For the past several years, Point of Sale (POS) systems have been a prime target for cyber-attacks, making it more important than ever for retailers to consider the security of these machines and the information they store.
There are few things more embarrassing to a company than being forced to admit that customer payment information has been stolen.
It is a situation that many organisations, among them the hotel group Starwood, have faced.
Back in 2014, the company, which is now owned by Marriott, had its point of sale (POS) systems hacked, a breach that lasted until 2015 and affected scores of Westin and Sheraton properties.
Among the other companies to have been hit in a similar way is a United States-based Italian restaurant chain called B&B Hospitality Group, which midway through last year reported POS-related breaches at nine of its outlets.
The blame was placed on malware-infected POS devices that allowed customers’ card data to be stolen.
The use of malware is typical in hacks aimed at securing card information, according to Rajesh Gopinath, the Dubai-based vice president sales engineering (cybersecurity) Middle East and Africa for the cybersecurity and information security company Paladion.
While this type of attack is more common in North America and Europe than in the Middle East, this part of the world is not immune.
“It’s not uncommon for these attacks to happen in other regions like the Middle East. There have been many cases in the past where attacks have happened,” he says.
Nicolai Solling, the Dubai-based chief technology officer for the cybersecurity consultancy Help AG, says that point-of-sale security is “definitely” a field that many companies are focused on.
He works with a number of large retail chains in the region who are trying to ensure that their systems are not vulnerable to attack.
“All of these ones I’m working with, they have problems around how they secure their point-of-sale systems. That’s a good thing, to see they’re investing money in it,” he says.
These companies’ focus on POS security could be driven, says Solling, by the retail chains’ own desire to secure their systems. It could also result from pressure by banks and payment providers to clamp down on fraud.
“If you swipe a card, if you want to store anything from the cards, you have to make sure the machines are secure,” says Solling.
When POS breaches happen, customers can have their credit card and debit card data stolen, including the key details needed to commit fraud: name, card number, security code and expiration date.
POS systems additionally offer criminals the prospect of stealing data that goes beyond such credit card and debit card details.
“If you look at the current underground market for hacked information, it’s not just about payment card information,” says Gopinath.
“They’re not just after card information, but information about names, date of birth, any other information they can get their hands on. That sells pretty well on the black market,” he says.
One reason for this is that, as Trend Micro notes in a research paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industry, POS systems do much more than accept payments. They may also be involved in accounts, managing inventory and keeping track of sales.
“POS terminals have many different purposes. They track payment, but it’s not unlikely that this POS system is also telling the mall operator about the performance of your store, and the rent is related to how many people are paying and what the revenue and turnover is,” says Solling.
“So we have more and more requirements to integrate these POS systems. It means they’re mini computers in all of these stores.”
As a result, POS systems are a potential entry point for fraudsters to access a host of sensitive information. They can be used as a way into a company’s network, to the extent that criminals can even use them to reach, electronically, a company’s headquarters.
When it comes to small businesses, the link to the credit or debit card company is often achieved using a cellular data connection.
As Trend Micro outlines in its report, with larger businesses the POS device may connect to the company’s internal network, something that will enable it to link up to other back-end systems.
It is common for POS terminals to run on Microsoft Windows operating systems such as Windows 7 and Windows XP and, as Solling notes, this can create problems, including the need for updates.
“Just because there’s a new patch, you cannot just roll that out. You have an opening where it’s more challenging to maintain these systems,” he says.
“A lot of the point-of-sale systems are really old as well. They’re still serving the purpose of a POS system, but the underlying operating system is still a version of Windows that may not be maintained any more.
“We’ve had a few vulnerabilities that Microsoft didn’t release patches for Windows XP and Windows 7, so these systems today would be vulnerable to a specific form of attack.”
Solling says that security is less complex for a company if all of its POS devices are the same. That allows specialists like Help AG to “harden” the whole system.
“We have one client with 6,000 POS terminals all the same. If you [deploy a security solution] on one device and deploy the same security across them all, it’s very beneficial,” he says.
Other companies may have 50 or fewer of any one kind of POS terminal, perhaps if they have made an acquisition and not replaced its POS terminals.
“And you have a lot of different flavours of POS system; it’s not necessarily a big device on a desk. It can be something in a pocket,” he says.
One method of securing POS systems is the use of the Point-to-Point Encryption (P2PE) standard, which prevents criminals from accessing data while it is being transmitted through a merchant’s system. In a briefing paper, Paladion notes that, at the point of interaction (POI), this standard encrypts the data.
“Even if it’s stolen, it doesn’t make sense to the hacker. Not many financial institutions have adopted it [because of] the complexity of implementing such a solution and the cost,” says Gopinath.
“There are some alternatives – tokenisation solutions. Even there the adoption is not that great. But there are many providers that provide similar solutions without having to make separate investments. I believe the technique does work, but the adoption is not that great.”
Another measure recommended is complying with the Payment Card Industry Data Security Standard (PCI DSS), a set of guidelines on how card information should be handled.
“Any organisation that transmits card information should comply if they’re using Visa, Mastercard or Amex,” says Gopinath.
“It has 12 requirements for secure storage and processing. It’s pretty detailed based on the controls that enterprises should follow if they’re processing or storing card information.”
Another measure to have in place is a system that monitors for, and reacts rapidly to, threats. This is known as managed detection and response or MDR.
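Cleartext card data sitting in a terminal’s memory or on its disk is what the POS malware described earlier harvests, and it is what the PCI DSS storage rules and MDR-style monitoring are meant to catch. The following is an added example, not code from the article or from Paladion or Help AG: a small Python scanner that looks for Track 2 strings and bare PANs in a byte buffer, keeps only Luhn-valid candidates and reports them masked. The sample buffer and its card numbers are constructed (the public Visa and Mastercard test numbers).

```python
import re

# Track 2 as encoded on a magnetic stripe (ISO/IEC 7813): PAN '=' YYMM service code ...
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})\d*\??")
# Bare 13-19 digit runs, the shape of a PAN stored in the clear
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, the most PCI DSS lets you display of a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return (kind, offset, masked_pan) for every Luhn-valid PAN found in buf."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(("track2", m.start(1), mask(pan)))
            covered.append(m.span(1))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start(1) < e for s, e in covered):
            continue  # already reported as part of a Track 2 record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(("pan", m.start(1), mask(pan)))
    return findings


# Constructed stand-in for a slice of POS process memory: an order record, one
# Track 2 string and a bare PAN. The card numbers are the public Visa and
# Mastercard test numbers, not real cards.
SAMPLE = (b"order=20240101123045 total=19.99\x00"
          b";4111111111111111=251210112345?\x00"
          b"ref=4111111111111112 pan=5555555555554444\x00")

if __name__ == "__main__":
    for kind, offset, masked in scan_buffer(SAMPLE):
        print(f"{kind:6} at byte {offset}: {masked}")
```

The timestamp and the Luhn-invalid reference number in the sample are ignored, so only the two genuine card numbers are reported; a production scan would also need to handle UTF-16 strings and data split across pages.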
So, although the threats are many and various, there are myriad measures that can be taken to counter them. This can help companies to secure their customers’ data – and to avoid the kind of nightmare publicity that Starwood and B&B Hospitality Group suffered when their POS systems were compromised.