As data security continues to evolve, so does criminal behavior. Hackers are looking for different vulnerabilities in systems in order to attack them where they’re weakest. In light of the recent #WannaCry ransomware cyberattack, we’ve put together this quick guide on how to safeguard your point of sale system from any potential data thieves.

Let’s first start with making sure you’re PCI compliant.

What is PCI compliance?

PCI compliance stands for Payment Card Industry compliant. It is the standard protection requirements used by major card brands like Visa, MasterCard, American Express, and Discover. According to Merchant Maverick, there are twelve different requirements:

  1. The installation and maintenance of a firewall.
  2. Non-use of vendor-supplied defaults for system passwords and other security parameters.
  3. Protection of stored cardholder data.
  4. Encrypted transmission of cardholder data across open and public networks.
  5. The use of regularly updated anti-virus software on all systems commonly affected by malware.
  6. Development and maintenance of secure systems and applications.
  7. Restriction of access to cardholder data.
  8. Assignment of a unique ID to each person with computer access.
  9. Restriction of physical access to cardholder data.
  10. Appropriate management of all access to network resources and cardholder data.
  11. Regular tests of security systems and processes.
  12. Maintenance of a policy that addresses information security.

Though it’s not necessary to be PCI compliant, it’s a good step to take to ensure the safety of your and your customer’s data. If you’d like to learn how to become PCI compliant, let us know and we can help you out.

Where do the vulnerabilities in POS systems lie?

There are three areas where data is most vulnerable to a cyber attack: data in memory, in transit, and at rest.

Data in memory refers to data brought into your POS system using a point of interaction device such as a pin pad.

Data in transit refers to data transferring between all the networks it takes to process a credit card.

Data at rest refers to any data stored in your POS system.

How do I protect myself from these vulnerabilities?

Data In Memory

Data in memory will be the most difficult to protect if a hacker has already gained access to your POS system. According to Merchant Maverick, the best way to secure data in your system’s memory is to encrypt it through point-to-point encryption (P2PE), sometimes referred to as tokenization.

What is the difference between P2PE and tokenization?

Through P2PE, data is encrypted when a card is swiped, dipped, or retrieved via a NFC contactless payment method and then encrypted information is sent to the bank and merchant services company. This method leaves the information useless to thieves who might try and steal it.

Tokenization is an additional way to protect customer data while gaining authorization for charges. Similar to how contactless payments (NFC, Apple Pay) work, the customer’s information is secured in a virtual vault and the data is substituted with a unique code that is used one time for that transaction only. This is called a “token”.  If the token is stolen or compromised by hackers, they can do nothing with it because the code will mean nothing to the hacker.

Data In Transit

For data in transit, the best solution is to encrypt it using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

What is a Secure Socket Layer?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. (Source)

What is Transport Layer Security?

Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging and voice over IP.

Data At Rest

The best way to protect data at rest is to NOT store it in your POS system. If you need to store cardholder data, make sure you’re set up with P2PE.

What are possible methods of attack I should look out for?

Here’s a list of common attack methods:

  • Skimming: An electronic method of capturing a victim’s personal information by using a small device that scans a credit card and stores the information contained in the magnetic stripe. You have probably most often heard of this type of crime at ATM machines.
  • Supply chain integrity: When you purchase software for use as a POS, vulnerabilities can then be exploited by attackers.
  • Memory scraping: This occurs when an attacker inserts malware into a POS system, collects data, and then withdraws it.
  • Forcing offline authorization: An attacker can force your POS system offline causing you to authenticate transactions locally. When this occurs, data is more vulnerable.
  • Sniffing: Taking network traffic and analyzing it for cardholder data.
  • Crimeware kit usage: Attacker purchase illegal crimeware kits designed to allow easy access to a systems data.

What else can I do to protect my business?

Though PCI compliance is a great first step, there are many additional steps you can take to make sure your business is safeguarded from potential attacks. Here’s a list of action steps you can take from the SANS institute:

  • Strong password use that does not involve vendor default passwords.
  • Ingress and Egress firewalls.
  • Restrict POS system access to the internet.
  • Strict network segmentation to limit access of entire network as much as possible.
  • Two-factor authentication.
  • True hardware P2P encryption for all sensitive data.
  • Application whitelisting which restricts the application software that can be used to only the software approved by you.
  • File integrity monitoring.
  • Actively monitoring the environment via use of automated tools and anti-malware software.
  • Ensure card holder data is deleted.

For more security tips & tricks, check out our “Risky Business” series by our Senior Security Engineer, Mick Grove. If you’re a small business owner and want more information on how to safeguard your POS or looking to switch processors, sign up with us today!

