Difficulties In Facing The PCI Compliance

For merchants/restaurateurs, the PCI compliance is sinch, but there are those who continuesly scratching their heads figuring out how their POS system can comply with the standards set by the credit card industry.
Spread the Word
Listed Under

* Pos
* Point Of Sale
* Restaurant Pos
* Restaurant Point Of Sale
* Restaurant Pos System
* Pos Systems
* Restaurant Pos Equipment

* Pos
* Restaurant pos
* Point of sale

* US

Sept. 8, 2009 - PRLog -- Securing Your Point Of Sale Equipment

In credit card commercials, although they show us a couple of happy shoppers swiping their credit cards as they go on a shopping spree and enjoying the convenience of a cashless society, they don't include the very real risk of identify theft at the cash register.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.

Lock It Down

These Point of Sale systems are vulnerable to attacks if not properly locked down. For decades now, these embedded devices consisted of specialized hardware running proprietary software, but in recent times, where Unified Point of Sale (UPoS) has shifted the standards in the retail industry.

Chauhan have also observed that the standardization has enabled devices to become increasingly interconnected , allowing the use of off-the-rack software on commoditized hardware running commercial or open OS like Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and also Linux.

Chauhan also included, the security risks for POS equipment owners came from greater system flexibility and quicker development time of these equipments.

There Could Be Vulnerable Systems

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm focused on the security of information and compliance management solutions, agreed to Chauhan that there are many, but not all, POS systems that are susceptible to attacks.

“A little dial-up swipe machine is a low-risk device,” McCullen says. “POS equipment more prone to vulnerable exploitation are those that are computer-based and/or have Internet access; the risk lies in those two prime factors.”

Another thing, McCullen said that if a POS system stores credit card track data, exploitation can occur, and the swipe terminals can be exploited through tampering.

“Generally, hardware swipe terminals have low exploit risk, rather a higher risk of tampering, and thus the tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.

Chauhan points out other vulnerabilities. She claims that because today’s POS systems are similar to networked PCs, they require constant patching. Chauhan also included that embedded systems have also become susceptible to attack through unauthorized and inappropriate changes as they are handed off to others in the distribution channel. With these, equipments often results to malfunctions and/or can cause the equipment to no longer meet PCI DSS (PCI Data Security Standard) requirements.

PCI DSS (PCI Data Security Standard) Challenges

Both Chauhan and McCullen agreed that POS equipment is faced with unique challenges with its PCI DSS compliance.

“Requirement 5 states that you must use and regularly update antivirus software,” Chauhan says. An ativirus software can be an overhead expense on a low-footprint POS system, she notes; however, change control software can eliminate the need for antivirus software.

For example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thus prevented unauthorized code from breaking unpatched systems. It allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, according to Chauhan.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

“It is difficult for POS equipment providers to ensure their systems sustain PCI compliance after they are shipped through the dealer network and get put into production at the retail location,” Chauhan observes.

A large supplier of technology and POS systems for independent grocers and small chains, StoreNext (www.storenext.com), have solved their patching difficulties with PCI DSS Requirement 6 though embedded Solidcore change control in its systems.

By simply reducing its patch frequency to quarterly, StoreNext was able to reduce the amount of their time on monthly test and patch distribution cycles. Chauhan also claims that the PCI auditing requirement can be met through change control software.

Other hard areas, as McCullen stated, included data encryption and user-based access controls.


Want To Ask A Point of Sale (POS) Expert?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.


# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!
Email:***@kisse.us Email Verified
Tags:Pos, Point Of Sale, Restaurant Pos, Restaurant Point Of Sale, Restaurant Pos System, Pos Systems, Restaurant Pos Equipment
Industry:Pos, Restaurant pos, Point of sale
Location:United States
Account Email Address Verified     Disclaimer     Report Abuse
POS For Restaurants News
Most Viewed
Daily News

Like PRLog?
Click to Share