PCI Compliance: Facing The Challenging Parts

The Payment Card Industry (PCI) has made an effort in establishing a set of rules and guidelines for merchants/restaurateurs to protect their customers' credit card data. Here are some of the challenging part in PCI compliance you might find useful.
Spread the Word
Listed Under

* Pos
* Point Of Sale
* Restaurant Pos
* Restaurant Point Of Sale
* Restaurant Pos System
* Pos Systems
* Restaurant Pos Equipment

* Pos
* Restaurant pos
* Point of sale

* US

Sept. 8, 2009 - PRLog -- Payment Card Industry (PCI): Securing Your Point Of Sale Equipment

On credit card commercials, we can see a line of dancing shoppers merrily swiping their credit cards, from store to store, and glorifyhow convenient it is to use, they tend to forget to care to discuss the peril of identify theft when using credit cards.

Monica Chauhan, director of embedded solutions for Solidcore (www.solidcore.com), a leading provider of real-time change control software, cites Gartner Group statistics showing that four out of five data breaches occur at POS (point-of-sale) systems.

Lock It Down

These Point of Sale systems, if not properly locked down, can be vulnerable to attacks. “For decades, embedded devices consisted of specialized hardware running proprietary software, but in recent times, there has been a shift towards standardization, such as Unified Point of Sale (UPoS) in the retail industry.”

Chauhan observed that this standardization has enabled devices to become increasingly interconnected , allowing the use of off-the-rack software on commoditized hardware running commercial or open operating systems (OS) like Windows XP Embedded, WEPOS (Windows Embedded for Point of Service), as well as Linux.

According to Chauhan, greater system flexibility and quicker development time has created security risks for POS equipment owners.

There Could Be Vulnerable Systems

Robert J. McCullen, chairman and CEO of Trustwave (www.trustwave.com), a security firm focused on the security of information and compliance management solutions, agreed to Chauhan that many but not all POS systems are vulnerable to exploitation.

“A little dial-up swipe machine is a low-risk device,” McCullen says. “POS equipment more prone to vulnerable exploitation are those that are computer-based and/or have Internet access; the risk lies in those two prime factors.”

According to McCullen, if a POS system stores credit card track data, exploitation can occur, and swipe terminals can be exploited through tampering.

“Generally, hardware swipe terminals have low exploit risk, rather a higher risk of tampering, and thus the tampering will allow hackers to read the cards, whether through a Bluetooth device used later to get the card data or other efforts to retrieve the information,” McCullen explains.

Chauhan points out other vulnerabilities. She claims that because today’s POS systems are similar to networked PCs, they require constant patching. Chauhan says embedded systems have also become vulnerable to changes that are unauthorized and inappropriate as they are handed off to others in the distribution channel. Results of this can cause malfunctions to the equipment and may even loose their PCI DSS (PCI Data Security Standard) requirements.

PCI DSS Challenges

Both Chauhan and McCullen agreed that Point of Sale equipment is faced with unique challenges when it comes to complying with the PCI DSS.

Chauhan says that in the PCI DSS requirement 5, it states that an antivirus software must be used and regularly updated. Antivirus software can be an overhead expense on a low POS system, she even notes; inspite of that, you can eliminate the need of an antivirus with the aid of change control software.

For example, the NEC Infrontia installed a change control software on its POS offerings which prevented unauthorized code from breaking unpatched systems. This allowed NEC Infrontia to remove the antivirus software that was impacting the performance of its devices, Chauhan notes.

PCI DSS Requirement 6, “Develop and maintain secure systems and applications,” presents unique challenges, Chauhan notes.

It will be tough for POS equipment providers in ensuring that their systems will supply the PCI compliance after they are shipped put into production through the dealer network.

With the help of embedding Solidcore change control in its systems, StoreNext (www.storenext.com) - a large supplier of technology and POS systems for independent grocers and small chains - have solved their PCI DSS Requirement 6 patching difficulties.

“In addition, StoreNext was able to reduce the amount of time spent on monthly test and patch distribution cycles by reducing its patch frequency to quarterly,” Chauhan states. Chauhan also claims that the PCI auditing requirement can be met through change control software.

Other difficult areas include data encryption and user-based access controls, McCullen states.


Do You Have Any Questions?
For more information and advice on this topic you can quickly contact a Restaurant Point of Sale professional serving your area at POS-For-Restaurants.com.

The author of this article is the Vice President of Customer Relations at http://www.pos-for-restaurants.com, with over 20 years experience in the restaurant point of sale industry.


# # #

Searching for the best Restaurant POS System Solution for your business?
We're a National network of POS System Solution Experts who offer better value and features than most "Major National Suppliers"!
Email:***@kisse.us Email Verified
Tags:Pos, Point Of Sale, Restaurant Pos, Restaurant Point Of Sale, Restaurant Pos System, Pos Systems, Restaurant Pos Equipment
Industry:Pos, Restaurant pos, Point of sale
Location:United States
Account Email Address Verified     Disclaimer     Report Abuse

Like PRLog?
Click to Share