Components of DOT Security’s Services
Explore each of the core elements that combine to form DOT Security’s complete offering
See how it all comes together
DOT Security’s holistic service- A plan to get back up and running if a problem occurs
- Comply with data security laws and industry regulations
- Expert planning and training to improve overall security
- Protection for a controlled internal environment
- Coverage for individual systems and devices
- Control who can get into your networks
- Improved insight into data and communications
- Extra fortification for your most sensitive data
Risk Assessment
InsightsCybersecurity insights and analyses
Dive into the world of modern cybersecurity with explanations, predictions, and expert opinions
Find blogs, infographics, videos, and more
DOT Security insights- Definitions for industry terms and acronyms
- The complete beginner’s guide to everything cybersecurity
Endpoint Protection
Why Point of Sale (POS) Security Should be a Priority for Retailers
March 16, 2023
7 Minutes
Point of sale (POS) security is not often considered by retail businesses. Most people don’t realize that a POS computer system, the computer used to check out customers in retail stores, is a very high-value target for cybercriminals because it collects a lot of valuable information and because not many businesses prioritize its security.
To protect your customer’s information and your business’ network, you need to understand the threats posed by an unsecure POS system and the cybersecurity controls, best practices, and technologies you need to stay secure.
Sign up for our newsletter!
Cybersecurity is not often a major thought for small businesses, especially in retail. But it’s critical to carry a ‘security first’ mindset in everything you do and part of that is understanding the threats you’re facing and the security solutions available to you. Download our State of Cybersecurity for Small Businesses eBook now to see everything you need to know to stay protected.
What Cybersecurity Risks Does a POS System Pose?
A quarter of all cyberattacks are targeted at retailers. Most of these attacks come at the POS system because of how much (and how often) sensitive data is transferred onto the POS computer.
A typical transaction at the POS will have people sharing their ID information and credit or debit card numbers (including expiration dates and CVV codes) to make a purchase. and all that data is valuable to cybercriminals who can steal and sell it to third parties.
Cybercriminals specifically target the POS system because it’s often a less-guarded endpoint that connects directly to the larger network. This is similar to why small businesses are targeted over large ones: the odds are they simply have less cybersecurity in place. Cybercriminals will typically look for the path of least resistance and the POS system offers exactly that.
Why Cybercriminals Target POS Systems
-
Vulnerabilities in Out-of-Date POS Software: POS system software is often an afterthought, installed and forgotten about as transaction after transaction occurs. Just like any other software, vulnerabilities are discovered by bad actors and patched out by developers. But, if you’re not following closely, you could easily miss new updates or patches that secure these flaws. Cybercriminals know this and target POS systems for this reason.
-
Legacy Software: Similarly, if you’re using legacy software (one that you’ve always used), check to ensure it’s not so out of date that it’s no longer supported by the developers. If it’s not, it’s not receiving new patches at all which leaves vulnerabilities open.
-
Reactive Security Measures: Most retail businesses don’t have the proper proactive security controls in place to stop malware before it can have a big effect. Instead, they opt for reactive strategies that only come into play once a system has been infected. But, by then, it’s too late and a lot of data could have already been stolen.
Common POS Attacks
Without proper security in place, POS systems are very vulnerable to attack. They’re fairly exposed to the public, are in nearly constant use, are connected to the business network, and are mostly operated by employees who lack security training.
Here are some of the most common attacks targeted at POS systems and what their goals are:
-
Credit Card Info Swiping: Credit card (or debit card) numbers are a very common target of cyberattacks. Bad actors will steal this data with the intent to sell, blackmail, or just use to make unauthorized purchases. Card numbers can be stolen through network infiltration or by planting a physical card-swiping device.
-
Keyloggers: A keylogger tracks every key pressed on a computer keyboard. On a POS system, this gives cybercriminals a ton of information like credit card numbers, login information, PINs, and more. Keyloggers are often a first-step attack which plants the seeds for more serious attacks down the line.
-
Network Penetration: Some attacks don’t stop at the POS system. Advanced malware can get in using the POS computer but then uses it to access the larger corporate network and to move laterally once inside. This can lead to huge amounts of stolen data, data leaks, trojan malware, ransomware, and other brutal attacks.
-
RAM Scrapers: RAM scraping is a common cyberattack that steals consumer credit card information off of a POS system’s random-access memory (RAM). A RAM scraping attack on Target and Home Depot in 2013/2014 resulted in the theft of over 90 million customers’ personal information.
Protecting Your Business with POS System Security
Protecting a POS system is not a simple process. It involves the collaboration of many cybersecurity best practices, technologies, and policies to ensure your network and customer’s information stay secure, including:
POS Encryption
POS systems collect and transfer a lot of sensitive information. Make sure you’re using encryption software when sending this data to render it unusable if stolen or leaked. Encryption works by scrambling data when in transit or storage. Without a decryption key (which should be given only to those who need to access this data), it’s unreadable which makes it unusable for cybercriminals.
Related Blog: What is Data Encryption?
Endpoint Protection
An endpoint is any physical device (computer, tablet, phone, etc.) that connects to a business’ network. These devices are a common target for cyberattacks because they can act as gateways into an entire business network and are often less secure. A POS system is a great example of an endpoint that would make a valuable target for cybercriminals.
Endpoint protection is a set of security tools designed to protect these devices using software designed to filter threats, detect them if they get inside, and respond quickly to limit the damage.
Access Controls
Effective identity & access management (IAM) protocols can make a big difference in POS security. Essentially, IAM is the practice of protecting login credentials and limiting who has access to certain computers or data. In a retail environment, especially for POS systems, it means giving each operator a unique login credential and only what they need to keep the system secure.
With these controls in place, you can track who is using what system and what they’re doing. This helps track down the source of a cyberattack (if one occurs) and keeps your POS system secure against unauthorized use.
Additionally, you should implement strong password policies to help your employees create stronger passwords and store them securely. You could also use multi-factor authentication techniques like device or app authorization or biometrics (face scanning and fingerprints) as another layer of security.
Network Monitoring
With consistent network monitoring, you’ll be able to identify when something out of the ordinary occurs. This could be a strange log-in, files being transferred, or just any unusual activity that stands out from what an average day looks like.
Advanced monitoring technology even utilizes AI to help track standard network use, making bad actors stand out even more and making it easier to catch them earlier.
Related Blog: How is AI Used in Cybersecurity?
Awareness Training and Education
Well-trained employees who know what a potential cyberattack looks like and who know what to do to stop one in its tracks can reduce a business’ cyber risk by 70%. That means most attacks could be completely avoided if your team simply knows how to identify and avoid an attack.
Consistent cybersecurity awareness training and education is a key part of a strong cybersecurity defense and is critical in securing POS systems.
Key Takeaways
-
POS systems are high-value targets for cybercriminals due to the amount of sensitive information (credit card numbers, banking information, personal data) that they collect and transfer over a business’ network.
-
The most common attacks on POS systems are looking to steal data and infiltrate the business' network though the POS computer.
-
To secure a POS system, businesses need up-to-date software and security policies in place to help educate their teams, control access to POS software, monitor network activity, and protect POS system itself.
Learn everything you need to know about cybersecurity for small businesses. Download the State of Cybersecurity for Small Business eBook today and get current on what you need to know to stay protected.