POS Security and Protecting Data in 10 Steps
This article is part of a larger series on POS Systems.
Point-of-sale (POS) security is the prevention of unauthorized access to transaction data including customer payment information, credit card numbers, usernames, passwords, birthdays, and addresses. Having strong POS security is a must for businesses small and large.
There are multiple actions you can take to help protect customers’ personal data—and your business. Some of these actions should be ongoing, so it’s important to make these 10 steps standing best practices for your business.
1. Inspect Terminals for Tampering
Regularly check for card skimmers, cables, or any other tampering. Keep a list or photos of all your terminals with their serial numbers so that you can compare them to the physical terminals to ensure they haven’t been swapped with another device.
2. Limit Access to POS System
Managers will need access to the back-end of your POS system, so grant only the permissions their job requires. Other employees who need user permissions should likewise get the lowest level that still lets them do their work. Vendors may need access too. Keep a list of who has access and what each access level is, so you can trace any breach back to the account and the place where it occurred.
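As an added example (not from the article or any POS vendor), here is a small access register in Python that records who has back-end access and at what level, flags accounts holding more than the minimum level their role needs, and, given a time of interest, shows which accounts had a back-end session open so an incident can be traced to an account and a source address. The permission levels, role names, accounts and login log are all constructed for this example.

```python
"""Back-end access register for a POS system (added example, not the
article's). Keeps a list of who has access and at what level, checks the
list against least privilege, and answers "who was logged in when?" from
a constructed login log so a breach can be traced to an account."""
from dataclasses import dataclass
from datetime import datetime

# Permission levels, lowest to highest (assumed; real products name these differently).
LEVELS = ["cashier", "shift_lead", "manager", "admin"]

# Minimum level each role needs to do its job (assumption for this example).
ROLE_MIN_LEVEL = {
    "cashier": "cashier",
    "shift_lead": "shift_lead",
    "store_manager": "manager",
    "vendor_support": "shift_lead",
}


@dataclass
class Account:
    user: str
    role: str
    level: str
    owner: str  # the person or vendor company behind the account, for tracing


# Constructed register of everyone with back-end access.
REGISTER = [
    Account("alice", "store_manager", "manager", "Alice (employee)"),
    Account("bob", "cashier", "cashier", "Bob (employee)"),
    Account("carol", "cashier", "manager", "Carol (employee)"),              # more than her role needs
    Account("acme-support", "vendor_support", "admin", "ACME POS Support (vendor)"),  # vendor holding admin
]


def over_privileged(register):
    """Return the users whose level is above the minimum for their role."""
    return [a.user for a in register
            if LEVELS.index(a.level) > LEVELS.index(ROLE_MIN_LEVEL[a.role])]


# Constructed back-end login log, one event per line: "timestamp user action source".
LOGIN_LOG = """\
2024-03-04T09:02:11 alice login 10.0.5.21
2024-03-04T09:40:57 acme-support login 203.0.113.8
2024-03-04T10:15:03 acme-support logout 203.0.113.8
2024-03-04T12:30:44 carol login 10.0.5.22
2024-03-04T18:05:00 alice logout 10.0.5.21
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, src = line.split()
        events.append((datetime.fromisoformat(ts), user, action, src))
    return events


def sessions_active_at(events, when):
    """Map user -> source address for every back-end session that was open
    at `when`. Sessions with no logout in the log count as still open."""
    open_sessions = {}
    active = {}
    for ts, user, action, src in sorted(events):
        if action == "login":
            open_sessions[user] = (ts, src)
        elif action == "logout":
            start, src0 = open_sessions.pop(user, (None, None))
            if start is not None and start <= when <= ts:
                active[user] = src0
    for user, (start, src) in open_sessions.items():
        if start <= when:
            active[user] = src
    return active


if __name__ == "__main__":
    print("over-privileged accounts:", over_privileged(REGISTER))
    print("sessions open at 10:00:", sessions_active_at(parse_log(LOGIN_LOG), datetime(2024, 3, 4, 10, 0)))
```

On the constructed data the register flags `carol` and `acme-support`, and a question such as "who was in the back-end at 10:00 on March 4?" returns Alice from the store network and the vendor account from an external address, which is exactly the trace the access list is meant to support.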
3. Choose Strong Passwords (and Change Them Often)
Avoid using passwords that are easy to guess. You want to use a long string of numbers, letters (upper- and lowercase), and symbols. Also, it’s a good idea to change these passwords often, and you should instruct employees to do the same.
4. Train Anyone With Back-End Access About Phishing
Malicious attackers typically use email to try to get employee or vendor credentials, but requests may come over the phone or even in person. Make sure that everyone who works for or with you understands how to avoid social engineering attacks. For example, no official customer service or IT worker will ask for your username and password. Always verify.
5. Use End-to-End Encryption
Most POS systems include 256-bit encryption for any data stored on your system, but it’s a good idea to use a payment gateway that also employs end-to-end encryption. This ensures card data is encrypted from the moment it is read at the terminal until it reaches the gateway, not only while it sits in storage.
6. Install Antivirus Software
Antivirus software can protect your POS devices from malware. It will scan your system periodically and identify any harmful files or apps on your system. If you’re unsure of which software you should use or how to install it, speak with your POS software account executive.
7. Update Your POS Software Regularly
All kinds of software and components get updates often, which may include new features and patches for vulnerabilities hackers could exploit. Don’t put off installing new updates, as they could protect your data.
8. Upgrade Credit Card Readers
If you’re still using the older swipe-style card readers, it’s a good idea to upgrade them to EMV chip card readers. These chip-and-PIN style terminals do more to protect customers from fraud than swipe or chip-and-signature devices. As of March 2019, 75% of US retailers use EMV.
9. Segment Your Wi-Fi Network
An external network is great for customers at a brick-and-mortar store—they get free Wi-Fi, and you’re likely collecting useful data. Make sure that guest network is segmented from the one your terminals use, because an attacker on a shared network can reach the payment system and gain access to payment information. Use a separate internal network only for payment processing and business-related internet use.
10. Monitor POS Activity & Keep Track of Devices
Keep an eye on POS activity in your system. Make sure sales and inventory counts make sense and that there aren’t any anomalies in the activity. Also, if your team uses handheld devices to accept payments from customers, make sure you collect them all at the end of the day and lock them up. Employee theft is one concern, but a device could be lost or stolen at some point, and you need to take appropriate action if this happens.
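An added example, not code from the article, that ties step 1 (the register of terminal serial numbers) to step 10 (watching POS activity for anomalies): a Python script that runs a few checks over a constructed day of transaction records and the stock system’s inventory movement. The field layout, business hours, refund threshold, serial numbers and SKUs are assumptions made for the example.

```python
"""Monitoring POS activity against a terminal register (added example, not
the article's). Runs simple checks over constructed transaction records:
  - the terminal serial on each transaction must be in the register (step 1),
  - no transactions outside business hours,
  - a cashier's refund share above a threshold,
  - net units sold must match the stock system's inventory decrement (step 10).
Field names, thresholds and hours are assumptions for this example."""
from collections import Counter, defaultdict
from datetime import datetime

# Register of the terminals you own, by serial number (constructed).
TERMINAL_REGISTER = {"SN-1001": "front counter", "SN-1002": "cafe"}

OPEN_HOUR, CLOSE_HOUR = 8, 20   # business hours (assumed)
REFUND_RATE_LIMIT = 0.30        # flag a cashier who refunds more than 30% of their transactions

# Constructed transaction log: timestamp,terminal,cashier,type,sku,qty,amount
TRANSACTIONS = """\
2024-03-04T09:15:00,SN-1001,bob,sale,SKU-A,2,19.98
2024-03-04T11:02:10,SN-1002,dan,sale,SKU-B,1,4.50
2024-03-04T11:30:00,SN-1002,dan,refund,SKU-B,1,4.50
2024-03-04T13:45:12,SN-1001,bob,sale,SKU-A,1,9.99
2024-03-04T14:10:00,SN-1002,dan,refund,SKU-A,1,9.99
2024-03-04T22:40:00,SN-1001,bob,sale,SKU-A,1,9.99
2024-03-04T16:00:00,SN-9999,eve,sale,SKU-A,3,29.97
"""

# Units the stock system says left the shelf that day, per SKU (constructed).
INVENTORY_DECREMENT = {"SKU-A": 4, "SKU-B": 0}


def parse_transactions(text):
    rows = []
    for line in text.splitlines():
        ts, terminal, cashier, kind, sku, qty, amount = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "terminal": terminal,
                     "cashier": cashier, "type": kind, "sku": sku,
                     "qty": int(qty), "amount": float(amount)})
    return rows


def unknown_terminals(rows):
    """Serials that appear in the log but are not in the register (a swapped or rogue device)."""
    return sorted({r["terminal"] for r in rows if r["terminal"] not in TERMINAL_REGISTER})


def after_hours(rows):
    """Timestamps of transactions outside business hours."""
    return [r["ts"].isoformat() for r in rows if not OPEN_HOUR <= r["ts"].hour < CLOSE_HOUR]


def high_refund_cashiers(rows):
    """Cashiers whose share of refunds exceeds REFUND_RATE_LIMIT."""
    total, refunds = Counter(), Counter()
    for r in rows:
        total[r["cashier"]] += 1
        if r["type"] == "refund":
            refunds[r["cashier"]] += 1
    return sorted(c for c in total if refunds[c] / total[c] > REFUND_RATE_LIMIT)


def inventory_mismatches(rows, decrements):
    """SKUs where net units sold (sales minus refunds, assuming refunded
    goods return to stock) disagree with the recorded stock movement.
    Returns sku -> (net_sold, recorded_decrement)."""
    net = defaultdict(int)
    for r in rows:
        net[r["sku"]] += r["qty"] if r["type"] == "sale" else -r["qty"]
    skus = set(net) | set(decrements)
    return {sku: (net[sku], decrements.get(sku, 0))
            for sku in skus if net[sku] != decrements.get(sku, 0)}


def run_checks(text=TRANSACTIONS, decrements=INVENTORY_DECREMENT):
    rows = parse_transactions(text)
    return {
        "unknown_terminals": unknown_terminals(rows),
        "after_hours": after_hours(rows),
        "high_refund_cashiers": high_refund_cashiers(rows),
        "inventory_mismatches": inventory_mismatches(rows, decrements),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Each check is deliberately simple so it can be read against the daily report: on the constructed data it surfaces an unregistered serial, one sale at 22:40, a cashier with two refunds in three transactions, and six units of SKU-A leaving through the register while the stock system only recorded four. None of these is proof of wrongdoing, but each is the kind of mismatch the step tells you to look into before it becomes a pattern.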
Costs of Securing Your POS
Most of your POS security will come from built-in features of your POS system. However, there are extra steps you can take for enhanced security, and they line up with the best practices and tips above.
- Antivirus software: Average costs for antivirus software for your business systems will be about $200 per year. Popular options include McAfee and Norton.
- Firewall: A physical firewall, or router, can help protect data transfers on your small business network. These come in a range of prices, but you can expect to pay $100 to $300. Popular options include SonicWall and Cisco.
- Security cameras: Having a camera that covers any areas with POS terminals or devices is a great way to protect them from physical tampering. Business security systems like SimpliSafe, Vivint, and ADT offer plans starting at $19.99 per month.
- EMV chip readers: This may be the biggest expense if you haven’t upgraded yet. The average cost of EMV readers is anywhere from $500 to $1,000 each. Contact your merchant account provider to make sure you have the latest payment technology.
Who’s Responsible for POS Security?
At the end of the day, it’s the data owner (the merchant) who is responsible for any data breach. So, even if a data breach occurs because of stolen third-party vendor credentials, it’s still the merchant’s responsibility. Most POS companies include security features to help protect POS hardware and software.
POS Security Responsibilities of Small Business Owners
- Keep terminals and other POS equipment physically safe
- Maintain regular security updates of POS software
- Monitor transactions and users of the POS system
- Limit who can access the back-end of the POS system
- Employ all security features provided by the POS company to their fullest potential
- Install firewalls, end-to-end encryption, anti-malware, and other security measures on your business’s computer system
POS Security Responsibilities of POS Systems & Payment Processors
- Provide robust security tools and features to the POS system
- Release regular updates to patch known security vulnerabilities
- Communicate with clients when major threats or breaches occur
- Offer round-the-clock customer support and/or fraud reporting systems
What Happens Without POS Security?
A recent study by IBM and the Ponemon Institute found that data breaches affect almost all industries and are particularly pricey for the healthcare industry, with an average cost of $7.13 million. Some good news is that the average cost of a retail data breach is down to $2.01 million from $3.9 million in 2015, thanks to stricter security for POS systems.
The biggest retail data breaches revealed the personal data of hundreds of millions of customers. About 110 million Target customers had their credit card info stolen in 2013. In 2014, The Home Depot’s servers were attacked, and 56 million credit card numbers were stolen. Meanwhile, retailer TJ Maxx dealt with an 18-month attack starting in 2007, which caused $162 million in damages.
How Do Hackers Gain Access to POS Systems?
Businesses don’t always reveal how a data breach occurred, but in these massive breaches, the details came out over time as the retailer worked to protect data and settle with customers affected by the breaches.
- Target: An unauthorized person used vendor login info to access Target’s POS system, and then uploaded malware to steal credit card data.
- Home Depot: A hacker used vendor credentials to access and feed malware into the hardware store’s network to glean the credit card data of 40 million customers.
- TJ Maxx: The retail giant used outdated Wi-Fi security, which created a security hole for hackers to exploit. They were able to gather employee logins and then made their own logins to steal unencrypted transaction data (for 18 months).
Just because the incidents above happened to large corporations doesn’t mean small businesses aren’t also targets. The share of cyberattacks aimed at SMBs was just 18% in 2011, and by 2015 it had increased to 43%, according to Symantec’s 2016 Internet Security Threat Report. A 2020 survey from ConnectWise shows that 55% of SMBs have reported cyberattacks, costing an average of $58,902. So, POS security is increasingly important for small businesses.
Who Pays for Fraudulent Charges When There’s a Data Breach?
Financial institutions (banks and payment processors) usually bear the brunt of unauthorized charges to debit and credit cards. However, these financial companies may take a merchant to court to cover the cost of protecting customers—Home Depot settled with banks; Target paid a settlement too.
Bottom Line
The biggest takeaway from all this information: most data breaches that target POS systems involve stolen credentials and installed malware, both of which are preventable. To ensure you’re fully protected, follow the steps outlined above. You’re ultimately responsible for securing customers’ data, but it helps to use the best POS hardware and software for top-notch POS security.