Secure Payments, PCI DSS, Regulatory Compliance Blog

5 Steps to Your Next (Secure) POS

November 24th, 2007 by admin Posted in Credit Card Fraud, Merchant, Payment Applications, Point of Sale, pa-dss

So you might have read the recent Visa (USA) timeline for migrating to more secure point-of-sale (POS) technology. Or maybe you are looking at your aging systems and wanting to take the plunge and upgrade to a sexier, and more secure, system.

Here are a few things to consider before taking out the check book and laying new infrastructure.

  1. Ask your acquiring bank if your prospective POS is a known vulnerable payment application. As the deadlines loom for payment application security, some vendors may be looking to exploit a loophole in the system. You may notice that in 2008 companies cannot board new merchants using known vulnerable payment applications, so some of them may try to offload that technology before the end of 2007. The kicker is that in 2009 those companies may have to upgrade again to remove those known vulnerable systems. (More importantly, you may be installing a system known to make your environment non-PCI compliant.)
  2. Confirm that your prospective POS vendor and version number are listed as a validated payment application. Visa publicizes a list of validated payment applications. If the integrated POS (IPOS) is not on that list — caveat emptor — regardless of what the vendor may tell you to the contrary. (This process is to be taken over by the PCI SSC in the coming years [PDF].)
  3. Ask your payment application vendor or reseller for the Implementation Guide (or Implementation Documentation). So you purchased and installed a validated payment application — you may be safe and you may not. Each validated payment application comes with an instruction manual for configuring that app in a secure manner. Without this Rosetta stone you may be living in a false sense of security. It is a requirement that vendors and resellers provide this to you and educate you about it, but sometimes these things are overlooked. Make sure you read and understand this document.
  4. Encrypt data from the POS to the back-end systems. Even though the payment application may be securing the data on the system itself, many are still transmitting the track data across the network to the back-end systems for authorization. It is not a PCI requirement to encrypt this data, but recent compromises have shown that hackers are using technologies such as MPACK to sniff track data from the POS to the back-end systems. Choosing a POS that has the ability to encrypt this data puts you one step ahead of the hacker.
  5. Keep your POS network (and retail systems) segmented from the rest of the network (and from the Internet). Network segmentation sounds like a monolithic task for some companies, but I’m only going to discuss two types here: segmenting one store from another, and within each store the cardholder data from all other systems. It is well known that if you have stores directly connected to the Internet instead of a totally private network then you are at higher risk for compromise. Also, if an attacker can compromise the wireless in-store network you want to make sure they cannot use that vulnerability to compromise cardholder data or any other retail store.
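Step 4 is only worth something if you verify it. As an added example (not code from the original post or from any POS vendor), here is a small Python check a merchant or assessor could run over captured POS-to-store-server payloads to confirm that magnetic-stripe track data is not crossing the wire in the clear. It recognises the Track 1 and Track 2 layouts, applies a Luhn check to cut false positives, and reports only a masked PAN; the sample packets are constructed.

```python
import re

# Track 2 as encoded on a magnetic stripe: start sentinel ';', PAN (13-19 digits),
# field separator '=', expiry YYMM, 3-digit service code, discretionary data, end '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[0-9]*\?")
# Track 1 format B: '%B', PAN, '^', cardholder name, '^', expiry YYMM, service code, ... '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit test; filters out random digit runs that happen to fit the layout."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # iterating bytes yields ints
        d = ch - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_track_data(payload: bytes):
    """Return (track, masked_pan, expiry) for every track record found in cleartext."""
    hits = []
    for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in rx.finditer(payload):
            pan = m.group(1)
            if luhn_ok(pan):
                masked = pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]  # first 6 / last 4 only
                hits.append((track, masked.decode(), m.group(2).decode()))
    return hits


# Constructed samples of what a register might send to the store server: packets 0 and 2
# carry raw track data (the failure mode described in step 4); packet 1 carries only a
# masked PAN, which is what a POS that encrypts or tokenises in the app should look like.
SAMPLE_PACKETS = [
    b"AUTH|TID=0001|;4111111111111111=25121011234567890?|AMT=1999",
    b"AUTH|TID=0001|PAN=411111******1111|AMT=1999",
    b"AUTH|TID=0002|%B4111111111111111^DOE/JOHN^2512101123456?|AMT=450",
]


def audit_packets(packets):
    """Indexes of packets that expose track data; an empty list means the link passed."""
    return [i for i, p in enumerate(packets) if find_cleartext_track_data(p)]
```

Run it against payloads pulled from a span port or a capture between the registers and the store server; any non-empty result means the vendor's "encrypted" claim does not hold for that link.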

Knowing how the attacker thinks will help in defending against their most common attacks.  There is no way to have zero risk but we can limit it enough to have the hacker go elsewhere.

Know their weak points in the same way they know yours.

5 Responses to “5 Steps to Your Next (Secure) POS”

By Bruno on Jan 7, 2008

    Thanks for the informative post. There is certainly a lot to keep in mind.

By Fatbully on Mar 26, 2008

    What is the best practice for handling AV & patching processes for POS registers/kiosks that are running embedded XP? Assuming that the client is absolutely refusing to implement these controls, can they rely on compensating controls such as 1) hardening the devices so that there is no way cashiers can break out to the OS layer to access the file system; 2) ensuring that there are no input ports open (USB or others) or other means by which injection of viruses from external sources is possible; 3) most importantly, these POS registers do not store any CHD (the only reason why they are considered system components is because they are located in the same VLAN as the POS server).

By Jeff on Sep 8, 2008

    What if the POS vendor’s payment application is being used by other retailers with the bank (Fifth 3rd or First Data) but has not been validated and is not on the list? Does the Visa phase II apply, and am I not allowed to get certified and use that POS vendor? What if the POS vendor is in the process of getting certified under the new PA-DSS standards?

By T. Phillips on Oct 19, 2008

    With comments about staying off the internet and being on a completely private network, this can be very costly for small companies. What can be done if you utilize the internet, such as a DSL? Can a POS system utilize HTTPS transmitted over the internet?
