Point of sale security is crucial for creating safe environments that protect cardholder data, stop unauthorized access, defend against malware, and prevent malicious attacks. After all, a POS system is a treasure trove of data that hackers could sell or manipulate to use in fraud or financial crimes.
Furthermore, you know there’s a lot more at stake. Beyond safeguarding consumer accounts, POS security protects consumers and their banks from losses, while maintaining the merchant’s reputation. It also protects your business if a security event occurs. However, as technology evolves, so do the malicious attacks against it. VARs and ISVs must continually evaluate point of sale security to identify any vulnerabilities and then provide the support to fortify POS environments against exploitation.
Start with PCI Compliance
Payment Card Industry (PCI) compliance is fundamental to POS security and continued business viability. According to QSR Magazine, “The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”
You must ensure solutions your customers use in their POS environment are PCI-validated, designed for secure data handling, encryption, and storage. In the past, the yardstick for evaluating software security in the payments industry was the PCI Payment Application Data Security Standard (PA-DSS). While this was one of the first standard programs of its kind, according to Jake Marcinko, PCI SSC’s Sr. Manager, Emerging Standards, “[While the PA-DSS program served the industry’s needs for 10 years]…those needs, however, have evolved to the point that it no longer made sense to make incremental changes to an aging standard and program. A new approach was needed to support modern payment software architecture and software development methodologies, and to protect payment software from increasingly complex software attacks.”
PCI is migrating to the Software Security Framework (PCI SSF), which gives developers a more flexible, effective approach to security that includes:
- More dynamic responses allowing for faster security validation
- Scope expanded beyond payment authorization to include functions such as fraud monitoring or cardholder authentication
- An objective-based approach to meeting requirements rather than a standard-specific approach
Understanding this framework and PCI’s perspective on cardholder data and systems security and complying with all requirements is pivotal to providing solutions with maximum POS security.
Steps to Stronger Point of Sale Security
All PCI requirements have their roots in principles designed to enhance POS security. However, as a solutions provider, your clients will require your expertise to implement these essential elements:
- Segmentation
Network segmentation is a crucial strategy that isolates cardholder data from other parts of the network. With segmentation, separate networks are used for different functions, such as a dedicated network for payments infrastructure versus a public network for customers, so the risk of unauthorized access is reduced. By deploying network controls like firewalls, VLANs, and subnets, VARs and ISVs can effectively minimize a merchant’s attack surface, helping to protect payment data and reducing PCI scope, which makes compliance easier.
- Semi-Integration
Consider leveraging semi-integrated payment solutions to enhance point of sale security by keeping card data completely out of the merchant’s system. While fully integrated systems allow the payment data to flow through the POS system, in a semi-integrated environment, the payment data travels from the payment terminal directly to the payment processor. Authorization is sent back to the terminal, which then communicates success or denial to the POS system. Semi-integrated solutions enhance security because the payment data is out of PCI scope and never available to a hacker, even if the merchant’s system is breached.
- Tokenization
Tokenization replaces cardholder personally identifiable data with unique, random identifiers called “tokens.” Merchants can store the tokens, which can only be mapped back to the original data by the tokenization system, for transactions like tip adjustments, voids, and returns. With tokenization, merchants can complete those tasks but keep data safe, because readable card numbers or other sensitive data are never accessible.
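The semi-integrated flow and tokenization described above, as one added example (not code from the article or any real processor): the terminal hands the card number to a simulated processor, the POS receives only the approval, a random token and the last four digits, and a later adjustment is performed by token alone. The TokenVault, Processor and Luhn check are constructed stand-ins.

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check, used here only to reject malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization service. Only the vault can map a token back to a PAN;
    the merchant side only ever holds the token."""
    def __init__(self):
        self._vault = {}  # token -> PAN, never leaves the processor

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(12)  # random; no relation to the PAN
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


class Processor:
    """Stand-in for the payment processor that owns the vault."""
    def __init__(self):
        self.vault = TokenVault()

    def authorize(self, pan: str, amount_cents: int) -> dict:
        token = self.vault.tokenize(pan)
        return {"approved": amount_cents > 0, "token": token, "last4": pan[-4:]}

    def adjust(self, token: str, new_amount_cents: int) -> dict:
        pan = self.vault.detokenize(token)  # PAN resolved inside the processor only
        return {"approved": new_amount_cents > 0, "token": token, "last4": pan[-4:]}


def semi_integrated_sale(processor: Processor, pan: str, amount_cents: int) -> dict:
    """The terminal talks to the processor; the POS gets back only these fields."""
    resp = processor.authorize(pan, amount_cents)
    return {k: resp[k] for k in ("approved", "token", "last4")}


def contains_pan(record: dict) -> bool:
    """Defender-side check: does anything stored by the POS look like a card number?"""
    return any(re.search(r"\d{13,19}", str(v)) for v in record.values())
```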
Utilize Fraud-Prevention Tools Where Applicable
Preventing fraud is another important factor in enhancing point of sale security. Start a conversation with your clients to understand their challenges with fraud and implement solutions that address them, such as:
- Suspicious Activity Monitoring: Integrate smart systems that can flag unusual transactions, like repeated small-quantity purchases or several large purchases in one day.
- Identity Verification: Use fraud detection tools and address verification systems to verify that the person presenting the card and the details they provide match those of the card’s rightful owner.
- Chargeback Guarantee Solution: Work with a payments processor that offers a chargeback guarantee, meaning that full responsibility lands on the provider to monitor behaviors indicative of fraud. If something is missed and later identified as chargeback fraud, the service provider pays the associated costs instead of the merchant.
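The suspicious-activity rules listed above, as an added example (not the article's or any vendor's code): two flagging rules run over a constructed transaction log, one for a burst of small purchases on the same token within a short window and one for several large purchases on the same token in one day. The log lines, field names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample POS transaction log; tokens stand in for card numbers.
SAMPLE_LOG = """\
2024-05-01T10:02:11 token=tok_a1 amount=2.50
2024-05-01T10:03:40 token=tok_a1 amount=1.75
2024-05-01T10:05:02 token=tok_a1 amount=3.10
2024-05-01T10:06:55 token=tok_a1 amount=0.99
2024-05-01T11:15:00 token=tok_b2 amount=1200.00
2024-05-01T13:42:18 token=tok_b2 amount=850.00
2024-05-01T16:08:45 token=tok_b2 amount=990.00
2024-05-01T12:00:00 token=tok_c3 amount=45.00
2024-05-02T09:30:00 token=tok_b2 amount=700.00
"""

# Assumed thresholds; a real deployment would tune these per merchant.
SMALL_AMOUNT, SMALL_COUNT, SMALL_WINDOW = 5.00, 4, timedelta(minutes=10)
LARGE_AMOUNT, LARGE_COUNT = 500.00, 3


def parse_log(text: str) -> list:
    """Return (timestamp, token, amount) tuples sorted by time."""
    txns = []
    for line in text.splitlines():
        ts, tok, amt = line.split()
        txns.append((datetime.fromisoformat(ts), tok.split("=", 1)[1],
                     float(amt.split("=", 1)[1])))
    return sorted(txns)


def find_suspicious(text: str) -> list:
    """Return sorted (token, rule, date) alerts for the two patterns."""
    alerts = []
    by_token = defaultdict(list)
    for ts, tok, amt in parse_log(text):
        by_token[tok].append((ts, amt))
    for tok, rows in by_token.items():
        # Rule 1: SMALL_COUNT or more small purchases inside SMALL_WINDOW.
        small = [ts for ts, amt in rows if amt < SMALL_AMOUNT]
        for i, start in enumerate(small):
            if len([t for t in small[i:] if t - start <= SMALL_WINDOW]) >= SMALL_COUNT:
                alerts.append((tok, "repeated-small-purchases", start.date().isoformat()))
                break
        # Rule 2: LARGE_COUNT or more large purchases on one calendar day.
        per_day = defaultdict(int)
        for ts, amt in rows:
            if amt >= LARGE_AMOUNT:
                per_day[ts.date()] += 1
        for day, n in per_day.items():
            if n >= LARGE_COUNT:
                alerts.append((tok, "multiple-large-purchases", day.isoformat()))
    return sorted(alerts)
```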
Stay Current With Point of Sale Security Basics
Although new technologies and solutions continually come to market to help merchants strengthen POS security and mitigate the risks of fraud, you need to keep your clients focused on taking a holistic approach. Balance modern solutions with security fundamentals, including:
- EMV: All merchants should accept EMV payments and eliminate the use of magstripe cards, which are prone to counterfeiting.
- Secure Self-Checkout: Newer self-service systems are integrated with anti-theft measures including security cameras and checkout audits to minimize losses.
- Training: Ensure that all employees are knowledgeable and follow security best practices.
- Regular System Updates: Use patch management to keep all systems updated and patched.
- Access Control: Employee access to the POS system should require a code, smart card, or biometric credential.
- Layered Security: Firewall configuration, intrusion detection and prevention, and endpoint protection are barriers between sensitive information and potential threats, further fortifying a security infrastructure.
Finally, you need a payments partner in your corner that can provide you with the information and support you need to strengthen point of sale security for your clients. That includes secure technology, continued innovation to keep up with the threat landscape, and expertise you can tap into to solve unique challenges.
With your clients’ businesses, consumer account security, and your own reputation at stake, the right partnership is vital. To learn what we offer to keep cardholder data and businesses safe, contact us.