Point Of Sale Security
Recent news tells us that retail and hospitality organizations are under attack by cyber criminals. In fact, nearly half of the US companies and 30% of UK companies on the Top 250 Global Powers of Retailing have experienced a publicized breach. Why? These organizations have what cyber criminals want: credit card numbers. Because these businesses interact heavily with consumers, they collect massive amounts of credit card data.
Point Of Sale = Point Of Entry: Pos Security & Cybercrime
Cyber criminals have found a new way in: the POS terminal. Long considered a "dumb device" only 30% are protected by endpoint anti-malware. We've examined this issue and many others in this new white paper. This paper will help you understand the unique security challenges of POS devices and how iSheriff handles those challenges, such as the startling size of this risk and why POS devices are the entry point, the three primary security vulnerabilities unique to POS devices, and which malware affects POS devices the most.
It's a real problem. Payment information is central to what a retailer does and increasingly sales are made with debit and credit cards instead of cash. The very numbers that enable retailers to operate must be protected at all costs. Yet this is the same information that cyber criminals desire. Consider these recent and well-reported case studies:
While few details have emerged about the Home Depot breach, it's clear the attack hit the stores’ registers
The hack put as many as 56 million cards at risk
The home-improvement chain expects to pay about $62 million this year to recover from the incursion, including costs for call-center staffing and legal expenses
Target revealed that the company’s point-of-sale (POS) systems were infected with malware
Approximately 40 million credit and debit card accounts impacted by the breach; an additional 70 million names, email addresses, mailing addresses and phone numbers have also been stolen
POS systems are actually computers with peripherals like card readers and keypads attached to them. Many of these systems run a version of Windows Embedded as the OS as well as special cash register software. Hence, they can be both protected and hacked in the same manner as all other computers. However, protection on these devices is lacking.
Overview Of PCI Requirements
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.
|Goals||PCI DSS Requirements|
|Build and Maintain a Secure Network and Systems||
|Protect Cardholder Data||
|Maintain a Vulnerability Management Program||
|Implement Strong Access Control Measures||
|Regularly Monitor and Test Networks||
|Maintain an Information Security Policy||
Organizations that are held to a PCI standard must satisfy these requirements and perform self-assessments to ensure continued compliance.