POS Security Secrets
Point of sale (POS) intrusions are common, and they hurt small businesses and international corporations alike. When customer data (credit card numbers, social security numbers, or other personal information) is taken by criminals, the trust between customers and a business breaks.
After a breach, a brand often spends far more rebuilding its reputation than it would have cost to protect customers' data in the first place. Worse, if negligence is found to have played a part in the breach, the result can be regulatory penalties and litigation that threaten the livelihood of the organization.
To avoid a POS hack, follow these security best practices, but shhh! Don’t tell the hackers!
Institute strong password policies
To protect a POS system, secure password policies must be in place and maintained. First and foremost, every staff member needs an individual account and must understand that their password is theirs alone: a shared cashier login defeats even strong controls, and it also destroys the audit trail, because no transaction can be tied to a single person. Likewise, a password should never be written on a sticky note and left in a commonly accessed place such as a desk drawer or the edge of a monitor.
Next, require multi-factor authentication for access to the POS system, for administrative and remote access above all. Many merchants also require passwords to be changed on a fixed schedule, such as every two months; note that current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation, because it pushes people toward predictable variations of the old password. What matters more is changing a password immediately when it may have been exposed and disabling accounts as soon as staff leave. When selecting a password, instruct employees to follow these guidelines:
- Avoid phrases that are easy to guess or to look up, such as a family member's name, home address, birthday, phone number, or other personal facts that may appear on the outside of envelopes in the mail
- Use at least 12 characters; 6 is far too short to resist automated guessing
- Mix uppercase letters, lowercase letters, numerals and symbols
- Or build a passphrase: take a full English sentence and abbreviate it to its initial letters, punctuation included, so the result is long and random-looking but still memorable
- Reject passwords that appear in published breach lists, and never reuse a password from another site or system
Limit remote access
Don't give a third-party vendor standing remote access to your POS system. Remote-access tools left exposed to the internet with default or weak vendor credentials are a common way POS networks are broken into, and the traffic of an unencrypted remote session can be read by anyone on the path between the two machines. Avoid enabling remote access when possible; where a vendor genuinely needs it, grant it only on request, for a limited time, over a VPN or other encrypted channel, with multi-factor authentication, restricted to the vendor's known addresses, and logged.
Restrict personal use of your business equipment
Do not allow a machine dedicated to POS functions to be used for surfing the internet or reading email, and do not let employees log in to social media accounts from it. A browser on the POS terminal is extra attack surface (malicious downloads and drive-by exploits land directly on the machine that handles card data), and social media exposes staff to manipulation: while not a traditional form of hacking, social engineering can persuade an employee to give away critical company information without realizing it. Where practical, put the POS terminals on their own network segment, separated from office workstations and guest Wi-Fi.
Make customer privacy a priority
Businesses and the employees who operate their POS machines must never print or reveal a customer's full credit card number. Card brand rules (Visa, Mastercard) and PCI DSS require the primary account number (PAN) to be truncated on receipts and masked wherever it is displayed: show no more than the first six and the last four digits, and only to staff with a business need to see them.
Within a computer system or database, store the PAN only if you truly need it, render it unreadable (strong encryption or tokenization), and keep it separate from the customer's name and other identifying details so that one leaked table does not yield a complete record. Restrict access to customer records to the people who need it for their job, through individual accounts whose access is logged, rather than by seniority alone.
Two absolute rules: never record or store the card verification value (the CVV2/CVC2 code printed on the card) or the PIN, not even encrypted, once a transaction has been authorized. PCI DSS forbids retaining this sensitive authentication data, and it must also be kept out of logs, crash dumps and support tickets.
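The rules above are mechanical enough to enforce in code. The following is an added example, not code from the original article: it masks a PAN to the first six and last four digits, refuses to build a receipt from any transaction record that still carries CVV, PIN or track data, and scans free text such as logs for full card numbers by combining a digit-run pattern with the Luhn check so that look-alike order numbers are not flagged. The transaction fields, the log lines and the test card number 4111111111111111 are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample log for this example. 4111111111111111 is the well-known Visa
# test PAN (not a real card); 1234567890123456 is a look-alike order number that
# fails the Luhn check.
SAMPLE_LOG = "\n".join([
    "2024-01-05 12:00:01 INFO txn ok order=1234567890123456 card=411111******1111 amount=12.50",
    "2024-01-05 12:00:02 DEBUG raw request: pan=4111 1111 1111 1111 cvv=123 amount=12.50",
])

# Sensitive authentication data: must never reach a receipt, a log or a database.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "pin", "pin_block", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN for display: at most the first six and last four digits survive."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def receipt_lines(txn: Dict[str, object]) -> List[str]:
    """Render receipt lines, refusing any record that carries CVV, PIN or track data."""
    leaked = FORBIDDEN_FIELDS & {k.lower() for k in txn}
    if leaked:
        raise ValueError("sensitive authentication data reached the receipt layer: "
                         + ", ".join(sorted(leaked)))
    return [
        "Merchant: %s" % txn["merchant"],
        "Amount:   %.2f %s" % (txn["amount"], txn["currency"]),
        "Card:     %s" % mask_pan(str(txn["pan"])),
        "Auth:     %s" % txn["auth_code"],
    ]


# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> List[str]:
    """Scan free text (logs, receipt spool, debug output) for Luhn-valid card numbers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_LOG))   # the DEBUG line leaked a full PAN
```

Run the scanner over receipt spools, application logs and crash dumps on a schedule; a single hit means the masking rule is being bypassed somewhere upstream and the offending log line must be purged, not just the finding closed.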
Establish secure POS key procedures
When a POS machine is set up, it is loaded with cryptographic keys. Production keys must never be shared with other organizations or reused in a test system; test environments get their own keys. Further, no single person should hold complete knowledge of the keys for every POS system in the organization: key components should be held by separate custodians under dual control and split knowledge, so that loading a key requires at least two people.
Each POS device should have its own unique key, and the PIN encryption key should be distinct from the other keys on the device (such as the key used to load or update keys). Following this practice means a key compromised on one terminal does not expose the rest of the fleet, which makes it hard for all of an organization's POS devices to be hacked at the same time.
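To make the two properties concrete (one key per device and per purpose, and no single custodian holding a whole key), here is an added example that is not the article's own procedure and not an implementation of any payment-industry key scheme such as DUKPT. It derives per-terminal keys from an environment base key with HKDF (RFC 5869), using the environment name, terminal serial and purpose for domain separation, and splits the base key into two XOR components for two custodians. The purpose labels, the salt string and the terminal serials are assumptions made for the example; in a real deployment PIN keys are generated and injected under PCI PIN controls inside an HSM or key-injection facility, not in application code.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Purposes a terminal key may serve (labels chosen for this example). A PIN encryption
# key is never the same key as the one protecting other traffic or loading further keys.
PURPOSES = ("pin-encryption", "data-encryption", "key-loading")


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _field(value: str) -> bytes:
    """Length-prefix a string so that adjacent fields can never collide inside the HKDF info."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def derive_terminal_key(base_key: bytes, environment: str, terminal_serial: str,
                        purpose: str, length: int = 16) -> bytes:
    """Derive one terminal-specific key from the environment's base key.

    Domain separation by environment, serial and purpose guarantees that the PIN key of
    terminal A differs from its data key and from every key of terminal B, and that a
    test-environment base key can never reproduce a production key.
    """
    if purpose not in PURPOSES:
        raise ValueError("unknown key purpose: %s" % purpose)
    if len(base_key) < 16:
        raise ValueError("base key too short")
    prk = _hkdf_extract(b"pos-terminal-keys-v1", base_key)   # salt label assumed for the example
    info = _field(environment) + _field(terminal_serial) + _field(purpose)
    return _hkdf_expand(prk, info, length)


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split a key into two XOR components for two custodians (dual control, split knowledge).

    Either component alone is uniformly random and reveals nothing; both together rebuild the key.
    """
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(a ^ k for a, k in zip(share_a, key))
    return share_a, share_b


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct a key from its two components, as done at key-loading time."""
    if len(share_a) != len(share_b):
        raise ValueError("component length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    prod_base = secrets.token_bytes(32)   # constructed for the demo; in practice generated inside an HSM
    custodian_1, custodian_2 = split_key(prod_base)
    assert join_key(custodian_1, custodian_2) == prod_base
    for serial in ("T-0001", "T-0002"):   # assumed terminal serials
        for purpose in PURPOSES:
            print(serial, purpose, derive_terminal_key(prod_base, "production", serial, purpose).hex())
```

Because every derived key is a function of the serial and the purpose, a terminal that is stolen or tampered with only ever yields its own keys, and revoking it is a matter of blacklisting one serial rather than re-keying the fleet.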
Use TLS encryption for remote access
Allowing a third party to access your POS system remotely puts the whole system in a vulnerable position, but if you must make this allowance, encrypt the session end to end. In an unencrypted remote login, every computer on the route between the remote user and the server can read the traffic, credentials included.
Use TLS 1.2 or later with certificate verification whenever card data or remote-access traffic crosses a network; SSL (all versions) and TLS 1.0/1.1 are deprecated, and PCI DSS required merchants to move off SSL and early TLS by mid-2018. The older advice to use "at least 128-bit SSL" referred to cipher strength; a modern TLS configuration already uses 128- or 256-bit AES or ChaCha20 and, just as importantly, verifies the server's certificate, which is what stops a machine on the path from impersonating your server rather than merely reading the traffic.
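The difference between "encrypted" and "actually protected" is easiest to see in a client configuration. The following is an added example, not code from the original article: a weak Python ssl context of the kind found in vendor remote-access scripts (encrypts, but verifies nothing) beside a hardened one (TLS 1.2 or later, server certificate and hostname verified, forward-secret AEAD ciphers, optional client certificate for mutual TLS), plus an audit function that reports what a reviewer would flag. The ca_file, client_cert and client_key parameters are assumed deployment-supplied paths; with no arguments the hardened context uses the system trust store.

```python
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """Encrypts, but verifies nothing: any machine on the path can present its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # deprecated protocol versions allowed
    except ValueError:
        pass                            # builds without TLS 1.0 refuse this; the context is still weak
    return ctx


def hardened_client_context(ca_file: Optional[str] = None,
                            client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2+ only, server certificate and hostname verified, optional client certificate.

    ca_file, client_cert and client_key are assumed paths supplied by the deployment.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are all AEAD and configured separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)   # mutual TLS: the server can demand this
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag; an empty list means the context passes."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol versions allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The same three checks apply to whatever remote-access tool a vendor proposes: if its client cannot verify the server's certificate and hostname and cannot be pinned to TLS 1.2 or later, it is not acceptable on a network that touches card data.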
POS security should be a top priority of any organization and although the rigors of maintaining POS security may appear at first to be time-consuming, they don’t actually need to be.
With a cloud-based cyber security subscription, any business (large or small) can keep up with the security requirements of practicing business in today’s digital world where protecting customer data is paramount to maintaining a brand’s reputation.
Follow these best practices to guide your POS security efforts. For more tips on how to maintain your organization’s security, check out this whitepaper on how to prevent cyberattacks.