Modern POS systems are customized computers equipped with a card reader and with sales software installed on them. POS malware can copy payment card data as soon as it is read by the card reader. Attacking POS systems with malware is much easier for attackers, as the more direct method known as ‘skimming’ would require additional hardware and physical access to the card reader.
At present all organizations that handle payment data are required to adhere to Payment Card Industry Data Security Standards (PCI DSS), to ensure that their systems and procedures are properly secured. Also, PCI DSS explains a novel concept called Cardholder Data Environment (CDE) which encompasses all people, processes, and technology that store, process or transmit cardholder data and all connected system components involved. It also offers specific guidelines and explains the need to protect CDE from breaches.
But a major loophole is that the current standards do not require the CDE to be segmented from other POS systems and the public internet. On the other hand, a completely isolated POS system is not practical, as POS systems must be opened up for software updates and maintenance. POS systems also need to maintain connectivity to external processors.
However, PCI standards do mandate several measures to monitor remote access to POS systems. But the common route through which attackers target POS systems, the corporate network, remains exposed.
Lack of Point-to-Point Encryption (P2PE) is a major contributor to POS systems’ vulnerability. Installing sniffing tools can allow hackers to steal card information as it passes through internal networks.
Retailers who use network-level encryption within their internal networks can still be breached using “RAM scraping” malware. Secure card readers have been found to be effective in blocking RAM scraping malware. Using P2PE can considerably secure POS systems.
Further, most POS systems use the Windows and UNIX operating systems. Operating systems such as Windows XP and Windows XP Embedded could contain bugs that pose risks to system integrity.
Common modes of attack on POS systems include infiltration, network traversal, exfiltration and the use of data-stealing tools.
There are many basic steps that POS system operators should take to ensure the safety of their systems, such as maintaining network segmentation using firewalls, activating an Intrusion Protection System and using file integrity and monitoring software.
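The segmentation described above can be checked against observed traffic. The following is an added example, not part of the original article: it audits flow records for connections that cross the CDE boundary without an allowlist entry. All addresses, ports and names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not taken from the article).
CDE_NET = ipaddress.ip_network("10.20.0.0/24")          # POS terminals / CDE
ALLOWED_OUTBOUND = {                                     # (destination net, port)
    (ipaddress.ip_network("203.0.113.10/32"), 443),      # external payment processor
    (ipaddress.ip_network("10.50.0.5/32"), 8530),        # internal patch server
}
ALLOWED_INBOUND = {                                      # (source net, port on POS)
    (ipaddress.ip_network("10.50.0.8/32"), 22),          # maintenance jump host
}

# Constructed flow records: (initiator IP, responder IP, responder port).
SAMPLE_FLOWS = [
    ("10.20.0.11", "203.0.113.10", 443),    # POS -> processor: expected
    ("10.20.0.11", "10.50.0.5", 8530),      # POS -> patch server: expected
    ("10.50.0.8", "10.20.0.11", 22),        # jump host -> POS: expected
    ("10.30.4.77", "10.20.0.11", 445),      # corporate workstation -> POS
    ("10.20.0.12", "198.51.100.23", 80),    # POS -> unknown internet host
    ("10.30.4.77", "10.30.4.1", 53),        # corporate-only traffic
]

def _permitted(peer, port, allowlist):
    """True if (peer, port) matches any (network, port) allowlist entry."""
    return any(peer in net and port == p for net, p in allowlist)

def audit_flows(flows):
    """Return flows that cross the CDE boundary without an allowlist entry."""
    violations = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_in, dst_in = s in CDE_NET, d in CDE_NET
        if src_in == dst_in:
            continue  # both inside or both outside the CDE: no boundary crossing
        if src_in and not _permitted(d, port, ALLOWED_OUTBOUND):
            violations.append((src, dst, port, "unexpected outbound from CDE"))
        elif dst_in and not _permitted(s, port, ALLOWED_INBOUND):
            violations.append((src, dst, port, "unexpected inbound to CDE"))
    return violations

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print(violation)
```

The allowlists keep the update, maintenance and processor paths open while everything else crossing the boundary, including traffic from the corporate network, is reported.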
Efficient Security Information and Event Management (SIEM) is essential to monitor all network and data access.
Implementing P2PE and adopting secure payment cards such as Europay, MasterCard, and Visa (EMV) cards can make it difficult for hackers to steal data. EMV is commonly referred to as Chip and PIN. These cards are difficult to clone.
The impact of recent attacks on POS systems has proved to be vast and scary. The malware attack on Home Depot alone affected around 56 million payment cards. A similar piece of malware named “Backoff” was later detected by several other retailers in their POS systems. The breaches severely affected their sales, and erosion of their customer base was reported. The legal ramifications these companies have to face after the breaches are another cause for worry.
The amount of data and money involved in the transactions through POS systems alone should be a reason for ensuring their protection from malicious elements.