Josh Young

“We regret to inform you that our credit card systems were compromised, and your personal information may have been inappropriately accessed.”

Hopefully you’ve never received an email with a message like that, or even worse, had to send one. But more than likely you have. Over the past several years, attacks on point-of-sales (POS) systems have become commonplace, and pretty much any business that processes credit card transactions is at risk.

And criminals aren’t solely focusing on big scores with major businesses. When closely tracking incidents of POS malware during the third quarter of 2015, Trend Micro found that 45 percent of cybersecurity incidents or breaches involved small and medium-sized business — particularly since these organizations lack comprehensive security technology.

Of course, criminals are targeting more than physical POS systems. Experian reported that in 2016, incidents of ecommerce fraud increased by roughly 30 percent over the previous year.

With So Many Threats, What Can You Do?

1. Limit access

By taking proactive measures, your business can limit its exposure and reduce the likelihood of a successful attack. Consider employing hardware-based point-to-point encryption for any financial transactions conducted by your POS systems. Routinely delete cardholder data, and encrypt any records that you need to keep long-term.

Where possible, limit physical access to any POS equipment and use whitelists to restrict system access to only authorized users. You should also limit internet access to sales systems, only authorizing access if you have sufficient security software in place.

2. Keep current

If you haven’t done so recently, perform a deep, thorough audit of your entire network environment, including any POS or sales systems. Not only should you verify that all software and firmware is up to date (along with critical security patches), but you should also double check communication and security settings.

Often, scammers exploit misconfigured network equipment or poorly secured remote access features for Microsoft Windows-based POS terminals to gain illegitimate access. In fact, you may want to follow the recommendation of the U.S. Computer Emergency Readiness Team and completely disable any remote access capabilities unless they are crucial to your business.

3. Work with staff

Any security measures you take to protect your customers will only be as effective as the staff that support them. Regularly provide security awareness training to your workers — particularly customer-facing employees — on proper procedures for handling purchases as well as overall POS cybersecurity. After all, without proper training, they might not be able to properly answer questions like:

• Can I just key in the customer’s credit card number if they forgot their card?
• Is it okay if the back of the credit card isn’t signed?
• Why can’t I use “password” for my POS password?

4. Coordinate with vendors

Perhaps the most infamous compromise of a POS system — the Target data breach that affected over 100 million credit card holders — originated from the compromised credentials of a third-party vendor.

To protect your business, require any vendors that have direct access to your network — or tangential access to your POS systems — to comply with the same security standards and training that you require of your own staff.

The Next Step

Criminals will always follow the money, and as more businesses rely on virtual and electronic sales systems, cybercrime will continue to be a growing threat. By taking proactive measures now to shore up your POS systems and other technology, you can better protect your business, your reputation, and your customers.

To learn more about how we can help you encourage your staff to be an asset rather than a liability in the fight against cybercriminals and scammers, check out a demo of our cybersecurity awareness courses today.