What Is Point-of-Sale (POS) Security?
Point-of-sale (POS) security protects the computer systems that process debit and credit card transactions. Because POS systems can contain sensitive data like account numbers, emails, and addresses, a data breach can be costly both for damage control and the store’s reputation. POS system security does not only apply in-store. Many point-of-sale system vulnerabilities come from online stores and information accessed through the cloud.
To protect this information, POS systems are typically equipped with a variety of security measures, including firewalls, intrusion detection and prevention software, and encryption techniques. However, it’s up to you to make sure your whole system—from employee to network—is as secure as it can be.
POS Security Threats
POS systems are a common target for hackers, as they can be used to steal credit and debit card data. Things like outdated software, unsecure networks, and unsecure third-party integrations, along with the theft of devices or passwords, sometimes through scams, can leave you vulnerable to attacks. These include malware infections, hardware tampering, brute force attacks, phishing and social engineering, and employee theft.
A POS malware attack infiltrates POS terminals or online stores via compromised or poorly secured systems, searching for payment card data, which is then sent to the attacker unencrypted. Hackers get in through unprotected databases, program vulnerabilities, or personal access. Then, they install malware that will collect credit card data and other personal information from customers as they make purchases. The data can then be sold on the black market or used to commit identity theft.
POS malware can be very sophisticated and difficult to detect. Often an attack can go on quietly for months or years before it’s noticed. Sometimes, a business only finds out from law enforcement investigating another fraud case. Here are some of the most common types of point-of-sale malware attacks:
- Spyware: This kind of malware installs itself on a POS system and uploads the stolen data elsewhere. BlackPOS and its derivative Kaptoxa, which were used in the 2013 Target POS breach, are well-known examples.
- Trojan: This software disguises itself as a legitimate program (usually an email link or file) to get into your system and steal data. For example, in 2014, the Chewbacca Trojan stole more than 49,000 credit cards from 45 retailers in 11 different countries over two months.
- Keyloggers and skimmers: Some spyware steals data by logging keystrokes. Backoff POS and Poseidon both have this capability. This could have been the culprit in 2020, when TrueFire, which offers guitar lessons online, was hacked. Since it does not store payment card information, the info was most likely captured as customers were making payments.
- OAuth hijacking: Open Authentication (OAuth) manages identities and secures online areas across third-party services. This lets users have temporary and secure access tokens—allowing customers to log in to an account using Facebook, for example. While convenient, it can put your account at risk if the other authorization site is hacked. MITRE’s 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses Report says this continues to be a top threat for businesses, although it did not mention point-of-sale systems directly.
- Ransomware: This malware attacks your system, usually cutting off company access to computers, email, and customer orders, but an increasing number of cases feature threats to release public information online if the ransom is not paid. In 2022, The Allison Inn & Spa experienced such an attack, putting information from 1,500 employees and former employees and 2,500 reservations in jeopardy. Ransomware attacks rose 13% in 2021 and most often happen through desktop sharing and email.
Hackers can tamper with point-of-sale system hardware, such as the card reader, to steal data. This happens with gas pumps, for example, which is why they should be regularly inspected and sealed. However, as self-serve kiosks become more vulnerable, this could be another point of risk.
Hackers can try to guess the passwords or usernames used to access the POS system to gain access and steal data. They use programs to make attempts at hundreds of guesses per second. That’s why it’s important not only to have strong passwords, which reduces the likelihood of being hacked, but to have restrictions on the number of login attempts.
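One way to restrict login attempts, shown as an added example (not code from any POS vendor or from this article's sources): a per-account sliding-window lockout replayed over constructed login events. The thresholds, account names, and the `LoginThrottle` class are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failures allowed inside the window
WINDOW_SECONDS = 300    # assumed policy: 5-minute sliding window
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout


class LoginThrottle:
    """Tracks failed logins per account and locks the account on a burst."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time

    def attempt(self, account, ts, password_ok):
        """Return 'ok', 'denied' (bad password) or 'locked' (not evaluated)."""
        if ts < self.locked_until.get(account, 0):
            return "locked"                  # correct guesses are refused too
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(ts)
        while recent and recent[0] <= ts - WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            recent.clear()
        return "denied"


def replay(events):
    """Run (seconds, account, password_ok) events through one throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(acct, ts, ok) for ts, acct, ok in events]


# Constructed sample events: (seconds, account, password_ok)
SAMPLE_EVENTS = (
    [(t, "manager", False) for t in range(0, 5)]   # burst of 5 bad guesses
    + [(6, "manager", True)]                       # right password, during lockout
    + [(10, "cashier1", False), (400, "cashier1", False), (401, "cashier1", True)]
    + [(1000, "manager", True)]                    # after the lockout expires
)

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```

The two spaced-out mistakes on `cashier1` never trigger a lockout, while the burst on `manager` does. Because a per-account lockout can also be triggered on purpose to keep a legitimate user out, it is usually paired with a limit per source device or address.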
Employees and sales agents are also an area of vulnerability. For example, the White Sox lost over $1 million when two ticket sellers generated and sold unauthorized game tickets between 2016 and 2019. In Canada, hackers bribed employees at multiple businesses to “borrow” POS devices for about an hour to load card-skimming software. The result was a loss of over $7 million.
How Do Hackers Gain Access to POS Systems?
Businesses don’t always reveal how a data breach occurred, but in massive breaches, the details come out over time as the retailer works to protect data and settle with customers affected by the breaches. Here are a few recent examples:
- Bonobos was hacked through an unsecure cloud backup.
- Estee Lauder was hacked through a database that was not password-protected.
- Carter’s was hacked when its third-party vendor Linc shortened Carter’s purchasing and shipping URLs without security precautions.
- Guess was hacked through an unspecified “unauthorized access.”
- Restaurant giant Landry’s was hacked (it believes) when waitstaff erroneously swiped credit cards through the order entry instead of the payment system. Order entry was not encrypted.
- Claire’s fashion accessories store was breached after it closed all its retail stores, when a hacker reserved the claires-assets.com URL to launch an attack through Salesforce.
- Dickey’s BBQ locations were hacked through outdated magstripe credit card scanners. Hackers can gain access through adjusted credit cards that direct the system to contact a rogue point-of-sale server to download card-skimming software.
- Marriott International was a victim of a social engineering attack, in which an anonymous hacking group tricked an employee into granting them access to its system.
Other areas of vulnerability are tapping in through Bluetooth, especially through remote printing channels, bribing employees to lend them their devices, and finding loopholes in a program.
Just because the incidents above happened to large corporations doesn’t mean that small businesses aren’t also targeted. These are just the ones that get the press. POS security is increasingly important for small businesses.
Best Practices for POS Security
One of the requirements of the Payment Card Industry Data Security Standard (PCI DSS) is to use antivirus software on all point-of-sale (POS) systems. POS antivirus software helps protect your POS system from malware and other cyber threats. However, these are not enough. Here are other ways you can prevent a point-of-sale security breach:
- Regularly check for card skimmers, cables, or any other tampering. Keep a list or photos of all your terminals with their serial numbers so that you can compare them to the physical terminals to ensure they haven’t been swapped with another device. This is especially important for self-serve kiosks and gas pumps where employees may not have a constant watch.
- Stop allowing card swipe. Hackers can alter credit cards to direct point-of-sale systems to download malware. Use EMV payment tools instead. If you must use card swipe, be sure the readers are up to date.
- Keep the software up to date with the latest security patches. All kinds of software and components get updated often, which may include new features and patches to any vulnerabilities hackers could exploit.
- Install antivirus and malware protection on your POS device and all devices connected to the network. Antivirus software scans your system periodically and identifies any harmful files or apps on your system. If you’re unsure of which software you should use or how to install it, speak with your POS software account executive.
- Set strict permissions in your software. Managers need access to the back end of your POS system, but you should allow only the permissions that are necessary. Other employees that need user permissions should have the lowest level, as well. Vendors may need access too. Keep a list of who has access and what each access level is, so you can trace any breaches and where they occurred.
- Employees at all levels should use strong passwords and change them regularly. The best passwords have at least 12 characters, a combination of capital and small letters, numbers, and characters like ! or &. They can be a phrase (T1m32MK3D0nuts! – Time to make the donuts!) but should not tie to personal information.
- Teach employees email and text security. Malicious attackers typically use email to try to get employee or vendor credentials, but requests may come over the phone or even in person. Employees should be trained on how to identify phishing emails and other common scams, and how to protect their login credentials. For example, no official customer service or IT worker will ask for your username and password. Always verify.
- Get end-to-end encryption. Most POS systems will include 256-bit level encryption for any data stored on your system, but it’s a good idea to use a payment gateway that also employs end-to-end encryption. This will ensure data is encrypted from the transaction to the gateway.
- Segment your network. An external network is great for customers at a brick-and-mortar store—they get free Wi-Fi, and you’re likely collecting useful data. However, make sure you’ve segmented your network because hackers can easily exploit a system and gain access to payment information. Use an internal network only for payment processing and business-related internet use.
- Keep an eye on point-of-sale activity in your system. Make sure sales and inventory counts make sense and that there aren’t any anomalies in the activity. Also, if your team uses handheld devices to accept payments from customers, make sure you collect them all at the end of the day and lock them up. Employee theft is one concern, but a device could be lost or stolen at some point, and you need to take appropriate action if this happens.
- Have a contingency plan. Businesses should be prepared in case their POS system is compromised.
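The terminal inventory check from the list above, as an added example (not part of the original article): it compares the serial-number list kept on file against what was read off the devices during a walk-through, and also surfaces a handheld that was not collected. The CSV layout, terminal IDs, and serial numbers are constructed for illustration.

```python
import csv
import io

# Constructed baseline: the list kept on file (terminal id, location, serial).
BASELINE_CSV = """terminal_id,location,serial
T-01,Front counter,SN-48213907
T-02,Drive-through,SN-48213911
K-01,Self-serve kiosk,SN-77120045
H-01,Handheld (patio),SN-90335512
"""

# Constructed audit: what was read off the physical devices on site.
AUDIT_CSV = """terminal_id,serial
T-01,sn-48213907
T-02,SN-48213911
K-01,SN-77120054
X-09,SN-11100022
"""


def normalize(serial):
    """Ignore only case and spacing differences from hand transcription."""
    return "".join(serial.split()).upper()


def load(text):
    """Parse CSV text into {terminal_id: row}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["terminal_id"].strip(): row for row in reader}


def reconcile(baseline_text, audit_text):
    """Return findings as sorted (terminal_id, status) pairs."""
    baseline, audit = load(baseline_text), load(audit_text)
    findings = []
    for tid, row in baseline.items():
        seen = audit.get(tid)
        if seen is None:
            findings.append((tid, "missing"))          # not found on site
        elif normalize(seen["serial"]) != normalize(row["serial"]):
            findings.append((tid, "serial_mismatch"))  # possible swapped device
        else:
            findings.append((tid, "ok"))
    for tid in audit.keys() - baseline.keys():
        findings.append((tid, "unknown_device"))       # on site, not on the list
    return sorted(findings)


if __name__ == "__main__":
    for tid, status in reconcile(BASELINE_CSV, AUDIT_CSV):
        print(tid, status)
```

The kiosk entry differs from the baseline only by two transposed digits, which is easy to miss by eye and is the case the comparison exists to catch.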
Who Is Responsible for POS Security?
At the end of the day, the data owner (the merchant) is responsible for any data breach. So, even if a data breach occurs because of stolen third-party vendor credentials, it’s still your responsibility to make good on the losses, including loss of customer trust.
Point-of-Sale Security Costs
A 2021 study by Ponemon Institute found that the average cost of a data breach is $4 million—the highest in 17 years. Small businesses fared “better”: Niche insurance agency Hiscox said the average cost for a data breach to a small business from mid-2020 to mid-2021 was $25,000.
Nonetheless, the price can be devastating. Before Covid, 60% of small businesses that suffered a data breach went out of business within six months. That’s why it’s important for businesses to invest in point-of-sale security systems. These systems can help protect your customers’ information and help you avoid costly data breaches.
Tech analyst Gartner found that worldwide spending on data security increased by 17.5% between 2020 and 2021. Most POS companies include security features to help protect POS hardware and software. However, there are extra steps you can take for enhanced security, and they line up with the best practices and tips above.
- Antivirus software: Average costs for antivirus software for your business systems will be about $200 per year. Popular options include McAfee and Norton.
- Firewall: A physical firewall, or router, can help protect data transfers on your small business network. These come in a range of prices, but you can expect to pay $100 to $300. Popular options include SonicWall and Cisco.
- Security cameras: Having a camera that covers any areas with point-of-sale terminals or devices is a great way to protect them from physical tampering. Business security systems like SimpliSafe, Vivint, and ADT offer plans anywhere from $9.99 to $59.99 per month.
- EMV chip readers: This is a must. The average cost of EMV readers is anywhere from $50 to $1,000 each. Contact your merchant account provider to make sure you have the latest payment technology.
- Security AI and automation controls: Security AI and automation controls help businesses detect and contain data breaches much faster. These come with monthly fees of $80 to $1,500 per month, but by cutting down detection and reaction time, they reduced data breach costs by 80%.
- Chargeback protection services: Hacking isn’t just about exposing compromised data on the dark web. Criminals use this information to make fraudulent purchases. While many POS systems and payment providers provide some chargeback protection, you may want to consider a more robust chargeback protection service. Most offer custom pricing, but some have minimum monthly spends of $1,000-plus.
What To Do if Your Business Is Affected by a Data Breach
Sometimes, the best point-of-sale security efforts can’t prevent a breach. When a data breach occurs, it is important for your business to react quickly and efficiently. In this case, time really is money as well as reputation.
- Step 1: Determine the extent of the breach. Identify which systems or networks were compromised and what information was accessed. Once the extent of the breach is known, you can start to mitigate the damage.
- Step 2: Notify customers and employees who may have been affected. Let them know how likely it is that they were directly affected (such as cards used between these dates or at this store). Include suggestions for protecting themselves, like changing passwords or checking for purchases they didn’t make.
- Step 3: Consider offering identity theft protection to your customers for a year. This can get pricey but goes a long way toward repairing customer goodwill.
- Step 4: Hire a cybersecurity firm to investigate the breach and implement additional security measures.
- Step 5: Keep track of all communication related to the data breach so that it can be used as evidence if legal action is taken.
- Step 6: Contact the Federal Trade Commission (FTC), law enforcement, and credit bureaus. Law enforcement can help investigate the breach and determine who is responsible. The FTC can provide resources and advice on how to handle the aftermath of a data breach. Credit bureaus can help businesses protect their customers’ credit information.
- Step 7: Contact your insurance company to confirm whether it covers data breaches.
Point-of-Sale Security Frequently Asked Questions (FAQ)
Financial institutions (banks and payment processors) usually bear the brunt of unauthorized charges to debit and credit cards. However, these financial companies may take a merchant to court to cover the cost of protecting customers—Home Depot settled with banks; Target paid a settlement, too. Others are in lawsuits. Still others pay the hackers the ransom to prevent a data breach.
No. If you access your POS in the cloud or have an online store on your website, then these also need to be secure against hackers. For example, a virus on your computer or server could pull passwords and other information that you enter into your POS system, or get your password to access the system directly. One of the most common data breach avenues for 2020 and 2021 was through unsecure databases. Be sure you properly label, password-protect, and secure your POS databases and backups.
Bottom Line
It’s more important than ever for businesses to have comprehensive security protocols in place, particularly where point-of-sale security is concerned. That means ensuring that all devices used for transactions are up-to-date and properly secured, using strong passwords and authentication methods, and regularly monitoring for suspicious activity. Employees also need to be trained on how to spot potential threats and respond accordingly.