Let’s be clear – POS is an ill-termed acronym for Point of Sale. As the collective giggles fade, it’s time to think about security in the retail industry. With Black Friday fast approaching, stores preparing for the mad rush of shoppers should ensure their POS systems are secure. Cardholder data has been a lucrative draw for cybercriminals seeking to make serious money selling your stolen credit card data. Along with cardholder data goes your customers’ personally identifiable information, which then floats around the Internet and could potentially fall into the wrong hands.
“Point of sale system” is the catchall term for the consumer’s relationship with the store and the way the consumer exchanges money for goods and/or services. A point of sale system has many different facets operating at different levels. For the purpose of this blog post, I am referring only to the information technology assets that retailers have control over. Payment gateways and bank systems are beyond the scope of this post.
The breaches of Home Depot, Target, and Neiman Marcus are prime examples of major retail organizations that attested to PCI compliance yet were still breached. While PCI compliance is important and ensures your organization has its ducks in a row, it doesn’t necessarily make your POS system more secure. There are additional steps every organization should take to become proactive about securing its POS, arguably the lifeblood of the store.
3 Steps To Secure Your POS Systems
1: Conduct a Security Assessment
How do you secure your bread and butter? For starters, I recommend a security assessment. Conducting a security assessment will not only identify gaps in coverage but will also provide your organization with a valuable roadmap to becoming more secure. A security assessment measures how your people, processes, and technologies stack up against your chosen security framework (be it NIST, SANS, etc.). The assessment is designed to quickly identify problems, as in the case of the 2014 Neiman Marcus breach, where over 60,000 alerts were triggered but were ignored or went unnoticed while the thieves moved around the network over a period of months. An interview with personnel could have surfaced the problems or concerns staff had with a particular security tool, such as too many alerts or not enough personnel to monitor the systems.
2: Invest in a Governance, Risk, and Compliance Tool
Following the assessment, I recommend bringing your metrics and reporting together with a governance, risk, and compliance (GRC) tool. This will provide your organization with valuable metrics, superb reporting capability, and a single dashboard that gives your security team time to respond to incidents. Your compliance team will love it because they can effectively manage compliance requirements and documentation. PCI compliance is a major undertaking for any organization, and having everything in one place for the auditors will make your next PCI audit go smoothly. Even if you are a small organization with no team in place, having a centralized way to view metrics and spot trends will keep you ahead of the curve.
3: Develop a Continuous Monitoring Strategy
And finally, institute a continuous monitoring strategy. From the major retailers to the local mom-and-pop shops, some type of system that generates valuable alerts when there is suspicious activity on your network will provide the shift your organization needs to become proactive about security. Having a strategy in place will allow you to quickly identify events of interest and will provide the guidance you need to respond to an incident. Spotting anomalies in your network and making sure your systems are up to date will go a long way toward preventing a costly data breach. If you are at a loss as to where to begin, check out CyberSheath’s blog post on vulnerability management to get some helpful ideas.
CyberSheath will work with your organization, large or small, to help secure your valuable assets.