FitSmallBusiness
Fit Small Business content and reviews are editorially independent. We may make money when you click on links to our partners. Learn More.

Retail | What is

What Is Point-of-Sale (POS) Security?

Meaghan Brophy

REVIEWED BY: Meaghan Brophy

Meaghan has provided content and guidance for indie retailers as the editor for a number of retail publications and a speaker at trade shows. She is Fit Small Business’s authority on retail and ecommerce.

 

WRITTEN BY: Karina Fabian

Published August 9, 2022

Karina Fabian writes and reviews business software, services, and topics for starting a business, startups, and small businesses. She has more than seven years of business writing experience.

Published August 9, 2022

This article is part of a larger series on POS Systems.

TABLE OF CONTENTS
  1. 1 POS Security Threats
  2. 2 Best Practices
  3. 3 Who is Responsible for POS Security?
  4. 4 POS Security Costs
  5. 5 What to Do If Affected by a Data Breach
  6. 6 FAQ
  7. 7 Bottom Line
  8. Learn more about POS & Payment Security:
    1. POS Reconciliation
    2. PCI Compliance for Small Businesses
    3. Ecommerce Payment Security
    4. How to Detect Counterfeit Money
    5. How to Prevent Chargebacks

Point-of-sale (POS) security protects the computer systems that process debit and credit card transactions. Because POS systems can contain sensitive data like account numbers, emails, and addresses, a data breach can be costly both for damage control and the store’s reputation. POS system security does not only apply in-store. Many point-of-sale systems vulnerabilities come from online stores and information accessed through the cloud.

To protect this information, POS systems are typically equipped with a variety of security measures, including firewalls, intrusion detection and prevention software, and encryption techniques. However, it’s up to you to make sure your whole system—from employee to network—is as secure as it can be.

POS Security Threats

POS systems are a common target for hackers, as they can be used to steal credit and debit card data. Things like outdated software, unsecure networks, and unsecure third-party integrations, along with the theft of devices or passwords, sometimes through scams, can leave you vulnerable to attacks. These include malware infections, hardware tampering, brute force attacks, phishing and social engineering, and employee theft.

Click to learn more about the types of POS security threats:

A POS malware attack infiltrates POS terminals or online stores via compromised or poorly secured systems, searching payment card data, which is then sent to the attacker unencrypted. Hackers get in through unprotected databases, program vulnerabilities, or personal access. Then, they install malware that will collect credit card data and other personal information from customers as they make purchases. The data can then be sold on the black market or used to commit identity theft.

POS malware can be very sophisticated and difficult to detect. Often an attack can go on quietly for months or years before it’s noticed. Sometimes, a business only finds out from law enforcement investigating another fraud case. Here are some of the most common types of point-of-sale malware attacks:

  • Spyware: This kind of malware uploads itself onto a POS system and uploads the stolen data elsewhere. BlackPOS and its derivative Kaptoxa, which were used in the 2013 Target POS breach, are well-known examples.
  • Trojan: This software disguises itself as a legitimate program (usually an email link or file) to get into your system and steal data. For example, in 2014, the Chewbacca Trojan stole more than 49,000 credit cards from 45 retailers in 11 different countries over two months.
  • Keyloggers and skimmers: Some spyware steals data by logging keystrokes. Backoff POS and Poseidon both have this capability. This could have been the culprit in 2020, when TrueFire, which offers guitar lessons online, was hacked. Since it does not store payment card information, the info was most likely captured as customers were making payments.
  • OAuth hijacking: Open Authentication (OAuth) manages identities and secures online areas across third-party services. This lets users have temporary and secure access tokens—allowing customers to log in to an account using Facebook, for example. While convenient, it can put your account at risk if the other authorization site is hacked. MITRE’s 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses Report says this continues to be a top threat for businesses, although it did not mention point-of-sale systems directly.
  • Ransomware: This malware attacks your system, usually cutting off company access to computers, email, and customer orders, but an increasing number of cases feature threats to release public information online if the ransom is not paid. In 2022, The Allison Inn & Spa experienced such an attack, putting information from 1,500 employees and former employees and 2,500 reservations in jeopardy. Ransomware attacks rose 13% in 2021 and most often happen through desktop sharing and email.

