PCI Compliance Challenges
Keeping Point-Of-Sale Equipment Secure
While TV credit card commercials show how merrily shoppers can go around buying things with their credit cards, and how convenient life in a cashless society is, they do not point out the very real risk of identity theft at the cash register.
Monica Chauhan, director for embedded solutions at Solidcore, a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.
Lock It Down
These POS systems, if not properly locked down, can be vulnerable to exploitation. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”
Chauhan observed that this standardization has enabled devices to become increasingly interconnected, allowing the use of off-the-shelf software on commoditized hardware running commercial or open operating systems such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux.
According to Chauhan, greater system flexibility and quicker development time have created security risks for POS equipment owners.
Some of These Systems Are Vulnerable
Robert J. McCullen, CEO of Trustwave (www.trustwave.com), a security firm that focuses on information security and compliance management solutions, agreed with Chauhan that many, but not all, POS systems are vulnerable to exploitation.
According to McCullen, dial-up swipe machines are low-risk devices; the devices more susceptible to attack are those that are computer-based and/or have Internet access, and those two factors are where the danger lies.
According to McCullen, if a POS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through physical tampering.
“Generally, hardware swipe terminals have low exploit risk, rather a higher risk of tampering, and thus the tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.
Chauhan points out other vulnerabilities: because today's POS systems are similar to networked PCs, constant patching is required. Embedded systems have also become vulnerable to inappropriate and unauthorized changes as they are handed off to others in the distribution channel. Such changes often result in malfunctions and/or can cause the equipment to no longer meet PCI DSS (PCI Data Security Standard) requirements.
PCI DSS (PCI Data Security Standard) Challenges
Both Chauhan and McCullen agreed that POS equipment faces unique challenges in PCI DSS compliance.
“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. Antivirus software can be a very high overhead expense for a low-end POS system, she notes; however, change control software can eliminate the need for antivirus software.
For example, NEC Infrontia installed change control software on its POS offerings, which prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, Chauhan notes.
PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.
It is difficult for POS equipment providers to ensure that their systems remain PCI compliant after they are shipped and put into production through the dealer network.
By embedding Solidcore change control in its systems, StoreNext (www.storenext.com), a large supplier of technology and POS systems for independent grocers and small retail stores, has solved its PCI DSS Requirement 6 patching problems.
In addition, StoreNext reduced the time spent on monthly test and patch distribution cycles by moving to a quarterly patch frequency. The PCI auditing requirement can also be met through change control software, Chauhan claimed.
Other difficult areas, as McCullen confirmed, include data encryption and user-based access controls.
The author of this article is the Vice President of Customer Relations at www.POS-For-Restaurants.com with over 20 years experience in the restaurant point of sale industry.