As data security continues to evolve, so does criminal behavior. Hackers are looking for different vulnerabilities in systems in order to attack them where they’re weakest. In light of the recent #WannaCry ransomware cyberattack, we’ve put together this quick guide on how to safeguard your point of sale system from any potential data thieves.
Let’s first start with making sure you’re PCI compliant.
What is PCI compliance?
PCI compliance stands for Payment Card Industry compliant. It is the standard protection requirements used by major card brands like Visa, MasterCard, American Express, and Discover. According to Merchant Maverick, there are twelve different requirements:
- The installation and maintenance of a firewall.
- Non-use of vendor-supplied defaults for system passwords and other security parameters.
- Protection of stored cardholder data.
- Encrypted transmission of cardholder data across open and public networks.
- The use of regularly updated anti-virus software on all systems commonly affected by malware.
- Development and maintenance of secure systems and applications.
- Restriction of access to cardholder data.
- Assignment of a unique ID to each person with computer access.
- Restriction of physical access to cardholder data.
- Appropriate management of all access to network resources and cardholder data.
- Regular tests of security systems and processes.
- Maintenance of a policy that addresses information security.
Though it’s not necessary to be PCI compliant, it’s a good step to take to ensure the safety of your and your customer’s data. If you’d like to learn how to become PCI compliant, let us know and we can help you out.
Where do the vulnerabilities in POS systems lie?
There are three areas where data is most vulnerable to a cyber attack: data in memory, in transit, and at rest.
Data in memory refers to data brought into your POS system using a point of interaction device such as a pin pad.
Data in transit refers to data transferring between all the networks it takes to process a credit card.
Data at rest refers to any data stored in your POS system.
How do I protect myself from these vulnerabilities?
Data In Memory
Data in memory will be the most difficult to protect if a hacker has already gained access to your POS system. According to Merchant Maverick, the best way to secure data in your system’s memory is to encrypt it through point-to-point encryption (P2PE), sometimes referred to as tokenization.
What is the difference between P2PE and tokenization?
Through P2PE, data is encrypted when a card is swiped, dipped, or retrieved via a NFC contactless payment method and then encrypted information is sent to the bank and merchant services company. This method leaves the information useless to thieves who might try and steal it.
Tokenization is an additional way to protect customer data while gaining authorization for charges. Similar to how contactless payments (NFC, Apple Pay) work, the customer’s information is secured in a virtual vault and the data is substituted with a unique code that is used one time for that transaction only. This is called a “token”. If the token is stolen or compromised by hackers, they can do nothing with it because the code will mean nothing to the hacker.
Data In Transit
For data in transit, the best solution is to encrypt it using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
What is a Secure Socket Layer?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. (Source)
What is Transport Layer Security?
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, instant messaging and voice over IP.
Data At Rest
The best way to protect data at rest is to NOT store it in your POS system. If you need to store cardholder data, make sure you’re set up with P2PE.
What are possible methods of attack I should look out for?
Here’s a list of common attack methods:
- Skimming: An electronic method of capturing a victim’s personal information by using a small device that scans a credit card and stores the information contained in the magnetic stripe. You have probably most often heard of this type of crime at ATM machines.
- Supply chain integrity: When you purchase software for use as a POS, vulnerabilities can then be exploited by attackers.
- Memory scraping: This occurs when an attacker inserts malware into a POS system, collects data, and then withdraws it.
- Forcing offline authorization: An attacker can force your POS system offline causing you to authenticate transactions locally. When this occurs, data is more vulnerable.
- Sniffing: Taking network traffic and analyzing it for cardholder data.
- Crimeware kit usage: Attacker purchase illegal crimeware kits designed to allow easy access to a systems data.
What else can I do to protect my business?
Though PCI compliance is a great first step, there are many additional steps you can take to make sure your business is safeguarded from potential attacks. Here’s a list of action steps you can take from the SANS institute:
- Strong password use that does not involve vendor default passwords.
- Ingress and Egress firewalls.
- Restrict POS system access to the internet.
- Strict network segmentation to limit access of entire network as much as possible.
- Two-factor authentication.
- True hardware P2P encryption for all sensitive data.
- Application whitelisting which restricts the application software that can be used to only the software approved by you.
- File integrity monitoring.
- Actively monitoring the environment via use of automated tools and anti-malware software.
- Ensure card holder data is deleted.
For more security tips & tricks, check out our “Risky Business” series by our Senior Security Engineer, Mick Grove. If you’re a small business owner and want more information on how to safeguard your POS or looking to switch processors, sign up with us today!