What Is a POS System?
Retailers use point-of-sale systems to process sale and credit card transactions. A typical POS System consists of three primary components:
- POS Terminal. A POS terminal is a computer. It acts as the functional equivalent of a traditional cash register. In many restaurants, a POS terminal consists of a touch screen computer with a built-in card reader. The POS terminal links via a cable or wireless connection to the…
- POS Server. A POS server is—as the name implies—a server. Think of it as the “hub” of the POS system, with the various POS terminals acting as the “spokes.” The POS server collects data (including customer credit card data) from the various POS terminals, and then relays that data to an authenticating source (i.e., a bank or credit card processor) using an Internet connection.
- POS Operating System. “Operating system” is used loosely here to mean the POS software: the application that runs on each terminal and on the server, on top of an ordinary computer operating system. If the POS terminals are the spokes and the POS server the hub, then the POS software is the brain. It tells the POS terminals and POS server how to operate, and both it and the underlying operating system must be kept patched.
Collectively, these components form a POS Network. Credit card data flows through the POS Network, from POS Terminal to POS Server to authenticating source (bank or credit card processor). Data security vulnerabilities exist at every stage of this process.
Why Are POS Systems So Vulnerable?
It comes down to resources. Everyone from large retailers to small- and medium-sized businesses (like “mom and pop” restaurants) uses POS systems to process credit card transactions. Unlike large retailers, however, most small- and medium-sized businesses lack full-time, dedicated IT staff sophisticated in properly configuring POS systems to prevent data security breaches. As one observer noted, “[t]hese stores do not have local IT support and [generally] have such limited IT resources that they depend on third-party contractors to perform hands-on IT activities as needed. This results in an environment that is not well suited to downloading and installing patches for core operating systems, critical applications, or anti-malware.” That’s a fancy way of saying that many small- and medium-sized businesses lack the resources and know-how to implement common data security measures. (McAfee, Security and PCI Compliance for Retail Point-of-Sale Systems, available at http://www.mcafee.com/us/resources/solution-briefs/sb-security-pci-compliance-retail-pos.pdf.)
Additionally, many small- and medium-sized businesses use older, or “legacy” POS systems. The reason is simple: they often cost less. A 2008 study showed that more than half of small- and medium-sized businesses used “legacy” POS systems which were not PCI-compliant. (Aberdeen Group, Upgrading POS Systems in Small to Mid-Size Retail: Strategies for Success, available at http://skurlas.files.wordpress.com/2012/03/aberdeen-200806-1.pdf.)
There are two primary problems with legacy POS systems. First, legacy POS systems may improperly store customer credit card data. Improper storage of customer credit card data is a problem that plagued POS systems over the last decade, leading to several highly publicized and massive data security breaches. While it is often convenient for retailers to store customer credit card data for a period of time (in order, for example, to process customer returns), doing so means that the POS system constitutes a treasure trove of customer financial data for the would-be thief or hacker.
Second, legacy POS systems usually are not technologically adapted to keep up with sophisticated, modern-day hackers. As one observer noted, “[i]n light of aging legacy systems and major gaps in security strategy, it’s likely that retailers’ defensive walls look a bit like Swiss cheese. And if those outdated and inadequate security systems have a tough time nabbing common malware, they are sure to come up short when attempting to block . . . advanced threats.”
Even newer POS systems, however, frequently come with certain built-in vulnerabilities. These newer POS systems often come installed with remote access management products that allow POS providers to perform maintenance and troubleshooting remotely. This saves money, but as Visa has observed, “[r]emote management products come with an inherent level of risk that may create a virtual ‘back door’ and therefore must be installed in a manner that complies with PCI DSS.” (Visa, Top Three POS Vulnerabilities Identified to Promote Data Security Awareness, available at http://usa.visa.com/download/merchants/top_three_pos_system_vulnerabilities_112106.pdf.)
What Are Common Threats to POS Systems?
When conceptualizing threats to POS systems, it is best think of them as coming from two potential sources: Physical Threats and Cyber Threats.
A. Physical Threats.
Physical Threats are those which arise from unauthorized physical access to POS Terminals and POS Servers. A criminal with physical access to POS Terminals and POS Servers could literally steal those network components. If POS Terminals or POS Servers store customer credit card data, then the criminal might be able to access that information and use it to make fraudulent charges. Alternatively, a disgruntled employee with physical access to POS Terminals and POS Servers could download customer credit card data or expose network components (whether intentionally or unintentionally) to Malware. Malware—which is short for “malicious software”—is frequently used to send customer credit card data to an unauthorized domain, where criminals collect the data and either sell it or use it to make unauthorized purchases.
These Physical Threats are the reason the PCI-DSS rules emphasize physical security of network components. For example,
- PCI-DSS Requirement 7 requires merchants to “[l]imit access to system components and cardholder data to only those individuals whose jobs require such access”;
- PCI-DSS Requirement 8 requires merchants to “[a]ssign all [network] users a unique ID before allowing them to access system components or cardholder data”;
- PCI-DSS Requirement 9 requires merchants to “[u]se appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment”; and
- PCI-DSS Requirement 12 requires merchants to “[m]aintain a policy that addresses information security for all personnel.”
The purpose of these PCI-DSS Requirements is to limit physical access to POS Network components to only authorized personnel, whose network activities can be clearly tracked and monitored. These PCI-DSS Requirements seek to avoid the following all-too-common nightmare scenario:
A restaurateur uses a back-of-the-house computer as the restaurant’s POS Server. The restaurateur does not restrict physical access to this back-of-the-house computer. In fact, he lets staff use the computer during slow periods throughout the day and evening to check their email and Facebook accounts. One day, a bartender unwittingly opens an email attachment that contains a computer virus. The attachment infects the back-of-the-house computer with a form of malware that sends customer credit card data to an unauthorized domain. Had the restaurateur restricted physical access to the POS Server, this data security breach may have been avoided. The scenario also illustrates a second rule: a machine that handles card data should do nothing else, because email and web browsing are exactly how the attachment reached it.
B. Network Vulnerabilities.
Network Vulnerabilities invite or permit unauthorized intrusion into your POS Network environment. When you see the term Network Vulnerability, you should think “hacker.” A hacker is a cyber-criminal—someone who lacks physical access to your POS Terminals and POS Servers, but who nevertheless is able to “hack” into your POS Network, usually by exploiting an insecure remote desktop application or an insecure wireless connection.
Much has been written about POS Network Vulnerabilities, most of which will be indecipherable except to the most tech-savvy POS users. Much of the risk of using a POS System can, however, be mitigated by understanding three core concepts:
- Remote Access Security;
- Password Security; and
- Network Security.
Remote Access Security. Gaining remote access to a POS System typically requires a password. Too often, however, POS Vendors use default passwords common to all merchants who use their POS Systems. Hackers frequently learn these default passwords and share them with fellow hackers in Internet chat rooms; publicly accessible websites also maintain lists of thousands of default passwords, organized by vendor. Armed with such information, a hacker can use a default password to remotely access the POS Networks of every merchant who uses a particular POS System and has left the default in place.
Password Security. The problem associated with the use of default passwords is not limited to remote access management products. POS Terminals, POS Servers, modems, and routers typically come equipped with default passwords. Too often, system installers (be they merchants, POS Vendors, or IT professionals) fail to change these default passwords. Study after study shows that common passwords like “password” and “username” remain in frequent use.
The vulnerability associated with the use of default passwords is fairly obvious. Imagine setting up a Gmail, Facebook, Hotmail or PayPal account and using a well-known, easily guessed password like “password” or “username.” Would you feel that account was secure? Would you feel comfortable using that account for financial transactions? Probably not.
Network Security. A properly configured firewall and up-to-date antivirus software are the basic defenses for preventing and detecting unauthorized network intrusions. A properly configured firewall blocks unapproved outside access to your POS Network while allowing it to communicate with approved third parties, like your bank or credit card processor. It should also restrict outbound connections to those approved parties: the malware described above works by sending card data out to an unauthorized domain, and a firewall that only watches inbound traffic will not stop that. Antivirus software detects, identifies and removes known malware and other damaging software applications. Unfortunately, many POS Vendors do not provide a firewall; rather, the merchant is responsible for installing and maintaining a properly configured firewall. To the extent POS Vendors provide antivirus software for POS Terminals and POS Servers, they usually do so through optional support and maintenance packages which many merchants opt not to renew. Consequently, many POS Networks are left unguarded by a properly configured firewall and up-to-date antivirus software.
The existence and prevalence of these Network Vulnerabilities explain why the PCI-DSS rules place such emphasis on Network Security. For example,
- PCI-DSS Requirement 1 requires merchants to “[i]nstall and maintain a firewall configuration to protect cardholder data”;
- PCI-DSS Requirement 2 requires merchants to “[a]lways change vendor-supplied passwords before installing a system on the network”; and
- PCI-DSS Requirement 5 requires merchants to “use and regularly update anti-virus software or programs.”
What Questions Should I Ask My POS Vendor?
As discussed above, small- and medium-sized retailers frequently rely upon third-parties, like POS Vendors, to install, configure and service their POS System. Merchants should ask the following questions of their POS Vendors to assure that they are providing such services appropriately.
Does the POS System retain credit card transaction data in permanent storage and, if so, for how many transactions?
As noted above, the storage of customer credit card data exposes it to a potential breach. Knowing how many transactions the POS System stores allows for an estimate of the impact of a compromise. If the POS System holds only one credit card at a time, then the impact of a breach is lower. If the POS System retains hundreds, then the impact is much higher.
How long does the POS System retain credit card transaction data?
Storing confirmation codes (the authorization codes the processor returns for each sale) is generally not a risk, but storing full credit card information is a very high risk. The longer it is held, the bigger the risk of being compromised.
How often does the POS System purge credit card transaction data?
Frequent purges reduce a merchant’s risk. If a POS System holds information indefinitely, then the impact of a breach will be more significant.
Does the POS System purge credit card transaction data automatically?
If personnel must remember to enter a code to purge customer credit card data, then there is a risk it will not happen. Automated clearing is much more secure. Information should not be stored if there is no method to purge the data.
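The retention questions above boil down to three design rules: store only the last four digits and the authorization code, never the full card number; purge automatically rather than on an operator’s say-so; and bound how many records exist and for how long. The following is an added example written for this article, not code from any POS vendor, that implements those rules in a small transaction store. The retention window, record cap, function names and test card numbers are all assumptions made for the illustration.

```python
"""Added example (not from the original page or any vendor): a transaction
store that keeps only what a return needs and purges itself automatically.

Design points drawn from the vendor questions above:
  * never store the full PAN; keep only the last four digits plus the
    issuer authorization code (the "confirmation code")
  * purge on every write, so no operator has to remember to do it
  * bounded retention: at most MAX_RECORDS records, each at most
    RETENTION_DAYS old (both limits are assumed policy values)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30   # assumed policy: long enough for the return window
MAX_RECORDS = 500     # assumed cap on how many records may exist at once

_PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed PANs are rejected before anything is stored."""
    total, parity = 0, len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return only the last four digits, e.g. '************4242'."""
    if not _PAN_RE.match(pan) or not luhn_ok(pan):
        raise ValueError("not a plausible PAN")
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredTransaction:
    when: datetime
    amount_cents: int
    masked_pan: str   # last four digits only, never the full PAN
    auth_code: str    # issuer authorization code, safe to keep for returns


class TransactionStore:
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self._now = now            # injectable clock, so tests can move time
        self._records: list[StoredTransaction] = []

    def record_sale(self, pan: str, amount_cents: int, auth_code: str) -> StoredTransaction:
        """Store the minimal record; the raw PAN is not retained anywhere."""
        rec = StoredTransaction(self._now(), amount_cents, mask_pan(pan), auth_code)
        self._records.append(rec)
        self.purge()               # automatic, not operator-initiated
        return rec

    def purge(self) -> int:
        """Drop records older than the window or beyond the cap; return how many."""
        cutoff = self._now() - timedelta(days=RETENTION_DAYS)
        before = len(self._records)
        self._records = [r for r in self._records if r.when >= cutoff]
        if len(self._records) > MAX_RECORDS:
            self._records = self._records[-MAX_RECORDS:]
        return before - len(self._records)

    def find_for_return(self, last4: str, auth_code: str) -> list[StoredTransaction]:
        """A return is matched from the receipt's auth code and last four digits."""
        return [r for r in self._records
                if r.masked_pan.endswith(last4) and r.auth_code == auth_code]

    def __len__(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk through a sale, a return lookup, and an automatic purge."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = TransactionStore(now=lambda: clock[0])
    first = store.record_sale("4242424242424242", 1999, "A1B2C3")   # constructed test PAN
    found = store.find_for_return("4242", "A1B2C3")
    clock[0] += timedelta(days=RETENTION_DAYS + 1)
    store.record_sale("4111111111111111", 500, "Z9Y8X7")            # constructed test PAN
    return {
        "masked": first.masked_pan,
        "full_pan_in_record": "4242424242424242" in repr(first),
        "found_before_purge": len(found),
        "records_after_purge": len(store),
        "found_after_purge": len(store.find_for_return("4242", "A1B2C3")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that a return can be matched from the receipt alone (authorization code plus last four digits), so there is never a business reason to keep the full number, and the purge runs inside every write rather than waiting for someone to enter a code.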
Can the POS Terminal be used to browse credit card information stored on the POS Server?
While browsing or listing transactions can be useful for auditing information, it can also be exploited by allowing an attacker to list sensitive information. This should never be allowed from a POS terminal.
Is the POS System’s permanent storage medium removable? What is required to remove it?
The more effort required to remove permanent storage medium, the less likelihood it will be improperly removed.
Does the POS System encrypt permanently stored data?
Encrypted storage cannot be read without the key. If the POS terminal’s permanent storage is not encrypted, then anyone who removes the disk or boots the machine from other media can read it directly. Two caveats: encryption only helps if the key is not stored unprotected on the same device, and it protects a powered-off or removed disk, not a running system that an attacker has already logged into.
When deleting information from permanent storage, does the POS System use a “secure erase”?
Simply deleting a file removes only the directory entry and can leave the data itself recoverable. At minimum, overwriting the file with zeros before deleting it clears that disk space; more thorough options overwrite with random data as well. Note that on solid-state drives and other flash media, wear levelling can leave old copies of the data that an overwrite never touches, so for those the reliable approach is to encrypt the storage and destroy the key.
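To make the “secure erase” question concrete, here is an added example (written for this article, not taken from any vendor’s product) of overwrite-before-delete: the file is zeroed, read back to confirm the zeros actually landed, overwritten with random bytes, flushed to disk, truncated and only then unlinked. It also refuses to follow symbolic links, since a planted link is the classic way to turn a “wipe this record” routine into “wipe that other file”. The helper names and the sample record content are assumptions made for the illustration.

```python
"""Added example (not from the original page or any vendor): "secure erase"
of a record file by overwriting before unlinking.

A plain delete only removes the directory entry, leaving the data blocks
recoverable.  Caveat: on SSDs and flash media, wear levelling can leave stale
copies of blocks that an in-place overwrite never touches; there the reliable
approach is full-disk encryption plus key destruction.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def _fill(fd: int, size: int, make_chunk) -> None:
    """Write `size` bytes produced by make_chunk(n) from offset 0, then fsync."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        buf = make_chunk(min(CHUNK, remaining))
        while buf:                        # os.write may write fewer bytes than asked
            n = os.write(fd, buf)
            buf = buf[n:]
            remaining -= n
    os.fsync(fd)


def _read_all(fd: int, size: int) -> bytes:
    os.lseek(fd, 0, os.SEEK_SET)
    out = b""
    while len(out) < size:
        chunk = os.read(fd, size - len(out))
        if not chunk:
            break
        out += chunk
    return out


def secure_erase(path: str, random_passes: int = 1) -> int:
    """Overwrite `path` (zeros, then random_passes random passes), truncate and
    unlink.  Returns the number of bytes overwritten per pass.  Refuses symlinks
    so a planted link cannot redirect the overwrite at some other file."""
    if os.path.islink(path):
        raise ValueError("refusing to erase through a symlink")
    flags = os.O_RDWR | getattr(os, "O_NOFOLLOW", 0)   # also guards a link swapped in later
    fd = os.open(path, flags)
    try:
        size = os.fstat(fd).st_size
        _fill(fd, size, lambda n: b"\x00" * n)
        if _read_all(fd, size) != b"\x00" * size:     # prove the zero pass hit the file
            raise RuntimeError("zero pass did not take effect")
        for _ in range(random_passes):
            _fill(fd, size, secrets.token_bytes)
        os.ftruncate(fd, 0)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)
    if os.name == "posix":                 # make the unlink itself durable
        dfd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    return size


def demo() -> dict:
    """Erase a throwaway record file, then show a symlink attack is refused."""
    record = b"PAN=4242424242424242;AUTH=A1B2C3\n" * 3000   # constructed sample, > CHUNK bytes
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(record)
        path = f.name
    erased = secure_erase(path)

    # A second file stands in for the victim a planted symlink would point at.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"must survive")
        victim = f.name
    link = victim + ".lnk"
    refused = target_intact = None             # None: platform cannot make symlinks
    try:
        os.symlink(victim, link)
        try:
            secure_erase(link)
            refused = False
        except ValueError:
            refused = True
        with open(victim, "rb") as f:
            target_intact = f.read() == b"must survive"
    except (OSError, NotImplementedError):
        pass
    finally:
        for p in (link, victim):
            if os.path.lexists(p):
                os.unlink(p)
    return {"bytes": erased, "exists": os.path.exists(path),
            "symlink_refused": refused, "target_intact": target_intact}


if __name__ == "__main__":
    print(demo())
```

The read-back after the zero pass is the part most implementations skip; without it you are trusting that the write reached the same blocks, which is exactly the assumption that fails on flash media.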
Does the POS System require changing the default authorization code?
Secure systems require setting or changing the default password during the initial configuration. POS terminals and servers should not allow use with default passcodes.
Is there a backdoor code for bypassing or resetting authentication?
If a backdoor exists, it can be used by anyone who learns it, not only an administrator. Like a default password, a backdoor code is generally the same on every unit the vendor ships, so once it leaks, every merchant running that system is exposed.
Does resetting the authentication also clear stored records?
If a reset allows access to stored records and an attacker can perform an authentication reset, then an attacker can access stored records. Ideally, resetting the authentication should also reset all stored information. This prevents an attacker from gaining unauthorized access.
Is an administrative code needed to reprint receipts or view transactions?
If no code is needed, then anyone with access to the POS terminal can view transaction information.
Are all actions logged and associated with a specific operator account?
Creating, modifying, or viewing transaction information should be logged. The logs should indicate the unique operator performing the action.
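The last three questions fit together: reprints and transaction views need an administrator, every action needs an authenticated operator, and the log must name that operator. The added example below (written for this article; the action names, roles and key are assumptions, not a real product’s API) enforces those rules in an append-only audit log and goes one step beyond the text: each entry is chained to the previous one with an HMAC, so editing an entry or dropping one from the middle is detectable, and keeping the latest MAC somewhere the terminal cannot touch also catches entries deleted from the end.

```python
"""Added example (not from the original page or any vendor): an audit log in
which every POS action is tied to an authenticated operator, admin-only actions
are refused for other roles, and entries are HMAC-chained so tampering shows.

The HMAC key is held by the POS server, never by a terminal.  Sample events
and the key are constructed for this illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field

ACTIONS = {"sale", "void", "refund", "view_txn", "reprint_receipt"}
ADMIN_ONLY = {"view_txn", "reprint_receipt"}   # per the vendor question: needs an admin code
GENESIS = "0" * 64


def _canon(body: dict) -> bytes:
    """Stable serialization so the MAC covers exactly the stored fields."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditLog:
    key: bytes
    entries: list[dict] = field(default_factory=list)
    _prev: str = GENESIS

    def append(self, operator: str, role: str, action: str, txn_id: str) -> dict:
        if not operator:
            raise PermissionError("action without an authenticated operator")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action in ADMIN_ONLY and role != "admin":
            raise PermissionError(f"{action} requires an administrator")
        body = {"seq": len(self.entries), "operator": operator, "role": role,
                "action": action, "txn_id": txn_id, "prev": self._prev}
        mac = hmac.new(self.key, _canon(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self.entries.append(entry)
        self._prev = mac
        return entry

    def head(self) -> str:
        """Latest MAC; ship this off-box so truncation of the tail is detectable."""
        return self._prev

    def verify(self, expected_head: str | None = None) -> int | None:
        """Index of the first bad entry, len(entries) if the tail was cut, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i
            expect = hmac.new(self.key, _canon(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, e["mac"]):
                return i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def by_operator(self, operator: str) -> list[dict]:
        return [e for e in self.entries if e["operator"] == operator]


def demo() -> dict:
    """Log two actions, reject two bad ones, then detect two kinds of tampering."""
    log = AuditLog(key=b"server-held-secret")              # constructed key
    log.append("cashier7", "cashier", "sale", "T1001")
    log.append("mgr2", "admin", "reprint_receipt", "T1001")
    head = log.head()                                      # what a central log server would keep
    intact = log.verify(head)

    def rejected(*args) -> bool:
        try:
            log.append(*args)
            return False
        except PermissionError:
            return True

    no_operator = rejected("", "cashier", "sale", "T1002")
    not_admin = rejected("cashier7", "cashier", "view_txn", "T1001")
    log.entries[0]["operator"] = "someone_else"            # tamper: reattribute the sale
    tampered = log.verify(head)
    log.entries[0]["operator"] = "cashier7"
    del log.entries[1]                                     # tamper: drop the reprint
    truncated = log.verify(head)
    return {"intact": intact, "no_operator": no_operator, "not_admin": not_admin,
            "tampered": tampered, "truncated": truncated,
            "mgr2_actions": [e["action"] for e in log.by_operator("mgr2")]}


if __name__ == "__main__":
    print(demo())
```

Without the stored head, deleting the newest entries leaves a perfectly valid shorter chain, which is why the latest MAC should be forwarded to a system the terminal and server operators cannot edit.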