[gravityform id="37" title="false" description="false" ajax="true"]
<div class='gf_browser_unknown gform_wrapper' id='gform_wrapper_37' ><div id='gf_37' class='gform_anchor' tabindex='-1'></div><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_37' id='gform_37' action='/blog/protect-point-sale-system/#gf_37'> <div class='gform_body'><ul id='gform_fields_37' class='gform_fields top_label form_sublabel_below description_below'><li id='field_37_1' class='gfield gf_left_half gfield_contains_required field_sublabel_below field_description_below hidden_label gfield_visibility_visible' ><label class='gfield_label' for='input_37_1' >First Name<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_1' id='input_37_1' type='text' value='' class='medium' placeholder='First Name*' aria-required="true" aria-invalid="false" /></div></li><li id='field_37_2' class='gfield gf_right_half gfield_contains_required field_sublabel_below field_description_below hidden_label gfield_visibility_visible' ><label class='gfield_label' for='input_37_2' >Last Name<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_2' id='input_37_2' type='text' value='' class='medium' placeholder='Last Name*' aria-required="true" aria-invalid="false" /></div></li><li id='field_37_3' class='gfield gfield_contains_required field_sublabel_below field_description_below hidden_label gfield_visibility_visible' ><label class='gfield_label' for='input_37_3' >Email<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_email'> <input name='input_3' id='input_37_3' type='email' value='' class='medium' placeholder='Email*' aria-required="true" aria-invalid="false" /> </div></li><li id='field_37_9' class='gfield field_sublabel_below field_description_below hidden_label gfield_visibility_visible' ><label class='gfield_label' for='input_37_9' >Phone</label><div class='ginput_container ginput_container_phone'><input name='input_9' id='input_37_9' type='tel' value='' class='medium' placeholder='Phone Number' aria-invalid="false" /></div></li><li id='field_37_4' class='gfield gfield_contains_required field_sublabel_below field_description_below hidden_label gfield_visibility_visible' ><label class='gfield_label' for='input_37_4' >Business Name<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_4' id='input_37_4' type='text' value='' class='medium' placeholder='Business Name*' aria-required="true" aria-invalid="false" /></div></li><li id='field_37_7' class='gfield gform_hidden field_sublabel_below field_description_below gfield_visibility_visible' ><input name='input_7' id='input_37_7' type='hidden' class='gform_hidden' aria-invalid="false" value='Gravity Website' /></li><li id='field_37_8' class='gfield gform_hidden field_sublabel_below field_description_below gfield_visibility_visible' ><input name='input_8' id='input_37_8' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></li><li id='field_37_13' class='gfield gform_hidden field_sublabel_below field_description_below gfield_visibility_visible' ><input name='input_13' id='input_37_13' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></li><li id='field_37_12' class='gfield gform_hidden field_sublabel_below field_description_below gfield_visibility_visible' ><input name='input_12' id='input_37_12' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></li><li id='field_37_11' class='gfield gform_hidden field_sublabel_below field_description_below gfield_visibility_visible' ><input name='input_11' id='input_37_11' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></li><li id='field_37_10' class='gfield gform_hidden field_sublabel_below field_description_below gfield_visibility_visible' ><input name='input_10' id='input_37_10' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></li><li id='field_37_14' class='gfield mixpanel-id field_sublabel_below field_description_below gfield_visibility_hidden' ><label class='gfield_label' for='input_37_14' >Mixpanel ID</label><div class='ginput_container ginput_container_text'><input name='input_14' id='input_37_14' type='text' value='' class='medium' aria-invalid="false" /></div></li><li id='field_37_15' class='gfield gf-post-slug field_sublabel_below field_description_below gfield_visibility_hidden' ><label class='gfield_label' for='input_37_15' >Post Slug (js)</label><div class='ginput_container ginput_container_text'><input name='input_15' id='input_37_15' type='text' value='' class='medium' aria-invalid="false" /></div></li> </ul></div> <div class='gform_footer top_label'> <input type='submit' id='gform_submit_button_37' class='gform_button button' value='Submit' onclick='if(window["gf_submitting_37"]){return false;} if( !jQuery("#gform_37")[0].checkValidity || jQuery("#gform_37")[0].checkValidity()){window["gf_submitting_37"]=true;} ' onkeypress='if( event.keyCode == 13 ){ if(window["gf_submitting_37"]){return false;} if( !jQuery("#gform_37")[0].checkValidity || jQuery("#gform_37")[0].checkValidity()){window["gf_submitting_37"]=true;} jQuery("#gform_37").trigger("submit",[true]); }' /> <input type='hidden' name='gform_ajax' value='form_id=37&amp;title=&amp;description=&amp;tabindex=0' /> <input type='hidden' class='gform_hidden' name='is_submit_37' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='37' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_37' value='WyJbXSIsIjFkZWJiYTQzOTc0NWE5NmY1ODc3NTgwMWVlMTJhNGM1Il0=' /> <input type='hidden' class='gform_hidden' name='gform_target_page_number_37' id='gform_target_page_number_37' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_37' id='gform_source_page_number_37' value='1' /> <input type='hidden' name='gform_field_values' value='' /> </div> </form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_37' id='gform_ajax_frame_37' title='This iframe contains the logic required to handle Ajax powered Gravity Forms.'></iframe> <script type='text/javascript'>jQuery(document).ready(function($){gformInitSpinner( 37, '' );jQuery('#gform_ajax_frame_37').on('load',function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_37');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_37').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! is_confirmation;var mt = parseInt(jQuery('html').css('margin-top'), 10) + parseInt(jQuery('body').css('margin-top'), 10) + 100;if(is_form){jQuery('#gform_wrapper_37').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_37').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_37').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_37').offset().top - mt); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_37').val();gformInitSpinner( 37, '' );jQuery(document).trigger('gform_page_loaded', [37, current_page]);window['gf_submitting_37'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_37').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_37').offset().top - mt);jQuery(document).trigger('gform_confirmation_loaded', [37]);window['gf_submitting_37'] = false;}, 50);}else{jQuery('#gform_37').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [37, current_page]);} );} );</script><script type='text/javascript'> jQuery(document).bind('gform_post_render', function(event, formId, currentPage){if(formId == 37) {if(typeof Placeholders != 'undefined'){ Placeholders.enable(); }jQuery('#input_37_9').mask('(999) 999-9999').bind('keypress', function(e){if(e.which == 13){jQuery(this).blur();} } );} } );jQuery(document).bind('gform_post_conditional_logic', function(event, formId, fields, isInit){} );</script><script type='text/javascript'> jQuery(document).ready(function(){jQuery(document).trigger('gform_post_render', [37, 1]) } ); </script>