June 05, 2008

Security - Changing the POS burden

SC Magazine, one of the leading security publications, today published an article by Rosen Sharma of Solidcore about point-of-sale security.

Changing the POS security burden - SC Magazine US

Point of sale (POS) payment devices, servers and self-service kiosks have enjoyed rapid deployment. Most make use of off-the-shelf components and readily available operating systems. Vendors may try to hide this fact with custom enclosures, but the fact is that they morph and meld into just another one of the fixed-function devices on the merchant's point-of-service payment network. Each disclosure of yet another breach in the news exposes this truth. In retail environments in which the average lifespan of POS systems is approximately seven to nine years, the ability of thieves to continue to use standard systems for profit will continue.

In retail, the focus is on how to reach more buyers with technology innovations -- enabling more business. Some key trends I've been reading about are alluring, and as a consumer, I am looking forward to the added convenience and personalization they may bring. Self-service kiosks aid consumers in the selection and purchase of merchandise, extending the on-premise inventory options. The shift from standard check-out lanes to self-service options co-located with merchandise within normal retail zones offers quick cashless purchases. And of course there is a trend to track and integrate the buying habits and preferences, bringing the use of CRM and the POS closer together. For my first preference, I'd request my local Safeway grocer to not read my name from my sales receipt accompanied with a “Thank you for shopping with us today” as it provides a false means for the clerk to pretend they have an interest in knowing who I am. Personally, I find it a security risk. What happened to shopping with anonymity? A stranger announcing my name in a group of strangers leaves me feeling a bit exposed.

The general guidelines and assumptions used when first conceiving POS systems and how to protect them are shifting, and these new trends elevate the need to re-evaluate current practices. Multi-channel transactions at the store premise can now be generated through a kiosk -- say, to order parts or accessories in addition to buying stock merchandise at the checkout. This gives potential thieves another digital means to collect information about critical backend systems or network configurations. Both self-service kiosks and the shift away from checkout lanes leave deployed POS systems open to potential mischievous or malicious tampering without the watchful eyes of a lane clerk. Can a person with a USB key install malware or a sniffer, or alter configurations to open a back door for later use? Can a PIN pad be swapped or altered? The integration of CRM and POS information for better retail analytics and the adoption of points-based rewards programs are valuable to the retailer facilitating the purchase of merchandise. But will these things be future targets for theft and fraud as these systems process and store personally identifiable information?

Even without considering these new innovations, current POS systems are still the weakest link and have been neglected in overall risk assessments because individually they process only a small percentage of overall merchant transactions. The focus -- especially with PCI DSS -- has been targeted at the critical backend systems directly connected to the payment network and at the largest merchants (Tier 1 and Tier 2), which pose the largest liability to Visa if they are not compliant. But in any offensive maneuver, attacks are made where there is weakness, and because POS systems are so numerous and widely distributed, all that is needed is persistence and motivation. Current headlines scream out about targeted breaches at several sites across multiple states -- all aimed at the same type of POS system -- proving that persistence has the potential for profitability.

Today's layered approach for securing against malware includes properly configured firewalls, changing vendor defaults and passwords, encrypting the transmission of sensitive cardholder data, and regularly updating antivirus protections. This multiple-step approach takes a lot of human effort to oversee. At larger merchants, the ability of technicians to meet current service level agreements is in jeopardy, especially with the cost of goods rising and with heightened competitive pressures in the retail sector. At smaller merchants, the skillset and knowledge are lacking as to what proper configurations should be established for POS systems, with many organizations relying on distributors to provide a minimum level of service. The security implementation at the POS system must be easier and accessible to all merchants regardless of size.

I enjoy visiting my favorite breakfast spot where the owner and staff know me by my first name. Their POS system looks very much like a standard desktop with a cash drawer and attached PIN pad. I know this is the workhorse of their establishment -- assisting with inventory, orders, payroll, etc. I'll recommend the food always. However, I'm not as upbeat about their POS security. Easing the burden of security and compliance must come from all participants in the retail environment: the manufacturers, the software and hardware providers, the technology value-added resellers and the distributors.

Posted by staff at June 5, 2008 10:40 AM