The plug-and-play mindset is ruining Point-of-Sale (POS) security.
Just like many conveniences in life, we tend to have a very plug-and-play mentality when it comes to electronics and devices. In our minds, faster is better. The plug-and-play mindset is ruining Point-of-Sale (POS) security in the same way: from manufacturers to salesmen to installers, security gets sacrificed for convenience at every step.
When a new POS system is created, manufacturers and developers go through a delicate balancing act. The object is to get a product out as fast as possible, and every security feature they add is time during which competitors can beat them to the punch. The same is true of just about every industry.
POS manufacturers are great marketers. “This POS system is secure!” or “Guaranteed compliant!” are great ways to differentiate from the competition...but they aren’t necessarily true.
See also: SecurityMetrics PCI Guide
The faster a merchant can enjoy the benefits of a new POS system, the more money he makes. The less time he has to spend fiddling around with settings, the more he can spend making pizzas, or shining shoes, or developing software for his business.
Merchants are told by manufacturers, salesmen, and installers that the system is safe, so they plug it right into their environment without a second thought. But POS systems aren’t always properly configured right out of the box (default passwords and remote-access tools left enabled are common examples), and a misconfiguration like that is how devastating POS malware ends up on the POS device. Additionally, the POS device itself may be missing crucial patches.
Here are three important questions to consider before installing a point-of-sale system in your cardholder data environment: Is the POS system fully patched? Is the environment you’re plugging it into secure? And who is responsible for its security?
It doesn’t take long for a POS system to become ‘old.’ Here’s what I mean. Every second a released update isn’t installed, the system falls further from security and closer to non-compliance.
Chances are if you’re running an old POS system in your environment, it’s riddled with weaknesses. Maybe you missed a few security patches along the way. Or maybe it’s no longer supported by the manufacturer.
Even if you bought and installed a new POS system every week (a ridiculous notion, I know), your security wouldn’t be foolproof. Technology changes so rapidly that by the time you get the brand new system to your business, a new update may already be waiting to be installed.
That’s why updates are so important to maintaining point-of-sale security. I recommend going to the POS manufacturer’s website to check for the most recent patches and updates for your device…right after you read the rest of this post, of course.
If you dip a marshmallow in a pot of melted chocolate, what color is it when you pull it out? Brown. It’s unlikely any amount of licking will get it back to pure white.
Just like my marshmallow example, a squeaky-clean POS system can become immediately infected if placed in an insecure environment.
That’s why your payment processing environment must be regularly tested for vulnerabilities, both internally and externally. Not only should you scan your environment every quarter, but you should scan before and after ANY change is made, including installing a new POS system.
Some business owners, POS installers, and even IT experts think, “We have a quarterly test coming up in 2 months, let’s worry about scanning then.” Or, “We just ran a vulnerability scan yesterday, I’m sure our system is fine.”
Hackers search for the smallest of holes to squeeze through into a business environment, and new weaknesses are discovered constantly. Resolving the issues your vulnerability scan finds before you install any new technology will save you a lot of heartache in the long run, and may save you from a business-crippling data breach.
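The scan-before-and-after rule is easiest to enforce when the two scan results are compared mechanically rather than eyeballed. The script below is an added example (not SecurityMetrics’ own tooling): it assumes each scan has been exported or reduced to rows of host, port, service, issue and severity, diffs the post-install scan against the pre-install baseline to show what the change introduced, what it fixed and what was never remediated, and applies a go-live gate that fails on any finding rated high or above. The hosts (TEST-NET addresses) and findings are constructed sample data.

```python
"""Compare a vulnerability scan taken before a change with one taken after it.

Added example, not SecurityMetrics tooling. Assumes each scan has been
exported or reduced to rows of host, port, service, issue, severity; the
hosts (TEST-NET addresses) and findings below are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: the scan run before the new POS terminal was installed.
BASELINE_SCAN = """host,port,service,issue,severity
192.0.2.10,445,smb,SMBv1 enabled,high
192.0.2.10,3389,rdp,RDP reachable from the internet,high
192.0.2.20,443,https,TLS 1.0 supported,medium
"""

# Constructed sample: the scan run after installation. RDP was closed, but
# the new terminal (192.0.2.30) brought exposed VNC and Telnet with it.
POST_CHANGE_SCAN = """host,port,service,issue,severity
192.0.2.10,445,smb,SMBv1 enabled,high
192.0.2.20,443,https,TLS 1.0 supported,medium
192.0.2.30,5900,vnc,VNC without authentication,critical
192.0.2.30,23,telnet,Telnet service enabled,high
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    issue: str
    severity: str

    @property
    def key(self):
        # Identity of a finding for diffing: same host, port and issue.
        return (self.host, self.port, self.issue)


def _by_key(finding):
    return finding.key


def parse_scan(text):
    """Parse CSV scan rows into a dict keyed by (host, port, issue)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        f = Finding(row["host"], int(row["port"]), row["service"],
                    row["issue"], row["severity"].strip().lower())
        findings[f.key] = f
    return findings


def diff_scans(before, after):
    """Return (introduced, resolved, unresolved), each sorted by key."""
    introduced = [after[k] for k in after.keys() - before.keys()]
    resolved = [before[k] for k in before.keys() - after.keys()]
    unresolved = [after[k] for k in after.keys() & before.keys()]
    return (sorted(introduced, key=_by_key), sorted(resolved, key=_by_key),
            sorted(unresolved, key=_by_key))


def go_live_blockers(after, threshold="high"):
    """Findings in the post-change scan at or above the severity threshold.

    An empty list means the change passes the gate; anything else should be
    remediated (and rescanned) before the system takes live card data.
    """
    floor = SEVERITY_RANK[threshold]
    blockers = [f for f in after.values() if SEVERITY_RANK[f.severity] >= floor]
    return sorted(blockers, key=_by_key)


def report(before_text, after_text):
    """Human-readable summary of the diff plus the go-live verdict."""
    before, after = parse_scan(before_text), parse_scan(after_text)
    introduced, resolved, unresolved = diff_scans(before, after)
    blockers = go_live_blockers(after)
    lines = []
    for label, group in (("Introduced by the change", introduced),
                         ("Resolved since baseline", resolved),
                         ("Still open from baseline", unresolved)):
        lines.append(f"{label}: {len(group)}")
        lines.extend(f"  {f.host}:{f.port} {f.service} - {f.issue} [{f.severity}]"
                     for f in group)
    verdict = "PASS" if not blockers else f"BLOCKED ({len(blockers)} findings at high or above)"
    lines.append(f"Go-live gate: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_SCAN, POST_CHANGE_SCAN))
```

The point of keeping three buckets is that each one answers a different question from the post: “still open from baseline” is the remediation you should have finished before the install, “introduced by the change” is what the new POS system itself brought in, and the gate refuses to go live on either. The severity threshold is an assumption of this example; pick whatever your own policy or your QSA requires.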
Many merchants believe security is being dealt with by someone else and that it is therefore not their problem. This is wrong. It is always the merchant’s responsibility to make sure a POS system is secure, fully patched, and devoid of known vulnerabilities. That means it’s also the merchant who pays for any breach that results from an insecure POS system.
No matter how pushy he is, don’t let your IT guy or POS installer talk you out of testing your systems before going live. Even if he’s someone you trust. Remember, you’re ultimately the one liable if something goes wrong.
If your IT guy balks at all the security precautions (testing, updating, vulnerability scanning, remediating vulnerabilities, etc.) remind him that you require rigorous testing of all systems prior to production, no matter the device or system.
Remember the story of the tortoise and the hare? Slow and steady wins the race. Stop racing to a breach and start walking to security.
See also: 7 Hearty Tips to Avoid Costly Data Breaches
If you need help with POS configuration, vulnerability scanning, or installing security patches, please ask. Contact your POS vendor, PCI vendor, or your QSA, who will be happy to help you secure not only your POS environment, but the rest of your systems as well.