How to keep guests safe from a point-of-sale system data breach

Advancing technologies continue to challenge the balance between data security and the guest experience. While many all-in-one point-of-sale systems are vulnerable to a wide variety of attack scenarios because they leave card data in plain text within the memory of the system, there are systems and additional technologies that can mitigate a data breach. The best protection is to build a strong defense with a comprehensive POS system that not only meets business and guest needs, but also provides advanced data security.

Hackers heavily target POS systems because they typically hold consumers’ personal and financial data, said Elizabeth Chidiac, POS product manager at Springer-Miller Systems. Hackers most often use malware that “skims” or “scrapes” sensitive data en route from a credit card reader. It then transmits the data back to a holding computer where it is collected, cloned into fraudulent bank cards and sold on the black market.

“In order to protect themselves, hotels should fully review their operation to ensure that there are ample security measures in place and that they are compliant with the [payment card industry data security standard],” she said. “The fact that POS systems are the largest attack vector makes it the obvious starting point for businesses to lock down. At a minimum, all of the POS software should be [payment application data security standard] validated and implemented according to the recommendations found within the vendor’s implementation guide.” 

For data security and compliance, evaluate not only the POS, but also the payment and ancillary solutions where sensitive data may be transmitted, suggested Jim Walker, SVP of global revenue for Agilysys. He also suggested:

  • Ensure your property has a PCI-validated, point-to-point encrypted payment solution. PCI standards leverage the most rigorous security protocols while P2PE encrypts card data.
  • Implement solutions that are Europay, MasterCard and Visa-certified, which reduces card-present fraud risk.
  • Inspect for illicit payment device overlays intended to capture payment card data at the point of transaction.
  • Maintain and regularly update data security policies.
  • Educate the front-line staff so they know how to identify any red flags.

“If your business is the victim of an attack, early discovery can limit the extent of the damage,” Walker said. “Disconnect that POS terminal from the network. By isolating it, the hacker can't communicate on a network. If you’ve detected an illicit overlay on the payment terminal, deactivate and remove that device from operations immediately. In all cases, deploy your data-security protocols, which should include contacting officials as a first step.”

Malware attacks often leave indicators or evidence through diminished software performance. POS users will usually be the first to report a sudden slowdown in performance or in some cases notice a subtle change to a particular application function. Users are key to identifying these breaches early on because of their familiarity with the software. Degraded performance is very noticeable to a seasoned user, particularly in a high-paced POS environment, Chidiac said.

“IT staff can also spot breach indications by doing regular audits on their systems,” she said. “Red flags can be things such as large unknown files on company hardware, multiple failed log-in attempts or unusual activity on privileged accounts.”
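The audit Chidiac describes can be partly automated. The sketch below is an added example, not code from the article or from any vendor named in it: it checks one terminal's login events and file inventory for the three red flags she lists. The log format, account names, addresses, paths and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for one POS terminal (format and names are assumptions).
AUTH_LOG = """\
2024-03-02T02:11:05 pos-03 FAIL svc_admin 10.0.5.77
2024-03-02T02:11:09 pos-03 FAIL svc_admin 10.0.5.77
2024-03-02T02:11:14 pos-03 FAIL svc_admin 10.0.5.77
2024-03-02T02:11:20 pos-03 FAIL svc_admin 10.0.5.77
2024-03-02T02:11:31 pos-03 OK svc_admin 10.0.5.77
2024-03-02T12:40:00 pos-03 FAIL server12 10.0.5.21
2024-03-02T12:40:08 pos-03 OK server12 10.0.5.21
2024-03-02T14:05:00 pos-03 OK svc_admin 10.0.5.10
"""
FILES = [("C:/POS/bin/pos.exe", 48_000_000),
         ("C:/Windows/Temp/t1.dat", 310_000_000),
         ("C:/POS/logs/app.log", 2_000_000)]
BASELINE = {"C:/POS/bin/pos.exe", "C:/POS/logs/app.log"}  # known-good paths
PRIVILEGED = {"svc_admin"}       # accounts with elevated rights
ADMIN_HOSTS = {"10.0.5.10"}      # where privileged logins are expected from

def parse(log):
    """Yield (timestamp, host, result, user, source) per log line."""
    for line in log.splitlines():
        ts, host, result, user, src = line.split()
        yield datetime.fromisoformat(ts), host, result, user, src

def audit(log, files, threshold=3, window=timedelta(minutes=5), big=100_000_000):
    findings, fails = [], defaultdict(list)
    for ts, _host, result, user, src in parse(log):
        if result == "FAIL":
            # Keep only failures inside the sliding window for this user/source.
            recent = [t for t in fails[(user, src)] if ts - t <= window] + [ts]
            fails[(user, src)] = recent
            if len(recent) == threshold:        # report once when the burst starts
                findings.append(("failed-login-burst", user, src))
        elif user in PRIVILEGED and src not in ADMIN_HOSTS:
            findings.append(("privileged-login-unexpected-source", user, src))
    for path, size in files:
        if size >= big and path not in BASELINE:
            findings.append(("large-unknown-file", path, size))
    return findings

if __name__ == "__main__":
    for finding in audit(AUTH_LOG, FILES):
        print(finding)
```

A single mistyped password by a server does not trip the burst rule, while the successful privileged login that follows a burst from the same unexpected address is reported separately so the two findings can be correlated.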

How Mobile POS has Grown

Mobility is now absolutely essential in POS systems, said Peter Agel, global segment lead for hotels at Oracle Hospitality. Any employee should be able to execute a transaction whenever and wherever a guest requires service. From a food-and-beverage perspective, hoteliers, with the help of tablets, can expand the footprint of their restaurant by extending service to outdoor patios and poolside.

“Mobility’s capabilities are particularly valuable because they are so appealing to millennials, who expect zero-friction, instantaneous service,” Agel said. “Hoteliers who embrace mobility have a better chance to court the influential demographic, both as guests and employees. Managers also can escape from the back office with mobile reporting solutions, which provide the freedom to check in from anywhere and tend to pressing matters elsewhere.”

Mobile POS has seen consistent growth over the last few years because of the evolution of cloud-based systems, Chidiac said. The cloud-based POS market is very competitive and providers are now able to seamlessly move their solutions from the standard workstation/terminal environment to an app that can be downloaded to tablets or smartphones. Mobile POS also requires mobile payments, which can be delivered through any of the various e-wallet platforms such as Apple Pay and Google Wallet.
 
Whether you choose a stationary terminal, handheld tablets or a combination of the two, your POS infrastructure becomes the foundation of the business, playing an integral role in keeping things running smoothly while better meeting guest demands, Walker said.

“We have seen shifts in operational procedures among hoteliers looking to maximize the effectiveness of their mobile POS solutions,” he said. “There can be great returns as a result of these shifts, and some of the largest gains in revenue and guest satisfaction are realized when food-and-beverage servers optimize the amount of time spent providing personalized guest service with mobile ordering. We’ve also seen a movement towards complementary solutions, such as kitchen video displays, which strengthen communication between managers, servers, cooks and other staff to ensure orders are not only accurate, but also delivered timely.”

The consumer’s expectation is to lower transaction time and increase self-sufficiency when purchasing in any environment, Chidiac said. This has been proven with online retailers and the trend is in demand and executed in brick-and-mortar stores, as well. This is not limited to the retail market space, however. 

“Food-and-beverage POS developers will need to mobilize as well in order to remain competitive,” she said. “Tableside ordering, online ordering, table reservations and mobile payments are just now becoming a product expectation rather than a nice-to-have. Business owners should be aware of trends such as mobility and social marketing to attract and drive new business.”