Point-of-sale systems are in a war against POS malware — and they are losing. Scarcely a week passes without news of another victory for the bad guys.
One thing seems clear: current POS security is not enough.
18 ways to boost POS security are listed below. But first we ask, why do the systems keep getting breached?
5 Reasons POS Malware is Winning
Reason #1. Systems are old
POS systems are often sold on the notion that they will last years, maybe even a decade. The majority use a Windows-based OS, and, according to one estimate, about 30% still run the officially obsolete Windows XP.
The use of common, older operating systems adds to their vulnerability. This is often compounded by organizations that do not adhere to POS security best practices.
Reason #2. Systems are improperly used
Some organizations allow POS systems to access the internet – never a wise choice.
For example, small and medium businesses (SMBs) often lack the resources for a dedicated POS machine, so they use the same machine to browse the web or read email.
Reason #3. Systems are improperly configured
POS systems are more widely available than ever. SMBs can buy one without the help of an IT provider who can deploy and configure the system securely.
Reason #4. Over-reliance on anti-virus
Many organizations rely too heavily on anti-virus software to keep their POS systems clear of malware. This is a poor strategy for many reasons, not least of which is the fundamental inability of anti-virus to stop the most advanced attacks.
Anti-virus prevents only known malware. New or custom variants can go undetected.
POS malware is often tailored to infect and persist in the target environment. This makes it very hard for signature-based anti-virus software to detect the threat.
Reason #5. Over-reliance on PCI DSS
The PCI DSS regulations require organizations to protect cardholder data. They dictate many sound security practices, but they are clearly not enough.
Of the retailers recently breached, how many do you think:
- Regularly passed PCI DSS security scans?
- Recently passed a PCI DSS compliance audit?
It’s safe to assume that retailers often believe they are compliant the day before they realize hackers have been stealing their cardholder data for months.
Aside from following standard information security best practices, here are some steps you can take to help protect yourself from POS malware attacks.
1. Isolate the cardholder data environment (CDE) with network segmentation. Separate it from public-facing services and the Internet.
2. Restrict systems in the CDE to connect only to known, trusted sources. Block all other traffic that is not explicitly allowed.
3. Implement outbound / egress filtering policies to scan traffic attempting to enter or leave the CDE.
4. Implement intrusion detection and prevention.
5. Use only encrypted protocols to transmit cardholder data, even within the corporate network.
6. Reduce the number of personnel with access to the CDE. Allow even fewer personnel to access both the CDE and other internal networks.
7. Use POS devices only for transaction-related purposes. Do not allow use for other purposes, such as checking email or printing documents.
8. Use two-factor authentication for all administrative access and entry points to the CDE.
9. Use two-factor authentication for all configuration changes to the CDE.
10. Establish an incident response plan to isolate, resolve, and investigate all detected breaches.
11. Place a firewall between each of the corporate networks.
12. Deploy endpoint security software with frequent and automatic updates.
13. Invest in a POS system that encrypts cardholder data immediately upon entry. Decrypt only at secure points outside the merchant’s environment, such as a payment processor.
Periodic tests and audits
14. Audit all connections to the CDE.
15. Review remote connection logs.
16. Review running processes.
17. Review all administrative accounts for password complexity.
18. Review POS systems for physical tampering.
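As an added example (not from the original article), here is a small Python audit that applies steps 2, 3, 14 and 15 to constructed firewall log lines: it checks every allowed connection from a hypothetical CDE subnet against an allowlist of trusted destinations and flags anything else, and it also counts denied attempts per POS host so they can be reviewed. The subnet, the allowlist addresses and the log format are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist for a hypothetical CDE: the only destinations a POS host may reach.
# Real values come from the merchant's network design and its payment processor.
CDE_EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),   # payment processor gateway (documentation address, constructed)
    ("10.20.0.5", 514),      # internal syslog collector (constructed)
}
CDE_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # hypothetical CDE segment

# Constructed firewall log lines in a simple key=value layout (not a real vendor format).
LOG_LINES = """\
ts=2024-05-01T10:00:01 action=ALLOW src=10.20.0.11 dst=203.0.113.10 dport=443 proto=tcp
ts=2024-05-01T10:00:05 action=ALLOW src=10.20.0.11 dst=10.20.0.5 dport=514 proto=udp
ts=2024-05-01T10:01:12 action=ALLOW src=10.20.0.12 dst=198.51.100.77 dport=80 proto=tcp
ts=2024-05-01T10:02:30 action=ALLOW src=10.20.0.12 dst=198.51.100.77 dport=8080 proto=tcp
ts=2024-05-01T10:03:44 action=DENY src=10.20.0.11 dst=192.0.2.9 dport=25 proto=tcp
ts=2024-05-01T10:04:00 action=ALLOW src=10.30.0.50 dst=198.51.100.77 dport=80 proto=tcp
""".splitlines()

LINE_RE = re.compile(r"ts=(\S+) action=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport, proto = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def audit_cde_egress(lines):
    """Return (violations, denied): ALLOWed connections from CDE hosts to destinations that
    are not on the allowlist, plus a per-host count of DENYed attempts worth reviewing."""
    violations = []
    denied = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in CDE_SUBNET:
            continue  # malformed, or not a CDE host: out of scope for this audit
        if rec["action"] == "DENY":
            denied[rec["src"]] += 1  # blocked, but repeated attempts hint at an infected host
            continue
        if (rec["dst"], rec["dport"]) not in CDE_EGRESS_ALLOWLIST:
            violations.append(rec)  # allowed by the firewall yet not a trusted destination
    return violations, denied
```

Run `audit_cde_egress(LOG_LINES)`: the two allowed connections from 10.20.0.12 to 198.51.100.77 are reported as violations of the allowlist, and the host outside the CDE subnet is ignored.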