3 Lessons on POS Security

If you have followed the news for the last six months, you’ve probably heard that cybercriminals have switched from major retailers to U.S. hotel chains. By the end of 2015, hotel chains such as Hyatt, Starwood, Hilton, Mandarin Oriental, White Lodging, and the Trump Collection had admitted security breaches. Their IT infrastructures were infected by point-of-sale (POS) malware, which allowed cybercriminals to get access to information from customers’ payment cards, including numbers, expiration dates, and security codes.
Back in 2014, the FBI released a confidential warning for retailers. The document notified them about possible credit card breaches using POS malware and recommended that they strengthen their defenses. Unfortunately, despite all attempts to raise awareness about the increased security risks, the attacks on retailers reached epidemic proportions. Through the use of malware, POS systems not only became the easiest way to steal customers’ credit card data, but they have also served as a point of access for cybercriminals to penetrate deeper into networks for even more valuable data.
Why are POS devices so easy to hack? Many of them use the Windows XP Embedded operating system (OS), which Microsoft barely supports. Although support for Windows Embedded POSReady 2009 has been extended until 2019, it doesn’t receive regular security updates, nor is it compatible with many modern anti-malware solutions. As long as companies have these legacy POS systems in place, they will remain wide open to attack.
Recent breaches offer us several lessons on how to protect against POS attacks. Here, Netwrix, a provider of IT auditing software that delivers complete visibility of IT infrastructure changes and data access, goes over three best practices for hotels to shore up security.
A strong password is the first security law. There’s nothing new to say about the importance of having strong passwords; even the latest version of PCI DSS has been expanded with more requirements that enforce the use of strong passwords. This would not be necessary if retailers changed their weak passwords or the default POS administrative credentials. Unsurprisingly, cracking a simple password is one of the easiest and quickest methods of cyberattack. For this reason it’s vital for organizations to enforce a strong password policy that includes requirements for two-factor authentication and regular password changes, especially for the administrator accounts on operating systems and POS applications.
Know who is doing what, when, and where. The second POS security law is to be sure you know who has access to the POS service accounts used for maintenance and configuration changes. Restrict administrator access to only the systems over which they require control to perform their duties. Regularly check that access to POS systems is limited to specific individuals. Also, never forget to monitor your POS systems for suspicious activity, such as multiple failed user logons; this might mean that someone is trying to gain control over your POS operating system. A sudden spike in suspicious activity should trigger a careful investigation.
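As an added example that is not part of the original article, the following Python script shows one way to implement the “multiple failed logons” check recommended above, run over a constructed CSV export of Windows Security events (ID 4625 for a failed logon, 4624 for a successful one). The host names, account names, IP addresses, threshold and window are assumed values chosen for illustration.

```python
"""Flag bursts of failed logons on POS hosts from an exported Windows Security log.

The event records below are constructed for this example: they mimic the fields
of Windows Security event ID 4625 (failed logon) and 4624 (successful logon) as
they might appear in a CSV export, but they are not real data.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: time, event id, target host, account, source IP
SAMPLE_EVENTS = """\
time,event_id,host,account,source_ip
2016-03-01T02:10:05,4625,POS-LOBBY-01,Administrator,10.20.0.55
2016-03-01T02:10:09,4625,POS-LOBBY-01,Administrator,10.20.0.55
2016-03-01T02:10:14,4625,POS-LOBBY-01,Administrator,10.20.0.55
2016-03-01T02:10:20,4625,POS-LOBBY-01,Administrator,10.20.0.55
2016-03-01T02:10:31,4625,POS-LOBBY-01,Administrator,10.20.0.55
2016-03-01T02:10:44,4624,POS-LOBBY-01,Administrator,10.20.0.55
2016-03-01T09:00:01,4625,POS-BAR-02,cashier7,10.20.0.71
2016-03-01T09:00:30,4624,POS-BAR-02,cashier7,10.20.0.71
2016-03-01T14:15:00,4625,POS-BAR-02,cashier7,10.20.0.71
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def find_logon_bursts(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for (host, account) pairs that accumulate at least
    `threshold` failed logons inside a sliding time `window`. A successful
    logon that follows an open burst is reported separately, because it is
    the case an investigator most needs to see: the guessing may have worked."""
    recent = defaultdict(deque)  # (host, account) -> failure timestamps in window
    burst_open = set()           # pairs already alerted on, awaiting a success
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["account"])
        ts = datetime.fromisoformat(row["time"])
        if row["event_id"] == FAILED_LOGON:
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append({"host": key[0], "account": key[1], "count": len(q),
                               "source_ip": row["source_ip"], "kind": "failed_logon_burst"})
        elif row["event_id"] == SUCCESS_LOGON and key in burst_open:
            alerts.append({"host": key[0], "account": key[1], "source_ip": row["source_ip"],
                           "kind": "success_after_burst"})
            burst_open.discard(key)
            recent[key].clear()
    return alerts
```

A single failed logon by a cashier, as in the second host above, produces no alert; only the administrator burst on POS-LOBBY-01 and the success that follows it are reported.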
Standard approaches won’t help. Being certified as a PCI-compliant organization doesn’t prove that all security risks have been mitigated. The key to protecting cardholder data is to keep improving your security policies and risk assessment procedures beyond compliance requirements. The best option here is to treat PCI DSS as the minimum security scope. It is also important to make sure you fix all security issues identified by the auditors as soon as they are revealed.
Even if you are not planning to update your POS system, this doesn’t mean that you should sit and wait for a breach to hit you hard. Look for security best practices, evaluate the weak points in your security posture, and test them in order to keep everything under control. Regularly train your employees and keep them informed about recent security threats. Finally, remember that you are not alone. Stay connected with the community, educate yourself about new threat patterns and discovered vulnerabilities, and share your knowledge. All of this might minimize the chance of a data breach and keep millions of credit card holders from being victimized.