A Plea to POS Vendors

by admin
July 28, 2011 3:45PM

Attention POS vendors,

In my years of working in security in various capacities, I’ve seen POS vendors of all shapes and sizes.  I’ve by no means evaluated every POS solution out there, so maybe I’ve had the misfortune of only dealing with some of the lesser quality solutions.  Maybe it’s not the POS solution at all, but what the customer was willing to put up with/pay for during integration.  All the same, I’ve seen some egregious POS installations and I would like to publicly plead that you at least consider some of my recommendations:  (more…)

What You Need to Know About POS Security

by admin
May 7, 2010 8:41PM

Every business has to keep security as a top priority in order to protect confidential information as well as the customers’ sensitive financial information. One area that needs special focus is definitely Point of Sale (POS) security. While some business owners believe that they only have to focus on online security when it comes to payment processing, it’s just as important to make sure that POS security is maintained as well.

One of the greatest factors that can improve POS security is stronger encryption. Many POS systems still use wireless technology that doesn’t integrate quality encryption. For example, one of the most common wireless protection schemes is still WEP (Wired Equivalent Privacy), which has been proven to be quite easy to bypass with consumer-level technology. It’s better to implement strong encryption for the network to make it much harder for potential intruders to invade your network in the first place.  When it comes to POS security, you will also want to make sure that cardholder data isn’t stored directly on the POS controller, something that is also part of the Payment Card Industry Data Security Standard (PCI DSS).

Overall, the fight to increase POS security is not going to be solved overnight, but there are still things you and your company can do to boost security over the long term.

Contact SecureConnect to learn about how our solution helps you achieve PCI compliance and strengthen POS security.

No Major Changes Expected in the 2010 PCI DSS Revision

by Kristyan Mjolsnes
February 11, 2010 4:05PM

Due out in October, the next revision of the Payment Card Industry Data Security Standard (PCI DSS) will contain clarifications but no major changes.  “There won’t be any surprises.  We’re more likely to see guidance documents,” said Bob Russo, PCI Security Standards Council general manager.  Topics expected to gain more attention include encryption, virtualization and the use of more secure payment terminals.  Several special interest groups managed by PCI SSC are studying these topics as well as emerging technologies that may shape future versions of the standard.

Rather than a major PCI DSS revision, this year the council expects to release guidance documents to help merchants being bombarded by vendors with new card data protection technologies.  “We need to be careful and study all the different technologies before prescribing them in the standard,” Russo said.

A topic gaining increased attention among card brands is Chip and PIN, which is popular in Asia and Europe and is now being phased in at payment terminals in Canada.  This technology would replace the magnetic stripe on the back of a card with an embedded microchip and add a four-digit PIN to confirm a payment.  “The rest of the world is using some form of Chip and PIN so we can’t ignore it,” Russo said.  “It’s an enormous endeavor and implementing this poses huge costs.”

With Chip and PIN still far away on the horizon, it is important to implement proper security measures now in order to secure payment card environments and comply with the PCI DSS.

Revisions to the PCI DSS take place every two years, with the last major update released in 2008.  The updated PCI DSS standard will be finalized and made public by mid-October of this year.


PCI and Swipe Machines

by admin
January 26, 2010 12:39AM

Dial-up swipe machines used at the POS (Point of Sale) are highly practical and allow shop and restaurant owners to accept debit and credit cards so that a whole new selection of customers can use their services. This is almost a requirement today, when so few individuals carry cash and customers expect to pay by card; everything from ice cream vans to large function rooms now needs to accept cards.

However, dial-up swipe machines do have a connection and also handle the customer’s card details, meaning that there is still a risk of data breach. While POS systems that use internet connections are at greater risk, those that rely on dial-up connections are still a risk, and in some ways more so as they’re often overlooked. One statistic suggests that four in five data breaches occur at POS systems, and with this knowledge it should be self-evident how important it is to make sure your dial-up systems comply too. The PCI SSC provides a list of validated payment applications, and you can also check with the vendor of your dial-up system. SecureConnect, a PCI compliance vendor, can also help by identifying cardholder data and by tracking the flow of data to look for inconsistencies or irregularities.

PCI SSC Enters Next Phase of Data Security Development

by Kristyan Mjolsnes
November 25, 2009 3:48PM

The PCI Security Standards Council (SSC) announced it is entering phase three of its lifecycle process.  Throughout phase two, insights were gathered from global stakeholders including merchants, service providers, financial institutions, vendors, QSAs, ASVs and third-party experts. Feedback from these stakeholders will be evaluated for the next iteration of the PCI DSS and PA-DSS to ensure the standards are as effective as they can be.

“Our structured, but flexible, lifecycle process allows us to respond effectively to new security challenges so that organizations and assessors have the right tools for their security programs.” – Bob Russo, General Manager of the PCI SSC.