Hackers can tamper with point-of-sale system hardware, such as the card reader, to steal data. This happens with gas pumps, for example, which is why they should be regularly inspected and sealed. However, as self-serve kiosks become more vulnerable, this could be another point of risk.

Security seals sample.

Security seals make it easy to know if a pump has been tampered with.
(Image from TydenBrooks)

Hackers can try to guess the passwords or usernames used to access the POS system to gain access and steal data. They use programs to make attempts at hundreds of guesses per second. That’s why it’s important not only to have strong passwords, which reduces the likelihood of being hacked, but to have restrictions on the number of login attempts.

Phishing generally involves an email asking for certain information, such as account numbers, in order to transfer money (and they then take money out instead). Social engineering involves manipulating someone into doing something that lets the hacker in.

One example is an email, supposedly from a manager or even the CEO, asking the employee to go to a website and purchase gift cards for an event. The scammer then scrapes the payment information. Other scams are similar, with someone claiming to be in the company and asking for confidential information. The FBI said these scams have cost businesses around the world over $43 billion between 2016 and 2021—and there was a 65% increase in losses between July 2019 and December 2021.

Employees and sales agents are also an area of vulnerability. For example, the White Sox lost over $1 million when two ticket sellers generated and sold unauthorized game tickets between 2016 and 2019. In Canada, hackers bribed employees at multiple businesses to “borrow” POS devices for about an hour to load card-skimming software. The result was a loss of over $7 million.

How Do Hackers Gain Access to POS Systems?

Businesses don’t always reveal how a data breach occurred, but in massive breaches, the details come out over time as the retailer works to protect data and settle with customers affected by the breaches. Here are a few recent examples:

  • Bonobos was hacked through an unsecure cloud backup.
  • Estee Lauder was hacked through a database that was not password-protected.
  • Carter’s was hacked when its third-party vendor Linc shortened Carter’s purchasing and shipping URLs without security precautions.
  • Guess was hacked through an unspecified “unauthorized access.”
  • Restaurant giant Landry’s was hacked (it believes) when waitstaff erroneously swiped credit cards through the order entry instead of the payment system. Order entry was not encrypted.
  • Claire’s fashion accessories store was breached after it closed all its retail stores when a hacker then reserved the claires-assets.com URL to launch an attack through Salesforce.
  • Dickey’s BBQ locations were hacked through outdated magstripe credit card scanners. Hackers can gain access through adjusted credit cards that direct the system to contact a rogue point-of-sale server to download card-skimming software.
  • Marriott International was a victim of a social engineering attack, in which an anonymous hacking group tricked an employee into granting them access to its system.

Other areas of vulnerability are tapping in through Bluetooth, especially through remote printing channels, bribing employees to lend them their devices, and finding loopholes in a program.

Just because the incidents above happened to large corporations doesn’t mean that small businesses aren’t also targeted. These are just the ones that get the press. POS security is increasingly important for small businesses.

Best Practices for POS Security

One of the requirements of the Payment Card Industry Data Security Standard (PCI DSS) is to use antivirus software on all point-of-sale (POS) systems. POS antivirus software helps protect your POS system from malware and other cyber threats. However, these are not enough. Here are other ways you can prevent a point-of-sale security breach:

