The point of sale (POS) is the place where a retail transaction occurs and the merchant calculates the amount owed by the customer, indicates the amount, prepares an invoice for the customer, and indicates the options for the customer to make payment. It is also the point at which a customer makes a payment to the merchant in exchange for goods or after provision of a service. After receiving the payment, the merchant issues a receipt for the transaction. The receipt is usually printed, but printing is increasingly being dispensed with in favour of sending the receipt electronically.
POS systems consist of hardware as well as software that tells the hardware what to do with the information it captures. When consumers use a credit or debit card at a POS system, the information stored on the magnetic stripe of the card is collected and processed by the attached device. The data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account, and it includes items such as the cardholder's name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.
Threats to POS Systems
Skimming
Skimming is an electronic method used by identity thieves to capture a victim's personal information. The skimmer is a small device that scans a credit/debit card and stores the information contained in the magnetic stripe. Skimming can take place during a legitimate transaction at a business.
POS Malware
Point-of-sale malware (POS malware) is a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) terminals with the intent of obtaining credit card and debit card information by reading the device memory of the retail checkout point of sale system.
Best Practices for Users to remain safe
Owners and operators of POS systems should follow best practices to increase the security of POS systems and prevent unauthorized access.
For organizations / service providers:
- Update POS Software Applications: Keep all POS systems regularly updated, including POS application software.
- Use Antivirus: It is suggested that antivirus programs be continually updated so that they remain effective on a POS network.
- Install a Firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
- Restrict Access to Internet: Apply access control lists on the router configuration to limit unauthorized traffic to POS devices.
- Disallow Remote Access: Cybercriminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access to POS systems, disallow remote access to the POS network at all times.
- Review all Logs: Organizations and merchants providing POS services should review all system logs for any strange or unexplained activity on a regular basis.
- Encrypt transmission of cardholder data across open, public networks.
For Merchants:
- Update POS Software Applications: Keep all POS systems regularly updated, including POS application software.
- Review all Logs: Organizations and merchants providing POS services should review all system logs for any strange or unexplained activity on a regular basis.
- Account Lockout Policy: Lock out accounts after N incorrect login attempts.
- POS systems should not be used for general internet access by retailers.
- Use Strong Passwords: All POS device owners should change passwords to their POS systems on a regular basis, using unique account names and complex passwords.
- Merchants should ensure that all their Wi-Fi and internet connections are secured. Merchants may use a network name that is extremely generic but unique, keeping the network simple and inconspicuous. In addition, merchants may modulate the signal strength of their Wi-Fi network so that it does not extend too far from the area of use, shop, or building.
- Ensure that no electronic / magnetic devices are attached to POS systems. Enter PIN numbers in a secret manner.
- Merchants should always purchase POS Systems from reputable dealers.
- If any suspected transactions are observed, contact the service provider / bank immediately.
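The "Account Lockout Policy" and "Review all Logs" items above can be exercised together. The following is an added example, not code from the original advisory or from any POS vendor: it replays constructed login events through a lockout policy. The threshold of 3 failures, the 5-minute window, the 15-minute lock duration, the log format and all names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real POS logs): timestamp, account, result
SAMPLE_LOG = """\
2024-01-05T09:00:01 cashier01 FAIL
2024-01-05T09:00:15 cashier01 OK
2024-01-05T09:01:02 posadmin FAIL
2024-01-05T09:01:05 posadmin FAIL
2024-01-05T09:01:09 posadmin FAIL
2024-01-05T09:01:30 posadmin OK
2024-01-05T09:20:00 posadmin OK
"""

class LockoutPolicy:
    """Lock an account after max_failures failed logins inside `window` (assumed values)."""
    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 lock_for=timedelta(minutes=15)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> unlock time

    def attempt(self, account, when, password_ok):
        """Return 'LOCKED', 'DENIED' or 'ALLOWED' for one login attempt."""
        if when < self.locked_until.get(account, datetime.min):
            return "LOCKED"                  # even a correct password is refused
        if password_ok:
            self.failures[account].clear()   # success resets the counter
            return "ALLOWED"
        recent = self.failures[account]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = when + self.lock_for
            recent.clear()
        return "DENIED"

def replay(log_text, policy):
    """Apply the policy to each log line; return (account, time, decision) tuples."""
    decisions = []
    for line in log_text.splitlines():
        stamp, account, result = line.split()
        verdict = policy.attempt(account, datetime.fromisoformat(stamp), result == "OK")
        decisions.append((account, stamp, verdict))
    return decisions

if __name__ == "__main__":
    print(*replay(SAMPLE_LOG, LockoutPolicy()), sep="\n")
```

A `LOCKED` decision on a line whose original result was `OK` is the pattern worth flagging during log review: a correct password arrived immediately after a burst of failures.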