Challenges In Complying With The PCI DSS Standards

The Payment Card Industry (PCI) has made clear that merchants and restaurateurs must comply with its rules and guidelines in order to protect credit card holders. Here are some of the difficulties you may encounter, along with helpful advice.
 
Sept. 8, 2009 - PRLog -- Keep Your Point-Of-Sale Equipment Secure

Credit card commercials show a line of dancing shoppers merrily swiping their cards from store to store and glorify how convenient they are to use; they do not discuss the very real danger behind the cash register.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.

* Locking it Down

These point-of-sale systems are susceptible to attack if not properly locked down. In past decades, these embedded devices consisted of specialized hardware running proprietary software, but in recent years Unified Point of Sale (UPoS) has shifted the retail industry toward standardized platforms.

“Standardization has enabled devices to become increasingly interconnected and has allowed for the use of off-the-shelf software on commoditized hardware running commercial or open operating systems, such as Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), and Linux,” Chauhan observes.

According to Chauhan, greater system flexibility and quicker development time have created security risks for POS equipment owners.

* Vulnerable Systems

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm specializing in information security and compliance management solutions, agrees with Chauhan that many POS systems are vulnerable to exploitation.

“A little dial-up swipe machine is a low-risk device,” McCullen says. “POS equipment more prone to vulnerable exploitation are those that are computer-based and/or have Internet access; the risk lies in those two prime factors.”

According to McCullen, if a POS system stores credit card track data, exploitation can occur, and swipe terminals can be compromised through tampering.

In general, as McCullen explained, hardware swipe terminals carry a low risk of software exploitation but a higher risk of physical tampering; a tampered terminal lets hackers read the cards, whether through a Bluetooth device used later to retrieve the card data or by other means of extracting the information.

Chauhan points to other vulnerabilities as well: because today's POS systems resemble networked PCs, constant patching is required. She added that embedded systems have also become susceptible to attack through unauthorized and inappropriate changes as they are handed off to others in the distribution channel. This can cause the equipment to malfunction and may even cause it to fall out of compliance with PCI DSS (PCI Data Security Standard) requirements.

* PCI DSS (PCI Data Security Standard) Challenges

Both Chauhan and McCullen agreed that POS equipment faces some unique challenges when complying with the PCI DSS.

PCI DSS Requirement 5 states that regularly updated antivirus software must be used, according to Chauhan. Antivirus software can impose very high overhead on a low-footprint POS system, she notes; by contrast, change control software can eliminate the need for antivirus software.

For example, Chauhan explains that NEC Infrontia installed change control software on its POS offerings and thus prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that had been degrading the performance of its devices, according to Chauhan.

PCI DSS Requirement 6 mandates developing and maintaining secure systems and applications. It also presents unique challenges, as Chauhan noted.

It is difficult for POS equipment providers to ensure that their systems remain PCI compliant after the equipment is shipped through the dealer network and put into production.

StoreNext (www.storenext.com), one of the largest suppliers of technology and POS systems for independent grocers and small retail stores, has solved its patching difficulties with PCI DSS Requirement 6 by embedding Solidcore change control in its systems.

In addition, StoreNext reduced the time spent on monthly test and patch distribution cycles by cutting its patch frequency to quarterly. The PCI auditing requirement can also be met through change control software, Chauhan claimed.
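To illustrate what "change control" means in practice for Requirements 5 and 6, here is an added example (it is not Solidcore's product or any code from the companies named above): a minimal baseline-and-audit check that records a SHA-256 digest of every file on a POS image, folds authorized patches into the baseline under a change ticket, and flags anything else that appears or changes. The file names, contents and ticket number are constructed for the demonstration.

```python
"""Hypothetical change-control check for a POS file set (constructed example)."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (relative to root) to its digest: the approved state."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def approve_change(root: Path, baseline: dict, rel_path: str, ticket: str, log: list) -> dict:
    """Fold an authorized change (a tested patch) into the baseline and record it."""
    updated = dict(baseline)
    updated[rel_path] = file_digest(root / rel_path)
    log.append({"ticket": ticket, "path": rel_path, "digest": updated[rel_path]})
    return updated


def audit(root: Path, baseline: dict) -> dict:
    """Compare the current file set with the baseline; any difference is unapproved."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline.keys() & current.keys() if baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Walk through an approved patch followed by two unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos_app.bin").write_bytes(b"POS application v1.0")   # constructed
        (root / "terminal.ini").write_bytes(b"[terminal]\nid=0001\n")  # constructed
        baseline = build_baseline(root)
        change_log: list = []

        # Authorized quarterly patch: content changes, but the change is ticketed.
        (root / "pos_app.bin").write_bytes(b"POS application v1.1")
        baseline = approve_change(root, baseline, "pos_app.bin", "CHG-0042", change_log)

        # Unapproved changes made downstream: a new file and an edited config.
        (root / "unknown.dll").write_bytes(b"not on the baseline")
        (root / "terminal.ini").write_bytes(b"[terminal]\nid=0001\ndebug=1\n")

        return {"findings": audit(root, baseline), "change_log": change_log}


if __name__ == "__main__":
    print(demo())
```

The approved patch is not reported because the baseline was updated under a ticket, while the unlisted file and the edited configuration are; that audit trail of ticketed digests is the kind of evidence an assessor asks for under Requirement 6.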

Other thorny areas include data encryption and user-based access controls, McCullen states.

-----------------------------------------------

Do You Have Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.

-----------------------------------------------

# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!