  • Regularly check for card skimmers, cables, or any other tampering. Keep a list or photos of all your terminals with their serial numbers so that you can compare them to the physical terminals to ensure they haven’t been swapped with another device. This is especially important for self-serve kiosks and gas pumps where employees may not have a constant watch.
  • Stop allowing card swipe. Hackers can alter credit cards to direct point-of-sale systems to download malware. Use EMV payment tools instead. If you must use card swipe, be sure they are up-to-date.
  • Keep the software up to date with the latest security patches. All kinds of software and components get updated often, which may include new features and patches to any vulnerabilities hackers could exploit.
  • Install antivirus and malware protection on your POS device and all devices connected to the network. Antivirus software scans your system periodically and identifies any harmful files or apps on your system. If you’re unsure of which software you should use or how to install it, speak with your POS software account executive.
  • Set strict permissions in your software. Managers need access to the back end of your POS system, but you should allow only the permissions that are necessary. Other employees that need user permissions should have the lowest level, as well. Vendors may need access too. Keep a list of who has access and what each access level is, so you can trace any breaches and where they occurred.
  • Employees at all levels should use strong passwords and change them regularly. The best passwords have at least 12 characters, a combination of capital and small letters, numbers, and characters like ! or &. They can be a phrase (T1m32MK3D0nuts! – Time to make the donuts!) but should not tie to personal information.
  • Teach employees email and text security. Malicious attackers typically use email to try to get employee or vendor credentials, but requests may come over the phone or even in person. Employees should be trained on how to identify phishing emails and other common scams, and how to protect their login credentials. For example, no official customer service or IT worker will ask for your username and password. Always verify.
  • Get end-to-end encryption. Most POS systems will include 256-bit level encryption for any data stored on your system, but it’s a good idea to use a payment gateway that also employs end-to-end encryption. This will ensure data is encrypted from the transaction to the gateway.
  • Segment your network. An external network is great for customers at a brick-and-mortar store—they get free Wi-Fi, and you’re likely collecting useful data. However, make sure you’ve segmented your network because hackers can easily exploit a system and gain access to payment information. Use an internal network only for payment processing and business-related internet use.
  • Keep an eye on point-of-sale activity in your system. Make sure sales and inventory counts make sense and that there aren’t any anomalies in the activity. Also, if your team uses handheld devices to accept payments from customers, make sure you collect them all at the end of the day and lock them up. Employee theft is one concern, but a device could be lost or stolen at some point, and you need to take appropriate action if this happens.
  • Have a contingency plan. Businesses should be prepared in case their POS system is compromised.

Who Is Responsible for POS Security?

At the end of the day, the data owner (the merchant) is responsible for any data breach. So, even if a data breach occurs because of stolen third-party vendor credentials, it’s still your responsibility to make good on the losses, including loss of customer trust.

Click to see a breakdown of security responsibilities.

  • Keep terminals and other POS equipment physically safe
  • Maintain regular security updates of point-of-sale software
  • Monitor POS system transactions and users
  • Limit who can access the back end of the point-of-sale system
  • Employ all security features provided by the POS company to their fullest potential
  • Install firewalls, end-to-end encryption, anti-malware, and other security measures on your business’s computer system
  • Double-check the vulnerability of your databases
  • Train employees on proper password use and dangers from phishing and other scams
  • Do not allow unauthorized users access to any part of the system
  • Use strong passwords
  • Do not share passwords or other confidential information with anyone, even another employee
  • Close programs and/or screen lock computers when away from the room
  • Provide robust security tools and features to the POS system
  • Release regular updates to patch known security vulnerabilities
  • Communicate with clients when major threats or breaches occur
  • Offer round-the-clock customer support and/or fraud reporting systems

Point-of-Sale Security Costs

A 2021 study by Ponemon Institute found that the average cost of a data breach is $4 million—the highest in 17 years. Small businesses fared “better”: Niche insurance agency Hiscox said the average cost for a data breach to a small business from mid-2020 to mid-2021 was $25,000.

Nonetheless, the price can be devastating. Before Covid, 60% of small businesses that suffered a data breach went out of business within six months. That’s why it’s important for businesses to invest in point-of-sale security systems. These systems can help protect your customers’ information and help you avoid costly data breaches.

Tech analyst Gartner found that worldwide spending on data security increased by 17.5% between 2020 and 2021. Most POS companies include security features to help protect POS hardware and software. However, there are extra steps you can take for enhanced security, and they line up with the best practices and tips above.

