cardholder data.
- Appropriate management of all access to network resources and cardholder data.
- Regular tests of security systems and processes.
- Maintenance of a policy that addresses information security.
Though PCI compliance is not required by law, it’s a highly recommended step to take to ensure the safety of your and your customer’s data. If you’d like to learn how to become PCI compliant, let us know and we can help you out.
Where Do the Vulnerabilities in POS Systems Lie?
There are three areas where data is most vulnerable to a cyber attack: data in memory, in transit, and at rest.
Data in memory refers to data brought into your POS system using a point of interaction device such as a pin pad.
Data in transit refers to data transferring between all the networks it takes to process a credit card.
Data at rest refers to any data stored in your POS system.
How do I Protect Myself from these Vulnerabilities?
Data In Memory
Data in memory will be the most difficult to protect if a hacker has already gained access to your POS system. The best way to secure data in your system’s memory is to encrypt it through point-to-point encryption (P2PE), sometimes referred to as tokenization.
What is the difference between P2PE and tokenization?
Through P2PE, data is encrypted when a card is swiped, dipped, or retrieved via a NFC contactless payment method and then encrypted information is sent to the bank and merchant services company. This method leaves the information useless to thieves who might try and steal it.
Tokenization is an additional way to protect customer data while gaining authorization for charges. Similar to how contactless payments (NFC, Apple Pay) work, the customer’s information is secured in a virtual vault and the data is substituted with a unique code that is used one time for that transaction only. This is called a “token”. If the token is stolen or compromised by hackers, they can do nothing with it because the code will mean nothing to the hacker.
Further Reading: Credit Card Encryption and Tokenization Explained.
Data In Transit
For data in transit, the best solution is to encrypt it using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
What is a Secure Socket Layer?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
What is Transport Layer Security?
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging and voice over IP.
Data At Rest
The best way to protect data at rest is to NOT store it in your POS system. If you need to store cardholder data, make sure you’re set up with P2PE.
What are Possible Methods of Attack I should Look Out For?
Here’s a list of common attack methods:
- Skimming: An electronic method of capturing a victim’s personal information by using a small device that scans a credit card and stores the information contained in the magnetic stripe. You have probably most often heard of this type of crime at ATM machines.
- Supply chain integrity: When you purchase software for use as a POS, vulnerabilities can then be exploited by attackers.
- Memory scraping: This occurs when an attacker inserts malware into a POS system, collects data, and then withdraws it.
- Forcing offline authorization: An attacker can force your POS system offline causing you to authenticate transactions locally. When this occurs, data is more vulnerable.
- Sniffing: Taking network traffic and analyzing it for cardholder data.
- Crimeware kit usage: Attackers purchase illegal crimeware kits designed to allow easy access to a system’s data.
- Phishing: Attackers deceive you into revealing sensitive information – such as your credit card information – for example, by impersonating a business you work with.
Further Reading: Safeguarding Your Business Against Phishing Threats.
What Else Can I Do to Protect My Business?
Though PCI compliance is a great first step, there are many additional steps you can take to make sure your business is safeguarded from potential attacks. Here’s a list of action steps you can take from the SANS institute:
- Use strong passwords and do not use your vendor’s default passwords.
- Ingress and Egress firewalls.
- Restrict POS system access to the internet.
- Strict network segmentation to limit access of the entire network as much as possible.
- Two-factor authentication.
- True hardware P2P encryption for all sensitive data.
- Application whitelisting which restricts the application software that can be used in your business to only the software you have approved.
- File integrity monitoring.
- Actively monitoring the environment via use of automated tools and anti-malware software.
- Ensure card holder data is deleted.
Process Payments Safely with Gravity
At Gravity, we provide a white glove setup and we ensure your business meets PCI compliance standards as part of our merchant services.
Our credit card terminals and POS systems are secure and support the latest technology such as encryption and tokenization – ensuring that the credit card payments you process are protected.
Don’t hesitate to contact us if you have any further questions about protecting sensitive payment information in your business.