Why security remains a critical issue for vulnerable credit-card traffic

This article is part one of a three-part series on POS systems.

Security is a critical issue for point-of-sale systems. POS companies fall under the Payment Card Industry Data Security Standard, a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. A subsection of the PCI Standard requires that the POS companies undergo reviews and audits to ensure all data is properly secured and handled, said Greg Grant, senior director for Phoenix Managed Networks.

“Overall, everything is great and there are no problems with POS companies meeting that compliance—they are securing that electronic payment information as the card is being swiped,” he said. “The problem is that POS companies don’t do anything to protect the network in the macro view. That’s where the hackers are getting in.”

The day-in and day-out hacks are being done on the back-office computer, through the Wi-Fi connection or on the digital signage board, Grant said. Hackers are getting to the other things that are connected to the network that the financial information is being transmitted through.

“Companies don’t think they need to do anything once they are PCI-compliant and certified,” Grant said. “But you still need to protect the network—hackers will find a way in. The encryption device may be good but it’s everything else that it’s connected to that is vulnerable.”

Chris Donahue, director of product management for Springer-Miller Systems, agreed that property-management and POS systems are frequently targeted because the industry has been identified as a soft target.

“POS malware and other threat vectors continue to evolve and are one of the largest sources of stolen information today,” he said. “BlackPOS continues to be the most well-documented threat but many others exist as well. It’s imperative for payment applications developers to stay out ahead of these threats and to architect solutions that safeguard the guest data at all times.”

Taking Action

There are a number of actions that can help protect guest information, said Roberta Braum, director of product management for Agilysys. Point-to-point encryption renders card data useless from the moment it enters a merchant’s system all the way through the transaction cycle. It is of no value without the proper key to decrypt it.

While the data is being stored, it is tokenized. Tokenization products devalue payment card data by replacing the primary account number with a token. These solutions can reduce risk and simplify payment security efforts for merchants by removing the need to store valuable card numbers in their networks and systems.

EMV (Europay, MasterCard and Visa) chip payment cards also help protect the merchant from stolen or fraudulent cards because the card is checked against the network to make sure it is valid.

“Those three mechanisms are three key parts to having that very secure point-of-sale system,” Braum said. “Hoteliers need to get the credit-card data out of their systems as much as possible.”