  • Antivirus software: Average costs for antivirus software for your business systems will be about $200 per year. Popular options include McAfee and Norton.
  • Firewall: A physical firewall, or router, can help protect data transfers on your small business network. These come in a range of prices, but you can expect to pay $100 to $300. Popular options include SonicWall and Cisco.
  • Security cameras: Having a camera that covers any areas with point-of-sale terminals or devices is a great way to protect them from physical tampering. Business security systems like SimpliSafe, Vivint, and ADT offer plans anywhere from $9.99 to $59.99 per month.
  • EMV chip readers: This is a must. The average cost of EMV readers is anywhere from $50 to $1,000 each. Contact your merchant account provider to make sure you have the latest payment technology.
  • Security AI and automation controls: Security AI and automation controls help businesses detect and contain data breaches much faster. These come with monthly fees of $80 to $1,500 per month, but by cutting down detection and reaction time, they reduced data breach costs by 80%.
  • Chargeback protection services: Hacking isn’t just about exposing compromised data on the dark web. Criminals use this information to make fraudulent purchases. While many POS systems and payment providers provide some chargeback protection, you may want to consider a more robust chargeback protection service. Most offer custom pricing, but some have minimum monthly spends of $1,000-plus.

What To Do if Your Business Is Affected by a Data Breach

Sometimes, the best point-of-sale security efforts can’t prevent a breach. When a data breach occurs, it is important for your business to react quickly and efficiently. In this case, time really is money as well as reputation.

  • Step 1: Determine the extent of the breach. Identify which systems or networks were compromised and what information was accessed. Once the extent of the breach is known, you can start to mitigate the damage.
  • Step 2: Notify customers and employees who may have been affected. Let them know how likely they were directly affected (such as cards used between these dates or at this store). Include suggestions for protecting themselves, like changing passwords or checking for purchases they didn’t make.
  • Step 3: Consider offering identity theft protection to your customers for a year. This can get pricey but goes a long way toward repairing customer goodwill.
  • Step 4: Hire a cybersecurity firm to investigate the breach and implement additional security measures.
  • Step 5: Keep track of all communication related to the data breach so that it can be used as evidence if legal action is taken.
  • Step 6: Contact the Federal Trade Commission (FTC) law enforcement, and credit bureaus. Law enforcement can help investigate the breach and determine who is responsible. The FTC can provide resources and advice on how to handle the aftermath of a data breach. Credit bureaus can help businesses protect their customers’ credit information.
  • Step 7: Contact your insurance company to confirm whether it covers data breaches.

Point-of-Sale Security Frequently Asked Questions (FAQ)

Financial institutions (banks and payment processors) usually bear the brunt of unauthorized charges to debit and credit cards. However, these financial companies may take a merchant to court to cover the cost of protecting customers—Home Depot settled with banks; Target paid a settlement, too. Others are in lawsuits. Still, others pay the hackers the ransom to prevent a data breach.

No. If you access your POS in the cloud or have an online store on your website, then these also need to be secure against hackers. For example, a virus on your computer or server could then pull passwords and other information that you are putting into your POS system or get your password to access the system directly. One of the most common data breach avenues for 2020 and 2021 was through unsecure databases. Be sure you properly label, password, and secure your POS databases and backups.

Bottom Line

It’s more important than ever for businesses to have comprehensive security protocols in place, particularly where point-of-sale security is concerned. That means ensuring that all devices used for transactions are up-to-date and properly secured, using strong passwords and authentication methods, and regularly monitoring for suspicious activity. Employees also need to be trained on how to spot potential threats and respond accordingly.

About the Author

Karina Fabian
Karina Fabian

Karina Fabian has more than seven years of experience writing on business topics and reviewing software. Before writing for Fit Small Business, she reviewed business software and services for other online websites. Karina has also worked as a marketing content specialist for Naviga. After her husband started a rocket company, Karina got a crash course on the ins and outs of starting a business and all the work that goes into launching a startup. In her free time, she writes science fiction and fantasy.

Sign Up For Our Retail Newsletter!
Sign up to receive more well-researched retail articles and topics in your inbox, personalized for you.
This email address is invalid.
Sign Up For Our Retail Newsletter!
This email address is invalid.