- Retailers face several common POS security threats, including maliciously or accidentally installed malware, card reader tampering, hacking, phishing, and internal employees with access to sensitive information.
- Businesses can protect themselves with several best practices, including following PCI compliance, banning swiped transactions, installing updated software regularly, checking for any secretly installed hardware pieces, controlling access to the POS, using a cloud-based point of sale, and blocking web access from POS terminals.
- The best thing a business can do for its POS security is to consult with its POS software provider about the measures it takes to protect customer data.
Point of sale security is a vital step for any retailer or merchant. At its most basic level, it protects your POS system, and the data it holds, from external threats. That data primarily includes customer records, such as account numbers, credit/debit card information, email addresses, mailing addresses, and phone numbers, as well as the business's own financial data. Though this data can be stolen from physical locations, it is more commonly stolen digitally, from hard drives or from the cloud.
Luckily, modern POS solutions are armed with various ways of protecting against data theft. Nevertheless, it's important to understand the potential threats that any business faces so that you can adopt best practices for protecting yourself, your team, and your customers.
The rest of this blog will cover some common ways that thieves try to breach POS security as well as the best ways that you can protect your retail business from these threats.
Common POS Security Threats for Retailers
Unfortunately, there are MANY examples of data theft in retail in recent memory, including some well-known incidents with big-box retailers. There are various reasons these have occurred, including outdated retail tech, unsecured networks, employee negligence, internal theft, and phishing scams.
Ultimately, there will always be some risk of an attack on your store’s data. But knowing what the threats are will help you protect your business against them.
Malware in Your POS
This type of attack targets your point of sale software directly. It can occur via your physical POS terminals or your eCommerce store.
In most cases, the malware extracts unencrypted payment information from a shopper's credit or debit card. Hackers gain access to the system through unprotected databases, compromised passwords, or outdated software. Once they install the malware, it can be difficult for businesses even to detect its presence.
There are several different common types of malware that can affect a merchant’s point of sale system:
- Viruses – One of the oldest and most common types of malware, viruses can spread from different devices on the same network. But they generally do need a user to take certain actions before they can infiltrate a system.
- Open Authentication – Often shortened to OAuth, this is used to attack retailers through third-party sites. For example, if a user can log in to their account with you through a third-party login (which is increasingly common), their user data is at risk if your business OR the third party is hacked.
- Ransomware – Ransomware attacks hold important data or access hostage in the hope that the business will pay a ransom to gain control and security of their data back. DDoS attacks take a similar approach but usually just knock the business offline until a fee is paid.
- Trojan – These are usually disguised as a valid download, tricking the user into installing the malware. Trojans can also be spread through email attachments.
- Spyware – A general term for many different types of malware, spyware is installed onto the POS operating system and sends stolen personal data to an outside database.
- Keylogger – A common type of spyware, keyloggers log key inputs made on a device. This is used on eCommerce stores to steal card info as the customer enters it during the checkout process.
- Botnet – Botnets spread trojans or viruses by infecting numerous devices, which then automatically infect other devices rather than stopping at one.
Card Reader Tampering
POS hardware also poses a risk to a merchant's security. This is especially common with card readers that are not closely monitored by a cashier or retail associate.
Some industry leaders are concerned about the more widespread use of self-checkout kiosks for this reason. Tampering with their card readers gives thieves easier access to sensitive payment data.
Brute Force Hacking
Some hackers write programs that make repeated guesses of usernames and passwords. These programs can make thousands of guesses every minute, leaving your customers' data more vulnerable if they haven't created a strong password or if your system doesn't limit login attempts.
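The defence the paragraph describes, a limit on login attempts, is shown below as an added example (not code from KORONA POS or from this post). It implements a sliding-window lockout that refuses further logins for an account after too many failures, and a small detector that flags the same pattern in authentication log lines. The log format, user names and addresses are constructed for the illustration; the thresholds are assumptions, not any product's defaults.

```python
"""Added example: login throttling and brute-force detection for a POS
back office. The log format, accounts and source addresses below are
constructed for illustration; thresholds are assumed values."""
from collections import defaultdict, deque
import re

MAX_FAILURES = 5        # failed attempts allowed inside the window (assumed)
WINDOW_SECONDS = 60     # sliding window for counting failures
LOCKOUT_SECONDS = 900   # account stays locked this long (15 minutes)


class LoginThrottle:
    """Tracks failed logins per username and enforces a temporary lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)   # username -> failure timestamps
        self.locked_until = {}               # username -> unlock time

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_attempt(self, user, success, now):
        """Record one attempt; return 'ok', 'fail' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                  # even a correct password is refused
        if success:
            self.failures.pop(user, None)    # a good login clears the history
            return "ok"
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # forget old failures
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            q.clear()
            return "locked"
        return "fail"


# Constructed log line format: "<unix time> <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = [                       # constructed sample, not real traffic
    "1000 FAIL user=cashier3 src=203.0.113.9",
    "1003 FAIL user=cashier3 src=203.0.113.9",
    "1005 FAIL user=cashier3 src=203.0.113.9",
    "1008 FAIL user=cashier3 src=203.0.113.9",
    "1010 FAIL user=cashier3 src=203.0.113.9",
    "1012 FAIL user=cashier3 src=203.0.113.9",
    "1020 OK user=manager1 src=192.0.2.5",
    "1500 FAIL user=manager1 src=192.0.2.5",
]


def find_bruteforce(log_lines, threshold=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {(user, src): max failures seen inside any `window` seconds}
    for every (user, source) pair that reached `threshold` failures."""
    per_key = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        per_key[(m["user"], m["src"])].append(int(m["ts"]))
    flagged = {}
    for key, times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def demo_throttle():
    """Five bad passwords lock the account; a correct password only works
    again after the lockout expires."""
    t = LoginThrottle()
    results = [t.record_attempt("cashier3", False, 100 + i) for i in range(5)]
    results.append(t.record_attempt("cashier3", True, 106))
    results.append(t.record_attempt("cashier3", True, 106 + LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(demo_throttle())
    print(find_bruteforce(SAMPLE_LOG))
```

Locking on the username alone lets anyone who knows a cashier's login keep that account locked by feeding it wrong passwords, so production systems usually throttle per source address as well and alert on the detector's output rather than only blocking.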
Phishing
Phishing attacks prey on your employees. Most phishing occurs when the hacker sends an email asking for sensitive information. Good schemes might seem legitimate, leading to the employee sharing payment information or access to customer data.
Internal Employees
Your retail employees will always have at least some level of access to sensitive information. Therefore, there's some risk of them accessing it for malicious reasons or sharing the access with someone outside of your company who has ill intent. That's why it's important to implement strong training and set custom permission levels.
How to Protect Your Business with POS Security
The convenience of a more digital world means there are some added security risks with sensitive data. And there will always be certain individuals and groups trying to outsmart the latest security tech. However, retailers can take several steps to shore up their point of sale and provide security for their employees and customers.
This section covers several of the best ways to improve your POS security.
PCI DSS Compliance
Work with a credit card processor that is fully PCI DSS compliant. All major processors are these days, but it's still important to check. One important aspect of this compliance is that all payment systems run antivirus software to protect your system from outside malware or other threats.
KORONA POS only works with fully compliant processors, and all sensitive customer data is only stored in the processing software, not the POS software.
Don’t Allow for Swiped Transactions
Due to their security risk, banks now refuse to protect merchants against chargebacks on any fraudulent swiped transaction. They also come with higher processing rates, even if the transaction was legitimate.
On top of that, swiped transactions leave a business at higher risk for theft. A person swiping a compromised card might install malware into your card reader, allowing for the theft of card data from future users.
Install Security Patches
Be sure to follow through with all scheduled and recommended software updates to ensure your business always has the latest technology. KORONA POS updates automatically every quarter, so merchants don’t have to worry about anything manual.
Check for Strange Wires or Skimmers
It's scary how quickly thieves can tamper with credit card readers or payment kiosks. Do routine checks of all your hardware to make sure there is nothing suspicious or amiss. This is particularly important for businesses whose payment terminals are unattended, even temporarily.
Install a Data Loss Prevention (DLP) Tool
There are various solutions to help merchants protect their data. These block the extraction of customer data so that, even if a breach occurs, the criminals lack the ability to access any sensitive information. DLP testing tools verify that these systems work as intended, so business owners always know they're up to date and protected.
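To make the "block the extraction of customer data" idea concrete, here is an added example of the core check a DLP filter performs on outbound text: it finds digit runs that look like card numbers, keeps only those that pass the Luhn check that real card numbers satisfy, and masks them so that only the last four digits can leave the system. This is illustrative code, not the product or any DLP vendor's implementation; the sample records are constructed, and 4111 1111 1111 1111 is a well-known test card number.

```python
"""Added example: a minimal DLP filter that detects and masks payment card
numbers (PANs) in outbound text. Sample records are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (so a 20-digit serial is not a candidate)
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(raw):
    return re.sub(r"[ -]", "", raw)


def _is_pan(digits):
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in text."""
    return [_strip(m.group(0)) for m in CANDIDATE_RE.finditer(text)
            if _is_pan(_strip(m.group(0)))]


def mask_pans(text):
    """Replace each valid PAN with asterisks, keeping only the last four digits."""
    def repl(m):
        digits = _strip(m.group(0))
        if _is_pan(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # order numbers etc. that fail Luhn are untouched
    return CANDIDATE_RE.sub(repl, text)


def dlp_check(record):
    """Return (allowed, sanitized): allowed is False when a PAN was present,
    and sanitized is the record with every PAN masked."""
    return (len(find_pans(record)) == 0, mask_pans(record))


SAMPLE_RECORDS = [   # constructed; 4111... is a standard test card number
    "order 1234567890123456 paid with card 4111 1111 1111 1111 exp 12/27",
    "support ticket: customer phone 555-0100, no card on file",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(dlp_check(rec))
```

The 16-digit order number in the first record fails the Luhn check and is left alone, while the card number is masked; the second record passes unchanged. A real DLP product adds other detectors (track data formats, tokens, document fingerprints) and inspects files and network streams, not just strings, but the decision logic is the same.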
Control Access to Your POS
While you never want to hinder your employees’ ability to perform the functions of their role, it’s important to only grant permission to necessary tools, features, and information. For instance, there is no need for a cashier to have access to transaction histories that contain sensitive customer info. Choose permission levels for each role so you always know who has access to what.
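The permission levels described above can be expressed as a simple role-to-permission mapping enforced at every sensitive action. The following is an added example (not KORONA POS code, and the role and permission names are invented for it): a cashier who requests a transaction record receives it with customer-identifying fields removed, a manager sees the full record, denied requests are recorded for review, and a helper answers "who has access to what" for any permission.

```python
"""Added example: role-based access control for POS functions. Role names,
permission names and the sample transaction are constructed."""
from dataclasses import dataclass, field

# Illustrative roles; grant each one only what the job needs.
ROLE_PERMISSIONS = {
    "cashier": {"sale.create", "sale.void_own", "transaction.view_basic"},
    "shift_lead": {"sale.create", "sale.void_own", "sale.void_any",
                   "transaction.view_basic", "report.daily"},
    "manager": {"sale.create", "sale.void_any", "transaction.view_basic",
                "transaction.view_customer", "report.daily", "user.manage"},
}

# Fields a role may only see with transaction.view_customer
CUSTOMER_FIELDS = {"customer_name", "customer_email", "card_last4"}


class PermissionDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str
    audit: list = field(default_factory=list)   # denied requests land here

    def has(self, permission):
        return permission in ROLE_PERMISSIONS.get(self.role, set())

    def require(self, permission):
        """Raise PermissionDenied (and log it) unless the role holds permission."""
        if not self.has(permission):
            self.audit.append((self.user, self.role, permission, "denied"))
            raise PermissionDenied(f"{self.role} lacks {permission}")


def attempt(session, permission):
    """Try a privileged action; True if allowed, False if denied and logged."""
    try:
        session.require(permission)
        return True
    except PermissionDenied:
        return False


def view_transaction(session, record):
    """Return the transaction filtered to what the caller is allowed to see."""
    session.require("transaction.view_basic")
    if session.has("transaction.view_customer"):
        return dict(record)
    # least privilege: everyone else gets the record without customer details
    return {k: v for k, v in record.items() if k not in CUSTOMER_FIELDS}


def who_can(permission):
    """List the roles holding a permission, for periodic access reviews."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items()
                  if permission in perms)


SAMPLE_TRANSACTION = {          # constructed record
    "id": "T-0001",
    "total": 42.50,
    "customer_name": "Example Customer",
    "customer_email": "customer@example.com",
    "card_last4": "1111",
}

if __name__ == "__main__":
    cashier = Session("alice", "cashier")
    manager = Session("bob", "manager")
    print(view_transaction(cashier, SAMPLE_TRANSACTION))
    print(view_transaction(manager, SAMPLE_TRANSACTION))
    print(attempt(cashier, "user.manage"), cashier.audit)
    print(who_can("transaction.view_customer"))
```

Keeping the mapping in one table makes the access review the paragraph asks for a one-line query, and routing every denial through `require` gives you a log of who tried to reach data outside their role.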
Implement Strong Employee Training
Teach your team what to look out for. This includes email communication. Show them common phishing schemes and other common attacks.
Also, encourage each person to use two-factor authentication (2FA) and strong passwords. KORONA POS allows merchants to use 2FA for all POS users if desired.
Opt for Cloud-Based POS Solutions
While there are certain risks to keeping everything digital, there are far more risks to having sensitive data stored on on-premises hard drives or other devices. Cloud POS systems are by far the more secure way to keep your customer data away from thieves. Hard drives can be easily and quickly stolen or duplicated by customers or employees.
Block Web Access on POS Terminals
Another important way to shore up security at the point of sale is to restrict access to web browsing from the terminal itself. iPad solutions, for instance, allow any user to access the internet. This opens the door for employees to fall into malware or phishing traps accidentally.
KORONA POS operates on its own proprietary operating system. Each device only has access to the point of sale software, blocking all access to web browsers and apps.
POS Security with KORONA Point of Sale
Want to learn more about how KORONA POS provides merchants with effective and secure software? Click below to schedule a product demo to see exactly how it all works. KORONA POS provides owners and managers with the tools to provide in-depth insight and secure data while giving cashiers a system with ease of use and convenience.